]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_exec.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-6153.121.1.tar.gz
[apple/xnu.git] / bsd / kern / kern_exec.c
1 /*
2 * Copyright (c) 2000-2019 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29 /*
30 * Mach Operating System
31 * Copyright (c) 1987 Carnegie-Mellon University
32 * All rights reserved. The CMU software License Agreement specifies
33 * the terms and conditions for use and redistribution.
34 */
35
36 /*-
37 * Copyright (c) 1982, 1986, 1991, 1993
38 * The Regents of the University of California. All rights reserved.
39 * (c) UNIX System Laboratories, Inc.
40 * All or some portions of this file are derived from material licensed
41 * to the University of California by American Telephone and Telegraph
42 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
43 * the permission of UNIX System Laboratories, Inc.
44 *
45 * Redistribution and use in source and binary forms, with or without
46 * modification, are permitted provided that the following conditions
47 * are met:
48 * 1. Redistributions of source code must retain the above copyright
49 * notice, this list of conditions and the following disclaimer.
50 * 2. Redistributions in binary form must reproduce the above copyright
51 * notice, this list of conditions and the following disclaimer in the
52 * documentation and/or other materials provided with the distribution.
53 * 3. All advertising materials mentioning features or use of this software
54 * must display the following acknowledgement:
55 * This product includes software developed by the University of
56 * California, Berkeley and its contributors.
57 * 4. Neither the name of the University nor the names of its contributors
58 * may be used to endorse or promote products derived from this software
59 * without specific prior written permission.
60 *
61 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
62 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
63 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
64 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
65 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
66 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
67 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
68 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
69 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
70 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
71 * SUCH DAMAGE.
72 *
73 * from: @(#)kern_exec.c 8.1 (Berkeley) 6/10/93
74 */
75 /*
76 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
77 * support for mandatory and extensible security protections. This notice
78 * is included in support of clause 2.2 (b) of the Apple Public License,
79 * Version 2.0.
80 */
81 #include <machine/reg.h>
82 #include <machine/cpu_capabilities.h>
83
84 #include <sys/param.h>
85 #include <sys/systm.h>
86 #include <sys/filedesc.h>
87 #include <sys/kernel.h>
88 #include <sys/proc_internal.h>
89 #include <sys/kauth.h>
90 #include <sys/user.h>
91 #include <sys/socketvar.h>
92 #include <sys/malloc.h>
93 #include <sys/namei.h>
94 #include <sys/mount_internal.h>
95 #include <sys/vnode_internal.h>
96 #include <sys/file_internal.h>
97 #include <sys/stat.h>
98 #include <sys/uio_internal.h>
99 #include <sys/acct.h>
100 #include <sys/exec.h>
101 #include <sys/kdebug.h>
102 #include <sys/signal.h>
103 #include <sys/aio_kern.h>
104 #include <sys/sysproto.h>
105 #include <sys/persona.h>
106 #include <sys/reason.h>
107 #if SYSV_SHM
108 #include <sys/shm_internal.h> /* shmexec() */
109 #endif
110 #include <sys/ubc_internal.h> /* ubc_map() */
111 #include <sys/spawn.h>
112 #include <sys/spawn_internal.h>
113 #include <sys/process_policy.h>
114 #include <sys/codesign.h>
115 #include <sys/random.h>
116 #include <crypto/sha1.h>
117
118 #include <libkern/libkern.h>
119
120 #include <security/audit/audit.h>
121
122 #include <ipc/ipc_types.h>
123
124 #include <mach/mach_param.h>
125 #include <mach/mach_types.h>
126 #include <mach/port.h>
127 #include <mach/task.h>
128 #include <mach/task_access.h>
129 #include <mach/thread_act.h>
130 #include <mach/vm_map.h>
131 #include <mach/mach_vm.h>
132 #include <mach/vm_param.h>
133
134 #include <kern/sched_prim.h> /* thread_wakeup() */
135 #include <kern/affinity.h>
136 #include <kern/assert.h>
137 #include <kern/task.h>
138 #include <kern/coalition.h>
139 #include <kern/policy_internal.h>
140 #include <kern/kalloc.h>
141
142 #include <os/log.h>
143
144 #if CONFIG_MACF
145 #include <security/mac_framework.h>
146 #include <security/mac_mach_internal.h>
147 #endif
148
149 #if CONFIG_AUDIT
150 #include <bsm/audit_kevents.h>
151 #endif
152
153 #if CONFIG_ARCADE
154 #include <kern/arcade.h>
155 #endif
156
157 #include <vm/vm_map.h>
158 #include <vm/vm_kern.h>
159 #include <vm/vm_protos.h>
160 #include <vm/vm_kern.h>
161 #include <vm/vm_fault.h>
162 #include <vm/vm_pageout.h>
163
164 #include <kdp/kdp_dyld.h>
165
166 #include <machine/machine_routines.h>
167 #include <machine/pal_routines.h>
168
169 #include <pexpert/pexpert.h>
170
171 #if CONFIG_MEMORYSTATUS
172 #include <sys/kern_memorystatus.h>
173 #endif
174
175 #include <IOKit/IOBSD.h>
176
177 extern boolean_t vm_darkwake_mode;
178
179 extern int bootarg_execfailurereports; /* bsd_init.c */
180
181 #if CONFIG_DTRACE
182 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
183 extern void dtrace_proc_exec(proc_t);
184 extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
185
186 /*
187 * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
188 * we will store its value before actually calling it.
189 */
190 static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL;
191
192 #include <sys/dtrace_ptss.h>
193 #endif
194
195 /* support for child creation in exec after vfork */
196 thread_t fork_create_child(task_t parent_task,
197 coalition_t *parent_coalition,
198 proc_t child_proc,
199 int inherit_memory,
200 int is_64bit_addr,
201 int is_64bit_data,
202 int in_exec);
203 void vfork_exit(proc_t p, int rv);
204 extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
205 extern void task_set_did_exec_flag(task_t task);
206 extern void task_clear_exec_copy_flag(task_t task);
207 proc_t proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread);
208 boolean_t task_is_active(task_t);
209 boolean_t thread_is_active(thread_t thread);
210 void thread_copy_resource_info(thread_t dst_thread, thread_t src_thread);
211 void *ipc_importance_exec_switch_task(task_t old_task, task_t new_task);
212 extern void ipc_importance_release(void *elem);
213 extern boolean_t task_has_watchports(task_t task);
214
215 /*
216 * Mach things for which prototypes are unavailable from Mach headers
217 */
218 #define IPC_KMSG_FLAGS_ALLOW_IMMOVABLE_SEND 0x1
219 void ipc_task_reset(
220 task_t task);
221 void ipc_thread_reset(
222 thread_t thread);
223 kern_return_t ipc_object_copyin(
224 ipc_space_t space,
225 mach_port_name_t name,
226 mach_msg_type_name_t msgt_name,
227 ipc_object_t *objectp,
228 mach_port_context_t context,
229 mach_msg_guard_flags_t *guard_flags,
230 uint32_t kmsg_flags);
231 void ipc_port_release_send(ipc_port_t);
232
233 #if DEVELOPMENT || DEBUG
234 void task_importance_update_owner_info(task_t);
235 #endif
236
237 extern struct savearea *get_user_regs(thread_t);
238
239 __attribute__((noinline)) int __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid);
240
241 #include <kern/thread.h>
242 #include <kern/task.h>
243 #include <kern/ast.h>
244 #include <kern/mach_loader.h>
245 #include <kern/mach_fat.h>
246 #include <mach-o/fat.h>
247 #include <mach-o/loader.h>
248 #include <machine/vmparam.h>
249 #include <sys/imgact.h>
250
251 #include <sys/sdt.h>
252
253
254 /*
255 * EAI_ITERLIMIT The maximum number of times to iterate an image
256 * activator in exec_activate_image() before treating
257 * it as malformed/corrupt.
258 */
259 #define EAI_ITERLIMIT 3
260
261 /*
262 * For #! interpreter parsing
263 */
264 #define IS_WHITESPACE(ch) ((ch == ' ') || (ch == '\t'))
265 #define IS_EOL(ch) ((ch == '#') || (ch == '\n'))
266
267 extern vm_map_t bsd_pageable_map;
268 extern const struct fileops vnops;
269 extern int nextpidversion;
270
271 #define USER_ADDR_ALIGN(addr, val) \
272 ( ( (user_addr_t)(addr) + (val) - 1) \
273 & ~((val) - 1) )
274
275 /* Platform Code Exec Logging */
276 static int platform_exec_logging = 0;
277
278 SYSCTL_DECL(_security_mac);
279
280 SYSCTL_INT(_security_mac, OID_AUTO, platform_exec_logging, CTLFLAG_RW, &platform_exec_logging, 0,
281 "log cdhashes for all platform binary executions");
282
283 static os_log_t peLog = OS_LOG_DEFAULT;
284
285 struct exec_port_actions {
286 uint32_t portwatch_count;
287 uint32_t registered_count;
288 ipc_port_t *portwatch_array;
289 ipc_port_t *registered_array;
290 };
291
292 struct image_params; /* Forward */
293 static int exec_activate_image(struct image_params *imgp);
294 static int exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp);
295 static int load_return_to_errno(load_return_t lrtn);
296 static int execargs_alloc(struct image_params *imgp);
297 static int execargs_free(struct image_params *imgp);
298 static int exec_check_permissions(struct image_params *imgp);
299 static int exec_extract_strings(struct image_params *imgp);
300 static int exec_add_apple_strings(struct image_params *imgp, const load_result_t *load_result);
301 static int exec_handle_sugid(struct image_params *imgp);
302 static int sugid_scripts = 0;
303 SYSCTL_INT(_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
304 static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p);
305 static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
306 static void exec_resettextvp(proc_t, struct image_params *);
307 static int check_for_signature(proc_t, struct image_params *);
308 static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
309 static errno_t exec_handle_port_actions(struct image_params *imgp,
310 struct exec_port_actions *port_actions);
311 static errno_t exec_handle_spawnattr_policy(proc_t p, thread_t thread, int psa_apptype, uint64_t psa_qos_clamp,
312 uint64_t psa_darwin_role, struct exec_port_actions *port_actions);
313 static void exec_port_actions_destroy(struct exec_port_actions *port_actions);
314
315 /*
316 * exec_add_user_string
317 *
318 * Add the requested string to the string space area.
319 *
320 * Parameters; struct image_params * image parameter block
321 * user_addr_t string to add to strings area
322 * int segment from which string comes
323 * boolean_t TRUE if string contributes to NCARGS
324 *
325 * Returns: 0 Success
326 * !0 Failure errno from copyinstr()
327 *
328 * Implicit returns:
329 * (imgp->ip_strendp) updated location of next add, if any
330 * (imgp->ip_strspace) updated byte count of space remaining
331 * (imgp->ip_argspace) updated byte count of space in NCARGS
332 */
333 static int
334 exec_add_user_string(struct image_params *imgp, user_addr_t str, int seg, boolean_t is_ncargs)
335 {
336 int error = 0;
337
338 do {
339 size_t len = 0;
340 int space;
341
342 if (is_ncargs) {
343 space = imgp->ip_argspace; /* by definition smaller than ip_strspace */
344 } else {
345 space = imgp->ip_strspace;
346 }
347
348 if (space <= 0) {
349 error = E2BIG;
350 break;
351 }
352
353 if (!UIO_SEG_IS_USER_SPACE(seg)) {
354 char *kstr = CAST_DOWN(char *, str); /* SAFE */
355 error = copystr(kstr, imgp->ip_strendp, space, &len);
356 } else {
357 error = copyinstr(str, imgp->ip_strendp, space, &len);
358 }
359
360 imgp->ip_strendp += len;
361 imgp->ip_strspace -= len;
362 if (is_ncargs) {
363 imgp->ip_argspace -= len;
364 }
365 } while (error == ENAMETOOLONG);
366
367 return error;
368 }
369
370 /*
371 * dyld is now passed the executable path as a getenv-like variable
372 * in the same fashion as the stack_guard and malloc_entropy keys.
373 */
374 #define EXECUTABLE_KEY "executable_path="
375
376 /*
377 * exec_save_path
378 *
379 * To support new app package launching for Mac OS X, the dyld needs the
380 * first argument to execve() stored on the user stack.
381 *
382 * Save the executable path name at the bottom of the strings area and set
383 * the argument vector pointer to the location following that to indicate
384 * the start of the argument and environment tuples, setting the remaining
385 * string space count to the size of the string area minus the path length.
386 *
387 * Parameters; struct image_params * image parameter block
388 * char * path used to invoke program
389 * int segment from which path comes
390 *
391 * Returns: int 0 Success
392 * EFAULT Bad address
393 * copy[in]str:EFAULT Bad address
394 * copy[in]str:ENAMETOOLONG Filename too long
395 *
396 * Implicit returns:
397 * (imgp->ip_strings) saved path
398 * (imgp->ip_strspace) space remaining in ip_strings
399 * (imgp->ip_strendp) start of remaining copy area
400 * (imgp->ip_argspace) space remaining of NCARGS
401 * (imgp->ip_applec) Initial applev[0]
402 *
403 * Note: We have to do this before the initial namei() since in the
404 * path contains symbolic links, namei() will overwrite the
405 * original path buffer contents. If the last symbolic link
406 * resolved was a relative pathname, we would lose the original
407 * "path", which could be an absolute pathname. This might be
408 * unacceptable for dyld.
409 */
410 static int
411 exec_save_path(struct image_params *imgp, user_addr_t path, int seg, const char **excpath)
412 {
413 int error;
414 size_t len;
415 char *kpath;
416
417 // imgp->ip_strings can come out of a cache, so we need to obliterate the
418 // old path.
419 memset(imgp->ip_strings, '\0', strlen(EXECUTABLE_KEY) + MAXPATHLEN);
420
421 len = MIN(MAXPATHLEN, imgp->ip_strspace);
422
423 switch (seg) {
424 case UIO_USERSPACE32:
425 case UIO_USERSPACE64: /* Same for copyin()... */
426 error = copyinstr(path, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
427 break;
428 case UIO_SYSSPACE:
429 kpath = CAST_DOWN(char *, path); /* SAFE */
430 error = copystr(kpath, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
431 break;
432 default:
433 error = EFAULT;
434 break;
435 }
436
437 if (!error) {
438 bcopy(EXECUTABLE_KEY, imgp->ip_strings, strlen(EXECUTABLE_KEY));
439 len += strlen(EXECUTABLE_KEY);
440
441 imgp->ip_strendp += len;
442 imgp->ip_strspace -= len;
443
444 if (excpath) {
445 *excpath = imgp->ip_strings + strlen(EXECUTABLE_KEY);
446 }
447 }
448
449 return error;
450 }
451
452 /*
453 * exec_reset_save_path
454 *
455 * If we detect a shell script, we need to reset the string area
456 * state so that the interpreter can be saved onto the stack.
457 *
458 * Parameters; struct image_params * image parameter block
459 *
460 * Returns: int 0 Success
461 *
462 * Implicit returns:
463 * (imgp->ip_strings) saved path
464 * (imgp->ip_strspace) space remaining in ip_strings
465 * (imgp->ip_strendp) start of remaining copy area
466 * (imgp->ip_argspace) space remaining of NCARGS
467 *
468 */
469 static int
470 exec_reset_save_path(struct image_params *imgp)
471 {
472 imgp->ip_strendp = imgp->ip_strings;
473 imgp->ip_argspace = NCARGS;
474 imgp->ip_strspace = (NCARGS + PAGE_SIZE);
475
476 return 0;
477 }
478
479 /*
480 * exec_shell_imgact
481 *
482 * Image activator for interpreter scripts. If the image begins with
483 * the characters "#!", then it is an interpreter script. Verify the
484 * length of the script line indicating the interpreter is not in
485 * excess of the maximum allowed size. If this is the case, then
486 * break out the arguments, if any, which are separated by white
487 * space, and copy them into the argument save area as if they were
488 * provided on the command line before all other arguments. The line
489 * ends when we encounter a comment character ('#') or newline.
490 *
491 * Parameters; struct image_params * image parameter block
492 *
493 * Returns: -1 not an interpreter (keep looking)
494 * -3 Success: interpreter: relookup
495 * >0 Failure: interpreter: error number
496 *
497 * A return value other than -1 indicates subsequent image activators should
498 * not be given the opportunity to attempt to activate the image.
499 */
500 static int
501 exec_shell_imgact(struct image_params *imgp)
502 {
503 char *vdata = imgp->ip_vdata;
504 char *ihp;
505 char *line_startp, *line_endp;
506 char *interp;
507
508 /*
509 * Make sure it's a shell script. If we've already redirected
510 * from an interpreted file once, don't do it again.
511 */
512 if (vdata[0] != '#' ||
513 vdata[1] != '!' ||
514 (imgp->ip_flags & IMGPF_INTERPRET) != 0) {
515 return -1;
516 }
517
518 if (imgp->ip_origcputype != 0) {
519 /* Fat header previously matched, don't allow shell script inside */
520 return -1;
521 }
522
523 imgp->ip_flags |= IMGPF_INTERPRET;
524 imgp->ip_interp_sugid_fd = -1;
525 imgp->ip_interp_buffer[0] = '\0';
526
527 /* Check to see if SUGID scripts are permitted. If they aren't then
528 * clear the SUGID bits.
529 * imgp->ip_vattr is known to be valid.
530 */
531 if (sugid_scripts == 0) {
532 imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
533 }
534
535 /* Try to find the first non-whitespace character */
536 for (ihp = &vdata[2]; ihp < &vdata[IMG_SHSIZE]; ihp++) {
537 if (IS_EOL(*ihp)) {
538 /* Did not find interpreter, "#!\n" */
539 return ENOEXEC;
540 } else if (IS_WHITESPACE(*ihp)) {
541 /* Whitespace, like "#! /bin/sh\n", keep going. */
542 } else {
543 /* Found start of interpreter */
544 break;
545 }
546 }
547
548 if (ihp == &vdata[IMG_SHSIZE]) {
549 /* All whitespace, like "#! " */
550 return ENOEXEC;
551 }
552
553 line_startp = ihp;
554
555 /* Try to find the end of the interpreter+args string */
556 for (; ihp < &vdata[IMG_SHSIZE]; ihp++) {
557 if (IS_EOL(*ihp)) {
558 /* Got it */
559 break;
560 } else {
561 /* Still part of interpreter or args */
562 }
563 }
564
565 if (ihp == &vdata[IMG_SHSIZE]) {
566 /* A long line, like "#! blah blah blah" without end */
567 return ENOEXEC;
568 }
569
570 /* Backtrack until we find the last non-whitespace */
571 while (IS_EOL(*ihp) || IS_WHITESPACE(*ihp)) {
572 ihp--;
573 }
574
575 /* The character after the last non-whitespace is our logical end of line */
576 line_endp = ihp + 1;
577
578 /*
579 * Now we have pointers to the usable part of:
580 *
581 * "#! /usr/bin/int first second third \n"
582 * ^ line_startp ^ line_endp
583 */
584
585 /* copy the interpreter name */
586 interp = imgp->ip_interp_buffer;
587 for (ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++) {
588 *interp++ = *ihp;
589 }
590 *interp = '\0';
591
592 exec_reset_save_path(imgp);
593 exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer),
594 UIO_SYSSPACE, NULL);
595
596 /* Copy the entire interpreter + args for later processing into argv[] */
597 interp = imgp->ip_interp_buffer;
598 for (ihp = line_startp; (ihp < line_endp); ihp++) {
599 *interp++ = *ihp;
600 }
601 *interp = '\0';
602
603 #if !SECURE_KERNEL
604 /*
605 * If we have an SUID or SGID script, create a file descriptor
606 * from the vnode and pass /dev/fd/%d instead of the actual
607 * path name so that the script does not get opened twice
608 */
609 if (imgp->ip_origvattr->va_mode & (VSUID | VSGID)) {
610 proc_t p;
611 struct fileproc *fp;
612 int fd;
613 int error;
614
615 p = vfs_context_proc(imgp->ip_vfs_context);
616 error = falloc(p, &fp, &fd, imgp->ip_vfs_context);
617 if (error) {
618 return error;
619 }
620
621 fp->f_fglob->fg_flag = FREAD;
622 fp->f_fglob->fg_ops = &vnops;
623 fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
624
625 proc_fdlock(p);
626 procfdtbl_releasefd(p, fd, NULL);
627 fp_drop(p, fd, fp, 1);
628 proc_fdunlock(p);
629 vnode_ref(imgp->ip_vp);
630
631 imgp->ip_interp_sugid_fd = fd;
632 }
633 #endif
634
635 return -3;
636 }
637
638
639
640 /*
641 * exec_fat_imgact
642 *
643 * Image activator for fat 1.0 binaries. If the binary is fat, then we
644 * need to select an image from it internally, and make that the image
645 * we are going to attempt to execute. At present, this consists of
646 * reloading the first page for the image with a first page from the
647 * offset location indicated by the fat header.
648 *
649 * Parameters; struct image_params * image parameter block
650 *
651 * Returns: -1 not a fat binary (keep looking)
652 * -2 Success: encapsulated binary: reread
653 * >0 Failure: error number
654 *
655 * Important: This image activator is byte order neutral.
656 *
657 * Note: A return value other than -1 indicates subsequent image
658 * activators should not be given the opportunity to attempt
659 * to activate the image.
660 *
661 * If we find an encapsulated binary, we make no assertions
662 * about its validity; instead, we leave that up to a rescan
663 * for an activator to claim it, and, if it is claimed by one,
664 * that activator is responsible for determining validity.
665 */
666 static int
667 exec_fat_imgact(struct image_params *imgp)
668 {
669 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
670 kauth_cred_t cred = kauth_cred_proc_ref(p);
671 struct fat_header *fat_header = (struct fat_header *)imgp->ip_vdata;
672 struct _posix_spawnattr *psa = NULL;
673 struct fat_arch fat_arch;
674 int resid, error;
675 load_return_t lret;
676
677 if (imgp->ip_origcputype != 0) {
678 /* Fat header previously matched, don't allow another fat file inside */
679 error = -1; /* not claimed */
680 goto bad;
681 }
682
683 /* Make sure it's a fat binary */
684 if (OSSwapBigToHostInt32(fat_header->magic) != FAT_MAGIC) {
685 error = -1; /* not claimed */
686 goto bad;
687 }
688
689 /* imgp->ip_vdata has PAGE_SIZE, zerofilled if the file is smaller */
690 lret = fatfile_validate_fatarches((vm_offset_t)fat_header, PAGE_SIZE);
691 if (lret != LOAD_SUCCESS) {
692 error = load_return_to_errno(lret);
693 goto bad;
694 }
695
696 /* If posix_spawn binprefs exist, respect those prefs. */
697 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
698 if (psa != NULL && psa->psa_binprefs[0] != 0) {
699 uint32_t pr = 0;
700
701 /* Check each preference listed against all arches in header */
702 for (pr = 0; pr < NBINPREFS; pr++) {
703 cpu_type_t pref = psa->psa_binprefs[pr];
704 if (pref == 0) {
705 /* No suitable arch in the pref list */
706 error = EBADARCH;
707 goto bad;
708 }
709
710 if (pref == CPU_TYPE_ANY) {
711 /* Fall through to regular grading */
712 goto regular_grading;
713 }
714
715 lret = fatfile_getbestarch_for_cputype(pref,
716 (vm_offset_t)fat_header,
717 PAGE_SIZE,
718 imgp,
719 &fat_arch);
720 if (lret == LOAD_SUCCESS) {
721 goto use_arch;
722 }
723 }
724
725 /* Requested binary preference was not honored */
726 error = EBADEXEC;
727 goto bad;
728 }
729
730 regular_grading:
731 /* Look up our preferred architecture in the fat file. */
732 lret = fatfile_getbestarch((vm_offset_t)fat_header,
733 PAGE_SIZE,
734 imgp,
735 &fat_arch);
736 if (lret != LOAD_SUCCESS) {
737 error = load_return_to_errno(lret);
738 goto bad;
739 }
740
741 use_arch:
742 /* Read the Mach-O header out of fat_arch */
743 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata,
744 PAGE_SIZE, fat_arch.offset,
745 UIO_SYSSPACE, (IO_UNIT | IO_NODELOCKED),
746 cred, &resid, p);
747 if (error) {
748 goto bad;
749 }
750
751 if (resid) {
752 memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
753 }
754
755 /* Success. Indicate we have identified an encapsulated binary */
756 error = -2;
757 imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
758 imgp->ip_arch_size = (user_size_t)fat_arch.size;
759 imgp->ip_origcputype = fat_arch.cputype;
760 imgp->ip_origcpusubtype = fat_arch.cpusubtype;
761
762 bad:
763 kauth_cred_unref(&cred);
764 return error;
765 }
766
767 static int
768 activate_exec_state(task_t task, proc_t p, thread_t thread, load_result_t *result)
769 {
770 int ret;
771
772 task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, 0);
773 task_set_64bit(task, result->is_64bit_addr, result->is_64bit_data);
774 if (result->is_64bit_addr) {
775 OSBitOrAtomic(P_LP64, &p->p_flag);
776 } else {
777 OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
778 }
779 task_set_mach_header_address(task, result->mach_header);
780
781 ret = thread_state_initialize(thread);
782 if (ret != KERN_SUCCESS) {
783 return ret;
784 }
785
786 if (result->threadstate) {
787 uint32_t *ts = result->threadstate;
788 uint32_t total_size = result->threadstate_sz;
789
790 while (total_size > 0) {
791 uint32_t flavor = *ts++;
792 uint32_t size = *ts++;
793
794 ret = thread_setstatus(thread, flavor, (thread_state_t)ts, size);
795 if (ret) {
796 return ret;
797 }
798 ts += size;
799 total_size -= (size + 2) * sizeof(uint32_t);
800 }
801 }
802
803 thread_setentrypoint(thread, result->entry_point);
804
805 return KERN_SUCCESS;
806 }
807
808
809 /*
810 * Set p->p_comm and p->p_name to the name passed to exec
811 */
812 static void
813 set_proc_name(struct image_params *imgp, proc_t p)
814 {
815 int p_name_len = sizeof(p->p_name) - 1;
816
817 if (imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len) {
818 imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
819 }
820
821 bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
822 (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
823 p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
824
825 if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN) {
826 imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
827 }
828
829 bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
830 (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
831 p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
832 }
833
834 /*
835 * exec_mach_imgact
836 *
837 * Image activator for mach-o 1.0 binaries.
838 *
839 * Parameters; struct image_params * image parameter block
840 *
841 * Returns: -1 not a fat binary (keep looking)
842 * -2 Success: encapsulated binary: reread
843 * >0 Failure: error number
844 * EBADARCH Mach-o binary, but with an unrecognized
845 * architecture
846 * ENOMEM No memory for child process after -
847 * can only happen after vfork()
848 *
849 * Important: This image activator is NOT byte order neutral.
850 *
851 * Note: A return value other than -1 indicates subsequent image
852 * activators should not be given the opportunity to attempt
853 * to activate the image.
854 *
855 * TODO: More gracefully handle failures after vfork
856 */
857 static int
858 exec_mach_imgact(struct image_params *imgp)
859 {
860 struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
861 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
862 int error = 0;
863 task_t task;
864 task_t new_task = NULL; /* protected by vfexec */
865 thread_t thread;
866 struct uthread *uthread;
867 vm_map_t old_map = VM_MAP_NULL;
868 vm_map_t map = VM_MAP_NULL;
869 load_return_t lret;
870 load_result_t load_result = {};
871 struct _posix_spawnattr *psa = NULL;
872 int spawn = (imgp->ip_flags & IMGPF_SPAWN);
873 int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
874 int exec = (imgp->ip_flags & IMGPF_EXEC);
875 os_reason_t exec_failure_reason = OS_REASON_NULL;
876
877 /*
878 * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
879 * is a reserved field on the end, so for the most part, we can
880 * treat them as if they were identical. Reverse-endian Mach-O
881 * binaries are recognized but not compatible.
882 */
883 if ((mach_header->magic == MH_CIGAM) ||
884 (mach_header->magic == MH_CIGAM_64)) {
885 error = EBADARCH;
886 goto bad;
887 }
888
889 if ((mach_header->magic != MH_MAGIC) &&
890 (mach_header->magic != MH_MAGIC_64)) {
891 error = -1;
892 goto bad;
893 }
894
895 if (mach_header->filetype != MH_EXECUTE) {
896 error = -1;
897 goto bad;
898 }
899
900 if (imgp->ip_origcputype != 0) {
901 /* Fat header previously had an idea about this thin file */
902 if (imgp->ip_origcputype != mach_header->cputype ||
903 imgp->ip_origcpusubtype != mach_header->cpusubtype) {
904 error = EBADARCH;
905 goto bad;
906 }
907 } else {
908 imgp->ip_origcputype = mach_header->cputype;
909 imgp->ip_origcpusubtype = mach_header->cpusubtype;
910 }
911
912 task = current_task();
913 thread = current_thread();
914 uthread = get_bsdthread_info(thread);
915
916 if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64) {
917 imgp->ip_flags |= IMGPF_IS_64BIT_ADDR | IMGPF_IS_64BIT_DATA;
918 }
919
920 /* If posix_spawn binprefs exist, respect those prefs. */
921 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
922 if (psa != NULL && psa->psa_binprefs[0] != 0) {
923 int pr = 0;
924 for (pr = 0; pr < NBINPREFS; pr++) {
925 cpu_type_t pref = psa->psa_binprefs[pr];
926 if (pref == 0) {
927 /* No suitable arch in the pref list */
928 error = EBADARCH;
929 goto bad;
930 }
931
932 if (pref == CPU_TYPE_ANY) {
933 /* Jump to regular grading */
934 goto grade;
935 }
936
937 if (pref == imgp->ip_origcputype) {
938 /* We have a match! */
939 goto grade;
940 }
941 }
942 error = EBADARCH;
943 goto bad;
944 }
945 grade:
946 if (!grade_binary(imgp->ip_origcputype, imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK, TRUE)) {
947 error = EBADARCH;
948 goto bad;
949 }
950
951 if (validate_potential_simulator_binary(imgp->ip_origcputype, imgp,
952 imgp->ip_arch_offset, imgp->ip_arch_size) != LOAD_SUCCESS) {
953 #if __x86_64__
954 const char *excpath;
955 error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath);
956 os_log_error(OS_LOG_DEFAULT, "Unsupported 32-bit executable: \"%s\"", (error) ? imgp->ip_vp->v_name : excpath);
957 #endif
958 error = EBADARCH;
959 goto bad;
960 }
961
962 #if defined(HAS_APPLE_PAC)
963 assert(mach_header->cputype == CPU_TYPE_ARM64
964 );
965
966 if (((mach_header->cputype == CPU_TYPE_ARM64 &&
967 (mach_header->cpusubtype & ~CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E)
968 ) && (CPU_SUBTYPE_ARM64_PTR_AUTH_VERSION(mach_header->cpusubtype) == 0)) {
969 imgp->ip_flags &= ~IMGPF_NOJOP;
970 } else {
971 imgp->ip_flags |= IMGPF_NOJOP;
972 }
973 #endif
974
975 /* Copy in arguments/environment from the old process */
976 error = exec_extract_strings(imgp);
977 if (error) {
978 goto bad;
979 }
980
981 AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc,
982 imgp->ip_endargv - imgp->ip_startargv);
983 AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
984 imgp->ip_endenvv - imgp->ip_endargv);
985
986 /*
987 * We are being called to activate an image subsequent to a vfork()
988 * operation; in this case, we know that our task, thread, and
989 * uthread are actually those of our parent, and our proc, which we
990 * obtained indirectly from the image_params vfs_context_t, is the
991 * new child process.
992 */
993 if (vfexec) {
994 imgp->ip_new_thread = fork_create_child(task,
995 NULL,
996 p,
997 FALSE,
998 (imgp->ip_flags & IMGPF_IS_64BIT_ADDR),
999 (imgp->ip_flags & IMGPF_IS_64BIT_DATA),
1000 FALSE);
1001 /* task and thread ref returned, will be released in __mac_execve */
1002 if (imgp->ip_new_thread == NULL) {
1003 error = ENOMEM;
1004 goto bad;
1005 }
1006 }
1007
1008
1009 /* reset local idea of thread, uthread, task */
1010 thread = imgp->ip_new_thread;
1011 uthread = get_bsdthread_info(thread);
1012 task = new_task = get_threadtask(thread);
1013
1014 /*
1015 * Load the Mach-O file.
1016 *
1017 * NOTE: An error after this point indicates we have potentially
1018 * destroyed or overwritten some process state while attempting an
1019 * execve() following a vfork(), which is an unrecoverable condition.
1020 * We send the new process an immediate SIGKILL to avoid it executing
1021 * any instructions in the mutated address space. For true spawns,
1022 * this is not the case, and "too late" is still not too late to
1023 * return an error code to the parent process.
1024 */
1025
1026 /*
1027 * Actually load the image file we previously decided to load.
1028 */
1029 lret = load_machfile(imgp, mach_header, thread, &map, &load_result);
1030 if (lret != LOAD_SUCCESS) {
1031 error = load_return_to_errno(lret);
1032
1033 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1034 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO, 0, 0);
1035 if (lret == LOAD_BADMACHO_UPX) {
1036 set_proc_name(imgp, p);
1037 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_UPX);
1038 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1039 } else {
1040 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO);
1041
1042 if (bootarg_execfailurereports) {
1043 set_proc_name(imgp, p);
1044 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1045 }
1046 }
1047
1048 exec_failure_reason->osr_flags |= OS_REASON_FLAG_CONSISTENT_FAILURE;
1049
1050 goto badtoolate;
1051 }
1052
1053 proc_lock(p);
1054 p->p_cputype = imgp->ip_origcputype;
1055 p->p_cpusubtype = imgp->ip_origcpusubtype;
1056 p->p_platform = load_result.ip_platform;
1057 p->p_sdk = load_result.lr_sdk;
1058 proc_unlock(p);
1059
1060 vm_map_set_user_wire_limit(map, p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
1061
1062 /*
1063 * Set code-signing flags if this binary is signed, or if parent has
1064 * requested them on exec.
1065 */
1066 if (load_result.csflags & CS_VALID) {
1067 imgp->ip_csflags |= load_result.csflags &
1068 (CS_VALID | CS_SIGNED | CS_DEV_CODE |
1069 CS_HARD | CS_KILL | CS_RESTRICT | CS_ENFORCEMENT | CS_REQUIRE_LV |
1070 CS_FORCED_LV | CS_ENTITLEMENTS_VALIDATED | CS_DYLD_PLATFORM | CS_RUNTIME |
1071 CS_ENTITLEMENT_FLAGS |
1072 CS_EXEC_SET_HARD | CS_EXEC_SET_KILL | CS_EXEC_SET_ENFORCEMENT);
1073 } else {
1074 imgp->ip_csflags &= ~CS_VALID;
1075 }
1076
1077 if (p->p_csflags & CS_EXEC_SET_HARD) {
1078 imgp->ip_csflags |= CS_HARD;
1079 }
1080 if (p->p_csflags & CS_EXEC_SET_KILL) {
1081 imgp->ip_csflags |= CS_KILL;
1082 }
1083 if (p->p_csflags & CS_EXEC_SET_ENFORCEMENT) {
1084 imgp->ip_csflags |= CS_ENFORCEMENT;
1085 }
1086 if (p->p_csflags & CS_EXEC_INHERIT_SIP) {
1087 if (p->p_csflags & CS_INSTALLER) {
1088 imgp->ip_csflags |= CS_INSTALLER;
1089 }
1090 if (p->p_csflags & CS_DATAVAULT_CONTROLLER) {
1091 imgp->ip_csflags |= CS_DATAVAULT_CONTROLLER;
1092 }
1093 if (p->p_csflags & CS_NVRAM_UNRESTRICTED) {
1094 imgp->ip_csflags |= CS_NVRAM_UNRESTRICTED;
1095 }
1096 }
1097
1098 /*
1099 * Set up the system reserved areas in the new address space.
1100 */
1101 int cpu_subtype;
1102 cpu_subtype = 0; /* all cpu_subtypes use the same shared region */
1103 #if defined(HAS_APPLE_PAC)
1104 if (cpu_type() == CPU_TYPE_ARM64 &&
1105 (p->p_cpusubtype & ~CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E) {
1106 assertf(p->p_cputype == CPU_TYPE_ARM64,
1107 "p %p cpu_type() 0x%x p->p_cputype 0x%x p->p_cpusubtype 0x%x",
1108 p, cpu_type(), p->p_cputype, p->p_cpusubtype);
1109 /*
1110 * arm64e uses pointer authentication, so request a separate
1111 * shared region for this CPU subtype.
1112 */
1113 cpu_subtype = p->p_cpusubtype & ~CPU_SUBTYPE_MASK;
1114 }
1115 #endif /* HAS_APPLE_PAC */
1116 vm_map_exec(map, task, load_result.is_64bit_addr, (void *)p->p_fd->fd_rdir, cpu_type(), cpu_subtype);
1117
1118 /*
1119 * Close file descriptors which specify close-on-exec.
1120 */
1121 fdexec(p, psa != NULL ? psa->psa_flags : 0, exec);
1122
1123 /*
1124 * deal with set[ug]id.
1125 */
1126 error = exec_handle_sugid(imgp);
1127 if (error) {
1128 vm_map_deallocate(map);
1129
1130 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1131 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE, 0, 0);
1132
1133 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE);
1134 if (bootarg_execfailurereports) {
1135 set_proc_name(imgp, p);
1136 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1137 }
1138
1139 goto badtoolate;
1140 }
1141
1142 /*
1143 * Commit to new map.
1144 *
1145 * Swap the new map for the old for target task, which consumes
1146 * our new map reference but each leaves us responsible for the
1147 * old_map reference. That lets us get off the pmap associated
1148 * with it, and then we can release it.
1149 *
1150 * The map needs to be set on the target task which is different
1151 * than current task, thus swap_task_map is used instead of
1152 * vm_map_switch.
1153 */
1154 old_map = swap_task_map(task, thread, map);
1155 vm_map_deallocate(old_map);
1156 old_map = NULL;
1157
1158 lret = activate_exec_state(task, p, thread, &load_result);
1159 if (lret != KERN_SUCCESS) {
1160 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1161 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE, 0, 0);
1162
1163 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE);
1164 if (bootarg_execfailurereports) {
1165 set_proc_name(imgp, p);
1166 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1167 }
1168
1169 goto badtoolate;
1170 }
1171
1172 /*
1173 * deal with voucher on exec-calling thread.
1174 */
1175 if (imgp->ip_new_thread == NULL) {
1176 thread_set_mach_voucher(current_thread(), IPC_VOUCHER_NULL);
1177 }
1178
1179 /* Make sure we won't interrupt ourself signalling a partial process */
1180 if (!vfexec && !spawn && (p->p_lflag & P_LTRACED)) {
1181 psignal(p, SIGTRAP);
1182 }
1183
1184 if (load_result.unixproc &&
1185 create_unix_stack(get_task_map(task),
1186 &load_result,
1187 p) != KERN_SUCCESS) {
1188 error = load_return_to_errno(LOAD_NOSPACE);
1189
1190 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1191 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC, 0, 0);
1192
1193 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC);
1194 if (bootarg_execfailurereports) {
1195 set_proc_name(imgp, p);
1196 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1197 }
1198
1199 goto badtoolate;
1200 }
1201
1202 error = exec_add_apple_strings(imgp, &load_result);
1203 if (error) {
1204 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1205 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT, 0, 0);
1206
1207 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT);
1208 if (bootarg_execfailurereports) {
1209 set_proc_name(imgp, p);
1210 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1211 }
1212 goto badtoolate;
1213 }
1214
1215 /* Switch to target task's map to copy out strings */
1216 old_map = vm_map_switch(get_task_map(task));
1217
1218 if (load_result.unixproc) {
1219 user_addr_t ap;
1220
1221 /*
1222 * Copy the strings area out into the new process address
1223 * space.
1224 */
1225 ap = p->user_stack;
1226 error = exec_copyout_strings(imgp, &ap);
1227 if (error) {
1228 vm_map_switch(old_map);
1229
1230 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1231 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS, 0, 0);
1232
1233 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS);
1234 if (bootarg_execfailurereports) {
1235 set_proc_name(imgp, p);
1236 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1237 }
1238 goto badtoolate;
1239 }
1240 /* Set the stack */
1241 thread_setuserstack(thread, ap);
1242 }
1243
1244 if (load_result.dynlinker) {
1245 uint64_t ap;
1246 int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
1247
1248 /* Adjust the stack */
1249 ap = thread_adjuserstack(thread, -new_ptr_size);
1250 error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
1251
1252 if (error) {
1253 vm_map_switch(old_map);
1254
1255 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1256 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER, 0, 0);
1257
1258 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER);
1259 if (bootarg_execfailurereports) {
1260 set_proc_name(imgp, p);
1261 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
1262 }
1263 goto badtoolate;
1264 }
1265 task_set_dyld_info(task, load_result.all_image_info_addr,
1266 load_result.all_image_info_size);
1267 }
1268
1269 /* Avoid immediate VM faults back into kernel */
1270 exec_prefault_data(p, imgp, &load_result);
1271
1272 vm_map_switch(old_map);
1273
1274 /*
1275 * Reset signal state.
1276 */
1277 execsigs(p, thread);
1278
1279 /*
1280 * need to cancel async IO requests that can be cancelled and wait for those
1281 * already active. MAY BLOCK!
1282 */
1283 _aio_exec( p );
1284
1285 #if SYSV_SHM
1286 /* FIXME: Till vmspace inherit is fixed: */
1287 if (!vfexec && p->vm_shm) {
1288 shmexec(p);
1289 }
1290 #endif
1291 #if SYSV_SEM
1292 /* Clean up the semaphores */
1293 semexit(p);
1294 #endif
1295
1296 /*
1297 * Remember file name for accounting.
1298 */
1299 p->p_acflag &= ~AFORK;
1300
1301 set_proc_name(imgp, p);
1302
1303 #if CONFIG_SECLUDED_MEMORY
1304 if (secluded_for_apps &&
1305 load_result.platform_binary) {
1306 if (strncmp(p->p_name,
1307 "Camera",
1308 sizeof(p->p_name)) == 0) {
1309 task_set_could_use_secluded_mem(task, TRUE);
1310 } else {
1311 task_set_could_use_secluded_mem(task, FALSE);
1312 }
1313 if (strncmp(p->p_name,
1314 "mediaserverd",
1315 sizeof(p->p_name)) == 0) {
1316 task_set_could_also_use_secluded_mem(task, TRUE);
1317 }
1318 }
1319 #endif /* CONFIG_SECLUDED_MEMORY */
1320
1321 #if __arm64__
1322 if (load_result.legacy_footprint) {
1323 task_set_legacy_footprint(task);
1324 }
1325 #endif /* __arm64__ */
1326
1327 pal_dbg_set_task_name(task);
1328
1329 /*
1330 * The load result will have already been munged by AMFI to include the
1331 * platform binary flag if boot-args dictated it (AMFI will mark anything
1332 * that doesn't go through the upcall path as a platform binary if its
1333 * enforcement is disabled).
1334 */
1335 if (load_result.platform_binary) {
1336 if (cs_debug) {
1337 printf("setting platform binary on task: pid = %d\n", p->p_pid);
1338 }
1339
1340 /*
1341 * We must use 'task' here because the proc's task has not yet been
1342 * switched to the new one.
1343 */
1344 task_set_platform_binary(task, TRUE);
1345 } else {
1346 if (cs_debug) {
1347 printf("clearing platform binary on task: pid = %d\n", p->p_pid);
1348 }
1349
1350 task_set_platform_binary(task, FALSE);
1351 }
1352
1353 #if DEVELOPMENT || DEBUG
1354 /*
1355 * Update the pid an proc name for importance base if any
1356 */
1357 task_importance_update_owner_info(task);
1358 #endif
1359
1360 memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
1361
1362 #if CONFIG_DTRACE
1363 dtrace_proc_exec(p);
1364 #endif
1365
1366 if (kdebug_enable) {
1367 long args[4] = {};
1368
1369 uintptr_t fsid = 0, fileid = 0;
1370 if (imgp->ip_vattr) {
1371 uint64_t fsid64 = vnode_get_va_fsid(imgp->ip_vattr);
1372 fsid = fsid64;
1373 fileid = imgp->ip_vattr->va_fileid;
1374 // check for (unexpected) overflow and trace zero in that case
1375 if (fsid != fsid64 || fileid != imgp->ip_vattr->va_fileid) {
1376 fsid = fileid = 0;
1377 }
1378 }
1379 KERNEL_DEBUG_CONSTANT_IST1(TRACE_DATA_EXEC, p->p_pid, fsid, fileid, 0,
1380 (uintptr_t)thread_tid(thread));
1381
1382 /*
1383 * Collect the pathname for tracing
1384 */
1385 kdbg_trace_string(p, &args[0], &args[1], &args[2], &args[3]);
1386 KERNEL_DEBUG_CONSTANT_IST1(TRACE_STRING_EXEC, args[0], args[1],
1387 args[2], args[3], (uintptr_t)thread_tid(thread));
1388 }
1389
1390 /*
1391 * If posix_spawned with the START_SUSPENDED flag, stop the
1392 * process before it runs.
1393 */
1394 if (imgp->ip_px_sa != NULL) {
1395 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
1396 if (psa->psa_flags & POSIX_SPAWN_START_SUSPENDED) {
1397 proc_lock(p);
1398 p->p_stat = SSTOP;
1399 proc_unlock(p);
1400 (void) task_suspend_internal(task);
1401 }
1402 }
1403
1404 /*
1405 * mark as execed, wakeup the process that vforked (if any) and tell
1406 * it that it now has its own resources back
1407 */
1408 OSBitOrAtomic(P_EXEC, &p->p_flag);
1409 proc_resetregister(p);
1410 if (p->p_pptr && (p->p_lflag & P_LPPWAIT)) {
1411 proc_lock(p);
1412 p->p_lflag &= ~P_LPPWAIT;
1413 proc_unlock(p);
1414 wakeup((caddr_t)p->p_pptr);
1415 }
1416
1417 /*
1418 * Pay for our earlier safety; deliver the delayed signals from
1419 * the incomplete vfexec process now that it's complete.
1420 */
1421 if (vfexec && (p->p_lflag & P_LTRACED)) {
1422 psignal_vfork(p, new_task, thread, SIGTRAP);
1423 }
1424
1425 goto done;
1426
1427 badtoolate:
1428 /* Don't allow child process to execute any instructions */
1429 if (!spawn) {
1430 if (vfexec) {
1431 assert(exec_failure_reason != OS_REASON_NULL);
1432 psignal_vfork_with_reason(p, new_task, thread, SIGKILL, exec_failure_reason);
1433 exec_failure_reason = OS_REASON_NULL;
1434 } else {
1435 assert(exec_failure_reason != OS_REASON_NULL);
1436 psignal_with_reason(p, SIGKILL, exec_failure_reason);
1437 exec_failure_reason = OS_REASON_NULL;
1438
1439 if (exec) {
1440 /* Terminate the exec copy task */
1441 task_terminate_internal(task);
1442 }
1443 }
1444
1445 /* We can't stop this system call at this point, so just pretend we succeeded */
1446 error = 0;
1447 } else {
1448 os_reason_free(exec_failure_reason);
1449 exec_failure_reason = OS_REASON_NULL;
1450 }
1451
1452 done:
1453 if (load_result.threadstate) {
1454 kfree(load_result.threadstate, load_result.threadstate_sz);
1455 load_result.threadstate = NULL;
1456 }
1457
1458 bad:
1459 /* If we hit this, we likely would have leaked an exit reason */
1460 assert(exec_failure_reason == OS_REASON_NULL);
1461 return error;
1462 }
1463
1464
1465
1466
1467 /*
1468 * Our image activator table; this is the table of the image types we are
1469 * capable of loading. We list them in order of preference to ensure the
1470 * fastest image load speed.
1471 *
1472 * XXX hardcoded, for now; should use linker sets
1473 */
1474 struct execsw {
1475 int(*const ex_imgact)(struct image_params *);
1476 const char *ex_name;
1477 }const execsw[] = {
1478 { exec_mach_imgact, "Mach-o Binary" },
1479 { exec_fat_imgact, "Fat Binary" },
1480 { exec_shell_imgact, "Interpreter Script" },
1481 { NULL, NULL}
1482 };
1483
1484
1485 /*
1486 * exec_activate_image
1487 *
1488 * Description: Iterate through the available image activators, and activate
1489 * the image associated with the imgp structure. We start with
1490 * the activator for Mach-o binaries followed by that for Fat binaries
1491 * for Interpreter scripts.
1492 *
1493 * Parameters: struct image_params * Image parameter block
1494 *
1495 * Returns: 0 Success
1496 * EBADEXEC The executable is corrupt/unknown
1497 * execargs_alloc:EINVAL Invalid argument
1498 * execargs_alloc:EACCES Permission denied
1499 * execargs_alloc:EINTR Interrupted function
1500 * execargs_alloc:ENOMEM Not enough space
1501 * exec_save_path:EFAULT Bad address
1502 * exec_save_path:ENAMETOOLONG Filename too long
1503 * exec_check_permissions:EACCES Permission denied
1504 * exec_check_permissions:ENOEXEC Executable file format error
1505 * exec_check_permissions:ETXTBSY Text file busy [misuse of error code]
1506 * exec_check_permissions:???
1507 * namei:???
1508 * vn_rdwr:??? [anything vn_rdwr can return]
1509 * <ex_imgact>:??? [anything an imgact can return]
1510 * EDEADLK Process is being terminated
1511 */
1512 static int
1513 exec_activate_image(struct image_params *imgp)
1514 {
1515 struct nameidata *ndp = NULL;
1516 const char *excpath;
1517 int error;
1518 int resid;
1519 int once = 1; /* save SGUID-ness for interpreted files */
1520 int i;
1521 int itercount = 0;
1522 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1523
1524 error = execargs_alloc(imgp);
1525 if (error) {
1526 goto bad_notrans;
1527 }
1528
1529 error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath);
1530 if (error) {
1531 goto bad_notrans;
1532 }
1533
1534 /* Use excpath, which contains the copyin-ed exec path */
1535 DTRACE_PROC1(exec, uintptr_t, excpath);
1536
1537 MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
1538 if (ndp == NULL) {
1539 error = ENOMEM;
1540 goto bad_notrans;
1541 }
1542
1543 NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1544 UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
1545
1546 again:
1547 error = namei(ndp);
1548 if (error) {
1549 goto bad_notrans;
1550 }
1551 imgp->ip_ndp = ndp; /* successful namei(); call nameidone() later */
1552 imgp->ip_vp = ndp->ni_vp; /* if set, need to vnode_put() at some point */
1553
1554 /*
1555 * Before we start the transition from binary A to binary B, make
1556 * sure another thread hasn't started exiting the process. We grab
1557 * the proc lock to check p_lflag initially, and the transition
1558 * mechanism ensures that the value doesn't change after we release
1559 * the lock.
1560 */
1561 proc_lock(p);
1562 if (p->p_lflag & P_LEXIT) {
1563 error = EDEADLK;
1564 proc_unlock(p);
1565 goto bad_notrans;
1566 }
1567 error = proc_transstart(p, 1, 0);
1568 proc_unlock(p);
1569 if (error) {
1570 goto bad_notrans;
1571 }
1572
1573 error = exec_check_permissions(imgp);
1574 if (error) {
1575 goto bad;
1576 }
1577
1578 /* Copy; avoid invocation of an interpreter overwriting the original */
1579 if (once) {
1580 once = 0;
1581 *imgp->ip_origvattr = *imgp->ip_vattr;
1582 }
1583
1584 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE, 0,
1585 UIO_SYSSPACE, IO_NODELOCKED,
1586 vfs_context_ucred(imgp->ip_vfs_context),
1587 &resid, vfs_context_proc(imgp->ip_vfs_context));
1588 if (error) {
1589 goto bad;
1590 }
1591
1592 if (resid) {
1593 memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
1594 }
1595
1596 encapsulated_binary:
1597 /* Limit the number of iterations we will attempt on each binary */
1598 if (++itercount > EAI_ITERLIMIT) {
1599 error = EBADEXEC;
1600 goto bad;
1601 }
1602 error = -1;
1603 for (i = 0; error == -1 && execsw[i].ex_imgact != NULL; i++) {
1604 error = (*execsw[i].ex_imgact)(imgp);
1605
1606 switch (error) {
1607 /* case -1: not claimed: continue */
1608 case -2: /* Encapsulated binary, imgp->ip_XXX set for next iteration */
1609 goto encapsulated_binary;
1610
1611 case -3: /* Interpreter */
1612 #if CONFIG_MACF
1613 /*
1614 * Copy the script label for later use. Note that
1615 * the label can be different when the script is
1616 * actually read by the interpreter.
1617 */
1618 if (imgp->ip_scriptlabelp) {
1619 mac_vnode_label_free(imgp->ip_scriptlabelp);
1620 }
1621 imgp->ip_scriptlabelp = mac_vnode_label_alloc();
1622 if (imgp->ip_scriptlabelp == NULL) {
1623 error = ENOMEM;
1624 break;
1625 }
1626 mac_vnode_label_copy(imgp->ip_vp->v_label,
1627 imgp->ip_scriptlabelp);
1628
1629 /*
1630 * Take a ref of the script vnode for later use.
1631 */
1632 if (imgp->ip_scriptvp) {
1633 vnode_put(imgp->ip_scriptvp);
1634 imgp->ip_scriptvp = NULLVP;
1635 }
1636 if (vnode_getwithref(imgp->ip_vp) == 0) {
1637 imgp->ip_scriptvp = imgp->ip_vp;
1638 }
1639 #endif
1640
1641 nameidone(ndp);
1642
1643 vnode_put(imgp->ip_vp);
1644 imgp->ip_vp = NULL; /* already put */
1645 imgp->ip_ndp = NULL; /* already nameidone */
1646
1647 /* Use excpath, which exec_shell_imgact reset to the interpreter */
1648 NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF,
1649 UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
1650
1651 proc_transend(p, 0);
1652 goto again;
1653
1654 default:
1655 break;
1656 }
1657 }
1658
1659 if (error == 0) {
1660 if (imgp->ip_flags & IMGPF_INTERPRET && ndp->ni_vp) {
1661 AUDIT_ARG(vnpath, ndp->ni_vp, ARG_VNODE2);
1662 }
1663
1664 /*
1665 * Call out to allow 3rd party notification of exec.
1666 * Ignore result of kauth_authorize_fileop call.
1667 */
1668 if (kauth_authorize_fileop_has_listeners()) {
1669 kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
1670 KAUTH_FILEOP_EXEC,
1671 (uintptr_t)ndp->ni_vp, 0);
1672 }
1673 }
1674 bad:
1675 proc_transend(p, 0);
1676
1677 bad_notrans:
1678 if (imgp->ip_strings) {
1679 execargs_free(imgp);
1680 }
1681 if (imgp->ip_ndp) {
1682 nameidone(imgp->ip_ndp);
1683 }
1684 if (ndp) {
1685 FREE(ndp, M_TEMP);
1686 }
1687
1688 return error;
1689 }
1690
1691 /*
1692 * exec_validate_spawnattr_policy
1693 *
1694 * Description: Validates the entitlements required to set the apptype.
1695 *
1696 * Parameters: int psa_apptype posix spawn attribute apptype
1697 *
1698 * Returns: 0 Success
1699 * EPERM Failure
1700 */
1701 static errno_t
1702 exec_validate_spawnattr_policy(int psa_apptype)
1703 {
1704 if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != 0) {
1705 int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK;
1706 if (proctype == POSIX_SPAWN_PROC_TYPE_DRIVER) {
1707 if (!IOTaskHasEntitlement(current_task(), POSIX_SPAWN_ENTITLEMENT_DRIVER)) {
1708 return EPERM;
1709 }
1710 }
1711 }
1712
1713 return 0;
1714 }
1715
1716 /*
1717 * exec_handle_spawnattr_policy
1718 *
1719 * Description: Decode and apply the posix_spawn apptype, qos clamp, and watchport ports to the task.
1720 *
1721 * Parameters: proc_t p process to apply attributes to
1722 * int psa_apptype posix spawn attribute apptype
1723 *
1724 * Returns: 0 Success
1725 */
1726 static errno_t
1727 exec_handle_spawnattr_policy(proc_t p, thread_t thread, int psa_apptype, uint64_t psa_qos_clamp,
1728 uint64_t psa_darwin_role, struct exec_port_actions *port_actions)
1729 {
1730 int apptype = TASK_APPTYPE_NONE;
1731 int qos_clamp = THREAD_QOS_UNSPECIFIED;
1732 int role = TASK_UNSPECIFIED;
1733
1734 if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != 0) {
1735 int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK;
1736
1737 switch (proctype) {
1738 case POSIX_SPAWN_PROC_TYPE_DAEMON_INTERACTIVE:
1739 apptype = TASK_APPTYPE_DAEMON_INTERACTIVE;
1740 break;
1741 case POSIX_SPAWN_PROC_TYPE_DAEMON_STANDARD:
1742 apptype = TASK_APPTYPE_DAEMON_STANDARD;
1743 break;
1744 case POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE:
1745 apptype = TASK_APPTYPE_DAEMON_ADAPTIVE;
1746 break;
1747 case POSIX_SPAWN_PROC_TYPE_DAEMON_BACKGROUND:
1748 apptype = TASK_APPTYPE_DAEMON_BACKGROUND;
1749 break;
1750 case POSIX_SPAWN_PROC_TYPE_APP_DEFAULT:
1751 apptype = TASK_APPTYPE_APP_DEFAULT;
1752 break;
1753 #if !CONFIG_EMBEDDED
1754 case POSIX_SPAWN_PROC_TYPE_APP_TAL:
1755 apptype = TASK_APPTYPE_APP_TAL;
1756 break;
1757 #endif /* !CONFIG_EMBEDDED */
1758 case POSIX_SPAWN_PROC_TYPE_DRIVER:
1759 apptype = TASK_APPTYPE_DRIVER;
1760 break;
1761 default:
1762 apptype = TASK_APPTYPE_NONE;
1763 /* TODO: Should an invalid value here fail the spawn? */
1764 break;
1765 }
1766 }
1767
1768 if (psa_qos_clamp != POSIX_SPAWN_PROC_CLAMP_NONE) {
1769 switch (psa_qos_clamp) {
1770 case POSIX_SPAWN_PROC_CLAMP_UTILITY:
1771 qos_clamp = THREAD_QOS_UTILITY;
1772 break;
1773 case POSIX_SPAWN_PROC_CLAMP_BACKGROUND:
1774 qos_clamp = THREAD_QOS_BACKGROUND;
1775 break;
1776 case POSIX_SPAWN_PROC_CLAMP_MAINTENANCE:
1777 qos_clamp = THREAD_QOS_MAINTENANCE;
1778 break;
1779 default:
1780 qos_clamp = THREAD_QOS_UNSPECIFIED;
1781 /* TODO: Should an invalid value here fail the spawn? */
1782 break;
1783 }
1784 }
1785
1786 if (psa_darwin_role != PRIO_DARWIN_ROLE_DEFAULT) {
1787 proc_darwin_role_to_task_role(psa_darwin_role, &role);
1788 }
1789
1790 if (apptype != TASK_APPTYPE_NONE ||
1791 qos_clamp != THREAD_QOS_UNSPECIFIED ||
1792 role != TASK_UNSPECIFIED ||
1793 port_actions->portwatch_count) {
1794 proc_set_task_spawnpolicy(p->task, thread, apptype, qos_clamp, role,
1795 port_actions->portwatch_array, port_actions->portwatch_count);
1796 }
1797
1798 if (port_actions->registered_count) {
1799 if (mach_ports_register(p->task, port_actions->registered_array,
1800 port_actions->registered_count)) {
1801 return EINVAL;
1802 }
1803 /* mach_ports_register() consumed the array */
1804 port_actions->registered_array = NULL;
1805 port_actions->registered_count = 0;
1806 }
1807
1808 return 0;
1809 }
1810
1811 static void
1812 exec_port_actions_destroy(struct exec_port_actions *port_actions)
1813 {
1814 if (port_actions->portwatch_array) {
1815 for (uint32_t i = 0; i < port_actions->portwatch_count; i++) {
1816 ipc_port_t port = NULL;
1817 if ((port = port_actions->portwatch_array[i]) != NULL) {
1818 ipc_port_release_send(port);
1819 }
1820 }
1821 kfree(port_actions->portwatch_array,
1822 port_actions->portwatch_count * sizeof(ipc_port_t *));
1823 }
1824
1825 if (port_actions->registered_array) {
1826 for (uint32_t i = 0; i < port_actions->registered_count; i++) {
1827 ipc_port_t port = NULL;
1828 if ((port = port_actions->registered_array[i]) != NULL) {
1829 ipc_port_release_send(port);
1830 }
1831 }
1832 kfree(port_actions->registered_array,
1833 port_actions->registered_count * sizeof(ipc_port_t *));
1834 }
1835 }
1836
1837 /*
1838 * exec_handle_port_actions
1839 *
1840 * Description: Go through the _posix_port_actions_t contents,
1841 * calling task_set_special_port, task_set_exception_ports
1842 * and/or audit_session_spawnjoin for the current task.
1843 *
1844 * Parameters: struct image_params * Image parameter block
1845 *
1846 * Returns: 0 Success
1847 * EINVAL Failure
1848 * ENOTSUP Illegal posix_spawn attr flag was set
1849 */
1850 static errno_t
1851 exec_handle_port_actions(struct image_params *imgp,
1852 struct exec_port_actions *actions)
1853 {
1854 _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
1855 #if CONFIG_AUDIT
1856 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1857 #endif
1858 _ps_port_action_t *act = NULL;
1859 task_t task = get_threadtask(imgp->ip_new_thread);
1860 ipc_port_t port = NULL;
1861 errno_t ret = 0;
1862 int i, portwatch_i = 0, registered_i = 0;
1863 kern_return_t kr;
1864 boolean_t task_has_watchport_boost = task_has_watchports(current_task());
1865 boolean_t in_exec = (imgp->ip_flags & IMGPF_EXEC);
1866 boolean_t suid_cred_specified = FALSE;
1867
1868 for (i = 0; i < pacts->pspa_count; i++) {
1869 act = &pacts->pspa_actions[i];
1870
1871 switch (act->port_type) {
1872 case PSPA_SPECIAL:
1873 case PSPA_EXCEPTION:
1874 #if CONFIG_AUDIT
1875 case PSPA_AU_SESSION:
1876 #endif
1877 break;
1878 case PSPA_IMP_WATCHPORTS:
1879 if (++actions->portwatch_count > TASK_MAX_WATCHPORT_COUNT) {
1880 ret = EINVAL;
1881 goto done;
1882 }
1883 break;
1884 case PSPA_REGISTERED_PORTS:
1885 if (++actions->registered_count > TASK_PORT_REGISTER_MAX) {
1886 ret = EINVAL;
1887 goto done;
1888 }
1889 break;
1890
1891 case PSPA_SUID_CRED:
1892 /* Only a single suid credential can be specified. */
1893 if (suid_cred_specified) {
1894 ret = EINVAL;
1895 goto done;
1896 }
1897 suid_cred_specified = TRUE;
1898 break;
1899
1900 default:
1901 ret = EINVAL;
1902 goto done;
1903 }
1904 }
1905
1906 if (actions->portwatch_count) {
1907 if (in_exec && task_has_watchport_boost) {
1908 ret = EINVAL;
1909 goto done;
1910 }
1911 actions->portwatch_array =
1912 kalloc(sizeof(ipc_port_t *) * actions->portwatch_count);
1913 if (actions->portwatch_array == NULL) {
1914 ret = ENOMEM;
1915 goto done;
1916 }
1917 bzero(actions->portwatch_array,
1918 sizeof(ipc_port_t *) * actions->portwatch_count);
1919 }
1920
1921 if (actions->registered_count) {
1922 actions->registered_array =
1923 kalloc(sizeof(ipc_port_t *) * actions->registered_count);
1924 if (actions->registered_array == NULL) {
1925 ret = ENOMEM;
1926 goto done;
1927 }
1928 bzero(actions->registered_array,
1929 sizeof(ipc_port_t *) * actions->registered_count);
1930 }
1931
1932 for (i = 0; i < pacts->pspa_count; i++) {
1933 act = &pacts->pspa_actions[i];
1934
1935 if (MACH_PORT_VALID(act->new_port)) {
1936 kr = ipc_object_copyin(get_task_ipcspace(current_task()),
1937 act->new_port, MACH_MSG_TYPE_COPY_SEND,
1938 (ipc_object_t *) &port, 0, NULL, IPC_KMSG_FLAGS_ALLOW_IMMOVABLE_SEND);
1939
1940 if (kr != KERN_SUCCESS) {
1941 ret = EINVAL;
1942 goto done;
1943 }
1944 } else {
1945 /* it's NULL or DEAD */
1946 port = CAST_MACH_NAME_TO_PORT(act->new_port);
1947 }
1948
1949 switch (act->port_type) {
1950 case PSPA_SPECIAL:
1951 kr = task_set_special_port(task, act->which, port);
1952
1953 if (kr != KERN_SUCCESS) {
1954 ret = EINVAL;
1955 }
1956 break;
1957
1958 case PSPA_EXCEPTION:
1959 kr = task_set_exception_ports(task, act->mask, port,
1960 act->behavior, act->flavor);
1961 if (kr != KERN_SUCCESS) {
1962 ret = EINVAL;
1963 }
1964 break;
1965 #if CONFIG_AUDIT
1966 case PSPA_AU_SESSION:
1967 ret = audit_session_spawnjoin(p, task, port);
1968 if (ret) {
1969 /* audit_session_spawnjoin() has already dropped the reference in case of error. */
1970 goto done;
1971 }
1972
1973 break;
1974 #endif
1975 case PSPA_IMP_WATCHPORTS:
1976 if (actions->portwatch_array) {
1977 /* hold on to this till end of spawn */
1978 actions->portwatch_array[portwatch_i++] = port;
1979 } else {
1980 ipc_port_release_send(port);
1981 }
1982 break;
1983 case PSPA_REGISTERED_PORTS:
1984 /* hold on to this till end of spawn */
1985 actions->registered_array[registered_i++] = port;
1986 break;
1987
1988 case PSPA_SUID_CRED:
1989 imgp->ip_sc_port = port;
1990 break;
1991
1992 default:
1993 ret = EINVAL;
1994 break;
1995 }
1996
1997 if (ret) {
1998 /* action failed, so release port resources */
1999 ipc_port_release_send(port);
2000 break;
2001 }
2002 }
2003
2004 done:
2005 if (0 != ret) {
2006 DTRACE_PROC1(spawn__port__failure, mach_port_name_t, act->new_port);
2007 }
2008 return ret;
2009 }
2010
2011 /*
2012 * exec_handle_file_actions
2013 *
2014 * Description: Go through the _posix_file_actions_t contents applying the
2015 * open, close, and dup2 operations to the open file table for
2016 * the current process.
2017 *
2018 * Parameters: struct image_params * Image parameter block
2019 *
2020 * Returns: 0 Success
2021 * ???
2022 *
2023 * Note: Actions are applied in the order specified, with the credential
2024 * of the parent process. This is done to permit the parent
2025 * process to utilize POSIX_SPAWN_RESETIDS to drop privilege in
2026 * the child following operations the child may in fact not be
2027 * normally permitted to perform.
2028 */
2029 static int
2030 exec_handle_file_actions(struct image_params *imgp, short psa_flags)
2031 {
2032 int error = 0;
2033 int action;
2034 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
2035 _posix_spawn_file_actions_t px_sfap = imgp->ip_px_sfa;
2036 int ival[2]; /* dummy retval for system calls) */
2037 #if CONFIG_AUDIT
2038 struct uthread *uthread = get_bsdthread_info(current_thread());
2039 #endif
2040
2041 for (action = 0; action < px_sfap->psfa_act_count; action++) {
2042 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
2043
2044 switch (psfa->psfaa_type) {
2045 case PSFA_OPEN: {
2046 /*
2047 * Open is different, in that it requires the use of
2048 * a path argument, which is normally copied in from
2049 * user space; because of this, we have to support an
2050 * open from kernel space that passes an address space
2051 * context of UIO_SYSSPACE, and casts the address
2052 * argument to a user_addr_t.
2053 */
2054 char *bufp = NULL;
2055 struct vnode_attr *vap;
2056 struct nameidata *ndp;
2057 int mode = psfa->psfaa_openargs.psfao_mode;
2058 struct dup2_args dup2a;
2059 struct close_nocancel_args ca;
2060 int origfd;
2061
2062 MALLOC(bufp, char *, sizeof(*vap) + sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
2063 if (bufp == NULL) {
2064 error = ENOMEM;
2065 break;
2066 }
2067
2068 vap = (struct vnode_attr *) bufp;
2069 ndp = (struct nameidata *) (bufp + sizeof(*vap));
2070
2071 VATTR_INIT(vap);
2072 /* Mask off all but regular access permissions */
2073 mode = ((mode & ~p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
2074 VATTR_SET(vap, va_mode, mode & ACCESSPERMS);
2075
2076 AUDIT_SUBCALL_ENTER(OPEN, p, uthread);
2077
2078 NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
2079 CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
2080 imgp->ip_vfs_context);
2081
2082 error = open1(imgp->ip_vfs_context,
2083 ndp,
2084 psfa->psfaa_openargs.psfao_oflag,
2085 vap,
2086 fileproc_alloc_init, NULL,
2087 ival);
2088
2089 FREE(bufp, M_TEMP);
2090
2091 AUDIT_SUBCALL_EXIT(uthread, error);
2092
2093 /*
2094 * If there's an error, or we get the right fd by
2095 * accident, then drop out here. This is easier than
2096 * reworking all the open code to preallocate fd
2097 * slots, and internally taking one as an argument.
2098 */
2099 if (error || ival[0] == psfa->psfaa_filedes) {
2100 break;
2101 }
2102
2103 origfd = ival[0];
2104 /*
2105 * If we didn't fall out from an error, we ended up
2106 * with the wrong fd; so now we've got to try to dup2
2107 * it to the right one.
2108 */
2109 dup2a.from = origfd;
2110 dup2a.to = psfa->psfaa_filedes;
2111
2112 /*
2113 * The dup2() system call implementation sets
2114 * ival to newfd in the success case, but we
2115 * can ignore that, since if we didn't get the
2116 * fd we wanted, the error will stop us.
2117 */
2118 AUDIT_SUBCALL_ENTER(DUP2, p, uthread);
2119 error = dup2(p, &dup2a, ival);
2120 AUDIT_SUBCALL_EXIT(uthread, error);
2121 if (error) {
2122 break;
2123 }
2124
2125 /*
2126 * Finally, close the original fd.
2127 */
2128 ca.fd = origfd;
2129
2130 AUDIT_SUBCALL_ENTER(CLOSE, p, uthread);
2131 error = close_nocancel(p, &ca, ival);
2132 AUDIT_SUBCALL_EXIT(uthread, error);
2133 }
2134 break;
2135
2136 case PSFA_DUP2: {
2137 struct dup2_args dup2a;
2138
2139 dup2a.from = psfa->psfaa_filedes;
2140 dup2a.to = psfa->psfaa_dup2args.psfad_newfiledes;
2141
2142 /*
2143 * The dup2() system call implementation sets
2144 * ival to newfd in the success case, but we
2145 * can ignore that, since if we didn't get the
2146 * fd we wanted, the error will stop us.
2147 */
2148 AUDIT_SUBCALL_ENTER(DUP2, p, uthread);
2149 error = dup2(p, &dup2a, ival);
2150 AUDIT_SUBCALL_EXIT(uthread, error);
2151 }
2152 break;
2153
2154 case PSFA_FILEPORT_DUP2: {
2155 ipc_port_t port;
2156 kern_return_t kr;
2157 struct dup2_args dup2a;
2158 struct close_nocancel_args ca;
2159
2160 if (!MACH_PORT_VALID(psfa->psfaa_fileport)) {
2161 error = EINVAL;
2162 break;
2163 }
2164
2165 kr = ipc_object_copyin(get_task_ipcspace(current_task()),
2166 psfa->psfaa_fileport, MACH_MSG_TYPE_COPY_SEND,
2167 (ipc_object_t *) &port, 0, NULL, IPC_KMSG_FLAGS_ALLOW_IMMOVABLE_SEND);
2168
2169 if (kr != KERN_SUCCESS) {
2170 error = EINVAL;
2171 break;
2172 }
2173
2174 error = fileport_makefd_internal(p, port, 0, ival);
2175
2176 if (IPC_PORT_NULL != port) {
2177 ipc_port_release_send(port);
2178 }
2179
2180 if (error || ival[0] == psfa->psfaa_dup2args.psfad_newfiledes) {
2181 break;
2182 }
2183
2184 dup2a.from = ca.fd = ival[0];
2185 dup2a.to = psfa->psfaa_dup2args.psfad_newfiledes;
2186 AUDIT_SUBCALL_ENTER(DUP2, p, uthread);
2187 error = dup2(p, &dup2a, ival);
2188 AUDIT_SUBCALL_EXIT(uthread, error);
2189 if (error) {
2190 break;
2191 }
2192
2193 AUDIT_SUBCALL_ENTER(CLOSE, p, uthread);
2194 error = close_nocancel(p, &ca, ival);
2195 AUDIT_SUBCALL_EXIT(uthread, error);
2196 }
2197 break;
2198
2199 case PSFA_CLOSE: {
2200 struct close_nocancel_args ca;
2201
2202 ca.fd = psfa->psfaa_filedes;
2203
2204 AUDIT_SUBCALL_ENTER(CLOSE, p, uthread);
2205 error = close_nocancel(p, &ca, ival);
2206 AUDIT_SUBCALL_EXIT(uthread, error);
2207 }
2208 break;
2209
2210 case PSFA_INHERIT: {
2211 struct fcntl_nocancel_args fcntla;
2212
2213 /*
2214 * Check to see if the descriptor exists, and
2215 * ensure it's -not- marked as close-on-exec.
2216 *
2217 * Attempting to "inherit" a guarded fd will
2218 * result in a error.
2219 */
2220 fcntla.fd = psfa->psfaa_filedes;
2221 fcntla.cmd = F_GETFD;
2222 if ((error = fcntl_nocancel(p, &fcntla, ival)) != 0) {
2223 break;
2224 }
2225
2226 if ((ival[0] & FD_CLOEXEC) == FD_CLOEXEC) {
2227 fcntla.fd = psfa->psfaa_filedes;
2228 fcntla.cmd = F_SETFD;
2229 fcntla.arg = ival[0] & ~FD_CLOEXEC;
2230 error = fcntl_nocancel(p, &fcntla, ival);
2231 }
2232 }
2233 break;
2234
2235 case PSFA_CHDIR: {
2236 /*
2237 * Chdir is different, in that it requires the use of
2238 * a path argument, which is normally copied in from
2239 * user space; because of this, we have to support a
2240 * chdir from kernel space that passes an address space
2241 * context of UIO_SYSSPACE, and casts the address
2242 * argument to a user_addr_t.
2243 */
2244 struct nameidata nd;
2245
2246 AUDIT_SUBCALL_ENTER(CHDIR, p, uthread);
2247 NDINIT(&nd, LOOKUP, OP_CHDIR, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
2248 CAST_USER_ADDR_T(psfa->psfaa_chdirargs.psfac_path),
2249 imgp->ip_vfs_context);
2250
2251 error = chdir_internal(p, imgp->ip_vfs_context, &nd, 0);
2252 AUDIT_SUBCALL_EXIT(uthread, error);
2253 }
2254 break;
2255
2256 case PSFA_FCHDIR: {
2257 struct fchdir_args fchdira;
2258
2259 fchdira.fd = psfa->psfaa_filedes;
2260
2261 AUDIT_SUBCALL_ENTER(FCHDIR, p, uthread);
2262 error = fchdir(p, &fchdira, ival);
2263 AUDIT_SUBCALL_EXIT(uthread, error);
2264 }
2265 break;
2266
2267 default:
2268 error = EINVAL;
2269 break;
2270 }
2271
2272 /* All file actions failures are considered fatal, per POSIX */
2273
2274 if (error) {
2275 if (PSFA_OPEN == psfa->psfaa_type) {
2276 DTRACE_PROC1(spawn__open__failure, uintptr_t,
2277 psfa->psfaa_openargs.psfao_path);
2278 } else {
2279 DTRACE_PROC1(spawn__fd__failure, int, psfa->psfaa_filedes);
2280 }
2281 break;
2282 }
2283 }
2284
2285 if (error != 0 || (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == 0) {
2286 return error;
2287 }
2288
2289 /*
2290 * If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during
2291 * this spawn only) as if "close on exec" is the default
2292 * disposition of all pre-existing file descriptors. In this case,
2293 * the list of file descriptors mentioned in the file actions
2294 * are the only ones that can be inherited, so mark them now.
2295 *
2296 * The actual closing part comes later, in fdexec().
2297 */
2298 proc_fdlock(p);
2299 for (action = 0; action < px_sfap->psfa_act_count; action++) {
2300 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
2301 int fd = psfa->psfaa_filedes;
2302
2303 switch (psfa->psfaa_type) {
2304 case PSFA_DUP2:
2305 case PSFA_FILEPORT_DUP2:
2306 fd = psfa->psfaa_dup2args.psfad_newfiledes;
2307 /*FALLTHROUGH*/
2308 case PSFA_OPEN:
2309 case PSFA_INHERIT:
2310 *fdflags(p, fd) |= UF_INHERIT;
2311 break;
2312
2313 case PSFA_CLOSE:
2314 case PSFA_CHDIR:
2315 case PSFA_FCHDIR:
2316 /*
2317 * Although PSFA_FCHDIR does have a file descriptor, it is not
2318 * *creating* one, thus we do not automatically mark it for
2319 * inheritance under POSIX_SPAWN_CLOEXEC_DEFAULT. A client that
2320 * wishes it to be inherited should use the PSFA_INHERIT action
2321 * explicitly.
2322 */
2323 break;
2324 }
2325 }
2326 proc_fdunlock(p);
2327
2328 return 0;
2329 }
2330
2331 #if CONFIG_MACF
2332 /*
2333 * exec_spawnattr_getmacpolicyinfo
2334 */
2335 void *
2336 exec_spawnattr_getmacpolicyinfo(const void *macextensions, const char *policyname, size_t *lenp)
2337 {
2338 const struct _posix_spawn_mac_policy_extensions *psmx = macextensions;
2339 int i;
2340
2341 if (psmx == NULL) {
2342 return NULL;
2343 }
2344
2345 for (i = 0; i < psmx->psmx_count; i++) {
2346 const _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
2347 if (strncmp(extension->policyname, policyname, sizeof(extension->policyname)) == 0) {
2348 if (lenp != NULL) {
2349 *lenp = extension->datalen;
2350 }
2351 return extension->datap;
2352 }
2353 }
2354
2355 if (lenp != NULL) {
2356 *lenp = 0;
2357 }
2358 return NULL;
2359 }
2360
2361 static int
2362 spawn_copyin_macpolicyinfo(const struct user__posix_spawn_args_desc *px_args, _posix_spawn_mac_policy_extensions_t *psmxp)
2363 {
2364 _posix_spawn_mac_policy_extensions_t psmx = NULL;
2365 int error = 0;
2366 int copycnt = 0;
2367 int i = 0;
2368
2369 *psmxp = NULL;
2370
2371 if (px_args->mac_extensions_size < PS_MAC_EXTENSIONS_SIZE(1) ||
2372 px_args->mac_extensions_size > PAGE_SIZE) {
2373 error = EINVAL;
2374 goto bad;
2375 }
2376
2377 MALLOC(psmx, _posix_spawn_mac_policy_extensions_t, px_args->mac_extensions_size, M_TEMP, M_WAITOK);
2378 if ((error = copyin(px_args->mac_extensions, psmx, px_args->mac_extensions_size)) != 0) {
2379 goto bad;
2380 }
2381
2382 size_t extsize = PS_MAC_EXTENSIONS_SIZE(psmx->psmx_count);
2383 if (extsize == 0 || extsize > px_args->mac_extensions_size) {
2384 error = EINVAL;
2385 goto bad;
2386 }
2387
2388 for (i = 0; i < psmx->psmx_count; i++) {
2389 _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
2390 if (extension->datalen == 0 || extension->datalen > PAGE_SIZE) {
2391 error = EINVAL;
2392 goto bad;
2393 }
2394 }
2395
2396 for (copycnt = 0; copycnt < psmx->psmx_count; copycnt++) {
2397 _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt];
2398 void *data = NULL;
2399
2400 MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK);
2401 if ((error = copyin(extension->data, data, extension->datalen)) != 0) {
2402 FREE(data, M_TEMP);
2403 goto bad;
2404 }
2405 extension->datap = data;
2406 }
2407
2408 *psmxp = psmx;
2409 return 0;
2410
2411 bad:
2412 if (psmx != NULL) {
2413 for (i = 0; i < copycnt; i++) {
2414 FREE(psmx->psmx_extensions[i].datap, M_TEMP);
2415 }
2416 FREE(psmx, M_TEMP);
2417 }
2418 return error;
2419 }
2420
2421 static void
2422 spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx)
2423 {
2424 int i;
2425
2426 if (psmx == NULL) {
2427 return;
2428 }
2429 for (i = 0; i < psmx->psmx_count; i++) {
2430 FREE(psmx->psmx_extensions[i].datap, M_TEMP);
2431 }
2432 FREE(psmx, M_TEMP);
2433 }
2434 #endif /* CONFIG_MACF */
2435
2436 #if CONFIG_COALITIONS
2437 static inline void
2438 spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES])
2439 {
2440 for (int c = 0; c < COALITION_NUM_TYPES; c++) {
2441 if (coal[c]) {
2442 coalition_remove_active(coal[c]);
2443 coalition_release(coal[c]);
2444 }
2445 }
2446 }
2447 #endif
2448
2449 #if CONFIG_PERSONAS
2450 static int
2451 spawn_validate_persona(struct _posix_spawn_persona_info *px_persona)
2452 {
2453 int error = 0;
2454 struct persona *persona = NULL;
2455 int verify = px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_VERIFY;
2456
2457 if (!IOTaskHasEntitlement(current_task(), PERSONA_MGMT_ENTITLEMENT)) {
2458 return EPERM;
2459 }
2460
2461 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2462 if (px_persona->pspi_ngroups > NGROUPS_MAX) {
2463 return EINVAL;
2464 }
2465 }
2466
2467 persona = persona_lookup(px_persona->pspi_id);
2468 if (!persona) {
2469 error = ESRCH;
2470 goto out;
2471 }
2472
2473 if (verify) {
2474 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
2475 if (px_persona->pspi_uid != persona_get_uid(persona)) {
2476 error = EINVAL;
2477 goto out;
2478 }
2479 }
2480 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
2481 if (px_persona->pspi_gid != persona_get_gid(persona)) {
2482 error = EINVAL;
2483 goto out;
2484 }
2485 }
2486 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2487 unsigned ngroups = 0;
2488 gid_t groups[NGROUPS_MAX];
2489
2490 if (persona_get_groups(persona, &ngroups, groups,
2491 px_persona->pspi_ngroups) != 0) {
2492 error = EINVAL;
2493 goto out;
2494 }
2495 if (ngroups != px_persona->pspi_ngroups) {
2496 error = EINVAL;
2497 goto out;
2498 }
2499 while (ngroups--) {
2500 if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
2501 error = EINVAL;
2502 goto out;
2503 }
2504 }
2505 if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
2506 error = EINVAL;
2507 goto out;
2508 }
2509 }
2510 }
2511
2512 out:
2513 if (persona) {
2514 persona_put(persona);
2515 }
2516
2517 return error;
2518 }
2519
2520 static int
2521 spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
2522 {
2523 int ret;
2524 kauth_cred_t cred;
2525 struct persona *persona = NULL;
2526 int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
2527
2528 if (!override) {
2529 return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
2530 }
2531
2532 /*
2533 * we want to spawn into the given persona, but we want to override
2534 * the kauth with a different UID/GID combo
2535 */
2536 persona = persona_lookup(px_persona->pspi_id);
2537 if (!persona) {
2538 return ESRCH;
2539 }
2540
2541 cred = persona_get_cred(persona);
2542 if (!cred) {
2543 ret = EINVAL;
2544 goto out;
2545 }
2546
2547 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
2548 cred = kauth_cred_setresuid(cred,
2549 px_persona->pspi_uid,
2550 px_persona->pspi_uid,
2551 px_persona->pspi_uid,
2552 KAUTH_UID_NONE);
2553 }
2554
2555 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
2556 cred = kauth_cred_setresgid(cred,
2557 px_persona->pspi_gid,
2558 px_persona->pspi_gid,
2559 px_persona->pspi_gid);
2560 }
2561
2562 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2563 cred = kauth_cred_setgroups(cred,
2564 px_persona->pspi_groups,
2565 px_persona->pspi_ngroups,
2566 px_persona->pspi_gmuid);
2567 }
2568
2569 ret = persona_proc_adopt(p, persona, cred);
2570
2571 out:
2572 persona_put(persona);
2573 return ret;
2574 }
2575 #endif
2576
2577 #if __arm64__
2578 extern int legacy_footprint_entitlement_mode;
2579 static inline void
2580 proc_legacy_footprint_entitled(proc_t p, task_t task, const char *caller)
2581 {
2582 #pragma unused(p, caller)
2583 boolean_t legacy_footprint_entitled;
2584
2585 switch (legacy_footprint_entitlement_mode) {
2586 case LEGACY_FOOTPRINT_ENTITLEMENT_IGNORE:
2587 /* the entitlement is ignored */
2588 break;
2589 case LEGACY_FOOTPRINT_ENTITLEMENT_IOS11_ACCT:
2590 /* the entitlement grants iOS11 legacy accounting */
2591 legacy_footprint_entitled = IOTaskHasEntitlement(task,
2592 "com.apple.private.memory.legacy_footprint");
2593 if (legacy_footprint_entitled) {
2594 task_set_legacy_footprint(task);
2595 }
2596 break;
2597 case LEGACY_FOOTPRINT_ENTITLEMENT_LIMIT_INCREASE:
2598 /* the entitlement grants a footprint limit increase */
2599 legacy_footprint_entitled = IOTaskHasEntitlement(task,
2600 "com.apple.private.memory.legacy_footprint");
2601 if (legacy_footprint_entitled) {
2602 task_set_extra_footprint_limit(task);
2603 }
2604 break;
2605 default:
2606 break;
2607 }
2608 }
2609
2610 static inline void
2611 proc_ios13extended_footprint_entitled(proc_t p, task_t task, const char *caller)
2612 {
2613 #pragma unused(p, caller)
2614 boolean_t ios13extended_footprint_entitled;
2615
2616 /* the entitlement grants a footprint limit increase */
2617 ios13extended_footprint_entitled = IOTaskHasEntitlement(task,
2618 "com.apple.developer.memory.ios13extended_footprint");
2619 if (ios13extended_footprint_entitled) {
2620 task_set_ios13extended_footprint_limit(task);
2621 }
2622 }
2623 #endif /* __arm64__ */
2624
2625 /*
2626 * Apply a modification on the proc's kauth cred until it converges.
2627 *
2628 * `update` consumes its argument to return a new kauth cred.
2629 */
2630 static void
2631 apply_kauth_cred_update(proc_t p,
2632 kauth_cred_t (^update)(kauth_cred_t orig_cred))
2633 {
2634 kauth_cred_t my_cred, my_new_cred;
2635
2636 my_cred = kauth_cred_proc_ref(p);
2637 for (;;) {
2638 my_new_cred = update(my_cred);
2639 if (my_cred == my_new_cred) {
2640 kauth_cred_unref(&my_new_cred);
2641 break;
2642 }
2643
2644 /* try update cred on proc */
2645 proc_ucred_lock(p);
2646
2647 if (p->p_ucred == my_cred) {
2648 /* base pointer didn't change, donate our ref */
2649 p->p_ucred = my_new_cred;
2650 PROC_UPDATE_CREDS_ONPROC(p);
2651 proc_ucred_unlock(p);
2652
2653 /* drop p->p_ucred reference */
2654 kauth_cred_unref(&my_cred);
2655 break;
2656 }
2657
2658 /* base pointer changed, retry */
2659 my_cred = p->p_ucred;
2660 kauth_cred_ref(my_cred);
2661 proc_ucred_unlock(p);
2662
2663 kauth_cred_unref(&my_new_cred);
2664 }
2665 }
2666
2667 static int
2668 spawn_posix_cred_adopt(proc_t p,
2669 struct _posix_spawn_posix_cred_info *px_pcred_info)
2670 {
2671 int error = 0;
2672
2673 if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GID) {
2674 struct setgid_args args = {
2675 .gid = px_pcred_info->pspci_gid,
2676 };
2677 error = setgid(p, &args, NULL);
2678 if (error) {
2679 return error;
2680 }
2681 }
2682
2683 if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GROUPS) {
2684 error = setgroups_internal(p,
2685 px_pcred_info->pspci_ngroups,
2686 px_pcred_info->pspci_groups,
2687 px_pcred_info->pspci_gmuid);
2688 if (error) {
2689 return error;
2690 }
2691 }
2692
2693 if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_UID) {
2694 struct setuid_args args = {
2695 .uid = px_pcred_info->pspci_uid,
2696 };
2697 error = setuid(p, &args, NULL);
2698 if (error) {
2699 return error;
2700 }
2701 }
2702 return 0;
2703 }
2704
2705 /*
2706 * posix_spawn
2707 *
2708 * Parameters: uap->pid Pointer to pid return area
2709 * uap->fname File name to exec
2710 * uap->argp Argument list
2711 * uap->envp Environment list
2712 *
2713 * Returns: 0 Success
2714 * EINVAL Invalid argument
2715 * ENOTSUP Not supported
2716 * ENOEXEC Executable file format error
2717 * exec_activate_image:EINVAL Invalid argument
2718 * exec_activate_image:EACCES Permission denied
2719 * exec_activate_image:EINTR Interrupted function
2720 * exec_activate_image:ENOMEM Not enough space
2721 * exec_activate_image:EFAULT Bad address
2722 * exec_activate_image:ENAMETOOLONG Filename too long
2723 * exec_activate_image:ENOEXEC Executable file format error
2724 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
2725 * exec_activate_image:EAUTH Image decryption failed
2726 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
2727 * exec_activate_image:???
2728 * mac_execve_enter:???
2729 *
2730 * TODO: Expect to need __mac_posix_spawn() at some point...
2731 * Handle posix_spawnattr_t
2732 * Handle posix_spawn_file_actions_t
2733 */
2734 int
2735 posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
2736 {
2737 proc_t p = ap; /* quiet bogus GCC vfork() warning */
2738 user_addr_t pid = uap->pid;
2739 int ival[2]; /* dummy retval for setpgid() */
2740 char *bufp = NULL;
2741 struct image_params *imgp;
2742 struct vnode_attr *vap;
2743 struct vnode_attr *origvap;
2744 struct uthread *uthread = 0; /* compiler complains if not set to 0*/
2745 int error, sig;
2746 int is_64 = IS_64BIT_PROCESS(p);
2747 struct vfs_context context;
2748 struct user__posix_spawn_args_desc px_args;
2749 struct _posix_spawnattr px_sa;
2750 _posix_spawn_file_actions_t px_sfap = NULL;
2751 _posix_spawn_port_actions_t px_spap = NULL;
2752 struct __kern_sigaction vec;
2753 boolean_t spawn_no_exec = FALSE;
2754 boolean_t proc_transit_set = TRUE;
2755 boolean_t exec_done = FALSE;
2756 struct exec_port_actions port_actions = { };
2757 vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
2758 task_t old_task = current_task();
2759 task_t new_task = NULL;
2760 boolean_t should_release_proc_ref = FALSE;
2761 void *inherit = NULL;
2762 #if CONFIG_PERSONAS
2763 struct _posix_spawn_persona_info *px_persona = NULL;
2764 #endif
2765 struct _posix_spawn_posix_cred_info *px_pcred_info = NULL;
2766
2767 /*
2768 * Allocate a big chunk for locals instead of using stack since these
2769 * structures are pretty big.
2770 */
2771 MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
2772 imgp = (struct image_params *) bufp;
2773 if (bufp == NULL) {
2774 error = ENOMEM;
2775 goto bad;
2776 }
2777 vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
2778 origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
2779
2780 /* Initialize the common data in the image_params structure */
2781 imgp->ip_user_fname = uap->path;
2782 imgp->ip_user_argv = uap->argv;
2783 imgp->ip_user_envv = uap->envp;
2784 imgp->ip_vattr = vap;
2785 imgp->ip_origvattr = origvap;
2786 imgp->ip_vfs_context = &context;
2787 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE);
2788 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
2789 imgp->ip_mac_return = 0;
2790 imgp->ip_px_persona = NULL;
2791 imgp->ip_px_pcred_info = NULL;
2792 imgp->ip_cs_error = OS_REASON_NULL;
2793 imgp->ip_simulator_binary = IMGPF_SB_DEFAULT;
2794
2795 if (uap->adesc != USER_ADDR_NULL) {
2796 if (is_64) {
2797 error = copyin(uap->adesc, &px_args, sizeof(px_args));
2798 } else {
2799 struct user32__posix_spawn_args_desc px_args32;
2800
2801 error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
2802
2803 /*
2804 * Convert arguments descriptor from external 32 bit
2805 * representation to internal 64 bit representation
2806 */
2807 px_args.attr_size = px_args32.attr_size;
2808 px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
2809 px_args.file_actions_size = px_args32.file_actions_size;
2810 px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
2811 px_args.port_actions_size = px_args32.port_actions_size;
2812 px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
2813 px_args.mac_extensions_size = px_args32.mac_extensions_size;
2814 px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
2815 px_args.coal_info_size = px_args32.coal_info_size;
2816 px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
2817 px_args.persona_info_size = px_args32.persona_info_size;
2818 px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
2819 px_args.posix_cred_info_size = px_args32.posix_cred_info_size;
2820 px_args.posix_cred_info = CAST_USER_ADDR_T(px_args32.posix_cred_info);
2821 }
2822 if (error) {
2823 goto bad;
2824 }
2825
2826 if (px_args.attr_size != 0) {
2827 /*
2828 * We are not copying the port_actions pointer,
2829 * because we already have it from px_args.
2830 * This is a bit fragile: <rdar://problem/16427422>
2831 */
2832
2833 if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset)) != 0) {
2834 goto bad;
2835 }
2836
2837 bzero((void *)((unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );
2838
2839 imgp->ip_px_sa = &px_sa;
2840 }
2841 if (px_args.file_actions_size != 0) {
2842 /* Limit file_actions to allowed number of open files */
2843 int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
2844 size_t maxfa_size = PSF_ACTIONS_SIZE(maxfa);
2845 if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
2846 maxfa_size == 0 || px_args.file_actions_size > maxfa_size) {
2847 error = EINVAL;
2848 goto bad;
2849 }
2850 MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
2851 if (px_sfap == NULL) {
2852 error = ENOMEM;
2853 goto bad;
2854 }
2855 imgp->ip_px_sfa = px_sfap;
2856
2857 if ((error = copyin(px_args.file_actions, px_sfap,
2858 px_args.file_actions_size)) != 0) {
2859 goto bad;
2860 }
2861
2862 /* Verify that the action count matches the struct size */
2863 size_t psfsize = PSF_ACTIONS_SIZE(px_sfap->psfa_act_count);
2864 if (psfsize == 0 || psfsize != px_args.file_actions_size) {
2865 error = EINVAL;
2866 goto bad;
2867 }
2868 }
2869 if (px_args.port_actions_size != 0) {
2870 /* Limit port_actions to one page of data */
2871 if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
2872 px_args.port_actions_size > PAGE_SIZE) {
2873 error = EINVAL;
2874 goto bad;
2875 }
2876
2877 MALLOC(px_spap, _posix_spawn_port_actions_t,
2878 px_args.port_actions_size, M_TEMP, M_WAITOK);
2879 if (px_spap == NULL) {
2880 error = ENOMEM;
2881 goto bad;
2882 }
2883 imgp->ip_px_spa = px_spap;
2884
2885 if ((error = copyin(px_args.port_actions, px_spap,
2886 px_args.port_actions_size)) != 0) {
2887 goto bad;
2888 }
2889
2890 /* Verify that the action count matches the struct size */
2891 size_t pasize = PS_PORT_ACTIONS_SIZE(px_spap->pspa_count);
2892 if (pasize == 0 || pasize != px_args.port_actions_size) {
2893 error = EINVAL;
2894 goto bad;
2895 }
2896 }
2897 #if CONFIG_PERSONAS
2898 /* copy in the persona info */
2899 if (px_args.persona_info_size != 0 && px_args.persona_info != 0) {
2900 /* for now, we need the exact same struct in user space */
2901 if (px_args.persona_info_size != sizeof(*px_persona)) {
2902 error = ERANGE;
2903 goto bad;
2904 }
2905
2906 MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK | M_ZERO);
2907 if (px_persona == NULL) {
2908 error = ENOMEM;
2909 goto bad;
2910 }
2911 imgp->ip_px_persona = px_persona;
2912
2913 if ((error = copyin(px_args.persona_info, px_persona,
2914 px_args.persona_info_size)) != 0) {
2915 goto bad;
2916 }
2917 if ((error = spawn_validate_persona(px_persona)) != 0) {
2918 goto bad;
2919 }
2920 }
2921 #endif
2922 /* copy in the posix cred info */
2923 if (px_args.posix_cred_info_size != 0 && px_args.posix_cred_info != 0) {
2924 /* for now, we need the exact same struct in user space */
2925 if (px_args.posix_cred_info_size != sizeof(*px_pcred_info)) {
2926 error = ERANGE;
2927 goto bad;
2928 }
2929
2930 if (!kauth_cred_issuser(kauth_cred_get())) {
2931 error = EPERM;
2932 goto bad;
2933 }
2934
2935 MALLOC(px_pcred_info, struct _posix_spawn_posix_cred_info *,
2936 px_args.posix_cred_info_size, M_TEMP, M_WAITOK | M_ZERO);
2937 if (px_pcred_info == NULL) {
2938 error = ENOMEM;
2939 goto bad;
2940 }
2941 imgp->ip_px_pcred_info = px_pcred_info;
2942
2943 if ((error = copyin(px_args.posix_cred_info, px_pcred_info,
2944 px_args.posix_cred_info_size)) != 0) {
2945 goto bad;
2946 }
2947
2948 if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GROUPS) {
2949 if (px_pcred_info->pspci_ngroups > NGROUPS_MAX) {
2950 error = EINVAL;
2951 goto bad;
2952 }
2953 }
2954 }
2955 #if CONFIG_MACF
2956 if (px_args.mac_extensions_size != 0) {
2957 if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0) {
2958 goto bad;
2959 }
2960 }
2961 #endif /* CONFIG_MACF */
2962 }
2963
2964 /* set uthread to parent */
2965 uthread = get_bsdthread_info(current_thread());
2966
2967 /*
2968 * <rdar://6640530>; this does not result in a behaviour change
2969 * relative to Leopard, so there should not be any existing code
2970 * which depends on it.
2971 */
2972 if (uthread->uu_flag & UT_VFORK) {
2973 error = EINVAL;
2974 goto bad;
2975 }
2976
2977 if (imgp->ip_px_sa != NULL) {
2978 struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
2979 if ((error = exec_validate_spawnattr_policy(psa->psa_apptype)) != 0) {
2980 goto bad;
2981 }
2982 }
2983
2984 /*
2985 * If we don't have the extension flag that turns "posix_spawn()"
2986 * into "execve() with options", then we will be creating a new
2987 * process which does not inherit memory from the parent process,
2988 * which is one of the most expensive things about using fork()
2989 * and execve().
2990 */
2991 if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)) {
2992 /* Set the new task's coalition, if it is requested. */
2993 coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
2994 #if CONFIG_COALITIONS
2995 int i, ncoals;
2996 kern_return_t kr = KERN_SUCCESS;
2997 struct _posix_spawn_coalition_info coal_info;
2998 int coal_role[COALITION_NUM_TYPES];
2999
3000 if (imgp->ip_px_sa == NULL || !px_args.coal_info) {
3001 goto do_fork1;
3002 }
3003
3004 memset(&coal_info, 0, sizeof(coal_info));
3005
3006 if (px_args.coal_info_size > sizeof(coal_info)) {
3007 px_args.coal_info_size = sizeof(coal_info);
3008 }
3009 error = copyin(px_args.coal_info,
3010 &coal_info, px_args.coal_info_size);
3011 if (error != 0) {
3012 goto bad;
3013 }
3014
3015 ncoals = 0;
3016 for (i = 0; i < COALITION_NUM_TYPES; i++) {
3017 uint64_t cid = coal_info.psci_info[i].psci_id;
3018 if (cid != 0) {
3019 /*
3020 * don't allow tasks which are not in a
3021 * privileged coalition to spawn processes
3022 * into coalitions other than their own
3023 */
3024 if (!task_is_in_privileged_coalition(p->task, i)) {
3025 coal_dbg("ERROR: %d not in privilegd "
3026 "coalition of type %d",
3027 p->p_pid, i);
3028 spawn_coalitions_release_all(coal);
3029 error = EPERM;
3030 goto bad;
3031 }
3032
3033 coal_dbg("searching for coalition id:%llu", cid);
3034 /*
3035 * take a reference and activation on the
3036 * coalition to guard against free-while-spawn
3037 * races
3038 */
3039 coal[i] = coalition_find_and_activate_by_id(cid);
3040 if (coal[i] == COALITION_NULL) {
3041 coal_dbg("could not find coalition id:%llu "
3042 "(perhaps it has been terminated or reaped)", cid);
3043 /*
3044 * release any other coalition's we
3045 * may have a reference to
3046 */
3047 spawn_coalitions_release_all(coal);
3048 error = ESRCH;
3049 goto bad;
3050 }
3051 if (coalition_type(coal[i]) != i) {
3052 coal_dbg("coalition with id:%lld is not of type:%d"
3053 " (it's type:%d)", cid, i, coalition_type(coal[i]));
3054 error = ESRCH;
3055 goto bad;
3056 }
3057 coal_role[i] = coal_info.psci_info[i].psci_role;
3058 ncoals++;
3059 }
3060 }
3061 if (ncoals < COALITION_NUM_TYPES) {
3062 /*
3063 * If the user is attempting to spawn into a subset of
3064 * the known coalition types, then make sure they have
3065 * _at_least_ specified a resource coalition. If not,
3066 * the following fork1() call will implicitly force an
3067 * inheritance from 'p' and won't actually spawn the
3068 * new task into the coalitions the user specified.
3069 * (also the call to coalitions_set_roles will panic)
3070 */
3071 if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) {
3072 spawn_coalitions_release_all(coal);
3073 error = EINVAL;
3074 goto bad;
3075 }
3076 }
3077 do_fork1:
3078 #endif /* CONFIG_COALITIONS */
3079
3080 /*
3081 * note that this will implicitly inherit the
3082 * caller's persona (if it exists)
3083 */
3084 error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
3085 /* returns a thread and task reference */
3086
3087 if (error == 0) {
3088 new_task = get_threadtask(imgp->ip_new_thread);
3089 }
3090 #if CONFIG_COALITIONS
3091 /* set the roles of this task within each given coalition */
3092 if (error == 0) {
3093 kr = coalitions_set_roles(coal, new_task, coal_role);
3094 if (kr != KERN_SUCCESS) {
3095 error = EINVAL;
3096 }
3097 if (kdebug_debugid_enabled(MACHDBG_CODE(DBG_MACH_COALITION,
3098 MACH_COALITION_ADOPT))) {
3099 for (i = 0; i < COALITION_NUM_TYPES; i++) {
3100 if (coal[i] != COALITION_NULL) {
3101 /*
3102 * On 32-bit targets, uniqueid
3103 * will get truncated to 32 bits
3104 */
3105 KDBG_RELEASE(MACHDBG_CODE(
3106 DBG_MACH_COALITION,
3107 MACH_COALITION_ADOPT),
3108 coalition_id(coal[i]),
3109 get_task_uniqueid(new_task));
3110 }
3111 }
3112 }
3113 }
3114
3115 /* drop our references and activations - fork1() now holds them */
3116 spawn_coalitions_release_all(coal);
3117 #endif /* CONFIG_COALITIONS */
3118 if (error != 0) {
3119 goto bad;
3120 }
3121 imgp->ip_flags |= IMGPF_SPAWN; /* spawn w/o exec */
3122 spawn_no_exec = TRUE; /* used in later tests */
3123 } else {
3124 /*
3125 * For execve case, create a new task and thread
3126 * which points to current_proc. The current_proc will point
3127 * to the new task after image activation and proc ref drain.
3128 *
3129 * proc (current_proc) <----- old_task (current_task)
3130 * ^ | ^
3131 * | | |
3132 * | ----------------------------------
3133 * |
3134 * --------- new_task (task marked as TF_EXEC_COPY)
3135 *
3136 * After image activation, the proc will point to the new task
3137 * and would look like following.
3138 *
3139 * proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
3140 * ^ |
3141 * | |
3142 * | ----------> new_task
3143 * | |
3144 * -----------------
3145 *
3146 * During exec any transition from new_task -> proc is fine, but don't allow
3147 * transition from proc->task, since it will modify old_task.
3148 */
3149 imgp->ip_new_thread = fork_create_child(old_task,
3150 NULL,
3151 p,
3152 FALSE,
3153 p->p_flag & P_LP64,
3154 task_get_64bit_data(old_task),
3155 TRUE);
3156 /* task and thread ref returned by fork_create_child */
3157 if (imgp->ip_new_thread == NULL) {
3158 error = ENOMEM;
3159 goto bad;
3160 }
3161
3162 new_task = get_threadtask(imgp->ip_new_thread);
3163 imgp->ip_flags |= IMGPF_EXEC;
3164 }
3165
3166 if (spawn_no_exec) {
3167 p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
3168
3169 /*
3170 * We had to wait until this point before firing the
3171 * proc:::create probe, otherwise p would not point to the
3172 * child process.
3173 */
3174 DTRACE_PROC1(create, proc_t, p);
3175 }
3176 assert(p != NULL);
3177
3178 context.vc_thread = imgp->ip_new_thread;
3179 context.vc_ucred = p->p_ucred; /* XXX must NOT be kauth_cred_get() */
3180
3181 /*
3182 * Post fdcopy(), pre exec_handle_sugid() - this is where we want
3183 * to handle the file_actions. Since vfork() also ends up setting
3184 * us into the parent process group, and saved off the signal flags,
3185 * this is also where we want to handle the spawn flags.
3186 */
3187
3188 /* Has spawn file actions? */
3189 if (imgp->ip_px_sfa != NULL) {
3190 /*
3191 * The POSIX_SPAWN_CLOEXEC_DEFAULT flag
3192 * is handled in exec_handle_file_actions().
3193 */
3194 #if CONFIG_AUDIT
3195 /*
3196 * The file actions auditing can overwrite the upath of
3197 * AUE_POSIX_SPAWN audit record. Save the audit record.
3198 */
3199 struct kaudit_record *save_uu_ar = uthread->uu_ar;
3200 uthread->uu_ar = NULL;
3201 #endif
3202 error = exec_handle_file_actions(imgp,
3203 imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0);
3204 #if CONFIG_AUDIT
3205 /* Restore the AUE_POSIX_SPAWN audit record. */
3206 uthread->uu_ar = save_uu_ar;
3207 #endif
3208 if (error != 0) {
3209 goto bad;
3210 }
3211 }
3212
3213 /* Has spawn port actions? */
3214 if (imgp->ip_px_spa != NULL) {
3215 #if CONFIG_AUDIT
3216 /*
3217 * Do the same for the port actions as we did for the file
3218 * actions. Save the AUE_POSIX_SPAWN audit record.
3219 */
3220 struct kaudit_record *save_uu_ar = uthread->uu_ar;
3221 uthread->uu_ar = NULL;
3222 #endif
3223 error = exec_handle_port_actions(imgp, &port_actions);
3224 #if CONFIG_AUDIT
3225 /* Restore the AUE_POSIX_SPAWN audit record. */
3226 uthread->uu_ar = save_uu_ar;
3227 #endif
3228 if (error != 0) {
3229 goto bad;
3230 }
3231 }
3232
3233 /* Has spawn attr? */
3234 if (imgp->ip_px_sa != NULL) {
3235 /*
3236 * Reset UID/GID to parent's RUID/RGID; This works only
3237 * because the operation occurs *after* the vfork() and
3238 * before the call to exec_handle_sugid() by the image
3239 * activator called from exec_activate_image(). POSIX
3240 * requires that any setuid/setgid bits on the process
3241 * image will take precedence over the spawn attributes
3242 * (re)setting them.
3243 *
3244 * Modifications to p_ucred must be guarded using the
3245 * proc's ucred lock. This prevents others from accessing
3246 * a garbage credential.
3247 */
3248 if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
3249 apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred){
3250 return kauth_cred_setuidgid(my_cred,
3251 kauth_cred_getruid(my_cred),
3252 kauth_cred_getrgid(my_cred));
3253 });
3254 }
3255
3256 if (imgp->ip_px_pcred_info) {
3257 if (!spawn_no_exec) {
3258 error = ENOTSUP;
3259 goto bad;
3260 }
3261
3262 error = spawn_posix_cred_adopt(p, imgp->ip_px_pcred_info);
3263 if (error != 0) {
3264 goto bad;
3265 }
3266 }
3267
3268 #if CONFIG_PERSONAS
3269 if (imgp->ip_px_persona != NULL) {
3270 if (!spawn_no_exec) {
3271 error = ENOTSUP;
3272 goto bad;
3273 }
3274
3275 /*
3276 * If we were asked to spawn a process into a new persona,
3277 * do the credential switch now (which may override the UID/GID
3278 * inherit done just above). It's important to do this switch
3279 * before image activation both for reasons stated above, and
3280 * to ensure that the new persona has access to the image/file
3281 * being executed.
3282 */
3283 error = spawn_persona_adopt(p, imgp->ip_px_persona);
3284 if (error != 0) {
3285 goto bad;
3286 }
3287 }
3288 #endif /* CONFIG_PERSONAS */
3289 #if !SECURE_KERNEL
3290 /*
3291 * Disable ASLR for the spawned process.
3292 *
3293 * But only do so if we are not embedded + RELEASE.
3294 * While embedded allows for a boot-arg (-disable_aslr)
3295 * to deal with this (which itself is only honored on
3296 * DEVELOPMENT or DEBUG builds of xnu), it is often
3297 * useful or necessary to disable ASLR on a per-process
3298 * basis for unit testing and debugging.
3299 */
3300 if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR) {
3301 OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
3302 }
3303 #endif /* !SECURE_KERNEL */
3304
3305 /* Randomize high bits of ASLR slide */
3306 if (px_sa.psa_flags & _POSIX_SPAWN_HIGH_BITS_ASLR) {
3307 imgp->ip_flags |= IMGPF_HIGH_BITS_ASLR;
3308 }
3309
3310 #if !SECURE_KERNEL
3311 /*
3312 * Forcibly disallow execution from data pages for the spawned process
3313 * even if it would otherwise be permitted by the architecture default.
3314 */
3315 if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC) {
3316 imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;
3317 }
3318 #endif /* !SECURE_KERNEL */
3319
3320 if ((px_sa.psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) ==
3321 POSIX_SPAWN_PROC_TYPE_DRIVER) {
3322 imgp->ip_flags |= IMGPF_DRIVER;
3323 }
3324 }
3325
3326 /*
3327 * Disable ASLR during image activation. This occurs either if the
3328 * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
3329 * P_DISABLE_ASLR was inherited from the parent process.
3330 */
3331 if (p->p_flag & P_DISABLE_ASLR) {
3332 imgp->ip_flags |= IMGPF_DISABLE_ASLR;
3333 }
3334
3335 /*
3336 * Clear transition flag so we won't hang if exec_activate_image() causes
3337 * an automount (and launchd does a proc sysctl to service it).
3338 *
3339 * <rdar://problem/6848672>, <rdar://problem/5959568>.
3340 */
3341 if (spawn_no_exec) {
3342 proc_transend(p, 0);
3343 proc_transit_set = 0;
3344 }
3345
3346 #if MAC_SPAWN /* XXX */
3347 if (uap->mac_p != USER_ADDR_NULL) {
3348 error = mac_execve_enter(uap->mac_p, imgp);
3349 if (error) {
3350 goto bad;
3351 }
3352 }
3353 #endif
3354
3355 /*
3356 * Activate the image
3357 */
3358 error = exec_activate_image(imgp);
3359 #if defined(HAS_APPLE_PAC)
3360 ml_task_set_disable_user_jop(new_task, imgp->ip_flags & IMGPF_NOJOP ? TRUE : FALSE);
3361 ml_thread_set_disable_user_jop(imgp->ip_new_thread, imgp->ip_flags & IMGPF_NOJOP ? TRUE : FALSE);
3362 #endif
3363
3364 if (error == 0 && !spawn_no_exec) {
3365 p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
3366 /* proc ref returned */
3367 should_release_proc_ref = TRUE;
3368
3369 /*
3370 * Need to transfer pending watch port boosts to the new task while still making
3371 * sure that the old task remains in the importance linkage. Create an importance
3372 * linkage from old task to new task, then switch the task importance base
3373 * of old task and new task. After the switch the port watch boost will be
3374 * boosting the new task and new task will be donating importance to old task.
3375 */
3376 inherit = ipc_importance_exec_switch_task(old_task, new_task);
3377 }
3378
3379 if (error == 0) {
3380 /* process completed the exec */
3381 exec_done = TRUE;
3382 } else if (error == -1) {
3383 /* Image not claimed by any activator? */
3384 error = ENOEXEC;
3385 }
3386
3387 if (!error && imgp->ip_px_sa != NULL) {
3388 thread_t child_thread = imgp->ip_new_thread;
3389 uthread_t child_uthread = get_bsdthread_info(child_thread);
3390
3391 /*
3392 * Because of POSIX_SPAWN_SETEXEC, we need to handle this after image
3393 * activation, else when image activation fails (before the point of no
3394 * return) would leave the parent process in a modified state.
3395 */
3396 if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
3397 struct setpgid_args spga;
3398 spga.pid = p->p_pid;
3399 spga.pgid = px_sa.psa_pgroup;
3400 /*
3401 * Effectively, call setpgid() system call; works
3402 * because there are no pointer arguments.
3403 */
3404 if ((error = setpgid(p, &spga, ival)) != 0) {
3405 goto bad;
3406 }
3407 }
3408
3409 if (px_sa.psa_flags & POSIX_SPAWN_SETSID) {
3410 error = setsid_internal(p);
3411 if (error != 0) {
3412 goto bad;
3413 }
3414 }
3415
3416 /*
3417 * If we have a spawn attr, and it contains signal related flags,
3418 * the we need to process them in the "context" of the new child
3419 * process, so we have to process it following image activation,
3420 * prior to making the thread runnable in user space. This is
3421 * necessitated by some signal information being per-thread rather
3422 * than per-process, and we don't have the new allocation in hand
3423 * until after the image is activated.
3424 */
3425
3426 /*
3427 * Mask a list of signals, instead of them being unmasked, if
3428 * they were unmasked in the parent; note that some signals
3429 * are not maskable.
3430 */
3431 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK) {
3432 child_uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
3433 }
3434 /*
3435 * Default a list of signals instead of ignoring them, if
3436 * they were ignored in the parent. Note that we pass
3437 * spawn_no_exec to setsigvec() to indicate that we called
3438 * fork1() and therefore do not need to call proc_signalstart()
3439 * internally.
3440 */
3441 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
3442 vec.sa_handler = SIG_DFL;
3443 vec.sa_tramp = 0;
3444 vec.sa_mask = 0;
3445 vec.sa_flags = 0;
3446 for (sig = 1; sig < NSIG; sig++) {
3447 if (px_sa.psa_sigdefault & (1 << (sig - 1))) {
3448 error = setsigvec(p, child_thread, sig, &vec, spawn_no_exec);
3449 }
3450 }
3451 }
3452
3453 /*
3454 * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
3455 * usage limit, which will generate a resource exceeded exception if any one thread exceeds the
3456 * limit.
3457 *
3458 * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
3459 */
3460 if (px_sa.psa_cpumonitor_percent != 0) {
3461 /*
3462 * Always treat a CPU monitor activation coming from spawn as entitled. Requiring
3463 * an entitlement to configure the monitor a certain way seems silly, since
3464 * whomever is turning it on could just as easily choose not to do so.
3465 */
3466 error = proc_set_task_ruse_cpu(p->task,
3467 TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
3468 px_sa.psa_cpumonitor_percent,
3469 px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
3470 0, TRUE);
3471 }
3472
3473
3474 if (px_pcred_info &&
3475 (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_LOGIN)) {
3476 /*
3477 * setlogin() must happen after setsid()
3478 */
3479 setlogin_internal(p, px_pcred_info->pspci_login);
3480 }
3481 }
3482
3483 bad:
3484
3485 if (error == 0) {
3486 /* reset delay idle sleep status if set */
3487 #if !CONFIG_EMBEDDED
3488 if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP) {
3489 OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
3490 }
3491 #endif /* !CONFIG_EMBEDDED */
3492 /* upon successful spawn, re/set the proc control state */
3493 if (imgp->ip_px_sa != NULL) {
3494 switch (px_sa.psa_pcontrol) {
3495 case POSIX_SPAWN_PCONTROL_THROTTLE:
3496 p->p_pcaction = P_PCTHROTTLE;
3497 break;
3498 case POSIX_SPAWN_PCONTROL_SUSPEND:
3499 p->p_pcaction = P_PCSUSP;
3500 break;
3501 case POSIX_SPAWN_PCONTROL_KILL:
3502 p->p_pcaction = P_PCKILL;
3503 break;
3504 case POSIX_SPAWN_PCONTROL_NONE:
3505 default:
3506 p->p_pcaction = 0;
3507 break;
3508 }
3509 ;
3510 }
3511 exec_resettextvp(p, imgp);
3512
3513 #if CONFIG_MEMORYSTATUS
3514 /* Set jetsam priority for DriverKit processes */
3515 if (px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DRIVER) {
3516 px_sa.psa_priority = JETSAM_PRIORITY_DRIVER_APPLE;
3517 }
3518
3519 /* Has jetsam attributes? */
3520 if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
3521 /*
3522 * With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no
3523 * longer relevant, as background limits are described via the inactive limit slots.
3524 *
3525 * That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in,
3526 * we attempt to mimic previous behavior by forcing the BG limit data into the
3527 * inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode.
3528 */
3529
3530 if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) {
3531 memorystatus_update(p, px_sa.psa_priority, 0, FALSE, /* assertion priority */
3532 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
3533 TRUE,
3534 -1, TRUE,
3535 px_sa.psa_memlimit_inactive, FALSE);
3536 } else {
3537 memorystatus_update(p, px_sa.psa_priority, 0, FALSE, /* assertion priority */
3538 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
3539 TRUE,
3540 px_sa.psa_memlimit_active,
3541 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL),
3542 px_sa.psa_memlimit_inactive,
3543 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL));
3544 }
3545 }
3546
3547 /* Has jetsam relaunch behavior? */
3548 if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_MASK)) {
3549 /*
3550 * Launchd has passed in data indicating the behavior of this process in response to jetsam.
3551 * This data would be used by the jetsam subsystem to determine the position and protection
3552 * offered to this process on dirty -> clean transitions.
3553 */
3554 int relaunch_flags = P_MEMSTAT_RELAUNCH_UNKNOWN;
3555 switch (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_MASK) {
3556 case POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_LOW:
3557 relaunch_flags = P_MEMSTAT_RELAUNCH_LOW;
3558 break;
3559 case POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_MED:
3560 relaunch_flags = P_MEMSTAT_RELAUNCH_MED;
3561 break;
3562 case POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_HIGH:
3563 relaunch_flags = P_MEMSTAT_RELAUNCH_HIGH;
3564 break;
3565 default:
3566 break;
3567 }
3568 memorystatus_relaunch_flags_update(p, relaunch_flags);
3569 }
3570
3571 #endif /* CONFIG_MEMORYSTATUS */
3572 if (imgp->ip_px_sa != NULL && px_sa.psa_thread_limit > 0) {
3573 task_set_thread_limit(new_task, (uint16_t)px_sa.psa_thread_limit);
3574 }
3575 }
3576
3577 /*
3578 * If we successfully called fork1(), we always need to do this;
3579 * we identify this case by noting the IMGPF_SPAWN flag. This is
3580 * because we come back from that call with signals blocked in the
3581 * child, and we have to unblock them, but we want to wait until
3582 * after we've performed any spawn actions. This has to happen
3583 * before check_for_signature(), which uses psignal.
3584 */
3585 if (spawn_no_exec) {
3586 if (proc_transit_set) {
3587 proc_transend(p, 0);
3588 }
3589
3590 /*
3591 * Drop the signal lock on the child which was taken on our
3592 * behalf by forkproc()/cloneproc() to prevent signals being
3593 * received by the child in a partially constructed state.
3594 */
3595 proc_signalend(p, 0);
3596
3597 /* flag the 'fork' has occurred */
3598 proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
3599 }
3600
3601 /* flag exec has occurred, notify only if it has not failed due to FP Key error */
3602 if (!error && ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)) {
3603 proc_knote(p, NOTE_EXEC);
3604 }
3605
3606
3607 if (error == 0) {
3608 /*
3609 * We need to initialize the bank context behind the protection of
3610 * the proc_trans lock to prevent a race with exit. We can't do this during
3611 * exec_activate_image because task_bank_init checks entitlements that
3612 * aren't loaded until subsequent calls (including exec_resettextvp).
3613 */
3614 error = proc_transstart(p, 0, 0);
3615
3616 if (error == 0) {
3617 task_bank_init(new_task);
3618 proc_transend(p, 0);
3619 }
3620
3621 #if __arm64__
3622 proc_legacy_footprint_entitled(p, new_task, __FUNCTION__);
3623 proc_ios13extended_footprint_entitled(p, new_task, __FUNCTION__);
3624 #endif /* __arm64__ */
3625 }
3626
3627 /* Inherit task role from old task to new task for exec */
3628 if (error == 0 && !spawn_no_exec) {
3629 proc_inherit_task_role(new_task, old_task);
3630 }
3631
3632 #if CONFIG_ARCADE
3633 if (error == 0) {
3634 /*
3635 * Check to see if we need to trigger an arcade upcall AST now
3636 * that the vnode has been reset on the task.
3637 */
3638 arcade_prepare(new_task, imgp->ip_new_thread);
3639 }
3640 #endif /* CONFIG_ARCADE */
3641
3642 /* Clear the initial wait on the thread before handling spawn policy */
3643 if (imgp && imgp->ip_new_thread) {
3644 task_clear_return_wait(get_threadtask(imgp->ip_new_thread), TCRW_CLEAR_INITIAL_WAIT);
3645 }
3646
3647 /*
3648 * Apply the spawnattr policy, apptype (which primes the task for importance donation),
3649 * and bind any portwatch ports to the new task.
3650 * This must be done after the exec so that the child's thread is ready,
3651 * and after the in transit state has been released, because priority is
3652 * dropped here so we need to be prepared for a potentially long preemption interval
3653 *
3654 * TODO: Consider splitting this up into separate phases
3655 */
3656 if (error == 0 && imgp->ip_px_sa != NULL) {
3657 struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
3658
3659 error = exec_handle_spawnattr_policy(p, imgp->ip_new_thread, psa->psa_apptype, psa->psa_qos_clamp,
3660 psa->psa_darwin_role, &port_actions);
3661 }
3662
3663 /* Transfer the turnstile watchport boost to new task if in exec */
3664 if (error == 0 && !spawn_no_exec) {
3665 task_transfer_turnstile_watchports(old_task, new_task, imgp->ip_new_thread);
3666 }
3667
3668 /*
3669 * Apply the requested maximum address.
3670 */
3671 if (error == 0 && imgp->ip_px_sa != NULL) {
3672 struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
3673
3674 if (psa->psa_max_addr) {
3675 vm_map_set_max_addr(get_task_map(new_task), psa->psa_max_addr);
3676 }
3677 }
3678
3679 if (error == 0) {
3680 /* Apply the main thread qos */
3681 thread_t main_thread = imgp->ip_new_thread;
3682 task_set_main_thread_qos(new_task, main_thread);
3683
3684 #if CONFIG_MACF
3685 /*
3686 * Processes with the MAP_JIT entitlement are permitted to have
3687 * a jumbo-size map.
3688 */
3689 if (mac_proc_check_map_anon(p, 0, 0, 0, MAP_JIT, NULL) == 0) {
3690 vm_map_set_jumbo(get_task_map(new_task));
3691 vm_map_set_jit_entitled(get_task_map(new_task));
3692 }
3693 #endif /* CONFIG_MACF */
3694 }
3695
3696 /*
3697 * Release any ports we kept around for binding to the new task
3698 * We need to release the rights even if the posix_spawn has failed.
3699 */
3700 if (imgp->ip_px_spa != NULL) {
3701 exec_port_actions_destroy(&port_actions);
3702 }
3703
3704 /*
3705 * We have to delay operations which might throw a signal until after
3706 * the signals have been unblocked; however, we want that to happen
3707 * after exec_resettextvp() so that the textvp is correct when they
3708 * fire.
3709 */
3710 if (error == 0) {
3711 error = check_for_signature(p, imgp);
3712
3713 /*
3714 * Pay for our earlier safety; deliver the delayed signals from
3715 * the incomplete spawn process now that it's complete.
3716 */
3717 if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
3718 psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
3719 }
3720
3721 if (error == 0 && !spawn_no_exec) {
3722 KDBG(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXEC),
3723 p->p_pid);
3724 }
3725 }
3726
3727
3728 if (imgp != NULL) {
3729 if (imgp->ip_vp) {
3730 vnode_put(imgp->ip_vp);
3731 }
3732 if (imgp->ip_scriptvp) {
3733 vnode_put(imgp->ip_scriptvp);
3734 }
3735 if (imgp->ip_strings) {
3736 execargs_free(imgp);
3737 }
3738 if (imgp->ip_px_sfa != NULL) {
3739 FREE(imgp->ip_px_sfa, M_TEMP);
3740 }
3741 if (imgp->ip_px_spa != NULL) {
3742 FREE(imgp->ip_px_spa, M_TEMP);
3743 }
3744 #if CONFIG_PERSONAS
3745 if (imgp->ip_px_persona != NULL) {
3746 FREE(imgp->ip_px_persona, M_TEMP);
3747 }
3748 #endif
3749 if (imgp->ip_px_pcred_info != NULL) {
3750 FREE(imgp->ip_px_pcred_info, M_TEMP);
3751 }
3752 #if CONFIG_MACF
3753 if (imgp->ip_px_smpx != NULL) {
3754 spawn_free_macpolicyinfo(imgp->ip_px_smpx);
3755 }
3756 if (imgp->ip_execlabelp) {
3757 mac_cred_label_free(imgp->ip_execlabelp);
3758 }
3759 if (imgp->ip_scriptlabelp) {
3760 mac_vnode_label_free(imgp->ip_scriptlabelp);
3761 }
3762 if (imgp->ip_cs_error != OS_REASON_NULL) {
3763 os_reason_free(imgp->ip_cs_error);
3764 imgp->ip_cs_error = OS_REASON_NULL;
3765 }
3766 #endif
3767 if (imgp->ip_sc_port != NULL) {
3768 ipc_port_release_send(imgp->ip_sc_port);
3769 imgp->ip_sc_port = NULL;
3770 }
3771 }
3772
3773 #if CONFIG_DTRACE
3774 if (spawn_no_exec) {
3775 /*
3776 * In the original DTrace reference implementation,
3777 * posix_spawn() was a libc routine that just
3778 * did vfork(2) then exec(2). Thus the proc::: probes
3779 * are very fork/exec oriented. The details of this
3780 * in-kernel implementation of posix_spawn() is different
3781 * (while producing the same process-observable effects)
3782 * particularly w.r.t. errors, and which thread/process
3783 * is constructing what on behalf of whom.
3784 */
3785 if (error) {
3786 DTRACE_PROC1(spawn__failure, int, error);
3787 } else {
3788 DTRACE_PROC(spawn__success);
3789 /*
3790 * Some DTrace scripts, e.g. newproc.d in
3791 * /usr/bin, rely on the the 'exec-success'
3792 * probe being fired in the child after the
3793 * new process image has been constructed
3794 * in order to determine the associated pid.
3795 *
3796 * So, even though the parent built the image
3797 * here, for compatibility, mark the new thread
3798 * so 'exec-success' fires on it as it leaves
3799 * the kernel.
3800 */
3801 dtrace_thread_didexec(imgp->ip_new_thread);
3802 }
3803 } else {
3804 if (error) {
3805 DTRACE_PROC1(exec__failure, int, error);
3806 } else {
3807 dtrace_thread_didexec(imgp->ip_new_thread);
3808 }
3809 }
3810
3811 if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) {
3812 (*dtrace_proc_waitfor_hook)(p);
3813 }
3814 #endif
3815
3816 #if CONFIG_AUDIT
3817 if (!error && AUDIT_ENABLED() && p) {
3818 /* Add the CDHash of the new process to the audit record */
3819 uint8_t *cdhash = cs_get_cdhash(p);
3820 if (cdhash) {
3821 AUDIT_ARG(data, cdhash, sizeof(uint8_t), CS_CDHASH_LEN);
3822 }
3823 }
3824 #endif
3825
3826 /*
3827 * clear bsd_info from old task if it did exec.
3828 */
3829 if (task_did_exec(old_task)) {
3830 set_bsdtask_info(old_task, NULL);
3831 }
3832
3833 /* clear bsd_info from new task and terminate it if exec failed */
3834 if (new_task != NULL && task_is_exec_copy(new_task)) {
3835 set_bsdtask_info(new_task, NULL);
3836 task_terminate_internal(new_task);
3837 }
3838
3839 /* Return to both the parent and the child? */
3840 if (imgp != NULL && spawn_no_exec) {
3841 /*
3842 * If the parent wants the pid, copy it out
3843 */
3844 if (pid != USER_ADDR_NULL) {
3845 _Static_assert(sizeof(p->p_pid) == 4, "posix_spawn() assumes a 32-bit pid_t");
3846 bool aligned = (pid & 3) == 0;
3847 if (aligned) {
3848 (void)copyout_atomic32(p->p_pid, pid);
3849 } else {
3850 (void)suword(pid, p->p_pid);
3851 }
3852 }
3853 retval[0] = error;
3854
3855 /*
3856 * If we had an error, perform an internal reap ; this is
3857 * entirely safe, as we have a real process backing us.
3858 */
3859 if (error) {
3860 proc_list_lock();
3861 p->p_listflag |= P_LIST_DEADPARENT;
3862 proc_list_unlock();
3863 proc_lock(p);
3864 /* make sure no one else has killed it off... */
3865 if (p->p_stat != SZOMB && p->exit_thread == NULL) {
3866 p->exit_thread = current_thread();
3867 proc_unlock(p);
3868 exit1(p, 1, (int *)NULL);
3869 } else {
3870 /* someone is doing it for us; just skip it */
3871 proc_unlock(p);
3872 }
3873 }
3874 }
3875
3876 /*
3877 * Do not terminate the current task, if proc_exec_switch_task did not
3878 * switch the tasks, terminating the current task without the switch would
3879 * result in loosing the SIGKILL status.
3880 */
3881 if (task_did_exec(old_task)) {
3882 /* Terminate the current task, since exec will start in new task */
3883 task_terminate_internal(old_task);
3884 }
3885
3886 /* Release the thread ref returned by fork_create_child/fork1 */
3887 if (imgp != NULL && imgp->ip_new_thread) {
3888 /* wake up the new thread */
3889 task_clear_return_wait(get_threadtask(imgp->ip_new_thread), TCRW_CLEAR_FINAL_WAIT);
3890 thread_deallocate(imgp->ip_new_thread);
3891 imgp->ip_new_thread = NULL;
3892 }
3893
3894 /* Release the ref returned by fork_create_child/fork1 */
3895 if (new_task) {
3896 task_deallocate(new_task);
3897 new_task = NULL;
3898 }
3899
3900 if (should_release_proc_ref) {
3901 proc_rele(p);
3902 }
3903
3904 if (bufp != NULL) {
3905 FREE(bufp, M_TEMP);
3906 }
3907
3908 if (inherit != NULL) {
3909 ipc_importance_release(inherit);
3910 }
3911
3912 return error;
3913 }
3914
3915 /*
3916 * proc_exec_switch_task
3917 *
3918 * Parameters: p proc
3919 * old_task task before exec
3920 * new_task task after exec
3921 * new_thread thread in new task
3922 *
3923 * Returns: proc.
3924 *
3925 * Note: The function will switch the task pointer of proc
3926 * from old task to new task. The switch needs to happen
3927 * after draining all proc refs and inside a proc translock.
3928 * In the case of failure to switch the task, which might happen
3929 * if the process received a SIGKILL or jetsam killed it, it will make
3930 * sure that the new tasks terminates. User proc ref returned
3931 * to caller.
3932 *
3933 * This function is called after point of no return, in the case
3934 * failure to switch, it will terminate the new task and swallow the
3935 * error and let the terminated process complete exec and die.
3936 */
3937 proc_t
3938 proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread)
3939 {
3940 int error = 0;
3941 boolean_t task_active;
3942 boolean_t proc_active;
3943 boolean_t thread_active;
3944 thread_t old_thread = current_thread();
3945
3946 /*
3947 * Switch the task pointer of proc to new task.
3948 * Before switching the task, wait for proc_refdrain.
3949 * After the switch happens, the proc can disappear,
3950 * take a ref before it disappears. Waiting for
3951 * proc_refdrain in exec will block all other threads
3952 * trying to take a proc ref, boost the current thread
3953 * to avoid priority inversion.
3954 */
3955 thread_set_exec_promotion(old_thread);
3956 p = proc_refdrain_with_refwait(p, TRUE);
3957 /* extra proc ref returned to the caller */
3958
3959 assert(get_threadtask(new_thread) == new_task);
3960 task_active = task_is_active(new_task);
3961
3962 /* Take the proc_translock to change the task ptr */
3963 proc_lock(p);
3964 proc_active = !(p->p_lflag & P_LEXIT);
3965
3966 /* Check if the current thread is not aborted due to SIGKILL */
3967 thread_active = thread_is_active(old_thread);
3968
3969 /*
3970 * Do not switch the task if the new task or proc is already terminated
3971 * as a result of error in exec past point of no return
3972 */
3973 if (proc_active && task_active && thread_active) {
3974 error = proc_transstart(p, 1, 0);
3975 if (error == 0) {
3976 uthread_t new_uthread = get_bsdthread_info(new_thread);
3977 uthread_t old_uthread = get_bsdthread_info(current_thread());
3978
3979 /*
3980 * bsd_info of old_task will get cleared in execve and posix_spawn
3981 * after firing exec-success/error dtrace probe.
3982 */
3983 p->task = new_task;
3984
3985 /* Clear dispatchqueue and workloop ast offset */
3986 p->p_dispatchqueue_offset = 0;
3987 p->p_dispatchqueue_serialno_offset = 0;
3988 p->p_dispatchqueue_label_offset = 0;
3989 p->p_return_to_kernel_offset = 0;
3990
3991 /* Copy the signal state, dtrace state and set bsd ast on new thread */
3992 act_set_astbsd(new_thread);
3993 new_uthread->uu_siglist = old_uthread->uu_siglist;
3994 new_uthread->uu_sigwait = old_uthread->uu_sigwait;
3995 new_uthread->uu_sigmask = old_uthread->uu_sigmask;
3996 new_uthread->uu_oldmask = old_uthread->uu_oldmask;
3997 new_uthread->uu_vforkmask = old_uthread->uu_vforkmask;
3998 new_uthread->uu_exit_reason = old_uthread->uu_exit_reason;
3999 #if CONFIG_DTRACE
4000 new_uthread->t_dtrace_sig = old_uthread->t_dtrace_sig;
4001 new_uthread->t_dtrace_stop = old_uthread->t_dtrace_stop;
4002 new_uthread->t_dtrace_resumepid = old_uthread->t_dtrace_resumepid;
4003 assert(new_uthread->t_dtrace_scratch == NULL);
4004 new_uthread->t_dtrace_scratch = old_uthread->t_dtrace_scratch;
4005
4006 old_uthread->t_dtrace_sig = 0;
4007 old_uthread->t_dtrace_stop = 0;
4008 old_uthread->t_dtrace_resumepid = 0;
4009 old_uthread->t_dtrace_scratch = NULL;
4010 #endif
4011 /* Copy the resource accounting info */
4012 thread_copy_resource_info(new_thread, current_thread());
4013
4014 /* Clear the exit reason and signal state on old thread */
4015 old_uthread->uu_exit_reason = NULL;
4016 old_uthread->uu_siglist = 0;
4017
4018 /* Add the new uthread to proc uthlist and remove the old one */
4019 TAILQ_INSERT_TAIL(&p->p_uthlist, new_uthread, uu_list);
4020 TAILQ_REMOVE(&p->p_uthlist, old_uthread, uu_list);
4021
4022 task_set_did_exec_flag(old_task);
4023 task_clear_exec_copy_flag(new_task);
4024
4025 task_copy_fields_for_exec(new_task, old_task);
4026
4027 proc_transend(p, 1);
4028 }
4029 }
4030
4031 proc_unlock(p);
4032 proc_refwake(p);
4033 thread_clear_exec_promotion(old_thread);
4034
4035 if (error != 0 || !task_active || !proc_active || !thread_active) {
4036 task_terminate_internal(new_task);
4037 }
4038
4039 return p;
4040 }
4041
4042 /*
4043 * execve
4044 *
4045 * Parameters: uap->fname File name to exec
4046 * uap->argp Argument list
4047 * uap->envp Environment list
4048 *
4049 * Returns: 0 Success
4050 * __mac_execve:EINVAL Invalid argument
4051 * __mac_execve:ENOTSUP Invalid argument
4052 * __mac_execve:EACCES Permission denied
4053 * __mac_execve:EINTR Interrupted function
4054 * __mac_execve:ENOMEM Not enough space
4055 * __mac_execve:EFAULT Bad address
4056 * __mac_execve:ENAMETOOLONG Filename too long
4057 * __mac_execve:ENOEXEC Executable file format error
4058 * __mac_execve:ETXTBSY Text file busy [misuse of error code]
4059 * __mac_execve:???
4060 *
4061 * TODO: Dynamic linker header address on stack is copied via suword()
4062 */
4063 /* ARGSUSED */
4064 int
4065 execve(proc_t p, struct execve_args *uap, int32_t *retval)
4066 {
4067 struct __mac_execve_args muap;
4068 int err;
4069
4070 memoryshot(VM_EXECVE, DBG_FUNC_NONE);
4071
4072 muap.fname = uap->fname;
4073 muap.argp = uap->argp;
4074 muap.envp = uap->envp;
4075 muap.mac_p = USER_ADDR_NULL;
4076 err = __mac_execve(p, &muap, retval);
4077
4078 return err;
4079 }
4080
4081 /*
4082 * __mac_execve
4083 *
4084 * Parameters: uap->fname File name to exec
4085 * uap->argp Argument list
4086 * uap->envp Environment list
4087 * uap->mac_p MAC label supplied by caller
4088 *
4089 * Returns: 0 Success
4090 * EINVAL Invalid argument
4091 * ENOTSUP Not supported
4092 * ENOEXEC Executable file format error
4093 * exec_activate_image:EINVAL Invalid argument
4094 * exec_activate_image:EACCES Permission denied
4095 * exec_activate_image:EINTR Interrupted function
4096 * exec_activate_image:ENOMEM Not enough space
4097 * exec_activate_image:EFAULT Bad address
4098 * exec_activate_image:ENAMETOOLONG Filename too long
4099 * exec_activate_image:ENOEXEC Executable file format error
4100 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
4101 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
4102 * exec_activate_image:???
4103 * mac_execve_enter:???
4104 *
4105 * TODO: Dynamic linker header address on stack is copied via suword()
4106 */
4107 int
4108 __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
4109 {
4110 char *bufp = NULL;
4111 struct image_params *imgp;
4112 struct vnode_attr *vap;
4113 struct vnode_attr *origvap;
4114 int error;
4115 int is_64 = IS_64BIT_PROCESS(p);
4116 struct vfs_context context;
4117 struct uthread *uthread;
4118 task_t old_task = current_task();
4119 task_t new_task = NULL;
4120 boolean_t should_release_proc_ref = FALSE;
4121 boolean_t exec_done = FALSE;
4122 boolean_t in_vfexec = FALSE;
4123 void *inherit = NULL;
4124
4125 context.vc_thread = current_thread();
4126 context.vc_ucred = kauth_cred_proc_ref(p); /* XXX must NOT be kauth_cred_get() */
4127
4128 /* Allocate a big chunk for locals instead of using stack since these
4129 * structures a pretty big.
4130 */
4131 MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
4132 imgp = (struct image_params *) bufp;
4133 if (bufp == NULL) {
4134 error = ENOMEM;
4135 goto exit_with_error;
4136 }
4137 vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
4138 origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
4139
4140 /* Initialize the common data in the image_params structure */
4141 imgp->ip_user_fname = uap->fname;
4142 imgp->ip_user_argv = uap->argp;
4143 imgp->ip_user_envv = uap->envp;
4144 imgp->ip_vattr = vap;
4145 imgp->ip_origvattr = origvap;
4146 imgp->ip_vfs_context = &context;
4147 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
4148 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
4149 imgp->ip_mac_return = 0;
4150 imgp->ip_cs_error = OS_REASON_NULL;
4151 imgp->ip_simulator_binary = IMGPF_SB_DEFAULT;
4152
4153 #if CONFIG_MACF
4154 if (uap->mac_p != USER_ADDR_NULL) {
4155 error = mac_execve_enter(uap->mac_p, imgp);
4156 if (error) {
4157 kauth_cred_unref(&context.vc_ucred);
4158 goto exit_with_error;
4159 }
4160 }
4161 #endif
4162 uthread = get_bsdthread_info(current_thread());
4163 if (uthread->uu_flag & UT_VFORK) {
4164 imgp->ip_flags |= IMGPF_VFORK_EXEC;
4165 in_vfexec = TRUE;
4166 } else {
4167 imgp->ip_flags |= IMGPF_EXEC;
4168
4169 /*
4170 * For execve case, create a new task and thread
4171 * which points to current_proc. The current_proc will point
4172 * to the new task after image activation and proc ref drain.
4173 *
4174 * proc (current_proc) <----- old_task (current_task)
4175 * ^ | ^
4176 * | | |
4177 * | ----------------------------------
4178 * |
4179 * --------- new_task (task marked as TF_EXEC_COPY)
4180 *
4181 * After image activation, the proc will point to the new task
4182 * and would look like following.
4183 *
4184 * proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
4185 * ^ |
4186 * | |
4187 * | ----------> new_task
4188 * | |
4189 * -----------------
4190 *
4191 * During exec any transition from new_task -> proc is fine, but don't allow
4192 * transition from proc->task, since it will modify old_task.
4193 */
4194 imgp->ip_new_thread = fork_create_child(old_task,
4195 NULL,
4196 p,
4197 FALSE,
4198 p->p_flag & P_LP64,
4199 task_get_64bit_data(old_task),
4200 TRUE);
4201 /* task and thread ref returned by fork_create_child */
4202 if (imgp->ip_new_thread == NULL) {
4203 error = ENOMEM;
4204 goto exit_with_error;
4205 }
4206
4207 new_task = get_threadtask(imgp->ip_new_thread);
4208 context.vc_thread = imgp->ip_new_thread;
4209 }
4210
4211 error = exec_activate_image(imgp);
4212 /* thread and task ref returned for vfexec case */
4213
4214 if (imgp->ip_new_thread != NULL) {
4215 /*
4216 * task reference might be returned by exec_activate_image
4217 * for vfexec.
4218 */
4219 new_task = get_threadtask(imgp->ip_new_thread);
4220 #if defined(HAS_APPLE_PAC)
4221 ml_task_set_disable_user_jop(new_task, imgp->ip_flags & IMGPF_NOJOP ? TRUE : FALSE);
4222 ml_thread_set_disable_user_jop(imgp->ip_new_thread, imgp->ip_flags & IMGPF_NOJOP ? TRUE : FALSE);
4223 #endif
4224 }
4225
4226 if (!error && !in_vfexec) {
4227 p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
4228 /* proc ref returned */
4229 should_release_proc_ref = TRUE;
4230
4231 /*
4232 * Need to transfer pending watch port boosts to the new task while still making
4233 * sure that the old task remains in the importance linkage. Create an importance
4234 * linkage from old task to new task, then switch the task importance base
4235 * of old task and new task. After the switch the port watch boost will be
4236 * boosting the new task and new task will be donating importance to old task.
4237 */
4238 inherit = ipc_importance_exec_switch_task(old_task, new_task);
4239 }
4240
4241 kauth_cred_unref(&context.vc_ucred);
4242
4243 /* Image not claimed by any activator? */
4244 if (error == -1) {
4245 error = ENOEXEC;
4246 }
4247
4248 if (!error) {
4249 exec_done = TRUE;
4250 assert(imgp->ip_new_thread != NULL);
4251
4252 exec_resettextvp(p, imgp);
4253 error = check_for_signature(p, imgp);
4254 }
4255
4256 /* flag exec has occurred, notify only if it has not failed due to FP Key error */
4257 if (exec_done && ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)) {
4258 proc_knote(p, NOTE_EXEC);
4259 }
4260
4261 if (imgp->ip_vp != NULLVP) {
4262 vnode_put(imgp->ip_vp);
4263 }
4264 if (imgp->ip_scriptvp != NULLVP) {
4265 vnode_put(imgp->ip_scriptvp);
4266 }
4267 if (imgp->ip_strings) {
4268 execargs_free(imgp);
4269 }
4270 #if CONFIG_MACF
4271 if (imgp->ip_execlabelp) {
4272 mac_cred_label_free(imgp->ip_execlabelp);
4273 }
4274 if (imgp->ip_scriptlabelp) {
4275 mac_vnode_label_free(imgp->ip_scriptlabelp);
4276 }
4277 #endif
4278 if (imgp->ip_cs_error != OS_REASON_NULL) {
4279 os_reason_free(imgp->ip_cs_error);
4280 imgp->ip_cs_error = OS_REASON_NULL;
4281 }
4282
4283 if (!error) {
4284 /*
4285 * We need to initialize the bank context behind the protection of
4286 * the proc_trans lock to prevent a race with exit. We can't do this during
4287 * exec_activate_image because task_bank_init checks entitlements that
4288 * aren't loaded until subsequent calls (including exec_resettextvp).
4289 */
4290 error = proc_transstart(p, 0, 0);
4291 }
4292
4293 if (!error) {
4294 task_bank_init(new_task);
4295 proc_transend(p, 0);
4296
4297 #if __arm64__
4298 proc_legacy_footprint_entitled(p, new_task, __FUNCTION__);
4299 proc_ios13extended_footprint_entitled(p, new_task, __FUNCTION__);
4300 #endif /* __arm64__ */
4301
4302 /* Sever any extant thread affinity */
4303 thread_affinity_exec(current_thread());
4304
4305 /* Inherit task role from old task to new task for exec */
4306 if (!in_vfexec) {
4307 proc_inherit_task_role(new_task, old_task);
4308 }
4309
4310 thread_t main_thread = imgp->ip_new_thread;
4311
4312 task_set_main_thread_qos(new_task, main_thread);
4313
4314 #if CONFIG_ARCADE
4315 /*
4316 * Check to see if we need to trigger an arcade upcall AST now
4317 * that the vnode has been reset on the task.
4318 */
4319 arcade_prepare(new_task, imgp->ip_new_thread);
4320 #endif /* CONFIG_ARCADE */
4321
4322 #if CONFIG_MACF
4323 /*
4324 * Processes with the MAP_JIT entitlement are permitted to have
4325 * a jumbo-size map.
4326 */
4327 if (mac_proc_check_map_anon(p, 0, 0, 0, MAP_JIT, NULL) == 0) {
4328 vm_map_set_jumbo(get_task_map(new_task));
4329 vm_map_set_jit_entitled(get_task_map(new_task));
4330 }
4331 #endif /* CONFIG_MACF */
4332
4333 if (vm_darkwake_mode == TRUE) {
4334 /*
4335 * This process is being launched when the system
4336 * is in darkwake. So mark it specially. This will
4337 * cause all its pages to be entered in the background Q.
4338 */
4339 task_set_darkwake_mode(new_task, vm_darkwake_mode);
4340 }
4341
4342 #if CONFIG_DTRACE
4343 dtrace_thread_didexec(imgp->ip_new_thread);
4344
4345 if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) {
4346 (*dtrace_proc_waitfor_hook)(p);
4347 }
4348 #endif
4349
4350 #if CONFIG_AUDIT
4351 if (!error && AUDIT_ENABLED() && p) {
4352 /* Add the CDHash of the new process to the audit record */
4353 uint8_t *cdhash = cs_get_cdhash(p);
4354 if (cdhash) {
4355 AUDIT_ARG(data, cdhash, sizeof(uint8_t), CS_CDHASH_LEN);
4356 }
4357 }
4358 #endif
4359
4360 if (in_vfexec) {
4361 vfork_return(p, retval, p->p_pid);
4362 }
4363 } else {
4364 DTRACE_PROC1(exec__failure, int, error);
4365 }
4366
4367 exit_with_error:
4368
4369 /*
4370 * clear bsd_info from old task if it did exec.
4371 */
4372 if (task_did_exec(old_task)) {
4373 set_bsdtask_info(old_task, NULL);
4374 }
4375
4376 /* clear bsd_info from new task and terminate it if exec failed */
4377 if (new_task != NULL && task_is_exec_copy(new_task)) {
4378 set_bsdtask_info(new_task, NULL);
4379 task_terminate_internal(new_task);
4380 }
4381
4382 if (imgp != NULL) {
4383 /* Clear the initial wait on the thread transferring watchports */
4384 if (imgp->ip_new_thread) {
4385 task_clear_return_wait(get_threadtask(imgp->ip_new_thread), TCRW_CLEAR_INITIAL_WAIT);
4386 }
4387
4388 /* Transfer the watchport boost to new task */
4389 if (!error && !in_vfexec) {
4390 task_transfer_turnstile_watchports(old_task,
4391 new_task, imgp->ip_new_thread);
4392 }
4393 /*
4394 * Do not terminate the current task, if proc_exec_switch_task did not
4395 * switch the tasks, terminating the current task without the switch would
4396 * result in loosing the SIGKILL status.
4397 */
4398 if (task_did_exec(old_task)) {
4399 /* Terminate the current task, since exec will start in new task */
4400 task_terminate_internal(old_task);
4401 }
4402
4403 /* Release the thread ref returned by fork_create_child */
4404 if (imgp->ip_new_thread) {
4405 /* wake up the new exec thread */
4406 task_clear_return_wait(get_threadtask(imgp->ip_new_thread), TCRW_CLEAR_FINAL_WAIT);
4407 thread_deallocate(imgp->ip_new_thread);
4408 imgp->ip_new_thread = NULL;
4409 }
4410 }
4411
4412 /* Release the ref returned by fork_create_child */
4413 if (new_task) {
4414 task_deallocate(new_task);
4415 new_task = NULL;
4416 }
4417
4418 if (should_release_proc_ref) {
4419 proc_rele(p);
4420 }
4421
4422 if (bufp != NULL) {
4423 FREE(bufp, M_TEMP);
4424 }
4425
4426 if (inherit != NULL) {
4427 ipc_importance_release(inherit);
4428 }
4429
4430 return error;
4431 }
4432
4433
4434 /*
4435 * copyinptr
4436 *
4437 * Description: Copy a pointer in from user space to a user_addr_t in kernel
4438 * space, based on 32/64 bitness of the user space
4439 *
4440 * Parameters: froma User space address
4441 * toptr Address of kernel space user_addr_t
4442 * ptr_size 4/8, based on 'froma' address space
4443 *
4444 * Returns: 0 Success
4445 * EFAULT Bad 'froma'
4446 *
4447 * Implicit returns:
4448 * *ptr_size Modified
4449 */
4450 static int
4451 copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
4452 {
4453 int error;
4454
4455 if (ptr_size == 4) {
4456 /* 64 bit value containing 32 bit address */
4457 unsigned int i = 0;
4458
4459 error = copyin(froma, &i, 4);
4460 *toptr = CAST_USER_ADDR_T(i); /* SAFE */
4461 } else {
4462 error = copyin(froma, toptr, 8);
4463 }
4464 return error;
4465 }
4466
4467
4468 /*
4469 * copyoutptr
4470 *
4471 * Description: Copy a pointer out from a user_addr_t in kernel space to
4472 * user space, based on 32/64 bitness of the user space
4473 *
4474 * Parameters: ua User space address to copy to
4475 * ptr Address of kernel space user_addr_t
4476 * ptr_size 4/8, based on 'ua' address space
4477 *
4478 * Returns: 0 Success
4479 * EFAULT Bad 'ua'
4480 *
4481 */
4482 static int
4483 copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
4484 {
4485 int error;
4486
4487 if (ptr_size == 4) {
4488 /* 64 bit value containing 32 bit address */
4489 unsigned int i = CAST_DOWN_EXPLICIT(unsigned int, ua); /* SAFE */
4490
4491 error = copyout(&i, ptr, 4);
4492 } else {
4493 error = copyout(&ua, ptr, 8);
4494 }
4495 return error;
4496 }
4497
4498
4499 /*
4500 * exec_copyout_strings
4501 *
4502 * Copy out the strings segment to user space. The strings segment is put
4503 * on a preinitialized stack frame.
4504 *
4505 * Parameters: struct image_params * the image parameter block
4506 * int * a pointer to the stack offset variable
4507 *
4508 * Returns: 0 Success
4509 * !0 Faiure: errno
4510 *
4511 * Implicit returns:
4512 * (*stackp) The stack offset, modified
4513 *
4514 * Note: The strings segment layout is backward, from the beginning
4515 * of the top of the stack to consume the minimal amount of
4516 * space possible; the returned stack pointer points to the
4517 * end of the area consumed (stacks grow downward).
4518 *
4519 * argc is an int; arg[i] are pointers; env[i] are pointers;
4520 * the 0's are (void *)NULL's
4521 *
4522 * The stack frame layout is:
4523 *
4524 * +-------------+ <- p->user_stack
4525 * | 16b |
4526 * +-------------+
4527 * | STRING AREA |
4528 * | : |
4529 * | : |
4530 * | : |
4531 * +- -- -- -- --+
4532 * | PATH AREA |
4533 * +-------------+
4534 * | 0 |
4535 * +-------------+
4536 * | applev[n] |
4537 * +-------------+
4538 * :
4539 * :
4540 * +-------------+
4541 * | applev[1] |
4542 * +-------------+
4543 * | exec_path / |
4544 * | applev[0] |
4545 * +-------------+
4546 * | 0 |
4547 * +-------------+
4548 * | env[n] |
4549 * +-------------+
4550 * :
4551 * :
4552 * +-------------+
4553 * | env[0] |
4554 * +-------------+
4555 * | 0 |
4556 * +-------------+
4557 * | arg[argc-1] |
4558 * +-------------+
4559 * :
4560 * :
4561 * +-------------+
4562 * | arg[0] |
4563 * +-------------+
4564 * | argc |
4565 * sp-> +-------------+
4566 *
4567 * Although technically a part of the STRING AREA, we treat the PATH AREA as
4568 * a separate entity. This allows us to align the beginning of the PATH AREA
4569 * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
4570 * which preceed it on the stack are properly aligned.
4571 */
4572
4573 static int
4574 exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
4575 {
4576 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
4577 int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
4578 int ptr_area_size;
4579 void *ptr_buffer_start, *ptr_buffer;
4580 int string_size;
4581
4582 user_addr_t string_area; /* *argv[], *env[] */
4583 user_addr_t ptr_area; /* argv[], env[], applev[] */
4584 user_addr_t argc_area; /* argc */
4585 user_addr_t stack;
4586 int error;
4587
4588 unsigned i;
4589 struct copyout_desc {
4590 char *start_string;
4591 int count;
4592 #if CONFIG_DTRACE
4593 user_addr_t *dtrace_cookie;
4594 #endif
4595 boolean_t null_term;
4596 } descriptors[] = {
4597 {
4598 .start_string = imgp->ip_startargv,
4599 .count = imgp->ip_argc,
4600 #if CONFIG_DTRACE
4601 .dtrace_cookie = &p->p_dtrace_argv,
4602 #endif
4603 .null_term = TRUE
4604 },
4605 {
4606 .start_string = imgp->ip_endargv,
4607 .count = imgp->ip_envc,
4608 #if CONFIG_DTRACE
4609 .dtrace_cookie = &p->p_dtrace_envp,
4610 #endif
4611 .null_term = TRUE
4612 },
4613 {
4614 .start_string = imgp->ip_strings,
4615 .count = 1,
4616 #if CONFIG_DTRACE
4617 .dtrace_cookie = NULL,
4618 #endif
4619 .null_term = FALSE
4620 },
4621 {
4622 .start_string = imgp->ip_endenvv,
4623 .count = imgp->ip_applec - 1, /* exec_path handled above */
4624 #if CONFIG_DTRACE
4625 .dtrace_cookie = NULL,
4626 #endif
4627 .null_term = TRUE
4628 }
4629 };
4630
4631 stack = *stackp;
4632
4633 /*
4634 * All previous contributors to the string area
4635 * should have aligned their sub-area
4636 */
4637 if (imgp->ip_strspace % ptr_size != 0) {
4638 error = EINVAL;
4639 goto bad;
4640 }
4641
4642 /* Grow the stack down for the strings we've been building up */
4643 string_size = imgp->ip_strendp - imgp->ip_strings;
4644 stack -= string_size;
4645 string_area = stack;
4646
4647 /*
4648 * Need room for one pointer for each string, plus
4649 * one for the NULLs terminating the argv, envv, and apple areas.
4650 */
4651 ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + 3) * ptr_size;
4652 stack -= ptr_area_size;
4653 ptr_area = stack;
4654
4655 /* We'll construct all the pointer arrays in our string buffer,
4656 * which we already know is aligned properly, and ip_argspace
4657 * was used to verify we have enough space.
4658 */
4659 ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp;
4660
4661 /*
4662 * Need room for pointer-aligned argc slot.
4663 */
4664 stack -= ptr_size;
4665 argc_area = stack;
4666
4667 /*
4668 * Record the size of the arguments area so that sysctl_procargs()
4669 * can return the argument area without having to parse the arguments.
4670 */
4671 proc_lock(p);
4672 p->p_argc = imgp->ip_argc;
4673 p->p_argslen = (int)(*stackp - string_area);
4674 proc_unlock(p);
4675
4676 /* Return the initial stack address: the location of argc */
4677 *stackp = stack;
4678
4679 /*
4680 * Copy out the entire strings area.
4681 */
4682 error = copyout(imgp->ip_strings, string_area,
4683 string_size);
4684 if (error) {
4685 goto bad;
4686 }
4687
4688 for (i = 0; i < sizeof(descriptors) / sizeof(descriptors[0]); i++) {
4689 char *cur_string = descriptors[i].start_string;
4690 int j;
4691
4692 #if CONFIG_DTRACE
4693 if (descriptors[i].dtrace_cookie) {
4694 proc_lock(p);
4695 *descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience */
4696 proc_unlock(p);
4697 }
4698 #endif /* CONFIG_DTRACE */
4699
4700 /*
4701 * For each segment (argv, envv, applev), copy as many pointers as requested
4702 * to our pointer buffer.
4703 */
4704 for (j = 0; j < descriptors[i].count; j++) {
4705 user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings);
4706
4707 /* Copy out the pointer to the current string. Alignment has been verified */
4708 if (ptr_size == 8) {
4709 *(uint64_t *)ptr_buffer = (uint64_t)cur_address;
4710 } else {
4711 *(uint32_t *)ptr_buffer = (uint32_t)cur_address;
4712 }
4713
4714 ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
4715 cur_string += strlen(cur_string) + 1; /* Only a NUL between strings in the same area */
4716 }
4717
4718 if (descriptors[i].null_term) {
4719 if (ptr_size == 8) {
4720 *(uint64_t *)ptr_buffer = 0ULL;
4721 } else {
4722 *(uint32_t *)ptr_buffer = 0;
4723 }
4724
4725 ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
4726 }
4727 }
4728
4729 /*
4730 * Copy out all our pointer arrays in bulk.
4731 */
4732 error = copyout(ptr_buffer_start, ptr_area,
4733 ptr_area_size);
4734 if (error) {
4735 goto bad;
4736 }
4737
4738 /* argc (int32, stored in a ptr_size area) */
4739 error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size);
4740 if (error) {
4741 goto bad;
4742 }
4743
4744 bad:
4745 return error;
4746 }
4747
4748
4749 /*
4750 * exec_extract_strings
4751 *
4752 * Copy arguments and environment from user space into work area; we may
4753 * have already copied some early arguments into the work area, and if
4754 * so, any arguments opied in are appended to those already there.
4755 * This function is the primary manipulator of ip_argspace, since
4756 * these are the arguments the client of execve(2) knows about. After
4757 * each argv[]/envv[] string is copied, we charge the string length
4758 * and argv[]/envv[] pointer slot to ip_argspace, so that we can
4759 * full preflight the arg list size.
4760 *
4761 * Parameters: struct image_params * the image parameter block
4762 *
4763 * Returns: 0 Success
4764 * !0 Failure: errno
4765 *
4766 * Implicit returns;
4767 * (imgp->ip_argc) Count of arguments, updated
4768 * (imgp->ip_envc) Count of environment strings, updated
4769 * (imgp->ip_argspace) Count of remaining of NCARGS
4770 * (imgp->ip_interp_buffer) Interpreter and args (mutated in place)
4771 *
4772 *
4773 * Note: The argument and environment vectors are user space pointers
4774 * to arrays of user space pointers.
4775 */
4776 static int
4777 exec_extract_strings(struct image_params *imgp)
4778 {
4779 int error = 0;
4780 int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT_ADDR) ? 8 : 4;
4781 int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
4782 user_addr_t argv = imgp->ip_user_argv;
4783 user_addr_t envv = imgp->ip_user_envv;
4784
4785 /*
4786 * Adjust space reserved for the path name by however much padding it
4787 * needs. Doing this here since we didn't know if this would be a 32-
4788 * or 64-bit process back in exec_save_path.
4789 */
4790 while (imgp->ip_strspace % new_ptr_size != 0) {
4791 *imgp->ip_strendp++ = '\0';
4792 imgp->ip_strspace--;
4793 /* imgp->ip_argspace--; not counted towards exec args total */
4794 }
4795
4796 /*
4797 * From now on, we start attributing string space to ip_argspace
4798 */
4799 imgp->ip_startargv = imgp->ip_strendp;
4800 imgp->ip_argc = 0;
4801
4802 if ((imgp->ip_flags & IMGPF_INTERPRET) != 0) {
4803 user_addr_t arg;
4804 char *argstart, *ch;
4805
4806 /* First, the arguments in the "#!" string are tokenized and extracted. */
4807 argstart = imgp->ip_interp_buffer;
4808 while (argstart) {
4809 ch = argstart;
4810 while (*ch && !IS_WHITESPACE(*ch)) {
4811 ch++;
4812 }
4813
4814 if (*ch == '\0') {
4815 /* last argument, no need to NUL-terminate */
4816 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
4817 argstart = NULL;
4818 } else {
4819 /* NUL-terminate */
4820 *ch = '\0';
4821 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
4822
4823 /*
4824 * Find the next string. We know spaces at the end of the string have already
4825 * been stripped.
4826 */
4827 argstart = ch + 1;
4828 while (IS_WHITESPACE(*argstart)) {
4829 argstart++;
4830 }
4831 }
4832
4833 /* Error-check, regardless of whether this is the last interpreter arg or not */
4834 if (error) {
4835 goto bad;
4836 }
4837 if (imgp->ip_argspace < new_ptr_size) {
4838 error = E2BIG;
4839 goto bad;
4840 }
4841 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
4842 imgp->ip_argc++;
4843 }
4844
4845 if (argv != 0LL) {
4846 /*
4847 * If we are running an interpreter, replace the av[0] that was
4848 * passed to execve() with the path name that was
4849 * passed to execve() for interpreters which do not use the PATH
4850 * to locate their script arguments.
4851 */
4852 error = copyinptr(argv, &arg, ptr_size);
4853 if (error) {
4854 goto bad;
4855 }
4856 if (arg != 0LL) {
4857 argv += ptr_size; /* consume without using */
4858 }
4859 }
4860
4861 if (imgp->ip_interp_sugid_fd != -1) {
4862 char temp[19]; /* "/dev/fd/" + 10 digits + NUL */
4863 snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd);
4864 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE);
4865 } else {
4866 error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE);
4867 }
4868
4869 if (error) {
4870 goto bad;
4871 }
4872 if (imgp->ip_argspace < new_ptr_size) {
4873 error = E2BIG;
4874 goto bad;
4875 }
4876 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
4877 imgp->ip_argc++;
4878 }
4879
4880 while (argv != 0LL) {
4881 user_addr_t arg;
4882
4883 error = copyinptr(argv, &arg, ptr_size);
4884 if (error) {
4885 goto bad;
4886 }
4887
4888 if (arg == 0LL) {
4889 break;
4890 }
4891
4892 argv += ptr_size;
4893
4894 /*
4895 * av[n...] = arg[n]
4896 */
4897 error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE);
4898 if (error) {
4899 goto bad;
4900 }
4901 if (imgp->ip_argspace < new_ptr_size) {
4902 error = E2BIG;
4903 goto bad;
4904 }
4905 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
4906 imgp->ip_argc++;
4907 }
4908
4909 /* Save space for argv[] NULL terminator */
4910 if (imgp->ip_argspace < new_ptr_size) {
4911 error = E2BIG;
4912 goto bad;
4913 }
4914 imgp->ip_argspace -= new_ptr_size;
4915
4916 /* Note where the args ends and env begins. */
4917 imgp->ip_endargv = imgp->ip_strendp;
4918 imgp->ip_envc = 0;
4919
4920 /* Now, get the environment */
4921 while (envv != 0LL) {
4922 user_addr_t env;
4923
4924 error = copyinptr(envv, &env, ptr_size);
4925 if (error) {
4926 goto bad;
4927 }
4928
4929 envv += ptr_size;
4930 if (env == 0LL) {
4931 break;
4932 }
4933 /*
4934 * av[n...] = env[n]
4935 */
4936 error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE);
4937 if (error) {
4938 goto bad;
4939 }
4940 if (imgp->ip_argspace < new_ptr_size) {
4941 error = E2BIG;
4942 goto bad;
4943 }
4944 imgp->ip_argspace -= new_ptr_size; /* to hold envv[] entry */
4945 imgp->ip_envc++;
4946 }
4947
4948 /* Save space for envv[] NULL terminator */
4949 if (imgp->ip_argspace < new_ptr_size) {
4950 error = E2BIG;
4951 goto bad;
4952 }
4953 imgp->ip_argspace -= new_ptr_size;
4954
4955 /* Align the tail of the combined argv+envv area */
4956 while (imgp->ip_strspace % new_ptr_size != 0) {
4957 if (imgp->ip_argspace < 1) {
4958 error = E2BIG;
4959 goto bad;
4960 }
4961 *imgp->ip_strendp++ = '\0';
4962 imgp->ip_strspace--;
4963 imgp->ip_argspace--;
4964 }
4965
4966 /* Note where the envv ends and applev begins. */
4967 imgp->ip_endenvv = imgp->ip_strendp;
4968
4969 /*
4970 * From now on, we are no longer charging argument
4971 * space to ip_argspace.
4972 */
4973
4974 bad:
4975 return error;
4976 }
4977
4978 /*
4979 * Libc has an 8-element array set up for stack guard values. It only fills
4980 * in one of those entries, and both gcc and llvm seem to use only a single
4981 * 8-byte guard. Until somebody needs more than an 8-byte guard value, don't
4982 * do the work to construct them.
4983 */
4984 #define GUARD_VALUES 1
4985 #define GUARD_KEY "stack_guard="
4986
4987 /*
4988 * System malloc needs some entropy when it is initialized.
4989 */
4990 #define ENTROPY_VALUES 2
4991 #define ENTROPY_KEY "malloc_entropy="
4992
4993 /*
4994 * libplatform needs a random pointer-obfuscation value when it is initialized.
4995 */
4996 #define PTR_MUNGE_VALUES 1
4997 #define PTR_MUNGE_KEY "ptr_munge="
4998
4999 /*
5000 * System malloc engages nanozone for UIAPP.
5001 */
5002 #define NANO_ENGAGE_KEY "MallocNanoZone=1"
5003
5004 #define PFZ_KEY "pfz="
5005 extern user32_addr_t commpage_text32_location;
5006 extern user64_addr_t commpage_text64_location;
5007
5008 #define MAIN_STACK_VALUES 4
5009 #define MAIN_STACK_KEY "main_stack="
5010
5011 #define FSID_KEY "executable_file="
5012 #define DYLD_FSID_KEY "dyld_file="
5013 #define CDHASH_KEY "executable_cdhash="
5014 #define DYLD_FLAGS_KEY "dyld_flags="
5015
5016 #define FSID_MAX_STRING "0x1234567890abcdef,0x1234567890abcdef"
5017
5018 #define HEX_STR_LEN 18 // 64-bit hex value "0x0123456701234567"
5019
5020 static int
5021 exec_add_entropy_key(struct image_params *imgp,
5022 const char *key,
5023 int values,
5024 boolean_t embedNUL)
5025 {
5026 const int limit = 8;
5027 uint64_t entropy[limit];
5028 char str[strlen(key) + (HEX_STR_LEN + 1) * limit + 1];
5029 if (values > limit) {
5030 values = limit;
5031 }
5032
5033 read_random(entropy, sizeof(entropy[0]) * values);
5034
5035 if (embedNUL) {
5036 entropy[0] &= ~(0xffull << 8);
5037 }
5038
5039 int len = scnprintf(str, sizeof(str), "%s0x%llx", key, entropy[0]);
5040 int remaining = sizeof(str) - len;
5041 for (int i = 1; i < values && remaining > 0; ++i) {
5042 int start = sizeof(str) - remaining;
5043 len = scnprintf(&str[start], remaining, ",0x%llx", entropy[i]);
5044 remaining -= len;
5045 }
5046
5047 return exec_add_user_string(imgp, CAST_USER_ADDR_T(str), UIO_SYSSPACE, FALSE);
5048 }
5049
5050 /*
5051 * Build up the contents of the apple[] string vector
5052 */
5053 #if (DEVELOPMENT || DEBUG)
5054 uint64_t dyld_flags = 0;
5055 #endif
5056
5057 static int
5058 exec_add_apple_strings(struct image_params *imgp,
5059 const load_result_t *load_result)
5060 {
5061 int error;
5062 int img_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
5063
5064 /* exec_save_path stored the first string */
5065 imgp->ip_applec = 1;
5066
5067 /* adding the pfz string */
5068 {
5069 char pfz_string[strlen(PFZ_KEY) + HEX_STR_LEN + 1];
5070
5071 if (img_ptr_size == 8) {
5072 snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%llx", commpage_text64_location);
5073 } else {
5074 snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%x", commpage_text32_location);
5075 }
5076 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string), UIO_SYSSPACE, FALSE);
5077 if (error) {
5078 goto bad;
5079 }
5080 imgp->ip_applec++;
5081 }
5082
5083 /* adding the NANO_ENGAGE_KEY key */
5084 if (imgp->ip_px_sa) {
5085 int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
5086
5087 if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
5088 const char *nano_string = NANO_ENGAGE_KEY;
5089 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(nano_string), UIO_SYSSPACE, FALSE);
5090 if (error) {
5091 goto bad;
5092 }
5093 imgp->ip_applec++;
5094 }
5095 }
5096
5097 /*
5098 * Supply libc with a collection of random values to use when
5099 * implementing -fstack-protector.
5100 *
5101 * (The first random string always contains an embedded NUL so that
5102 * __stack_chk_guard also protects against C string vulnerabilities)
5103 */
5104 error = exec_add_entropy_key(imgp, GUARD_KEY, GUARD_VALUES, TRUE);
5105 if (error) {
5106 goto bad;
5107 }
5108 imgp->ip_applec++;
5109
5110 /*
5111 * Supply libc with entropy for system malloc.
5112 */
5113 error = exec_add_entropy_key(imgp, ENTROPY_KEY, ENTROPY_VALUES, FALSE);
5114 if (error) {
5115 goto bad;
5116 }
5117 imgp->ip_applec++;
5118
5119 /*
5120 * Supply libpthread & libplatform with a random value to use for pointer
5121 * obfuscation.
5122 */
5123 error = exec_add_entropy_key(imgp, PTR_MUNGE_KEY, PTR_MUNGE_VALUES, FALSE);
5124 if (error) {
5125 goto bad;
5126 }
5127 imgp->ip_applec++;
5128
5129 /*
5130 * Add MAIN_STACK_KEY: Supplies the address and size of the main thread's
5131 * stack if it was allocated by the kernel.
5132 *
5133 * The guard page is not included in this stack size as libpthread
5134 * expects to add it back in after receiving this value.
5135 */
5136 if (load_result->unixproc) {
5137 char stack_string[strlen(MAIN_STACK_KEY) + (HEX_STR_LEN + 1) * MAIN_STACK_VALUES + 1];
5138 snprintf(stack_string, sizeof(stack_string),
5139 MAIN_STACK_KEY "0x%llx,0x%llx,0x%llx,0x%llx",
5140 (uint64_t)load_result->user_stack,
5141 (uint64_t)load_result->user_stack_size,
5142 (uint64_t)load_result->user_stack_alloc,
5143 (uint64_t)load_result->user_stack_alloc_size);
5144 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(stack_string), UIO_SYSSPACE, FALSE);
5145 if (error) {
5146 goto bad;
5147 }
5148 imgp->ip_applec++;
5149 }
5150
5151 if (imgp->ip_vattr) {
5152 uint64_t fsid = vnode_get_va_fsid(imgp->ip_vattr);
5153 uint64_t fsobjid = imgp->ip_vattr->va_fileid;
5154
5155 char fsid_string[strlen(FSID_KEY) + strlen(FSID_MAX_STRING) + 1];
5156 snprintf(fsid_string, sizeof(fsid_string),
5157 FSID_KEY "0x%llx,0x%llx", fsid, fsobjid);
5158 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(fsid_string), UIO_SYSSPACE, FALSE);
5159 if (error) {
5160 goto bad;
5161 }
5162 imgp->ip_applec++;
5163 }
5164
5165 if (imgp->ip_dyld_fsid || imgp->ip_dyld_fsobjid) {
5166 char fsid_string[strlen(DYLD_FSID_KEY) + strlen(FSID_MAX_STRING) + 1];
5167 snprintf(fsid_string, sizeof(fsid_string),
5168 DYLD_FSID_KEY "0x%llx,0x%llx", imgp->ip_dyld_fsid, imgp->ip_dyld_fsobjid);
5169 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(fsid_string), UIO_SYSSPACE, FALSE);
5170 if (error) {
5171 goto bad;
5172 }
5173 imgp->ip_applec++;
5174 }
5175
5176 uint8_t cdhash[SHA1_RESULTLEN];
5177 int cdhash_errror = ubc_cs_getcdhash(imgp->ip_vp, imgp->ip_arch_offset, cdhash);
5178 if (cdhash_errror == 0) {
5179 char hash_string[strlen(CDHASH_KEY) + 2 * SHA1_RESULTLEN + 1];
5180 strncpy(hash_string, CDHASH_KEY, sizeof(hash_string));
5181 char *p = hash_string + sizeof(CDHASH_KEY) - 1;
5182 for (int i = 0; i < SHA1_RESULTLEN; i++) {
5183 snprintf(p, 3, "%02x", (int) cdhash[i]);
5184 p += 2;
5185 }
5186 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(hash_string), UIO_SYSSPACE, FALSE);
5187 if (error) {
5188 goto bad;
5189 }
5190 imgp->ip_applec++;
5191 }
5192 #if (DEVELOPMENT || DEBUG)
5193 if (dyld_flags) {
5194 char dyld_flags_string[strlen(DYLD_FLAGS_KEY) + HEX_STR_LEN + 1];
5195 snprintf(dyld_flags_string, sizeof(dyld_flags_string), DYLD_FLAGS_KEY "0x%llx", dyld_flags);
5196 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(dyld_flags_string), UIO_SYSSPACE, FALSE);
5197 if (error) {
5198 goto bad;
5199 }
5200 imgp->ip_applec++;
5201 }
5202 #endif
5203
5204 /* Align the tail of the combined applev area */
5205 while (imgp->ip_strspace % img_ptr_size != 0) {
5206 *imgp->ip_strendp++ = '\0';
5207 imgp->ip_strspace--;
5208 }
5209
5210 bad:
5211 return error;
5212 }
5213
5214 #define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur)
5215
5216 /*
5217 * exec_check_permissions
5218 *
5219 * Description: Verify that the file that is being attempted to be executed
5220 * is in fact allowed to be executed based on it POSIX file
5221 * permissions and other access control criteria
5222 *
5223 * Parameters: struct image_params * the image parameter block
5224 *
5225 * Returns: 0 Success
5226 * EACCES Permission denied
5227 * ENOEXEC Executable file format error
5228 * ETXTBSY Text file busy [misuse of error code]
5229 * vnode_getattr:???
5230 * vnode_authorize:???
5231 */
5232 static int
5233 exec_check_permissions(struct image_params *imgp)
5234 {
5235 struct vnode *vp = imgp->ip_vp;
5236 struct vnode_attr *vap = imgp->ip_vattr;
5237 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
5238 int error;
5239 kauth_action_t action;
5240
5241 /* Only allow execution of regular files */
5242 if (!vnode_isreg(vp)) {
5243 return EACCES;
5244 }
5245
5246 /* Get the file attributes that we will be using here and elsewhere */
5247 VATTR_INIT(vap);
5248 VATTR_WANTED(vap, va_uid);
5249 VATTR_WANTED(vap, va_gid);
5250 VATTR_WANTED(vap, va_mode);
5251 VATTR_WANTED(vap, va_fsid);
5252 VATTR_WANTED(vap, va_fsid64);
5253 VATTR_WANTED(vap, va_fileid);
5254 VATTR_WANTED(vap, va_data_size);
5255 if ((error = vnode_getattr(vp, vap, imgp->ip_vfs_context)) != 0) {
5256 return error;
5257 }
5258
5259 /*
5260 * Ensure that at least one execute bit is on - otherwise root
5261 * will always succeed, and we don't want to happen unless the
5262 * file really is executable.
5263 */
5264 if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) {
5265 return EACCES;
5266 }
5267
5268 /* Disallow zero length files */
5269 if (vap->va_data_size == 0) {
5270 return ENOEXEC;
5271 }
5272
5273 imgp->ip_arch_offset = (user_size_t)0;
5274 imgp->ip_arch_size = vap->va_data_size;
5275
5276 /* Disable setuid-ness for traced programs or if MNT_NOSUID */
5277 if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED)) {
5278 vap->va_mode &= ~(VSUID | VSGID);
5279 }
5280
5281 /*
5282 * Disable _POSIX_SPAWN_ALLOW_DATA_EXEC and _POSIX_SPAWN_DISABLE_ASLR
5283 * flags for setuid/setgid binaries.
5284 */
5285 if (vap->va_mode & (VSUID | VSGID)) {
5286 imgp->ip_flags &= ~(IMGPF_ALLOW_DATA_EXEC | IMGPF_DISABLE_ASLR);
5287 }
5288
5289 #if CONFIG_MACF
5290 error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
5291 if (error) {
5292 return error;
5293 }
5294 #endif
5295
5296 /* Check for execute permission */
5297 action = KAUTH_VNODE_EXECUTE;
5298 /* Traced images must also be readable */
5299 if (p->p_lflag & P_LTRACED) {
5300 action |= KAUTH_VNODE_READ_DATA;
5301 }
5302 if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != 0) {
5303 return error;
5304 }
5305
5306 #if 0
5307 /* Don't let it run if anyone had it open for writing */
5308 vnode_lock(vp);
5309 if (vp->v_writecount) {
5310 panic("going to return ETXTBSY %x", vp);
5311 vnode_unlock(vp);
5312 return ETXTBSY;
5313 }
5314 vnode_unlock(vp);
5315 #endif
5316
5317
5318 /* XXX May want to indicate to underlying FS that vnode is open */
5319
5320 return error;
5321 }
5322
5323
5324 /*
5325 * exec_handle_sugid
5326 *
5327 * Initially clear the P_SUGID in the process flags; if an SUGID process is
5328 * exec'ing a non-SUGID image, then this is the point of no return.
5329 *
5330 * If the image being activated is SUGID, then replace the credential with a
5331 * copy, disable tracing (unless the tracing process is root), reset the
5332 * mach task port to revoke it, set the P_SUGID bit,
5333 *
5334 * If the saved user and group ID will be changing, then make sure it happens
5335 * to a new credential, rather than a shared one.
5336 *
5337 * Set the security token (this is probably obsolete, given that the token
5338 * should not technically be separate from the credential itself).
5339 *
5340 * Parameters: struct image_params * the image parameter block
5341 *
5342 * Returns: void No failure indication
5343 *
5344 * Implicit returns:
5345 * <process credential> Potentially modified/replaced
5346 * <task port> Potentially revoked
5347 * <process flags> P_SUGID bit potentially modified
5348 * <security token> Potentially modified
5349 */
5350 static int
5351 exec_handle_sugid(struct image_params *imgp)
5352 {
5353 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
5354 kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
5355 int i;
5356 int leave_sugid_clear = 0;
5357 int mac_reset_ipc = 0;
5358 int error = 0;
5359 task_t task = NULL;
5360 #if CONFIG_MACF
5361 int mac_transition, disjoint_cred = 0;
5362 int label_update_return = 0;
5363
5364 /*
5365 * Determine whether a call to update the MAC label will result in the
5366 * credential changing.
5367 *
5368 * Note: MAC policies which do not actually end up modifying
5369 * the label subsequently are strongly encouraged to
5370 * return 0 for this check, since a non-zero answer will
5371 * slow down the exec fast path for normal binaries.
5372 */
5373 mac_transition = mac_cred_check_label_update_execve(
5374 imgp->ip_vfs_context,
5375 imgp->ip_vp,
5376 imgp->ip_arch_offset,
5377 imgp->ip_scriptvp,
5378 imgp->ip_scriptlabelp,
5379 imgp->ip_execlabelp,
5380 p,
5381 imgp->ip_px_smpx);
5382 #endif
5383
5384 OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
5385
5386 /*
5387 * Order of the following is important; group checks must go last,
5388 * as we use the success of the 'ismember' check combined with the
5389 * failure of the explicit match to indicate that we will be setting
5390 * the egid of the process even though the new process did not
5391 * require VSUID/VSGID bits in order for it to set the new group as
5392 * its egid.
5393 *
5394 * Note: Technically, by this we are implying a call to
5395 * setegid() in the new process, rather than implying
5396 * it used its VSGID bit to set the effective group,
5397 * even though there is no code in that process to make
5398 * such a call.
5399 */
5400 if (((imgp->ip_origvattr->va_mode & VSUID) != 0 &&
5401 kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
5402 ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
5403 ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
5404 (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid))) ||
5405 (imgp->ip_sc_port != NULL)) {
5406 #if CONFIG_MACF
5407 /* label for MAC transition and neither VSUID nor VSGID */
5408 handle_mac_transition:
5409 #endif
5410
5411 #if !SECURE_KERNEL
5412 /*
5413 * Replace the credential with a copy of itself if euid or
5414 * egid change.
5415 *
5416 * Note: setuid binaries will automatically opt out of
5417 * group resolver participation as a side effect
5418 * of this operation. This is an intentional
5419 * part of the security model, which requires a
5420 * participating credential be established by
5421 * escalating privilege, setting up all other
5422 * aspects of the credential including whether
5423 * or not to participate in external group
5424 * membership resolution, then dropping their
5425 * effective privilege to that of the desired
5426 * final credential state.
5427 *
5428 * Modifications to p_ucred must be guarded using the
5429 * proc's ucred lock. This prevents others from accessing
5430 * a garbage credential.
5431 */
5432
5433 if (imgp->ip_sc_port != NULL) {
5434 extern int suid_cred_verify(ipc_port_t, vnode_t, uint32_t *);
5435 int ret = -1;
5436 uid_t uid = UINT32_MAX;
5437
5438 /*
5439 * Check that the vnodes match. If a script is being
5440 * executed check the script's vnode rather than the
5441 * interpreter's.
5442 */
5443 struct vnode *vp = imgp->ip_scriptvp != NULL ? imgp->ip_scriptvp : imgp->ip_vp;
5444
5445 ret = suid_cred_verify(imgp->ip_sc_port, vp, &uid);
5446 if (ret == 0) {
5447 apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
5448 return kauth_cred_setresuid(my_cred,
5449 KAUTH_UID_NONE,
5450 uid,
5451 uid,
5452 KAUTH_UID_NONE);
5453 });
5454 } else {
5455 error = EPERM;
5456 }
5457 }
5458
5459 if (imgp->ip_origvattr->va_mode & VSUID) {
5460 apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
5461 return kauth_cred_setresuid(my_cred,
5462 KAUTH_UID_NONE,
5463 imgp->ip_origvattr->va_uid,
5464 imgp->ip_origvattr->va_uid,
5465 KAUTH_UID_NONE);
5466 });
5467 }
5468
5469 if (imgp->ip_origvattr->va_mode & VSGID) {
5470 apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
5471 return kauth_cred_setresgid(my_cred,
5472 KAUTH_GID_NONE,
5473 imgp->ip_origvattr->va_gid,
5474 imgp->ip_origvattr->va_gid);
5475 });
5476 }
5477 #endif /* !SECURE_KERNEL */
5478
5479 #if CONFIG_MACF
5480 /*
5481 * If a policy has indicated that it will transition the label,
5482 * before making the call into the MAC policies, get a new
5483 * duplicate credential, so they can modify it without
5484 * modifying any others sharing it.
5485 */
5486 if (mac_transition) {
5487 /*
5488 * This hook may generate upcalls that require
5489 * importance donation from the kernel.
5490 * (23925818)
5491 */
5492 thread_t thread = current_thread();
5493 thread_enable_send_importance(thread, TRUE);
5494 kauth_proc_label_update_execve(p,
5495 imgp->ip_vfs_context,
5496 imgp->ip_vp,
5497 imgp->ip_arch_offset,
5498 imgp->ip_scriptvp,
5499 imgp->ip_scriptlabelp,
5500 imgp->ip_execlabelp,
5501 &imgp->ip_csflags,
5502 imgp->ip_px_smpx,
5503 &disjoint_cred, /* will be non zero if disjoint */
5504 &label_update_return);
5505 thread_enable_send_importance(thread, FALSE);
5506
5507 if (disjoint_cred) {
5508 /*
5509 * If updating the MAC label resulted in a
5510 * disjoint credential, flag that we need to
5511 * set the P_SUGID bit. This protects
5512 * against debuggers being attached by an
5513 * insufficiently privileged process onto the
5514 * result of a transition to a more privileged
5515 * credential.
5516 */
5517 leave_sugid_clear = 0;
5518 }
5519
5520 imgp->ip_mac_return = label_update_return;
5521 }
5522
5523 mac_reset_ipc = mac_proc_check_inherit_ipc_ports(p, p->p_textvp, p->p_textoff, imgp->ip_vp, imgp->ip_arch_offset, imgp->ip_scriptvp);
5524
5525 #endif /* CONFIG_MACF */
5526
5527 /*
5528 * If 'leave_sugid_clear' is non-zero, then we passed the
5529 * VSUID and MACF checks, and successfully determined that
5530 * the previous cred was a member of the VSGID group, but
5531 * that it was not the default at the time of the execve,
5532 * and that the post-labelling credential was not disjoint.
5533 * So we don't set the P_SUGID or reset mach ports and fds
5534 * on the basis of simply running this code.
5535 */
5536 if (mac_reset_ipc || !leave_sugid_clear) {
5537 /*
5538 * Have mach reset the task and thread ports.
5539 * We don't want anyone who had the ports before
5540 * a setuid exec to be able to access/control the
5541 * task/thread after.
5542 */
5543 ipc_task_reset((imgp->ip_new_thread != NULL) ?
5544 get_threadtask(imgp->ip_new_thread) : p->task);
5545 ipc_thread_reset((imgp->ip_new_thread != NULL) ?
5546 imgp->ip_new_thread : current_thread());
5547 }
5548
5549 if (!leave_sugid_clear) {
5550 /*
5551 * Flag the process as setuid.
5552 */
5553 OSBitOrAtomic(P_SUGID, &p->p_flag);
5554
5555 /*
5556 * Radar 2261856; setuid security hole fix
5557 * XXX For setuid processes, attempt to ensure that
5558 * stdin, stdout, and stderr are already allocated.
5559 * We do not want userland to accidentally allocate
5560 * descriptors in this range which has implied meaning
5561 * to libc.
5562 */
5563 for (i = 0; i < 3; i++) {
5564 if (p->p_fd->fd_ofiles[i] != NULL) {
5565 continue;
5566 }
5567
5568 /*
5569 * Do the kernel equivalent of
5570 *
5571 * if i == 0
5572 * (void) open("/dev/null", O_RDONLY);
5573 * else
5574 * (void) open("/dev/null", O_WRONLY);
5575 */
5576
5577 struct fileproc *fp;
5578 int indx;
5579 int flag;
5580 struct nameidata *ndp = NULL;
5581
5582 if (i == 0) {
5583 flag = FREAD;
5584 } else {
5585 flag = FWRITE;
5586 }
5587
5588 if ((error = falloc(p,
5589 &fp, &indx, imgp->ip_vfs_context)) != 0) {
5590 continue;
5591 }
5592
5593 MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
5594 if (ndp == NULL) {
5595 fp_free(p, indx, fp);
5596 error = ENOMEM;
5597 break;
5598 }
5599
5600 NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE,
5601 CAST_USER_ADDR_T("/dev/null"),
5602 imgp->ip_vfs_context);
5603
5604 if ((error = vn_open(ndp, flag, 0)) != 0) {
5605 fp_free(p, indx, fp);
5606 FREE(ndp, M_TEMP);
5607 break;
5608 }
5609
5610 struct fileglob *fg = fp->f_fglob;
5611
5612 fg->fg_flag = flag;
5613 fg->fg_ops = &vnops;
5614 fg->fg_data = ndp->ni_vp;
5615
5616 vnode_put(ndp->ni_vp);
5617
5618 proc_fdlock(p);
5619 procfdtbl_releasefd(p, indx, NULL);
5620 fp_drop(p, indx, fp, 1);
5621 proc_fdunlock(p);
5622
5623 FREE(ndp, M_TEMP);
5624 }
5625 }
5626 }
5627 #if CONFIG_MACF
5628 else {
5629 /*
5630 * We are here because we were told that the MAC label will
5631 * be transitioned, and the binary is not VSUID or VSGID; to
5632 * deal with this case, we could either duplicate a lot of
5633 * code, or we can indicate we want to default the P_SUGID
5634 * bit clear and jump back up.
5635 */
5636 if (mac_transition) {
5637 leave_sugid_clear = 1;
5638 goto handle_mac_transition;
5639 }
5640 }
5641
5642 #endif /* CONFIG_MACF */
5643
5644 /*
5645 * Implement the semantic where the effective user and group become
5646 * the saved user and group in exec'ed programs.
5647 *
5648 * Modifications to p_ucred must be guarded using the
5649 * proc's ucred lock. This prevents others from accessing
5650 * a garbage credential.
5651 */
5652 apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
5653 return kauth_cred_setsvuidgid(my_cred,
5654 kauth_cred_getuid(my_cred),
5655 kauth_cred_getgid(my_cred));
5656 });
5657
5658 /* Update the process' identity version and set the security token */
5659 p->p_idversion = OSIncrementAtomic(&nextpidversion);
5660
5661 if (imgp->ip_new_thread != NULL) {
5662 task = get_threadtask(imgp->ip_new_thread);
5663 } else {
5664 task = p->task;
5665 }
5666 set_security_token_task_internal(p, task);
5667
5668 return error;
5669 }
5670
5671
5672 /*
5673 * create_unix_stack
5674 *
5675 * Description: Set the user stack address for the process to the provided
5676 * address. If a custom stack was not set as a result of the
5677 * load process (i.e. as specified by the image file for the
5678 * executable), then allocate the stack in the provided map and
5679 * set up appropriate guard pages for enforcing administrative
5680 * limits on stack growth, if they end up being needed.
5681 *
5682 * Parameters: p Process to set stack on
5683 * load_result Information from mach-o load commands
5684 * map Address map in which to allocate the new stack
5685 *
5686 * Returns: KERN_SUCCESS Stack successfully created
5687 * !KERN_SUCCESS Mach failure code
5688 */
5689 static kern_return_t
5690 create_unix_stack(vm_map_t map, load_result_t* load_result,
5691 proc_t p)
5692 {
5693 mach_vm_size_t size, prot_size;
5694 mach_vm_offset_t addr, prot_addr;
5695 kern_return_t kr;
5696
5697 mach_vm_address_t user_stack = load_result->user_stack;
5698
5699 proc_lock(p);
5700 p->user_stack = user_stack;
5701 if (load_result->custom_stack) {
5702 p->p_lflag |= P_LCUSTOM_STACK;
5703 }
5704 proc_unlock(p);
5705
5706 if (load_result->user_stack_alloc_size > 0) {
5707 /*
5708 * Allocate enough space for the maximum stack size we
5709 * will ever authorize and an extra page to act as
5710 * a guard page for stack overflows. For default stacks,
5711 * vm_initial_limit_stack takes care of the extra guard page.
5712 * Otherwise we must allocate it ourselves.
5713 */
5714 if (mach_vm_round_page_overflow(load_result->user_stack_alloc_size, &size)) {
5715 return KERN_INVALID_ARGUMENT;
5716 }
5717 addr = mach_vm_trunc_page(load_result->user_stack - size);
5718 kr = mach_vm_allocate_kernel(map, &addr, size,
5719 VM_FLAGS_FIXED, VM_MEMORY_STACK);
5720 if (kr != KERN_SUCCESS) {
5721 // Can't allocate at default location, try anywhere
5722 addr = 0;
5723 kr = mach_vm_allocate_kernel(map, &addr, size,
5724 VM_FLAGS_ANYWHERE, VM_MEMORY_STACK);
5725 if (kr != KERN_SUCCESS) {
5726 return kr;
5727 }
5728
5729 user_stack = addr + size;
5730 load_result->user_stack = user_stack;
5731
5732 proc_lock(p);
5733 p->user_stack = user_stack;
5734 proc_unlock(p);
5735 }
5736
5737 load_result->user_stack_alloc = addr;
5738
5739 /*
5740 * And prevent access to what's above the current stack
5741 * size limit for this process.
5742 */
5743 if (load_result->user_stack_size == 0) {
5744 proc_list_lock();
5745 load_result->user_stack_size = unix_stack_size(p);
5746 proc_list_unlock();
5747 prot_size = mach_vm_trunc_page(size - load_result->user_stack_size);
5748 } else {
5749 prot_size = PAGE_SIZE;
5750 }
5751
5752 prot_addr = addr;
5753 kr = mach_vm_protect(map,
5754 prot_addr,
5755 prot_size,
5756 FALSE,
5757 VM_PROT_NONE);
5758 if (kr != KERN_SUCCESS) {
5759 (void)mach_vm_deallocate(map, addr, size);
5760 return kr;
5761 }
5762 }
5763
5764 return KERN_SUCCESS;
5765 }
5766
5767 #include <sys/reboot.h>
5768
5769 /*
5770 * load_init_program_at_path
5771 *
5772 * Description: Load the "init" program; in most cases, this will be "launchd"
5773 *
5774 * Parameters: p Process to call execve() to create
5775 * the "init" program
5776 * scratch_addr Page in p, scratch space
5777 * path NULL terminated path
5778 *
5779 * Returns: KERN_SUCCESS Success
5780 * !KERN_SUCCESS See execve/mac_execve for error codes
5781 *
5782 * Notes: The process that is passed in is the first manufactured
5783 * process on the system, and gets here via bsd_ast() firing
5784 * for the first time. This is done to ensure that bsd_init()
5785 * has run to completion.
5786 *
5787 * The address map of the first manufactured process matches the
5788 * word width of the kernel. Once the self-exec completes, the
5789 * initproc might be different.
5790 */
5791 static int
5792 load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
5793 {
5794 int retval[2];
5795 int error;
5796 struct execve_args init_exec_args;
5797 user_addr_t argv0 = USER_ADDR_NULL, argv1 = USER_ADDR_NULL;
5798
5799 /*
5800 * Validate inputs and pre-conditions
5801 */
5802 assert(p);
5803 assert(scratch_addr);
5804 assert(path);
5805
5806 /*
5807 * Copy out program name.
5808 */
5809 size_t path_length = strlen(path) + 1;
5810 argv0 = scratch_addr;
5811 error = copyout(path, argv0, path_length);
5812 if (error) {
5813 return error;
5814 }
5815
5816 scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, sizeof(user_addr_t));
5817
5818 /*
5819 * Put out first (and only) argument, similarly.
5820 * Assumes everything fits in a page as allocated above.
5821 */
5822 if (boothowto & RB_SINGLE) {
5823 const char *init_args = "-s";
5824 size_t init_args_length = strlen(init_args) + 1;
5825
5826 argv1 = scratch_addr;
5827 error = copyout(init_args, argv1, init_args_length);
5828 if (error) {
5829 return error;
5830 }
5831
5832 scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, sizeof(user_addr_t));
5833 }
5834
5835 if (proc_is64bit(p)) {
5836 user64_addr_t argv64bit[3] = {};
5837
5838 argv64bit[0] = argv0;
5839 argv64bit[1] = argv1;
5840 argv64bit[2] = USER_ADDR_NULL;
5841
5842 error = copyout(argv64bit, scratch_addr, sizeof(argv64bit));
5843 if (error) {
5844 return error;
5845 }
5846 } else {
5847 user32_addr_t argv32bit[3] = {};
5848
5849 argv32bit[0] = (user32_addr_t)argv0;
5850 argv32bit[1] = (user32_addr_t)argv1;
5851 argv32bit[2] = USER_ADDR_NULL;
5852
5853 error = copyout(argv32bit, scratch_addr, sizeof(argv32bit));
5854 if (error) {
5855 return error;
5856 }
5857 }
5858
5859 /*
5860 * Set up argument block for fake call to execve.
5861 */
5862 init_exec_args.fname = argv0;
5863 init_exec_args.argp = scratch_addr;
5864 init_exec_args.envp = USER_ADDR_NULL;
5865
5866 /*
5867 * So that init task is set with uid,gid 0 token
5868 */
5869 set_security_token(p);
5870
5871 return execve(p, &init_exec_args, retval);
5872 }
5873
5874 static const char * init_programs[] = {
5875 #if DEBUG
5876 "/usr/local/sbin/launchd.debug",
5877 #endif
5878 #if DEVELOPMENT || DEBUG
5879 "/usr/local/sbin/launchd.development",
5880 #endif
5881 "/sbin/launchd",
5882 };
5883
5884 /*
5885 * load_init_program
5886 *
5887 * Description: Load the "init" program; in most cases, this will be "launchd"
5888 *
5889 * Parameters: p Process to call execve() to create
5890 * the "init" program
5891 *
5892 * Returns: (void)
5893 *
5894 * Notes: The process that is passed in is the first manufactured
5895 * process on the system, and gets here via bsd_ast() firing
5896 * for the first time. This is done to ensure that bsd_init()
5897 * has run to completion.
5898 *
5899 * In DEBUG & DEVELOPMENT builds, the launchdsuffix boot-arg
5900 * may be used to select a specific launchd executable. As with
5901 * the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
5902 * will force /sbin/launchd to be selected.
5903 *
5904 * Search order by build:
5905 *
5906 * DEBUG DEVELOPMENT RELEASE PATH
5907 * ----------------------------------------------------------------------------------
5908 * 1 1 NA /usr/local/sbin/launchd.$LAUNCHDSUFFIX
5909 * 2 NA NA /usr/local/sbin/launchd.debug
5910 * 3 2 NA /usr/local/sbin/launchd.development
5911 * 4 3 1 /sbin/launchd
5912 */
5913 void
5914 load_init_program(proc_t p)
5915 {
5916 uint32_t i;
5917 int error;
5918 vm_map_t map = current_map();
5919 mach_vm_offset_t scratch_addr = 0;
5920 mach_vm_size_t map_page_size = vm_map_page_size(map);
5921
5922 (void) mach_vm_allocate_kernel(map, &scratch_addr, map_page_size, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_NONE);
5923 #if CONFIG_MEMORYSTATUS
5924 (void) memorystatus_init_at_boot_snapshot();
5925 #endif /* CONFIG_MEMORYSTATUS */
5926
5927 #if DEBUG || DEVELOPMENT
5928 /* Check for boot-arg suffix first */
5929 char launchd_suffix[64];
5930 if (PE_parse_boot_argn("launchdsuffix", launchd_suffix, sizeof(launchd_suffix))) {
5931 char launchd_path[128];
5932 boolean_t is_release_suffix = ((launchd_suffix[0] == 0) ||
5933 (strcmp(launchd_suffix, "release") == 0));
5934
5935 if (is_release_suffix) {
5936 printf("load_init_program: attempting to load /sbin/launchd\n");
5937 error = load_init_program_at_path(p, (user_addr_t)scratch_addr, "/sbin/launchd");
5938 if (!error) {
5939 return;
5940 }
5941
5942 panic("Process 1 exec of launchd.release failed, errno %d", error);
5943 } else {
5944 strlcpy(launchd_path, "/usr/local/sbin/launchd.", sizeof(launchd_path));
5945 strlcat(launchd_path, launchd_suffix, sizeof(launchd_path));
5946
5947 printf("load_init_program: attempting to load %s\n", launchd_path);
5948 error = load_init_program_at_path(p, (user_addr_t)scratch_addr, launchd_path);
5949 if (!error) {
5950 return;
5951 } else {
5952 printf("load_init_program: failed loading %s: errno %d\n", launchd_path, error);
5953 }
5954 }
5955 }
5956 #endif
5957
5958 error = ENOENT;
5959 for (i = 0; i < sizeof(init_programs) / sizeof(init_programs[0]); i++) {
5960 printf("load_init_program: attempting to load %s\n", init_programs[i]);
5961 error = load_init_program_at_path(p, (user_addr_t)scratch_addr, init_programs[i]);
5962 if (!error) {
5963 return;
5964 } else {
5965 printf("load_init_program: failed loading %s: errno %d\n", init_programs[i], error);
5966 }
5967 }
5968
5969 panic("Process 1 exec of %s failed, errno %d", ((i == 0) ? "<null>" : init_programs[i - 1]), error);
5970 }
5971
5972 /*
5973 * load_return_to_errno
5974 *
5975 * Description: Convert a load_return_t (Mach error) to an errno (BSD error)
5976 *
5977 * Parameters: lrtn Mach error number
5978 *
5979 * Returns: (int) BSD error number
5980 * 0 Success
5981 * EBADARCH Bad architecture
5982 * EBADMACHO Bad Mach object file
5983 * ESHLIBVERS Bad shared library version
5984 * ENOMEM Out of memory/resource shortage
5985 * EACCES Access denied
5986 * ENOENT Entry not found (usually "file does
5987 * does not exist")
5988 * EIO An I/O error occurred
5989 * EBADEXEC The executable is corrupt/unknown
5990 */
5991 static int
5992 load_return_to_errno(load_return_t lrtn)
5993 {
5994 switch (lrtn) {
5995 case LOAD_SUCCESS:
5996 return 0;
5997 case LOAD_BADARCH:
5998 return EBADARCH;
5999 case LOAD_BADMACHO:
6000 case LOAD_BADMACHO_UPX:
6001 return EBADMACHO;
6002 case LOAD_SHLIB:
6003 return ESHLIBVERS;
6004 case LOAD_NOSPACE:
6005 case LOAD_RESOURCE:
6006 return ENOMEM;
6007 case LOAD_PROTECT:
6008 return EACCES;
6009 case LOAD_ENOENT:
6010 return ENOENT;
6011 case LOAD_IOERROR:
6012 return EIO;
6013 case LOAD_DECRYPTFAIL:
6014 return EAUTH;
6015 case LOAD_FAILURE:
6016 default:
6017 return EBADEXEC;
6018 }
6019 }
6020
6021 #include <mach/mach_types.h>
6022 #include <mach/vm_prot.h>
6023 #include <mach/semaphore.h>
6024 #include <mach/sync_policy.h>
6025 #include <kern/clock.h>
6026 #include <mach/kern_return.h>
6027
6028 /*
6029 * execargs_alloc
6030 *
6031 * Description: Allocate the block of memory used by the execve arguments.
6032 * At the same time, we allocate a page so that we can read in
6033 * the first page of the image.
6034 *
6035 * Parameters: struct image_params * the image parameter block
6036 *
6037 * Returns: 0 Success
6038 * EINVAL Invalid argument
6039 * EACCES Permission denied
6040 * EINTR Interrupted function
6041 * ENOMEM Not enough space
6042 *
6043 * Notes: This is a temporary allocation into the kernel address space
6044 * to enable us to copy arguments in from user space. This is
6045 * necessitated by not mapping the process calling execve() into
6046 * the kernel address space during the execve() system call.
6047 *
6048 * We assemble the argument and environment, etc., into this
6049 * region before copying it as a single block into the child
6050 * process address space (at the top or bottom of the stack,
6051 * depending on which way the stack grows; see the function
6052 * exec_copyout_strings() for details).
6053 *
6054 * This ends up with a second (possibly unnecessary) copy compared
6055 * with assembing the data directly into the child address space,
6056 * instead, but since we cannot be guaranteed that the parent has
6057 * not modified its environment, we can't really know that it's
6058 * really a block there as well.
6059 */
6060
6061
6062 static int execargs_waiters = 0;
6063 lck_mtx_t *execargs_cache_lock;
6064
6065 static void
6066 execargs_lock_lock(void)
6067 {
6068 lck_mtx_lock_spin(execargs_cache_lock);
6069 }
6070
6071 static void
6072 execargs_lock_unlock(void)
6073 {
6074 lck_mtx_unlock(execargs_cache_lock);
6075 }
6076
6077 static wait_result_t
6078 execargs_lock_sleep(void)
6079 {
6080 return lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_INTERRUPTIBLE);
6081 }
6082
6083 static kern_return_t
6084 execargs_purgeable_allocate(char **execarg_address)
6085 {
6086 kern_return_t kr = vm_allocate_kernel(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE, VM_KERN_MEMORY_NONE);
6087 assert(kr == KERN_SUCCESS);
6088 return kr;
6089 }
6090
6091 static kern_return_t
6092 execargs_purgeable_reference(void *execarg_address)
6093 {
6094 int state = VM_PURGABLE_NONVOLATILE;
6095 kern_return_t kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
6096
6097 assert(kr == KERN_SUCCESS);
6098 return kr;
6099 }
6100
6101 static kern_return_t
6102 execargs_purgeable_volatilize(void *execarg_address)
6103 {
6104 int state = VM_PURGABLE_VOLATILE | VM_PURGABLE_ORDERING_OBSOLETE;
6105 kern_return_t kr;
6106 kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
6107
6108 assert(kr == KERN_SUCCESS);
6109
6110 return kr;
6111 }
6112
6113 static void
6114 execargs_wakeup_waiters(void)
6115 {
6116 thread_wakeup(&execargs_free_count);
6117 }
6118
6119 static int
6120 execargs_alloc(struct image_params *imgp)
6121 {
6122 kern_return_t kret;
6123 wait_result_t res;
6124 int i, cache_index = -1;
6125
6126 execargs_lock_lock();
6127
6128 while (execargs_free_count == 0) {
6129 execargs_waiters++;
6130 res = execargs_lock_sleep();
6131 execargs_waiters--;
6132 if (res != THREAD_AWAKENED) {
6133 execargs_lock_unlock();
6134 return EINTR;
6135 }
6136 }
6137
6138 execargs_free_count--;
6139
6140 for (i = 0; i < execargs_cache_size; i++) {
6141 vm_offset_t element = execargs_cache[i];
6142 if (element) {
6143 cache_index = i;
6144 imgp->ip_strings = (char *)(execargs_cache[i]);
6145 execargs_cache[i] = 0;
6146 break;
6147 }
6148 }
6149
6150 assert(execargs_free_count >= 0);
6151
6152 execargs_lock_unlock();
6153
6154 if (cache_index == -1) {
6155 kret = execargs_purgeable_allocate(&imgp->ip_strings);
6156 } else {
6157 kret = execargs_purgeable_reference(imgp->ip_strings);
6158 }
6159
6160 assert(kret == KERN_SUCCESS);
6161 if (kret != KERN_SUCCESS) {
6162 return ENOMEM;
6163 }
6164
6165 /* last page used to read in file headers */
6166 imgp->ip_vdata = imgp->ip_strings + (NCARGS + PAGE_SIZE);
6167 imgp->ip_strendp = imgp->ip_strings;
6168 imgp->ip_argspace = NCARGS;
6169 imgp->ip_strspace = (NCARGS + PAGE_SIZE);
6170
6171 return 0;
6172 }
6173
6174 /*
6175 * execargs_free
6176 *
6177 * Description: Free the block of memory used by the execve arguments and the
6178 * first page of the executable by a previous call to the function
6179 * execargs_alloc().
6180 *
6181 * Parameters: struct image_params * the image parameter block
6182 *
6183 * Returns: 0 Success
6184 * EINVAL Invalid argument
6185 * EINTR Oeration interrupted
6186 */
6187 static int
6188 execargs_free(struct image_params *imgp)
6189 {
6190 kern_return_t kret;
6191 int i;
6192 boolean_t needs_wakeup = FALSE;
6193
6194 kret = execargs_purgeable_volatilize(imgp->ip_strings);
6195
6196 execargs_lock_lock();
6197 execargs_free_count++;
6198
6199 for (i = 0; i < execargs_cache_size; i++) {
6200 vm_offset_t element = execargs_cache[i];
6201 if (element == 0) {
6202 execargs_cache[i] = (vm_offset_t) imgp->ip_strings;
6203 imgp->ip_strings = NULL;
6204 break;
6205 }
6206 }
6207
6208 assert(imgp->ip_strings == NULL);
6209
6210 if (execargs_waiters > 0) {
6211 needs_wakeup = TRUE;
6212 }
6213
6214 execargs_lock_unlock();
6215
6216 if (needs_wakeup == TRUE) {
6217 execargs_wakeup_waiters();
6218 }
6219
6220 return kret == KERN_SUCCESS ? 0 : EINVAL;
6221 }
6222
6223 static void
6224 exec_resettextvp(proc_t p, struct image_params *imgp)
6225 {
6226 vnode_t vp;
6227 off_t offset;
6228 vnode_t tvp = p->p_textvp;
6229 int ret;
6230
6231 vp = imgp->ip_vp;
6232 offset = imgp->ip_arch_offset;
6233
6234 if (vp == NULLVP) {
6235 panic("exec_resettextvp: expected valid vp");
6236 }
6237
6238 ret = vnode_ref(vp);
6239 proc_lock(p);
6240 if (ret == 0) {
6241 p->p_textvp = vp;
6242 p->p_textoff = offset;
6243 } else {
6244 p->p_textvp = NULLVP; /* this is paranoia */
6245 p->p_textoff = 0;
6246 }
6247 proc_unlock(p);
6248
6249 if (tvp != NULLVP) {
6250 if (vnode_getwithref(tvp) == 0) {
6251 vnode_rele(tvp);
6252 vnode_put(tvp);
6253 }
6254 }
6255 }
6256
6257 // Includes the 0-byte (therefore "SIZE" instead of "LEN").
6258 static const size_t CS_CDHASH_STRING_SIZE = CS_CDHASH_LEN * 2 + 1;
6259
6260 static void
6261 cdhash_to_string(char str[CS_CDHASH_STRING_SIZE], uint8_t const * const cdhash)
6262 {
6263 static char const nibble[] = "0123456789abcdef";
6264
6265 /* Apparently still the safest way to get a hex representation
6266 * of binary data.
6267 * xnu's printf routines have %*D/%20D in theory, but "not really", see:
6268 * <rdar://problem/33328859> confusion around %*D/%nD in printf
6269 */
6270 for (int i = 0; i < CS_CDHASH_LEN; ++i) {
6271 str[i * 2] = nibble[(cdhash[i] & 0xf0) >> 4];
6272 str[i * 2 + 1] = nibble[cdhash[i] & 0x0f];
6273 }
6274 str[CS_CDHASH_STRING_SIZE - 1] = 0;
6275 }
6276
6277 /*
6278 * __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__
6279 *
6280 * Description: Waits for the userspace daemon to respond to the request
6281 * we made. Function declared non inline to be visible in
6282 * stackshots and spindumps as well as debugging.
6283 */
6284 __attribute__((noinline)) int
6285 __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid)
6286 {
6287 return find_code_signature(task_access_port, new_pid);
6288 }
6289
6290 static int
6291 check_for_signature(proc_t p, struct image_params *imgp)
6292 {
6293 mach_port_t port = IPC_PORT_NULL;
6294 kern_return_t kr = KERN_FAILURE;
6295 int error = EACCES;
6296 boolean_t unexpected_failure = FALSE;
6297 struct cs_blob *csb;
6298 boolean_t require_success = FALSE;
6299 int spawn = (imgp->ip_flags & IMGPF_SPAWN);
6300 int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
6301 os_reason_t signature_failure_reason = OS_REASON_NULL;
6302
6303 /*
6304 * Override inherited code signing flags with the
6305 * ones for the process that is being successfully
6306 * loaded
6307 */
6308 proc_lock(p);
6309 p->p_csflags = imgp->ip_csflags;
6310 proc_unlock(p);
6311
6312 /* Set the switch_protect flag on the map */
6313 if (p->p_csflags & (CS_HARD | CS_KILL)) {
6314 vm_map_switch_protect(get_task_map(p->task), TRUE);
6315 }
6316
6317 /*
6318 * image activation may be failed due to policy
6319 * which is unexpected but security framework does not
6320 * approve of exec, kill and return immediately.
6321 */
6322 if (imgp->ip_mac_return != 0) {
6323 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
6324 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY, 0, 0);
6325 signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY);
6326 error = imgp->ip_mac_return;
6327 unexpected_failure = TRUE;
6328 goto done;
6329 }
6330
6331 if (imgp->ip_cs_error != OS_REASON_NULL) {
6332 signature_failure_reason = imgp->ip_cs_error;
6333 imgp->ip_cs_error = OS_REASON_NULL;
6334 error = EACCES;
6335 goto done;
6336 }
6337
6338 /* If the code signature came through the image activation path, we skip the
6339 * taskgated / externally attached path. */
6340 if (imgp->ip_csflags & CS_SIGNED) {
6341 error = 0;
6342 goto done;
6343 }
6344
6345 /* The rest of the code is for signatures that either already have been externally
6346 * attached (likely, but not necessarily by a previous run through the taskgated
6347 * path), or that will now be attached by taskgated. */
6348
6349 kr = task_get_task_access_port(p->task, &port);
6350 if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
6351 error = 0;
6352 if (require_success) {
6353 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
6354 p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT, 0, 0);
6355 signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT);
6356 error = EACCES;
6357 }
6358 goto done;
6359 }
6360
6361 /*
6362 * taskgated returns KERN_SUCCESS if it has completed its work
6363 * and the exec should continue, KERN_FAILURE if the exec should
6364 * fail, or it may error out with different error code in an
6365 * event of mig failure (e.g. process was signalled during the
6366 * rpc call, taskgated died, mig server died etc.).
6367 */
6368
6369 kr = __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(port, p->p_pid);
6370 switch (kr) {
6371 case KERN_SUCCESS:
6372 error = 0;
6373 break;
6374 case KERN_FAILURE:
6375 error = EACCES;
6376
6377 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
6378 p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG, 0, 0);
6379 signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG);
6380 goto done;
6381 default:
6382 error = EACCES;
6383
6384 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
6385 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER, 0, 0);
6386 signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER);
6387 unexpected_failure = TRUE;
6388 goto done;
6389 }
6390
6391 /* Only do this if exec_resettextvp() did not fail */
6392 if (p->p_textvp != NULLVP) {
6393 csb = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff);
6394
6395 if (csb != NULL) {
6396 /* As the enforcement we can do here is very limited, we only allow things that
6397 * are the only reason why this code path still exists:
6398 * Adhoc signed non-platform binaries without special cs_flags and without any
6399 * entitlements (unrestricted ones still pass AMFI). */
6400 if (
6401 /* Revalidate the blob if necessary through bumped generation count. */
6402 (ubc_cs_generation_check(p->p_textvp) == 0 ||
6403 ubc_cs_blob_revalidate(p->p_textvp, csb, imgp, 0) == 0) &&
6404 /* Only CS_ADHOC, no CS_KILL, CS_HARD etc. */
6405 (csb->csb_flags & CS_ALLOWED_MACHO) == CS_ADHOC &&
6406 /* If it has a CMS blob, it's not adhoc. The CS_ADHOC flag can lie. */
6407 csblob_find_blob_bytes((const uint8_t *)csb->csb_mem_kaddr, csb->csb_mem_size,
6408 CSSLOT_SIGNATURESLOT,
6409 CSMAGIC_BLOBWRAPPER) == NULL &&
6410 /* It could still be in a trust cache (unlikely with CS_ADHOC), or a magic path. */
6411 csb->csb_platform_binary == 0 &&
6412 /* No entitlements, not even unrestricted ones. */
6413 csb->csb_entitlements_blob == NULL) {
6414 proc_lock(p);
6415 p->p_csflags |= CS_SIGNED | CS_VALID;
6416 proc_unlock(p);
6417 } else {
6418 uint8_t cdhash[CS_CDHASH_LEN];
6419 char cdhash_string[CS_CDHASH_STRING_SIZE];
6420 proc_getcdhash(p, cdhash);
6421 cdhash_to_string(cdhash_string, cdhash);
6422 printf("ignoring detached code signature on '%s' with cdhash '%s' "
6423 "because it is invalid, or not a simple adhoc signature.\n",
6424 p->p_name, cdhash_string);
6425 }
6426 }
6427 }
6428
6429 done:
6430 if (0 == error) {
6431 /* The process's code signature related properties are
6432 * fully set up, so this is an opportune moment to log
6433 * platform binary execution, if desired. */
6434 if (platform_exec_logging != 0 && csproc_get_platform_binary(p)) {
6435 uint8_t cdhash[CS_CDHASH_LEN];
6436 char cdhash_string[CS_CDHASH_STRING_SIZE];
6437 proc_getcdhash(p, cdhash);
6438 cdhash_to_string(cdhash_string, cdhash);
6439
6440 os_log(peLog, "CS Platform Exec Logging: Executing platform signed binary "
6441 "'%s' with cdhash %s\n", p->p_name, cdhash_string);
6442 }
6443 } else {
6444 if (!unexpected_failure) {
6445 p->p_csflags |= CS_KILLED;
6446 }
6447 /* make very sure execution fails */
6448 if (vfexec || spawn) {
6449 assert(signature_failure_reason != OS_REASON_NULL);
6450 psignal_vfork_with_reason(p, p->task, imgp->ip_new_thread,
6451 SIGKILL, signature_failure_reason);
6452 signature_failure_reason = OS_REASON_NULL;
6453 error = 0;
6454 } else {
6455 assert(signature_failure_reason != OS_REASON_NULL);
6456 psignal_with_reason(p, SIGKILL, signature_failure_reason);
6457 signature_failure_reason = OS_REASON_NULL;
6458 }
6459 }
6460
6461 if (port != IPC_PORT_NULL) {
6462 ipc_port_release_send(port);
6463 }
6464
6465 /* If we hit this, we likely would have leaked an exit reason */
6466 assert(signature_failure_reason == OS_REASON_NULL);
6467 return error;
6468 }
6469
6470 /*
6471 * Typically as soon as we start executing this process, the
6472 * first instruction will trigger a VM fault to bring the text
6473 * pages (as executable) into the address space, followed soon
6474 * thereafter by dyld data structures (for dynamic executable).
6475 * To optimize this, as well as improve support for hardware
6476 * debuggers that can only access resident pages present
6477 * in the process' page tables, we prefault some pages if
6478 * possible. Errors are non-fatal.
6479 */
6480 static void
6481 exec_prefault_data(proc_t p __unused, struct image_params *imgp, load_result_t *load_result)
6482 {
6483 int ret;
6484 size_t expected_all_image_infos_size;
6485
6486 /*
6487 * Prefault executable or dyld entry point.
6488 */
6489 vm_fault(current_map(),
6490 vm_map_trunc_page(load_result->entry_point,
6491 vm_map_page_mask(current_map())),
6492 VM_PROT_READ | VM_PROT_EXECUTE,
6493 FALSE, VM_KERN_MEMORY_NONE,
6494 THREAD_UNINT, NULL, 0);
6495
6496 if (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) {
6497 expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos);
6498 } else {
6499 expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos);
6500 }
6501
6502 /* Decode dyld anchor structure from <mach-o/dyld_images.h> */
6503 if (load_result->dynlinker &&
6504 load_result->all_image_info_addr &&
6505 load_result->all_image_info_size >= expected_all_image_infos_size) {
6506 union {
6507 struct user64_dyld_all_image_infos infos64;
6508 struct user32_dyld_all_image_infos infos32;
6509 } all_image_infos;
6510
6511 /*
6512 * Pre-fault to avoid copyin() going through the trap handler
6513 * and recovery path.
6514 */
6515 vm_fault(current_map(),
6516 vm_map_trunc_page(load_result->all_image_info_addr,
6517 vm_map_page_mask(current_map())),
6518 VM_PROT_READ | VM_PROT_WRITE,
6519 FALSE, VM_KERN_MEMORY_NONE,
6520 THREAD_UNINT, NULL, 0);
6521 if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) {
6522 /* all_image_infos straddles a page */
6523 vm_fault(current_map(),
6524 vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - 1,
6525 vm_map_page_mask(current_map())),
6526 VM_PROT_READ | VM_PROT_WRITE,
6527 FALSE, VM_KERN_MEMORY_NONE,
6528 THREAD_UNINT, NULL, 0);
6529 }
6530
6531 ret = copyin(load_result->all_image_info_addr,
6532 &all_image_infos,
6533 expected_all_image_infos_size);
6534 if (ret == 0 && all_image_infos.infos32.version >= DYLD_ALL_IMAGE_INFOS_ADDRESS_MINIMUM_VERSION) {
6535 user_addr_t notification_address;
6536 user_addr_t dyld_image_address;
6537 user_addr_t dyld_version_address;
6538 user_addr_t dyld_all_image_infos_address;
6539 user_addr_t dyld_slide_amount;
6540
6541 if (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) {
6542 notification_address = all_image_infos.infos64.notification;
6543 dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress;
6544 dyld_version_address = all_image_infos.infos64.dyldVersion;
6545 dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress;
6546 } else {
6547 notification_address = all_image_infos.infos32.notification;
6548 dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress;
6549 dyld_version_address = all_image_infos.infos32.dyldVersion;
6550 dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress;
6551 }
6552
6553 /*
6554 * dyld statically sets up the all_image_infos in its Mach-O
6555 * binary at static link time, with pointers relative to its default
6556 * load address. Since ASLR might slide dyld before its first
6557 * instruction is executed, "dyld_slide_amount" tells us how far
6558 * dyld was loaded compared to its default expected load address.
6559 * All other pointers into dyld's image should be adjusted by this
6560 * amount. At some point later, dyld will fix up pointers to take
6561 * into account the slide, at which point the all_image_infos_address
6562 * field in the structure will match the runtime load address, and
6563 * "dyld_slide_amount" will be 0, if we were to consult it again.
6564 */
6565
6566 dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address;
6567
6568 #if 0
6569 kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
6570 (uint64_t)load_result->all_image_info_addr,
6571 all_image_infos.infos32.version,
6572 (uint64_t)notification_address,
6573 (uint64_t)dyld_image_address,
6574 (uint64_t)dyld_version_address,
6575 (uint64_t)dyld_all_image_infos_address);
6576 #endif
6577
6578 vm_fault(current_map(),
6579 vm_map_trunc_page(notification_address + dyld_slide_amount,
6580 vm_map_page_mask(current_map())),
6581 VM_PROT_READ | VM_PROT_EXECUTE,
6582 FALSE, VM_KERN_MEMORY_NONE,
6583 THREAD_UNINT, NULL, 0);
6584 vm_fault(current_map(),
6585 vm_map_trunc_page(dyld_image_address + dyld_slide_amount,
6586 vm_map_page_mask(current_map())),
6587 VM_PROT_READ | VM_PROT_EXECUTE,
6588 FALSE, VM_KERN_MEMORY_NONE,
6589 THREAD_UNINT, NULL, 0);
6590 vm_fault(current_map(),
6591 vm_map_trunc_page(dyld_version_address + dyld_slide_amount,
6592 vm_map_page_mask(current_map())),
6593 VM_PROT_READ,
6594 FALSE, VM_KERN_MEMORY_NONE,
6595 THREAD_UNINT, NULL, 0);
6596 vm_fault(current_map(),
6597 vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount,
6598 vm_map_page_mask(current_map())),
6599 VM_PROT_READ | VM_PROT_WRITE,
6600 FALSE, VM_KERN_MEMORY_NONE,
6601 THREAD_UNINT, NULL, 0);
6602 }
6603 }
6604 }
mirror of XNU