]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_exec.c
projects / apple / xnu.git / blob
? search:


dde1b3c40f124e912847571272c89a3079c436ad
[apple/xnu.git] / bsd / kern / kern_exec.c
1 /*
2 * Copyright (c) 2000-2011 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29 /*
30 * Mach Operating System
31 * Copyright (c) 1987 Carnegie-Mellon University
32 * All rights reserved. The CMU software License Agreement specifies
33 * the terms and conditions for use and redistribution.
34 */
35
36 #include <cputypes.h>
37
38 /*-
39 * Copyright (c) 1982, 1986, 1991, 1993
40 * The Regents of the University of California. All rights reserved.
41 * (c) UNIX System Laboratories, Inc.
42 * All or some portions of this file are derived from material licensed
43 * to the University of California by American Telephone and Telegraph
44 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
45 * the permission of UNIX System Laboratories, Inc.
46 *
47 * Redistribution and use in source and binary forms, with or without
48 * modification, are permitted provided that the following conditions
49 * are met:
50 * 1. Redistributions of source code must retain the above copyright
51 * notice, this list of conditions and the following disclaimer.
52 * 2. Redistributions in binary form must reproduce the above copyright
53 * notice, this list of conditions and the following disclaimer in the
54 * documentation and/or other materials provided with the distribution.
55 * 3. All advertising materials mentioning features or use of this software
56 * must display the following acknowledgement:
57 * This product includes software developed by the University of
58 * California, Berkeley and its contributors.
59 * 4. Neither the name of the University nor the names of its contributors
60 * may be used to endorse or promote products derived from this software
61 * without specific prior written permission.
62 *
63 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
64 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
65 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
66 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
67 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
68 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
69 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
70 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
71 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
72 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
73 * SUCH DAMAGE.
74 *
75 * from: @(#)kern_exec.c 8.1 (Berkeley) 6/10/93
76 */
77 /*
78 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
79 * support for mandatory and extensible security protections. This notice
80 * is included in support of clause 2.2 (b) of the Apple Public License,
81 * Version 2.0.
82 */
83 #include <machine/reg.h>
84 #include <machine/cpu_capabilities.h>
85
86 #include <sys/param.h>
87 #include <sys/systm.h>
88 #include <sys/filedesc.h>
89 #include <sys/kernel.h>
90 #include <sys/proc_internal.h>
91 #include <sys/kauth.h>
92 #include <sys/user.h>
93 #include <sys/socketvar.h>
94 #include <sys/malloc.h>
95 #include <sys/namei.h>
96 #include <sys/mount_internal.h>
97 #include <sys/vnode_internal.h>
98 #include <sys/file_internal.h>
99 #include <sys/stat.h>
100 #include <sys/uio_internal.h>
101 #include <sys/acct.h>
102 #include <sys/exec.h>
103 #include <sys/kdebug.h>
104 #include <sys/signal.h>
105 #include <sys/aio_kern.h>
106 #include <sys/sysproto.h>
107 #if SYSV_SHM
108 #include <sys/shm_internal.h> /* shmexec() */
109 #endif
110 #include <sys/ubc_internal.h> /* ubc_map() */
111 #include <sys/spawn.h>
112 #include <sys/spawn_internal.h>
113 #include <sys/codesign.h>
114 #include <crypto/sha1.h>
115
116 #include <security/audit/audit.h>
117
118 #include <ipc/ipc_types.h>
119
120 #include <mach/mach_types.h>
121 #include <mach/port.h>
122 #include <mach/task.h>
123 #include <mach/task_access.h>
124 #include <mach/thread_act.h>
125 #include <mach/vm_map.h>
126 #include <mach/mach_vm.h>
127 #include <mach/vm_param.h>
128
129 #include <kern/sched_prim.h> /* thread_wakeup() */
130 #include <kern/affinity.h>
131 #include <kern/assert.h>
132 #include <kern/task.h>
133
134 #if CONFIG_MACF
135 #include <security/mac.h>
136 #include <security/mac_mach_internal.h>
137 #endif
138
139 #include <vm/vm_map.h>
140 #include <vm/vm_kern.h>
141 #include <vm/vm_protos.h>
142 #include <vm/vm_kern.h>
143 #include <vm/vm_fault.h>
144
145 #include <kdp/kdp_dyld.h>
146
147 #include <machine/pal_routines.h>
148
149 #include <pexpert/pexpert.h>
150
151 #if CONFIG_MEMORYSTATUS
152 #include <sys/kern_memorystatus.h>
153 #endif
154
155 #if CONFIG_DTRACE
156 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
157 extern void (*dtrace_fasttrap_exec_ptr)(proc_t);
158 extern void (*dtrace_helpers_cleanup)(proc_t);
159 extern void dtrace_lazy_dofs_destroy(proc_t);
160
161 #include <sys/dtrace_ptss.h>
162 #endif
163
164 /* support for child creation in exec after vfork */
165 thread_t fork_create_child(task_t parent_task, proc_t child_proc, int inherit_memory, int is64bit);
166 void vfork_exit(proc_t p, int rv);
167 int setsigvec(proc_t, thread_t, int, struct __kern_sigaction *, boolean_t in_sigstart);
168 extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
169 int task_set_cpuusage(task_t task, uint64_t percentage, uint64_t interval, uint64_t deadline, int scope);
170
171 /*
172 * Mach things for which prototypes are unavailable from Mach headers
173 */
174 void ipc_task_reset(
175 task_t task);
176 void ipc_thread_reset(
177 thread_t thread);
178 kern_return_t ipc_object_copyin(
179 ipc_space_t space,
180 mach_port_name_t name,
181 mach_msg_type_name_t msgt_name,
182 ipc_object_t *objectp);
183 void ipc_port_release_send(ipc_port_t);
184
185 extern struct savearea *get_user_regs(thread_t);
186
187
188 #include <kern/thread.h>
189 #include <kern/task.h>
190 #include <kern/ast.h>
191 #include <kern/mach_loader.h>
192 #include <kern/mach_fat.h>
193 #include <mach-o/fat.h>
194 #include <mach-o/loader.h>
195 #include <machine/vmparam.h>
196 #include <sys/imgact.h>
197
198 #include <sys/sdt.h>
199
200
201 /*
202 * EAI_ITERLIMIT The maximum number of times to iterate an image
203 * activator in exec_activate_image() before treating
204 * it as malformed/corrupt.
205 */
206 #define EAI_ITERLIMIT 10
207
208 /*
209 * For #! interpreter parsing
210 */
211 #define IS_WHITESPACE(ch) ((ch == ' ') || (ch == '\t'))
212 #define IS_EOL(ch) ((ch == '#') || (ch == '\n'))
213
214 extern vm_map_t bsd_pageable_map;
215 extern struct fileops vnops;
216
217 #define ROUND_PTR(type, addr) \
218 (type *)( ( (uintptr_t)(addr) + 16 - 1) \
219 & ~(16 - 1) )
220
221 struct image_params; /* Forward */
222 static int exec_activate_image(struct image_params *imgp);
223 static int exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp);
224 static int load_return_to_errno(load_return_t lrtn);
225 static int execargs_alloc(struct image_params *imgp);
226 static int execargs_free(struct image_params *imgp);
227 static int exec_check_permissions(struct image_params *imgp);
228 static int exec_extract_strings(struct image_params *imgp);
229 static int exec_add_apple_strings(struct image_params *imgp);
230 static int exec_handle_sugid(struct image_params *imgp);
231 static int sugid_scripts = 0;
232 SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
233 static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p);
234 static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
235 static void exec_resettextvp(proc_t, struct image_params *);
236 static int check_for_signature(proc_t, struct image_params *);
237 static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
238
239 #if !CONFIG_EMBEDDED
240
241 /* Identify process during exec and opt into legacy behaviors */
242
243 struct legacy_behavior {
244 uuid_t process_uuid;
245 uint32_t legacy_mask;
246 };
247
248 static const struct legacy_behavior legacy_behaviors[] =
249 {
250 {{ 0xF8, 0x7C, 0xC3, 0x67, 0xFB, 0x68, 0x37, 0x93, 0xBC, 0x34, 0xB2, 0xB6, 0x05, 0x2B, 0xCD, 0xE2 }, PROC_LEGACY_BEHAVIOR_IOTHROTTLE },
251 {{ 0x0B, 0x4E, 0xDF, 0xD8, 0x76, 0xD1, 0x3D, 0x4D, 0x9D, 0xD7, 0x37, 0x43, 0x1C, 0xA8, 0xFB, 0x26 }, PROC_LEGACY_BEHAVIOR_IOTHROTTLE },
252 };
253 #endif /* !CONFIG_EMBEDDED */
254
255 /* We don't want this one exported */
256 __private_extern__
257 int open1(vfs_context_t, struct nameidata *, int, struct vnode_attr *, int32_t *);
258
259 /*
260 * exec_add_user_string
261 *
262 * Add the requested string to the string space area.
263 *
264 * Parameters; struct image_params * image parameter block
265 * user_addr_t string to add to strings area
266 * int segment from which string comes
267 * boolean_t TRUE if string contributes to NCARGS
268 *
269 * Returns: 0 Success
270 * !0 Failure errno from copyinstr()
271 *
272 * Implicit returns:
273 * (imgp->ip_strendp) updated location of next add, if any
274 * (imgp->ip_strspace) updated byte count of space remaining
275 * (imgp->ip_argspace) updated byte count of space in NCARGS
276 */
277 static int
278 exec_add_user_string(struct image_params *imgp, user_addr_t str, int seg, boolean_t is_ncargs)
279 {
280 int error = 0;
281
282 do {
283 size_t len = 0;
284 int space;
285
286 if (is_ncargs)
287 space = imgp->ip_argspace; /* by definition smaller than ip_strspace */
288 else
289 space = imgp->ip_strspace;
290
291 if (space <= 0) {
292 error = E2BIG;
293 break;
294 }
295
296 if (!UIO_SEG_IS_USER_SPACE(seg)) {
297 char *kstr = CAST_DOWN(char *,str); /* SAFE */
298 error = copystr(kstr, imgp->ip_strendp, space, &len);
299 } else {
300 error = copyinstr(str, imgp->ip_strendp, space, &len);
301 }
302
303 imgp->ip_strendp += len;
304 imgp->ip_strspace -= len;
305 if (is_ncargs)
306 imgp->ip_argspace -= len;
307
308 } while (error == ENAMETOOLONG);
309
310 return error;
311 }
312
313 /*
314 * exec_save_path
315 *
316 * To support new app package launching for Mac OS X, the dyld needs the
317 * first argument to execve() stored on the user stack.
318 *
319 * Save the executable path name at the bottom of the strings area and set
320 * the argument vector pointer to the location following that to indicate
321 * the start of the argument and environment tuples, setting the remaining
322 * string space count to the size of the string area minus the path length.
323 *
324 * Parameters; struct image_params * image parameter block
325 * char * path used to invoke program
326 * int segment from which path comes
327 *
328 * Returns: int 0 Success
329 * EFAULT Bad address
330 * copy[in]str:EFAULT Bad address
331 * copy[in]str:ENAMETOOLONG Filename too long
332 *
333 * Implicit returns:
334 * (imgp->ip_strings) saved path
335 * (imgp->ip_strspace) space remaining in ip_strings
336 * (imgp->ip_strendp) start of remaining copy area
337 * (imgp->ip_argspace) space remaining of NCARGS
338 * (imgp->ip_applec) Initial applev[0]
339 *
340 * Note: We have to do this before the initial namei() since in the
341 * path contains symbolic links, namei() will overwrite the
342 * original path buffer contents. If the last symbolic link
343 * resolved was a relative pathname, we would lose the original
344 * "path", which could be an absolute pathname. This might be
345 * unacceptable for dyld.
346 */
347 static int
348 exec_save_path(struct image_params *imgp, user_addr_t path, int seg)
349 {
350 int error;
351 size_t len;
352 char *kpath;
353
354 len = MIN(MAXPATHLEN, imgp->ip_strspace);
355
356 switch(seg) {
357 case UIO_USERSPACE32:
358 case UIO_USERSPACE64: /* Same for copyin()... */
359 error = copyinstr(path, imgp->ip_strings, len, &len);
360 break;
361 case UIO_SYSSPACE:
362 kpath = CAST_DOWN(char *,path); /* SAFE */
363 error = copystr(kpath, imgp->ip_strings, len, &len);
364 break;
365 default:
366 error = EFAULT;
367 break;
368 }
369
370 if (!error) {
371 imgp->ip_strendp += len;
372 imgp->ip_strspace -= len;
373 }
374
375 return(error);
376 }
377
378 /*
379 * exec_reset_save_path
380 *
381 * If we detect a shell script, we need to reset the string area
382 * state so that the interpreter can be saved onto the stack.
383
384 * Parameters; struct image_params * image parameter block
385 *
386 * Returns: int 0 Success
387 *
388 * Implicit returns:
389 * (imgp->ip_strings) saved path
390 * (imgp->ip_strspace) space remaining in ip_strings
391 * (imgp->ip_strendp) start of remaining copy area
392 * (imgp->ip_argspace) space remaining of NCARGS
393 *
394 */
395 static int
396 exec_reset_save_path(struct image_params *imgp)
397 {
398 imgp->ip_strendp = imgp->ip_strings;
399 imgp->ip_argspace = NCARGS;
400 imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
401
402 return (0);
403 }
404
405 /*
406 * exec_shell_imgact
407 *
408 * Image activator for interpreter scripts. If the image begins with the
409 * characters "#!", then it is an interpreter script. Verify that we are
410 * not already executing in PowerPC mode, and that the length of the script
411 * line indicating the interpreter is not in excess of the maximum allowed
412 * size. If this is the case, then break out the arguments, if any, which
413 * are separated by white space, and copy them into the argument save area
414 * as if they were provided on the command line before all other arguments.
415 * The line ends when we encounter a comment character ('#') or newline.
416 *
417 * Parameters; struct image_params * image parameter block
418 *
419 * Returns: -1 not an interpreter (keep looking)
420 * -3 Success: interpreter: relookup
421 * >0 Failure: interpreter: error number
422 *
423 * A return value other than -1 indicates subsequent image activators should
424 * not be given the opportunity to attempt to activate the image.
425 */
426 static int
427 exec_shell_imgact(struct image_params *imgp)
428 {
429 char *vdata = imgp->ip_vdata;
430 char *ihp;
431 char *line_startp, *line_endp;
432 char *interp;
433 proc_t p;
434 struct fileproc *fp;
435 int fd;
436 int error;
437
438 /*
439 * Make sure it's a shell script. If we've already redirected
440 * from an interpreted file once, don't do it again.
441 *
442 * Note: We disallow PowerPC, since the expectation is that we
443 * may run a PowerPC interpreter, but not an interpret a PowerPC
444 * image. This is consistent with historical behaviour.
445 */
446 if (vdata[0] != '#' ||
447 vdata[1] != '!' ||
448 (imgp->ip_flags & IMGPF_INTERPRET) != 0) {
449 return (-1);
450 }
451
452 imgp->ip_flags |= IMGPF_INTERPRET;
453 imgp->ip_interp_sugid_fd = -1;
454 imgp->ip_interp_buffer[0] = '\0';
455
456 /* Check to see if SUGID scripts are permitted. If they aren't then
457 * clear the SUGID bits.
458 * imgp->ip_vattr is known to be valid.
459 */
460 if (sugid_scripts == 0) {
461 imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
462 }
463
464 /* Try to find the first non-whitespace character */
465 for( ihp = &vdata[2]; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
466 if (IS_EOL(*ihp)) {
467 /* Did not find interpreter, "#!\n" */
468 return (ENOEXEC);
469 } else if (IS_WHITESPACE(*ihp)) {
470 /* Whitespace, like "#! /bin/sh\n", keep going. */
471 } else {
472 /* Found start of interpreter */
473 break;
474 }
475 }
476
477 if (ihp == &vdata[IMG_SHSIZE]) {
478 /* All whitespace, like "#! " */
479 return (ENOEXEC);
480 }
481
482 line_startp = ihp;
483
484 /* Try to find the end of the interpreter+args string */
485 for ( ; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
486 if (IS_EOL(*ihp)) {
487 /* Got it */
488 break;
489 } else {
490 /* Still part of interpreter or args */
491 }
492 }
493
494 if (ihp == &vdata[IMG_SHSIZE]) {
495 /* A long line, like "#! blah blah blah" without end */
496 return (ENOEXEC);
497 }
498
499 /* Backtrack until we find the last non-whitespace */
500 while (IS_EOL(*ihp) || IS_WHITESPACE(*ihp)) {
501 ihp--;
502 }
503
504 /* The character after the last non-whitespace is our logical end of line */
505 line_endp = ihp + 1;
506
507 /*
508 * Now we have pointers to the usable part of:
509 *
510 * "#! /usr/bin/int first second third \n"
511 * ^ line_startp ^ line_endp
512 */
513
514 /* copy the interpreter name */
515 interp = imgp->ip_interp_buffer;
516 for ( ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++)
517 *interp++ = *ihp;
518 *interp = '\0';
519
520 exec_reset_save_path(imgp);
521 exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer),
522 UIO_SYSSPACE);
523
524 /* Copy the entire interpreter + args for later processing into argv[] */
525 interp = imgp->ip_interp_buffer;
526 for ( ihp = line_startp; (ihp < line_endp); ihp++)
527 *interp++ = *ihp;
528 *interp = '\0';
529
530 /*
531 * If we have a SUID oder SGID script, create a file descriptor
532 * from the vnode and pass /dev/fd/%d instead of the actual
533 * path name so that the script does not get opened twice
534 */
535 if (imgp->ip_origvattr->va_mode & (VSUID | VSGID)) {
536 p = vfs_context_proc(imgp->ip_vfs_context);
537 error = falloc(p, &fp, &fd, imgp->ip_vfs_context);
538 if (error)
539 return(error);
540
541 fp->f_fglob->fg_flag = FREAD;
542 fp->f_fglob->fg_type = DTYPE_VNODE;
543 fp->f_fglob->fg_ops = &vnops;
544 fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
545
546 proc_fdlock(p);
547 procfdtbl_releasefd(p, fd, NULL);
548 fp_drop(p, fd, fp, 1);
549 proc_fdunlock(p);
550 vnode_ref(imgp->ip_vp);
551
552 imgp->ip_interp_sugid_fd = fd;
553 }
554
555 return (-3);
556 }
557
558
559
560 /*
561 * exec_fat_imgact
562 *
563 * Image activator for fat 1.0 binaries. If the binary is fat, then we
564 * need to select an image from it internally, and make that the image
565 * we are going to attempt to execute. At present, this consists of
566 * reloading the first page for the image with a first page from the
567 * offset location indicated by the fat header.
568 *
569 * Parameters; struct image_params * image parameter block
570 *
571 * Returns: -1 not a fat binary (keep looking)
572 * -2 Success: encapsulated binary: reread
573 * >0 Failure: error number
574 *
575 * Important: This image activator is byte order neutral.
576 *
577 * Note: A return value other than -1 indicates subsequent image
578 * activators should not be given the opportunity to attempt
579 * to activate the image.
580 *
581 * If we find an encapsulated binary, we make no assertions
582 * about its validity; instead, we leave that up to a rescan
583 * for an activator to claim it, and, if it is claimed by one,
584 * that activator is responsible for determining validity.
585 */
586 static int
587 exec_fat_imgact(struct image_params *imgp)
588 {
589 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
590 kauth_cred_t cred = kauth_cred_proc_ref(p);
591 struct fat_header *fat_header = (struct fat_header *)imgp->ip_vdata;
592 struct _posix_spawnattr *psa = NULL;
593 struct fat_arch fat_arch;
594 int resid, error;
595 load_return_t lret;
596
597 /* Make sure it's a fat binary */
598 if ((fat_header->magic != FAT_MAGIC) &&
599 (fat_header->magic != FAT_CIGAM)) {
600 error = -1;
601 goto bad;
602 }
603
604 /* If posix_spawn binprefs exist, respect those prefs. */
605 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
606 if (psa != NULL && psa->psa_binprefs[0] != 0) {
607 struct fat_arch *arches = (struct fat_arch *) (fat_header + 1);
608 int nfat_arch = 0, pr = 0, f = 0;
609
610 nfat_arch = OSSwapBigToHostInt32(fat_header->nfat_arch);
611 /* Check each preference listed against all arches in header */
612 for (pr = 0; pr < NBINPREFS; pr++) {
613 cpu_type_t pref = psa->psa_binprefs[pr];
614 if (pref == 0) {
615 /* No suitable arch in the pref list */
616 error = EBADARCH;
617 goto bad;
618 }
619
620 if (pref == CPU_TYPE_ANY) {
621 /* Fall through to regular grading */
622 break;
623 }
624
625 for (f = 0; f < nfat_arch; f++) {
626 cpu_type_t archtype = OSSwapBigToHostInt32(
627 arches[f].cputype);
628 cpu_type_t archsubtype = OSSwapBigToHostInt32(
629 arches[f].cpusubtype) & ~CPU_SUBTYPE_MASK;
630 if (pref == archtype &&
631 grade_binary(archtype, archsubtype)) {
632 /* We have a winner! */
633 fat_arch.cputype = archtype;
634 fat_arch.cpusubtype = archsubtype;
635 fat_arch.offset = OSSwapBigToHostInt32(
636 arches[f].offset);
637 fat_arch.size = OSSwapBigToHostInt32(
638 arches[f].size);
639 fat_arch.align = OSSwapBigToHostInt32(
640 arches[f].align);
641 goto use_arch;
642 }
643 }
644 }
645 }
646
647 /* Look up our preferred architecture in the fat file. */
648 lret = fatfile_getarch_affinity(imgp->ip_vp,
649 (vm_offset_t)fat_header,
650 &fat_arch,
651 (p->p_flag & P_AFFINITY));
652 if (lret != LOAD_SUCCESS) {
653 error = load_return_to_errno(lret);
654 goto bad;
655 }
656
657 use_arch:
658 /* Read the Mach-O header out of fat_arch */
659 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata,
660 PAGE_SIZE, fat_arch.offset,
661 UIO_SYSSPACE, (IO_UNIT|IO_NODELOCKED),
662 cred, &resid, p);
663 if (error) {
664 goto bad;
665 }
666
667 /* Did we read a complete header? */
668 if (resid) {
669 error = EBADEXEC;
670 goto bad;
671 }
672
673 /* Success. Indicate we have identified an encapsulated binary */
674 error = -2;
675 imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
676 imgp->ip_arch_size = (user_size_t)fat_arch.size;
677
678 bad:
679 kauth_cred_unref(&cred);
680 return (error);
681 }
682
683 /*
684 * exec_mach_imgact
685 *
686 * Image activator for mach-o 1.0 binaries.
687 *
688 * Parameters; struct image_params * image parameter block
689 *
690 * Returns: -1 not a fat binary (keep looking)
691 * -2 Success: encapsulated binary: reread
692 * >0 Failure: error number
693 * EBADARCH Mach-o binary, but with an unrecognized
694 * architecture
695 * ENOMEM No memory for child process after -
696 * can only happen after vfork()
697 *
698 * Important: This image activator is NOT byte order neutral.
699 *
700 * Note: A return value other than -1 indicates subsequent image
701 * activators should not be given the opportunity to attempt
702 * to activate the image.
703 *
704 * TODO: More gracefully handle failures after vfork
705 */
706 static int
707 exec_mach_imgact(struct image_params *imgp)
708 {
709 struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
710 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
711 int error = 0;
712 int vfexec = 0;
713 task_t task;
714 task_t new_task = NULL; /* protected by vfexec */
715 thread_t thread;
716 struct uthread *uthread;
717 vm_map_t old_map = VM_MAP_NULL;
718 vm_map_t map;
719 load_return_t lret;
720 load_result_t load_result;
721 struct _posix_spawnattr *psa = NULL;
722 int spawn = (imgp->ip_flags & IMGPF_SPAWN);
723 int apptype = 0;
724
725 /*
726 * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
727 * is a reserved field on the end, so for the most part, we can
728 * treat them as if they were identical. Reverse-endian Mach-O
729 * binaries are recognized but not compatible.
730 */
731 if ((mach_header->magic == MH_CIGAM) ||
732 (mach_header->magic == MH_CIGAM_64)) {
733 error = EBADARCH;
734 goto bad;
735 }
736
737 if ((mach_header->magic != MH_MAGIC) &&
738 (mach_header->magic != MH_MAGIC_64)) {
739 error = -1;
740 goto bad;
741 }
742
743 switch (mach_header->filetype) {
744 case MH_DYLIB:
745 case MH_BUNDLE:
746 error = -1;
747 goto bad;
748 }
749
750 if (!imgp->ip_origcputype) {
751 imgp->ip_origcputype = mach_header->cputype;
752 imgp->ip_origcpusubtype = mach_header->cpusubtype;
753 }
754
755 task = current_task();
756 thread = current_thread();
757 uthread = get_bsdthread_info(thread);
758
759 /*
760 * Save off the vfexec state up front; we have to do this, because
761 * we need to know if we were in this state initially subsequent to
762 * creating the backing task, thread, and uthread for the child
763 * process (from the vfs_context_t from in img_parms).
764 */
765 if (uthread->uu_flag & UT_VFORK)
766 vfexec = 1; /* Mark in exec */
767
768 if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64)
769 imgp->ip_flags |= IMGPF_IS_64BIT;
770
771 /* If posix_spawn binprefs exist, respect those prefs. */
772 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
773 if (psa != NULL && psa->psa_binprefs[0] != 0) {
774 int pr = 0;
775 for (pr = 0; pr < NBINPREFS; pr++) {
776 cpu_type_t pref = psa->psa_binprefs[pr];
777 if (pref == 0) {
778 /* No suitable arch in the pref list */
779 error = EBADARCH;
780 goto bad;
781 }
782
783 if (pref == CPU_TYPE_ANY) {
784 /* Jump to regular grading */
785 goto grade;
786 }
787
788 if (pref == imgp->ip_origcputype) {
789 /* We have a match! */
790 goto grade;
791 }
792 }
793 error = EBADARCH;
794 goto bad;
795 }
796 grade:
797 if (!grade_binary(imgp->ip_origcputype & ~CPU_SUBTYPE_LIB64,
798 imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
799 error = EBADARCH;
800 goto bad;
801 }
802
803 /* Copy in arguments/environment from the old process */
804 error = exec_extract_strings(imgp);
805 if (error)
806 goto bad;
807
808 error = exec_add_apple_strings(imgp);
809 if (error)
810 goto bad;
811
812 AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc,
813 imgp->ip_endargv - imgp->ip_startargv);
814 AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
815 imgp->ip_endenvv - imgp->ip_endargv);
816
817 /*
818 * We are being called to activate an image subsequent to a vfork()
819 * operation; in this case, we know that our task, thread, and
820 * uthread are actually those of our parent, and our proc, which we
821 * obtained indirectly from the image_params vfs_context_t, is the
822 * new child process.
823 */
824 if (vfexec || spawn) {
825 if (vfexec) {
826 imgp->ip_new_thread = fork_create_child(task, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT));
827 if (imgp->ip_new_thread == NULL) {
828 error = ENOMEM;
829 goto bad;
830 }
831 }
832
833 /* reset local idea of thread, uthread, task */
834 thread = imgp->ip_new_thread;
835 uthread = get_bsdthread_info(thread);
836 task = new_task = get_threadtask(thread);
837 map = get_task_map(task);
838 } else {
839 map = VM_MAP_NULL;
840 }
841
842 /*
843 * We set these flags here; this is OK, since if we fail after
844 * this point, we have already destroyed the parent process anyway.
845 */
846 task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, 0);
847 if (imgp->ip_flags & IMGPF_IS_64BIT) {
848 task_set_64bit(task, TRUE);
849 OSBitOrAtomic(P_LP64, &p->p_flag);
850 } else {
851 task_set_64bit(task, FALSE);
852 OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
853 }
854
855 /*
856 * Load the Mach-O file.
857 *
858 * NOTE: An error after this point indicates we have potentially
859 * destroyed or overwritten some process state while attempting an
860 * execve() following a vfork(), which is an unrecoverable condition.
861 */
862
863 /*
864 * Actually load the image file we previously decided to load.
865 */
866 lret = load_machfile(imgp, mach_header, thread, map, &load_result);
867
868 if (lret != LOAD_SUCCESS) {
869 error = load_return_to_errno(lret);
870 goto badtoolate;
871 }
872
873 vm_map_set_user_wire_limit(get_task_map(task), p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
874
875 /*
876 * Set code-signing flags if this binary is signed, or if parent has
877 * requested them on exec.
878 */
879 if (load_result.csflags & CS_VALID) {
880 imgp->ip_csflags |= load_result.csflags &
881 (CS_VALID|
882 CS_HARD|CS_KILL|CS_EXEC_SET_HARD|CS_EXEC_SET_KILL);
883 } else {
884 imgp->ip_csflags &= ~CS_VALID;
885 }
886
887 if (p->p_csflags & CS_EXEC_SET_HARD)
888 imgp->ip_csflags |= CS_HARD;
889 if (p->p_csflags & CS_EXEC_SET_KILL)
890 imgp->ip_csflags |= CS_KILL;
891
892
893 /*
894 * Set up the system reserved areas in the new address space.
895 */
896 vm_map_exec(get_task_map(task),
897 task,
898 (void *) p->p_fd->fd_rdir,
899 cpu_type());
900
901 /*
902 * Close file descriptors which specify close-on-exec.
903 */
904 fdexec(p, psa != NULL ? psa->psa_flags : 0);
905
906 /*
907 * deal with set[ug]id.
908 */
909 error = exec_handle_sugid(imgp);
910
911 /* Make sure we won't interrupt ourself signalling a partial process */
912 if (!vfexec && !spawn && (p->p_lflag & P_LTRACED))
913 psignal(p, SIGTRAP);
914
915 if (error) {
916 goto badtoolate;
917 }
918
919 if (load_result.unixproc &&
920 create_unix_stack(get_task_map(task),
921 &load_result,
922 p) != KERN_SUCCESS) {
923 error = load_return_to_errno(LOAD_NOSPACE);
924 goto badtoolate;
925 }
926
927 if (vfexec || spawn) {
928 old_map = vm_map_switch(get_task_map(task));
929 }
930
931 if (load_result.unixproc) {
932 user_addr_t ap;
933
934 /*
935 * Copy the strings area out into the new process address
936 * space.
937 */
938 ap = p->user_stack;
939 error = exec_copyout_strings(imgp, &ap);
940 if (error) {
941 if (vfexec || spawn)
942 vm_map_switch(old_map);
943 goto badtoolate;
944 }
945 /* Set the stack */
946 thread_setuserstack(thread, ap);
947 }
948
949 if (load_result.dynlinker) {
950 uint64_t ap;
951 int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
952
953 /* Adjust the stack */
954 ap = thread_adjuserstack(thread, -new_ptr_size);
955 error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
956
957 if (error) {
958 if (vfexec || spawn)
959 vm_map_switch(old_map);
960 goto badtoolate;
961 }
962 task_set_dyld_info(task, load_result.all_image_info_addr,
963 load_result.all_image_info_size);
964 }
965
966 /* Avoid immediate VM faults back into kernel */
967 exec_prefault_data(p, imgp, &load_result);
968
969 if (vfexec || spawn) {
970 vm_map_switch(old_map);
971 }
972 /* Set the entry point */
973 thread_setentrypoint(thread, load_result.entry_point);
974
975 /* Stop profiling */
976 stopprofclock(p);
977
978 /*
979 * Reset signal state.
980 */
981 execsigs(p, thread);
982
983 /*
984 * need to cancel async IO requests that can be cancelled and wait for those
985 * already active. MAY BLOCK!
986 */
987 _aio_exec( p );
988
989 #if SYSV_SHM
990 /* FIXME: Till vmspace inherit is fixed: */
991 if (!vfexec && p->vm_shm)
992 shmexec(p);
993 #endif
994 #if SYSV_SEM
995 /* Clean up the semaphores */
996 semexit(p);
997 #endif
998
999 /*
1000 * Remember file name for accounting.
1001 */
1002 p->p_acflag &= ~AFORK;
1003 /* If the translated name isn't NULL, then we want to use
1004 * that translated name as the name we show as the "real" name.
1005 * Otherwise, use the name passed into exec.
1006 */
1007 if (0 != imgp->ip_p_comm[0]) {
1008 bcopy((caddr_t)imgp->ip_p_comm, (caddr_t)p->p_comm,
1009 sizeof(p->p_comm));
1010 } else {
1011 if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
1012 imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
1013 bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
1014 (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
1015 p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
1016 }
1017
1018 pal_dbg_set_task_name( p->task );
1019
1020 memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
1021
1022 #if !CONFIG_EMBEDDED
1023 unsigned int i;
1024
1025 if (!vfexec && !spawn) {
1026 if (p->p_legacy_behavior & PROC_LEGACY_BEHAVIOR_IOTHROTTLE) {
1027 throttle_legacy_process_decr();
1028 }
1029 }
1030
1031 p->p_legacy_behavior = 0;
1032 for (i=0; i < sizeof(legacy_behaviors)/sizeof(legacy_behaviors[0]); i++) {
1033 if (0 == uuid_compare(legacy_behaviors[i].process_uuid, p->p_uuid)) {
1034 p->p_legacy_behavior = legacy_behaviors[i].legacy_mask;
1035 break;
1036 }
1037 }
1038
1039 if (p->p_legacy_behavior & PROC_LEGACY_BEHAVIOR_IOTHROTTLE) {
1040 throttle_legacy_process_incr();
1041 }
1042 #endif
1043
1044 // <rdar://6598155> dtrace code cleanup needed
1045 #if CONFIG_DTRACE
1046 /*
1047 * Invalidate any predicate evaluation already cached for this thread by DTrace.
1048 * That's because we've just stored to p_comm and DTrace refers to that when it
1049 * evaluates the "execname" special variable. uid and gid may have changed as well.
1050 */
1051 dtrace_set_thread_predcache(current_thread(), 0);
1052
1053 /*
1054 * Free any outstanding lazy dof entries. It is imperative we
1055 * always call dtrace_lazy_dofs_destroy, rather than null check
1056 * and call if !NULL. If we NULL test, during lazy dof faulting
1057 * we can race with the faulting code and proceed from here to
1058 * beyond the helpers cleanup. The lazy dof faulting will then
1059 * install new helpers which no longer belong to this process!
1060 */
1061 dtrace_lazy_dofs_destroy(p);
1062
1063
1064 /*
1065 * Clean up any DTrace helpers for the process.
1066 */
1067 if (p->p_dtrace_helpers != NULL && dtrace_helpers_cleanup) {
1068 (*dtrace_helpers_cleanup)(p);
1069 }
1070
1071 /*
1072 * Cleanup the DTrace provider associated with this process.
1073 */
1074 proc_lock(p);
1075 if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) {
1076 (*dtrace_fasttrap_exec_ptr)(p);
1077 }
1078 proc_unlock(p);
1079 #endif
1080
1081 if (kdebug_enable) {
1082 long dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4;
1083
1084 /*
1085 * Collect the pathname for tracing
1086 */
1087 kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
1088
1089 if (vfexec || spawn) {
1090 KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
1091 p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread));
1092 KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
1093 dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread));
1094 } else {
1095 KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
1096 p->p_pid ,0,0,0,0);
1097 KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
1098 dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
1099 }
1100 }
1101
1102 /*
1103 * Ensure the 'translated' and 'affinity' flags are cleared, since we
1104 * no longer run PowerPC binaries.
1105 */
1106 OSBitAndAtomic(~((uint32_t)(P_TRANSLATED | P_AFFINITY)), &p->p_flag);
1107
1108 /*
1109 * If posix_spawned with the START_SUSPENDED flag, stop the
1110 * process before it runs.
1111 */
1112 if (imgp->ip_px_sa != NULL) {
1113 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
1114 if (psa->psa_flags & POSIX_SPAWN_START_SUSPENDED) {
1115 proc_lock(p);
1116 p->p_stat = SSTOP;
1117 proc_unlock(p);
1118 (void) task_suspend(p->task);
1119 }
1120 #if CONFIG_EMBEDDED
1121 if ((psa->psa_flags & POSIX_SPAWN_IOS_RESV1_APP_START) || (psa->psa_flags & POSIX_SPAWN_IOS_APPLE_DAEMON_START) || (psa->psa_flags & POSIX_SPAWN_IOS_APP_START)) {
1122 if ((psa->psa_flags & POSIX_SPAWN_IOS_RESV1_APP_START))
1123 apptype = PROC_POLICY_IOS_RESV1_APPTYPE;
1124 else if (psa->psa_flags & POSIX_SPAWN_IOS_APPLE_DAEMON_START)
1125 apptype = PROC_POLICY_IOS_APPLE_DAEMON;
1126 else if (psa->psa_flags & POSIX_SPAWN_IOS_APP_START)
1127 apptype = PROC_POLICY_IOS_APPTYPE;
1128 else
1129 apptype = PROC_POLICY_OSX_APPTYPE_NONE;
1130 proc_set_task_apptype(p->task, apptype, imgp->ip_new_thread);
1131 if (apptype == PROC_POLICY_IOS_RESV1_APPTYPE)
1132 proc_apply_task_networkbg_internal(p, NULL);
1133 }
1134
1135 if (psa->psa_apptype & POSIX_SPAWN_APPTYPE_IOS_APPLEDAEMON) {
1136 apptype = PROC_POLICY_IOS_APPLE_DAEMON;
1137 proc_set_task_apptype(p->task, apptype, imgp->ip_new_thread);
1138 }
1139 #else /* CONFIG_EMBEDDED */
1140 if ((psa->psa_flags & POSIX_SPAWN_OSX_TALAPP_START) || (psa->psa_flags & POSIX_SPAWN_OSX_DBCLIENT_START)) {
1141 if ((psa->psa_flags & POSIX_SPAWN_OSX_TALAPP_START))
1142 apptype = PROC_POLICY_OSX_APPTYPE_TAL;
1143 else if (psa->psa_flags & POSIX_SPAWN_OSX_DBCLIENT_START)
1144 apptype = PROC_POLICY_OSX_APPTYPE_DBCLIENT;
1145 else
1146 apptype = PROC_POLICY_OSX_APPTYPE_NONE;
1147 proc_set_task_apptype(p->task, apptype, NULL);
1148 if ((apptype == PROC_POLICY_OSX_APPTYPE_TAL) ||
1149 (apptype == PROC_POLICY_OSX_APPTYPE_DBCLIENT)) {
1150 proc_apply_task_networkbg_internal(p, NULL);
1151 }
1152 }
1153 if ((psa->psa_apptype & POSIX_SPAWN_APPTYPE_OSX_TAL) ||
1154 (psa->psa_apptype & POSIX_SPAWN_APPTYPE_OSX_WIDGET)) {
1155 if ((psa->psa_apptype & POSIX_SPAWN_APPTYPE_OSX_TAL))
1156 apptype = PROC_POLICY_OSX_APPTYPE_TAL;
1157 else if (psa->psa_flags & POSIX_SPAWN_APPTYPE_OSX_WIDGET)
1158 apptype = PROC_POLICY_OSX_APPTYPE_DBCLIENT;
1159 else
1160 apptype = PROC_POLICY_OSX_APPTYPE_NONE;
1161 proc_set_task_apptype(p->task, apptype, imgp->ip_new_thread);
1162 if ((apptype == PROC_POLICY_OSX_APPTYPE_TAL) ||
1163 (apptype == PROC_POLICY_OSX_APPTYPE_DBCLIENT)) {
1164 proc_apply_task_networkbg_internal(p, NULL);
1165 }
1166 }
1167 #endif /* CONFIG_EMBEDDED */
1168 }
1169
1170 /*
1171 * mark as execed, wakeup the process that vforked (if any) and tell
1172 * it that it now has its own resources back
1173 */
1174 OSBitOrAtomic(P_EXEC, &p->p_flag);
1175 proc_resetregister(p);
1176 if (p->p_pptr && (p->p_lflag & P_LPPWAIT)) {
1177 proc_lock(p);
1178 p->p_lflag &= ~P_LPPWAIT;
1179 proc_unlock(p);
1180 wakeup((caddr_t)p->p_pptr);
1181 }
1182
1183 /*
1184 * Pay for our earlier safety; deliver the delayed signals from
1185 * the incomplete vfexec process now that it's complete.
1186 */
1187 if (vfexec && (p->p_lflag & P_LTRACED)) {
1188 psignal_vfork(p, new_task, thread, SIGTRAP);
1189 }
1190
1191 badtoolate:
1192 if (!spawn)
1193 proc_knote(p, NOTE_EXEC);
1194
1195 if (vfexec || spawn) {
1196 task_deallocate(new_task);
1197 thread_deallocate(thread);
1198 if (error)
1199 error = 0;
1200 }
1201
1202 bad:
1203 return(error);
1204 }
1205
1206
1207
1208
1209 /*
1210 * Our image activator table; this is the table of the image types we are
1211 * capable of loading. We list them in order of preference to ensure the
1212 * fastest image load speed.
1213 *
1214 * XXX hardcoded, for now; should use linker sets
1215 */
1216 struct execsw {
1217 int (*ex_imgact)(struct image_params *);
1218 const char *ex_name;
1219 } execsw[] = {
1220 { exec_mach_imgact, "Mach-o Binary" },
1221 { exec_fat_imgact, "Fat Binary" },
1222 { exec_shell_imgact, "Interpreter Script" },
1223 { NULL, NULL}
1224 };
1225
1226
1227 /*
1228 * exec_activate_image
1229 *
1230 * Description: Iterate through the available image activators, and activate
1231 * the image associated with the imgp structure. We start with
1232 * the
1233 *
1234 * Parameters: struct image_params * Image parameter block
1235 *
1236 * Returns: 0 Success
1237 * EBADEXEC The executable is corrupt/unknown
1238 * execargs_alloc:EINVAL Invalid argument
1239 * execargs_alloc:EACCES Permission denied
1240 * execargs_alloc:EINTR Interrupted function
1241 * execargs_alloc:ENOMEM Not enough space
1242 * exec_save_path:EFAULT Bad address
1243 * exec_save_path:ENAMETOOLONG Filename too long
1244 * exec_check_permissions:EACCES Permission denied
1245 * exec_check_permissions:ENOEXEC Executable file format error
1246 * exec_check_permissions:ETXTBSY Text file busy [misuse of error code]
1247 * exec_check_permissions:???
1248 * namei:???
1249 * vn_rdwr:??? [anything vn_rdwr can return]
1250 * <ex_imgact>:??? [anything an imgact can return]
1251 */
1252 static int
1253 exec_activate_image(struct image_params *imgp)
1254 {
1255 struct nameidata nd;
1256 int error;
1257 int resid;
1258 int once = 1; /* save SGUID-ness for interpreted files */
1259 int i;
1260 int iterlimit = EAI_ITERLIMIT;
1261 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1262
1263 error = execargs_alloc(imgp);
1264 if (error)
1265 goto bad;
1266
1267 error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg);
1268 if (error) {
1269 goto bad_notrans;
1270 }
1271
1272 /* Use imgp->ip_strings, which contains the copyin-ed exec path */
1273 DTRACE_PROC1(exec, uintptr_t, imgp->ip_strings);
1274
1275 NDINIT(&nd, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1276 UIO_SYSSPACE, CAST_USER_ADDR_T(imgp->ip_strings), imgp->ip_vfs_context);
1277
1278 again:
1279 error = namei(&nd);
1280 if (error)
1281 goto bad_notrans;
1282 imgp->ip_ndp = &nd; /* successful namei(); call nameidone() later */
1283 imgp->ip_vp = nd.ni_vp; /* if set, need to vnode_put() at some point */
1284
1285 /*
1286 * Before we start the transition from binary A to binary B, make
1287 * sure another thread hasn't started exiting the process. We grab
1288 * the proc lock to check p_lflag initially, and the transition
1289 * mechanism ensures that the value doesn't change after we release
1290 * the lock.
1291 */
1292 proc_lock(p);
1293 if (p->p_lflag & P_LEXIT) {
1294 proc_unlock(p);
1295 goto bad_notrans;
1296 }
1297 error = proc_transstart(p, 1);
1298 proc_unlock(p);
1299 if (error)
1300 goto bad_notrans;
1301
1302 error = exec_check_permissions(imgp);
1303 if (error)
1304 goto bad;
1305
1306 /* Copy; avoid invocation of an interpreter overwriting the original */
1307 if (once) {
1308 once = 0;
1309 *imgp->ip_origvattr = *imgp->ip_vattr;
1310 }
1311
1312 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE, 0,
1313 UIO_SYSSPACE, IO_NODELOCKED,
1314 vfs_context_ucred(imgp->ip_vfs_context),
1315 &resid, vfs_context_proc(imgp->ip_vfs_context));
1316 if (error)
1317 goto bad;
1318
1319 encapsulated_binary:
1320 /* Limit the number of iterations we will attempt on each binary */
1321 if (--iterlimit == 0) {
1322 error = EBADEXEC;
1323 goto bad;
1324 }
1325 error = -1;
1326 for(i = 0; error == -1 && execsw[i].ex_imgact != NULL; i++) {
1327
1328 error = (*execsw[i].ex_imgact)(imgp);
1329
1330 switch (error) {
1331 /* case -1: not claimed: continue */
1332 case -2: /* Encapsulated binary */
1333 goto encapsulated_binary;
1334
1335 case -3: /* Interpreter */
1336 #if CONFIG_MACF
1337 /*
1338 * Copy the script label for later use. Note that
1339 * the label can be different when the script is
1340 * actually read by the interpreter.
1341 */
1342 if (imgp->ip_scriptlabelp)
1343 mac_vnode_label_free(imgp->ip_scriptlabelp);
1344 imgp->ip_scriptlabelp = mac_vnode_label_alloc();
1345 if (imgp->ip_scriptlabelp == NULL) {
1346 error = ENOMEM;
1347 break;
1348 }
1349 mac_vnode_label_copy(imgp->ip_vp->v_label,
1350 imgp->ip_scriptlabelp);
1351 #endif
1352
1353 nameidone(&nd);
1354
1355 vnode_put(imgp->ip_vp);
1356 imgp->ip_vp = NULL; /* already put */
1357 imgp->ip_ndp = NULL; /* already nameidone */
1358
1359 /* Use imgp->ip_strings, which exec_shell_imgact reset to the interpreter */
1360 NDINIT(&nd, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF,
1361 UIO_SYSSPACE, CAST_USER_ADDR_T(imgp->ip_strings), imgp->ip_vfs_context);
1362
1363 proc_transend(p, 0);
1364 goto again;
1365
1366 default:
1367 break;
1368 }
1369 }
1370
1371 /*
1372 * Call out to allow 3rd party notification of exec.
1373 * Ignore result of kauth_authorize_fileop call.
1374 */
1375 if (error == 0 && kauth_authorize_fileop_has_listeners()) {
1376 kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
1377 KAUTH_FILEOP_EXEC,
1378 (uintptr_t)nd.ni_vp, 0);
1379 }
1380
1381 bad:
1382 proc_transend(p, 0);
1383
1384 bad_notrans:
1385 if (imgp->ip_strings)
1386 execargs_free(imgp);
1387 if (imgp->ip_ndp)
1388 nameidone(imgp->ip_ndp);
1389
1390 return (error);
1391 }
1392
1393 /*
1394 * exec_handle_port_actions
1395 *
1396 * Description: Go through the _posix_port_actions_t contents,
1397 * calling task_set_special_port, task_set_exception_ports
1398 * and/or audit_session_spawnjoin for the current task.
1399 *
1400 * Parameters: struct image_params * Image parameter block
1401 * short psa_flags posix spawn attribute flags
1402 *
1403 * Returns: 0 Success
1404 * EINVAL Failure
1405 * ENOTSUP Illegal posix_spawn attr flag was set
1406 */
1407 static errno_t
1408 exec_handle_port_actions(struct image_params *imgp, short psa_flags)
1409 {
1410 _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
1411 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1412 _ps_port_action_t *act = NULL;
1413 task_t task = p->task;
1414 ipc_port_t port = NULL;
1415 errno_t ret = 0;
1416 int i;
1417
1418 for (i = 0; i < pacts->pspa_count; i++) {
1419 act = &pacts->pspa_actions[i];
1420
1421 if (ipc_object_copyin(get_task_ipcspace(current_task()),
1422 act->new_port, MACH_MSG_TYPE_COPY_SEND,
1423 (ipc_object_t *) &port) != KERN_SUCCESS)
1424 return (EINVAL);
1425
1426 switch (act->port_type) {
1427 case PSPA_SPECIAL:
1428 /* Only allowed when not under vfork */
1429 if (!(psa_flags & POSIX_SPAWN_SETEXEC))
1430 ret = ENOTSUP;
1431 else if (task_set_special_port(task,
1432 act->which, port) != KERN_SUCCESS)
1433 ret = EINVAL;
1434 break;
1435
1436 case PSPA_EXCEPTION:
1437 /* Only allowed when not under vfork */
1438 if (!(psa_flags & POSIX_SPAWN_SETEXEC))
1439 ret = ENOTSUP;
1440 else if (task_set_exception_ports(task,
1441 act->mask, port, act->behavior,
1442 act->flavor) != KERN_SUCCESS)
1443 ret = EINVAL;
1444 break;
1445 #if CONFIG_AUDIT
1446 case PSPA_AU_SESSION:
1447 ret = audit_session_spawnjoin(p, port);
1448 break;
1449 #endif
1450 default:
1451 ret = EINVAL;
1452 break;
1453 }
1454
1455 /* action failed, so release port resources */
1456
1457 if (ret) {
1458 ipc_port_release_send(port);
1459 break;
1460 }
1461 }
1462
1463 return (ret);
1464 }
1465
1466 /*
1467 * exec_handle_file_actions
1468 *
1469 * Description: Go through the _posix_file_actions_t contents applying the
1470 * open, close, and dup2 operations to the open file table for
1471 * the current process.
1472 *
1473 * Parameters: struct image_params * Image parameter block
1474 *
1475 * Returns: 0 Success
1476 * ???
1477 *
1478 * Note: Actions are applied in the order specified, with the credential
1479 * of the parent process. This is done to permit the parent
1480 * process to utilize POSIX_SPAWN_RESETIDS to drop privilege in
1481 * the child following operations the child may in fact not be
1482 * normally permitted to perform.
1483 */
1484 static int
1485 exec_handle_file_actions(struct image_params *imgp, short psa_flags)
1486 {
1487 int error = 0;
1488 int action;
1489 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1490 _posix_spawn_file_actions_t px_sfap = imgp->ip_px_sfa;
1491 int ival[2]; /* dummy retval for system calls) */
1492
1493 for (action = 0; action < px_sfap->psfa_act_count; action++) {
1494 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[ action];
1495
1496 switch(psfa->psfaa_type) {
1497 case PSFA_OPEN: {
1498 /*
1499 * Open is different, in that it requires the use of
1500 * a path argument, which is normally copied in from
1501 * user space; because of this, we have to support an
1502 * open from kernel space that passes an address space
1503 * context of UIO_SYSSPACE, and casts the address
1504 * argument to a user_addr_t.
1505 */
1506 struct vnode_attr va;
1507 struct nameidata nd;
1508 int mode = psfa->psfaa_openargs.psfao_mode;
1509 struct dup2_args dup2a;
1510 struct close_nocancel_args ca;
1511 int origfd;
1512
1513 VATTR_INIT(&va);
1514 /* Mask off all but regular access permissions */
1515 mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
1516 VATTR_SET(&va, va_mode, mode & ACCESSPERMS);
1517
1518 NDINIT(&nd, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
1519 CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
1520 imgp->ip_vfs_context);
1521
1522 error = open1(imgp->ip_vfs_context,
1523 &nd,
1524 psfa->psfaa_openargs.psfao_oflag,
1525 &va,
1526 ival);
1527
1528 /*
1529 * If there's an error, or we get the right fd by
1530 * accident, then drop out here. This is easier than
1531 * reworking all the open code to preallocate fd
1532 * slots, and internally taking one as an argument.
1533 */
1534 if (error || ival[0] == psfa->psfaa_filedes)
1535 break;
1536
1537 origfd = ival[0];
1538 /*
1539 * If we didn't fall out from an error, we ended up
1540 * with the wrong fd; so now we've got to try to dup2
1541 * it to the right one.
1542 */
1543 dup2a.from = origfd;
1544 dup2a.to = psfa->psfaa_filedes;
1545
1546 /*
1547 * The dup2() system call implementation sets
1548 * ival to newfd in the success case, but we
1549 * can ignore that, since if we didn't get the
1550 * fd we wanted, the error will stop us.
1551 */
1552 error = dup2(p, &dup2a, ival);
1553 if (error)
1554 break;
1555
1556 /*
1557 * Finally, close the original fd.
1558 */
1559 ca.fd = origfd;
1560
1561 error = close_nocancel(p, &ca, ival);
1562 }
1563 break;
1564
1565 case PSFA_DUP2: {
1566 struct dup2_args dup2a;
1567
1568 dup2a.from = psfa->psfaa_filedes;
1569 dup2a.to = psfa->psfaa_openargs.psfao_oflag;
1570
1571 /*
1572 * The dup2() system call implementation sets
1573 * ival to newfd in the success case, but we
1574 * can ignore that, since if we didn't get the
1575 * fd we wanted, the error will stop us.
1576 */
1577 error = dup2(p, &dup2a, ival);
1578 }
1579 break;
1580
1581 case PSFA_CLOSE: {
1582 struct close_nocancel_args ca;
1583
1584 ca.fd = psfa->psfaa_filedes;
1585
1586 error = close_nocancel(p, &ca, ival);
1587 }
1588 break;
1589
1590 case PSFA_INHERIT: {
1591 struct fileproc *fp;
1592 int fd = psfa->psfaa_filedes;
1593
1594 /*
1595 * Check to see if the descriptor exists, and
1596 * ensure it's -not- marked as close-on-exec.
1597 * [Less code than the equivalent F_GETFD/F_SETFD.]
1598 */
1599 proc_fdlock(p);
1600 if ((error = fp_lookup(p, fd, &fp, 1)) == 0) {
1601 *fdflags(p, fd) &= ~UF_EXCLOSE;
1602 (void) fp_drop(p, fd, fp, 1);
1603 }
1604 proc_fdunlock(p);
1605 }
1606 break;
1607
1608 default:
1609 error = EINVAL;
1610 break;
1611 }
1612
1613 /* All file actions failures are considered fatal, per POSIX */
1614
1615 if (error)
1616 break;
1617 }
1618
1619 if (error != 0 || (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == 0)
1620 return (error);
1621
1622 /*
1623 * If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during
1624 * this spawn only) as if "close on exec" is the default
1625 * disposition of all pre-existing file descriptors. In this case,
1626 * the list of file descriptors mentioned in the file actions
1627 * are the only ones that can be inherited, so mark them now.
1628 *
1629 * The actual closing part comes later, in fdexec().
1630 */
1631 proc_fdlock(p);
1632 for (action = 0; action < px_sfap->psfa_act_count; action++) {
1633 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
1634 int fd = psfa->psfaa_filedes;
1635
1636 switch (psfa->psfaa_type) {
1637 case PSFA_DUP2:
1638 fd = psfa->psfaa_openargs.psfao_oflag;
1639 /*FALLTHROUGH*/
1640 case PSFA_OPEN:
1641 case PSFA_INHERIT:
1642 *fdflags(p, fd) |= UF_INHERIT;
1643 break;
1644
1645 case PSFA_CLOSE:
1646 break;
1647 }
1648 }
1649 proc_fdunlock(p);
1650
1651 return (0);
1652 }
1653
1654
1655 /*
1656 * posix_spawn
1657 *
1658 * Parameters: uap->pid Pointer to pid return area
1659 * uap->fname File name to exec
1660 * uap->argp Argument list
1661 * uap->envp Environment list
1662 *
1663 * Returns: 0 Success
1664 * EINVAL Invalid argument
1665 * ENOTSUP Not supported
1666 * ENOEXEC Executable file format error
1667 * exec_activate_image:EINVAL Invalid argument
1668 * exec_activate_image:EACCES Permission denied
1669 * exec_activate_image:EINTR Interrupted function
1670 * exec_activate_image:ENOMEM Not enough space
1671 * exec_activate_image:EFAULT Bad address
1672 * exec_activate_image:ENAMETOOLONG Filename too long
1673 * exec_activate_image:ENOEXEC Executable file format error
1674 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
1675 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
1676 * exec_activate_image:???
1677 * mac_execve_enter:???
1678 *
1679 * TODO: Expect to need __mac_posix_spawn() at some point...
1680 * Handle posix_spawnattr_t
1681 * Handle posix_spawn_file_actions_t
1682 */
1683 int
1684 posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
1685 {
1686 proc_t p = ap; /* quiet bogus GCC vfork() warning */
1687 user_addr_t pid = uap->pid;
1688 int ival[2]; /* dummy retval for setpgid() */
1689 char *bufp = NULL;
1690 struct image_params *imgp;
1691 struct vnode_attr *vap;
1692 struct vnode_attr *origvap;
1693 struct uthread *uthread = 0; /* compiler complains if not set to 0*/
1694 int error, sig;
1695 char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */
1696 int is_64 = IS_64BIT_PROCESS(p);
1697 struct vfs_context context;
1698 struct user__posix_spawn_args_desc px_args;
1699 struct _posix_spawnattr px_sa;
1700 _posix_spawn_file_actions_t px_sfap = NULL;
1701 _posix_spawn_port_actions_t px_spap = NULL;
1702 struct __kern_sigaction vec;
1703 boolean_t spawn_no_exec = FALSE;
1704 boolean_t proc_transit_set = TRUE;
1705 boolean_t exec_done = FALSE;
1706
1707 /*
1708 * Allocate a big chunk for locals instead of using stack since these
1709 * structures are pretty big.
1710 */
1711 MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
1712 imgp = (struct image_params *) bufp;
1713 if (bufp == NULL) {
1714 error = ENOMEM;
1715 goto bad;
1716 }
1717 vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
1718 origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
1719
1720 /* Initialize the common data in the image_params structure */
1721 imgp->ip_user_fname = uap->path;
1722 imgp->ip_user_argv = uap->argv;
1723 imgp->ip_user_envv = uap->envp;
1724 imgp->ip_vattr = vap;
1725 imgp->ip_origvattr = origvap;
1726 imgp->ip_vfs_context = &context;
1727 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
1728 imgp->ip_p_comm = alt_p_comm; /* for PowerPC */
1729 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
1730
1731 if (uap->adesc != USER_ADDR_NULL) {
1732 if(is_64) {
1733 error = copyin(uap->adesc, &px_args, sizeof(px_args));
1734 } else {
1735 struct user32__posix_spawn_args_desc px_args32;
1736
1737 error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
1738
1739 /*
1740 * Convert arguments descriptor from external 32 bit
1741 * representation to internal 64 bit representation
1742 */
1743 px_args.attr_size = px_args32.attr_size;
1744 px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
1745 px_args.file_actions_size = px_args32.file_actions_size;
1746 px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
1747 px_args.port_actions_size = px_args32.port_actions_size;
1748 px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
1749 }
1750 if (error)
1751 goto bad;
1752
1753 if (px_args.attr_size != 0) {
1754 /*
1755 * This could lose some of the port_actions pointer,
1756 * but we already have it from px_args.
1757 */
1758 if ((error = copyin(px_args.attrp, &px_sa, sizeof(px_sa))) != 0)
1759 goto bad;
1760
1761 imgp->ip_px_sa = &px_sa;
1762 }
1763 if (px_args.file_actions_size != 0) {
1764 /* Limit file_actions to allowed number of open files */
1765 int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
1766 if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
1767 px_args.file_actions_size > PSF_ACTIONS_SIZE(maxfa)) {
1768 error = EINVAL;
1769 goto bad;
1770 }
1771 MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
1772 if (px_sfap == NULL) {
1773 error = ENOMEM;
1774 goto bad;
1775 }
1776 imgp->ip_px_sfa = px_sfap;
1777
1778 if ((error = copyin(px_args.file_actions, px_sfap,
1779 px_args.file_actions_size)) != 0)
1780 goto bad;
1781 }
1782 if (px_args.port_actions_size != 0) {
1783 /* Limit port_actions to one page of data */
1784 if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
1785 px_args.port_actions_size > PAGE_SIZE) {
1786 error = EINVAL;
1787 goto bad;
1788 }
1789
1790 MALLOC(px_spap, _posix_spawn_port_actions_t,
1791 px_args.port_actions_size, M_TEMP, M_WAITOK);
1792 if (px_spap == NULL) {
1793 error = ENOMEM;
1794 goto bad;
1795 }
1796 imgp->ip_px_spa = px_spap;
1797
1798 if ((error = copyin(px_args.port_actions, px_spap,
1799 px_args.port_actions_size)) != 0)
1800 goto bad;
1801 }
1802 }
1803
1804 /* set uthread to parent */
1805 uthread = get_bsdthread_info(current_thread());
1806
1807 /*
1808 * <rdar://6640530>; this does not result in a behaviour change
1809 * relative to Leopard, so there should not be any existing code
1810 * which depends on it.
1811 */
1812 if (uthread->uu_flag & UT_VFORK) {
1813 error = EINVAL;
1814 goto bad;
1815 }
1816
1817 /*
1818 * If we don't have the extension flag that turns "posix_spawn()"
1819 * into "execve() with options", then we will be creating a new
1820 * process which does not inherit memory from the parent process,
1821 * which is one of the most expensive things about using fork()
1822 * and execve().
1823 */
1824 if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){
1825 if ((error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN)) != 0)
1826 goto bad;
1827 imgp->ip_flags |= IMGPF_SPAWN; /* spawn w/o exec */
1828 spawn_no_exec = TRUE; /* used in later tests */
1829 }
1830
1831 if (spawn_no_exec)
1832 p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
1833 assert(p != NULL);
1834
1835 /* By default, the thread everyone plays with is the parent */
1836 context.vc_thread = current_thread();
1837 context.vc_ucred = p->p_ucred; /* XXX must NOT be kauth_cred_get() */
1838
1839 /*
1840 * However, if we're not in the setexec case, redirect the context
1841 * to the newly created process instead
1842 */
1843 if (spawn_no_exec)
1844 context.vc_thread = imgp->ip_new_thread;
1845
1846 /*
1847 * Post fdcopy(), pre exec_handle_sugid() - this is where we want
1848 * to handle the file_actions. Since vfork() also ends up setting
1849 * us into the parent process group, and saved off the signal flags,
1850 * this is also where we want to handle the spawn flags.
1851 */
1852
1853 /* Has spawn file actions? */
1854 if (imgp->ip_px_sfa != NULL) {
1855 /*
1856 * The POSIX_SPAWN_CLOEXEC_DEFAULT flag
1857 * is handled in exec_handle_file_actions().
1858 */
1859 if ((error = exec_handle_file_actions(imgp,
1860 imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0)) != 0)
1861 goto bad;
1862 }
1863
1864 /* Has spawn port actions? */
1865 if (imgp->ip_px_spa != NULL) {
1866 /*
1867 * The check for the POSIX_SPAWN_SETEXEC flag is done in
1868 * exec_handle_port_actions().
1869 */
1870 if ((error = exec_handle_port_actions(imgp,
1871 imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0)) != 0)
1872 goto bad;
1873 }
1874
1875 /* Has spawn attr? */
1876 if (imgp->ip_px_sa != NULL) {
1877 /*
1878 * Set the process group ID of the child process; this has
1879 * to happen before the image activation.
1880 */
1881 if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
1882 struct setpgid_args spga;
1883 spga.pid = p->p_pid;
1884 spga.pgid = px_sa.psa_pgroup;
1885 /*
1886 * Effectively, call setpgid() system call; works
1887 * because there are no pointer arguments.
1888 */
1889 if((error = setpgid(p, &spga, ival)) != 0)
1890 goto bad;
1891 }
1892
1893 /*
1894 * Reset UID/GID to parent's RUID/RGID; This works only
1895 * because the operation occurs *after* the vfork() and
1896 * before the call to exec_handle_sugid() by the image
1897 * activator called from exec_activate_image(). POSIX
1898 * requires that any setuid/setgid bits on the process
1899 * image will take precedence over the spawn attributes
1900 * (re)setting them.
1901 *
1902 * The use of p_ucred is safe, since we are acting on the
1903 * new process, and it has no threads other than the one
1904 * we are creating for it.
1905 */
1906 if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
1907 kauth_cred_t my_cred = p->p_ucred;
1908 kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
1909 if (my_new_cred != my_cred) {
1910 p->p_ucred = my_new_cred;
1911 /* update cred on proc */
1912 PROC_UPDATE_CREDS_ONPROC(p);
1913 }
1914 }
1915
1916 /*
1917 * Disable ASLR for the spawned process.
1918 */
1919 if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR)
1920 OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
1921
1922 /*
1923 * Forcibly disallow execution from data pages for the spawned process
1924 * even if it would otherwise be permitted by the architecture default.
1925 */
1926 if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC)
1927 imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;
1928 }
1929
1930 /*
1931 * Disable ASLR during image activation. This occurs either if the
1932 * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
1933 * P_DISABLE_ASLR was inherited from the parent process.
1934 */
1935 if (p->p_flag & P_DISABLE_ASLR)
1936 imgp->ip_flags |= IMGPF_DISABLE_ASLR;
1937
1938 /*
1939 * Clear transition flag so we won't hang if exec_activate_image() causes
1940 * an automount (and launchd does a proc sysctl to service it).
1941 *
1942 * <rdar://problem/6848672>, <rdar://problem/5959568>.
1943 */
1944 if (spawn_no_exec) {
1945 proc_transend(p, 0);
1946 proc_transit_set = 0;
1947 }
1948
1949 #if MAC_SPAWN /* XXX */
1950 if (uap->mac_p != USER_ADDR_NULL) {
1951 error = mac_execve_enter(uap->mac_p, imgp);
1952 if (error)
1953 goto bad;
1954 }
1955 #endif
1956
1957 /*
1958 * Activate the image
1959 */
1960 error = exec_activate_image(imgp);
1961
1962 if (error == 0) {
1963 /* process completed the exec */
1964 exec_done = TRUE;
1965 } else if (error == -1) {
1966 /* Image not claimed by any activator? */
1967 error = ENOEXEC;
1968 }
1969
1970 /*
1971 * If we have a spawn attr, and it contains signal related flags,
1972 * the we need to process them in the "context" of the new child
1973 * process, so we have to process it following image activation,
1974 * prior to making the thread runnable in user space. This is
1975 * necessitated by some signal information being per-thread rather
1976 * than per-process, and we don't have the new allocation in hand
1977 * until after the image is activated.
1978 */
1979 if (!error && imgp->ip_px_sa != NULL) {
1980 thread_t child_thread = current_thread();
1981 uthread_t child_uthread = uthread;
1982
1983 /*
1984 * If we created a new child thread, then the thread and
1985 * uthread are different than the current ones; otherwise,
1986 * we leave them, since we are in the exec case instead.
1987 */
1988 if (spawn_no_exec) {
1989 child_thread = imgp->ip_new_thread;
1990 child_uthread = get_bsdthread_info(child_thread);
1991 }
1992
1993 /*
1994 * Mask a list of signals, instead of them being unmasked, if
1995 * they were unmasked in the parent; note that some signals
1996 * are not maskable.
1997 */
1998 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK)
1999 child_uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
2000 /*
2001 * Default a list of signals instead of ignoring them, if
2002 * they were ignored in the parent. Note that we pass
2003 * spawn_no_exec to setsigvec() to indicate that we called
2004 * fork1() and therefore do not need to call proc_signalstart()
2005 * internally.
2006 */
2007 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
2008 vec.sa_handler = SIG_DFL;
2009 vec.sa_tramp = 0;
2010 vec.sa_mask = 0;
2011 vec.sa_flags = 0;
2012 for (sig = 0; sig < NSIG; sig++)
2013 if (px_sa.psa_sigdefault & (1 << sig)) {
2014 error = setsigvec(p, child_thread, sig + 1, &vec, spawn_no_exec);
2015 }
2016 }
2017
2018 /*
2019 * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
2020 * usage limit, which will generate a resource exceeded exception if any one thread exceeds the
2021 * limit.
2022 *
2023 * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
2024 */
2025 if (px_sa.psa_cpumonitor_percent != 0) {
2026 error = proc_set_task_ruse_cpu(p->task,
2027 TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
2028 px_sa.psa_cpumonitor_percent,
2029 px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
2030 0);
2031 }
2032 }
2033
2034 bad:
2035 if (error == 0) {
2036 /* reset delay idle sleep status if set */
2037 #if !CONFIG_EMBEDDED
2038 if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP)
2039 OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
2040 #endif /* !CONFIG_EMBEDDED */
2041 /* upon successful spawn, re/set the proc control state */
2042 if (imgp->ip_px_sa != NULL) {
2043 switch (px_sa.psa_pcontrol) {
2044 case POSIX_SPAWN_PCONTROL_THROTTLE:
2045 p->p_pcaction = P_PCTHROTTLE;
2046 break;
2047 case POSIX_SPAWN_PCONTROL_SUSPEND:
2048 p->p_pcaction = P_PCSUSP;
2049 break;
2050 case POSIX_SPAWN_PCONTROL_KILL:
2051 p->p_pcaction = P_PCKILL;
2052 break;
2053 case POSIX_SPAWN_PCONTROL_NONE:
2054 default:
2055 p->p_pcaction = 0;
2056 break;
2057 };
2058 #if !CONFIG_EMBEDDED
2059 if ((px_sa.psa_apptype & POSIX_SPAWN_APPTYPE_DELAYIDLESLEEP) != 0)
2060 OSBitOrAtomic(P_DELAYIDLESLEEP, &p->p_flag);
2061 #endif /* !CONFIG_EMBEDDED */
2062 }
2063 exec_resettextvp(p, imgp);
2064
2065 #if CONFIG_EMBEDDED
2066 /* Has jetsam attributes? */
2067 if (imgp->ip_px_sa != NULL) {
2068 memorystatus_list_change((px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
2069 p->p_pid, px_sa.psa_priority, -1, px_sa.psa_high_water_mark);
2070 }
2071 #endif
2072 }
2073
2074 /*
2075 * If we successfully called fork1(), we always need to do this;
2076 * we identify this case by noting the IMGPF_SPAWN flag. This is
2077 * because we come back from that call with signals blocked in the
2078 * child, and we have to unblock them, but we want to wait until
2079 * after we've performed any spawn actions. This has to happen
2080 * before check_for_signature(), which uses psignal.
2081 */
2082 if (spawn_no_exec) {
2083 if (proc_transit_set)
2084 proc_transend(p, 0);
2085
2086 /*
2087 * Drop the signal lock on the child which was taken on our
2088 * behalf by forkproc()/cloneproc() to prevent signals being
2089 * received by the child in a partially constructed state.
2090 */
2091 proc_signalend(p, 0);
2092
2093 /* flag the 'fork' has occurred */
2094 proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
2095 /* then flag exec has occurred */
2096 proc_knote(p, NOTE_EXEC);
2097 DTRACE_PROC1(create, proc_t, p);
2098 }
2099
2100 /*
2101 * We have to delay operations which might throw a signal until after
2102 * the signals have been unblocked; however, we want that to happen
2103 * after exec_resettextvp() so that the textvp is correct when they
2104 * fire.
2105 */
2106 if (error == 0) {
2107 error = check_for_signature(p, imgp);
2108
2109 /*
2110 * Pay for our earlier safety; deliver the delayed signals from
2111 * the incomplete spawn process now that it's complete.
2112 */
2113 if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
2114 psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
2115 }
2116 }
2117
2118
2119 if (imgp != NULL) {
2120 if (imgp->ip_vp)
2121 vnode_put(imgp->ip_vp);
2122 if (imgp->ip_strings)
2123 execargs_free(imgp);
2124 if (imgp->ip_px_sfa != NULL)
2125 FREE(imgp->ip_px_sfa, M_TEMP);
2126 if (imgp->ip_px_spa != NULL)
2127 FREE(imgp->ip_px_spa, M_TEMP);
2128
2129 #if CONFIG_MACF
2130 if (imgp->ip_execlabelp)
2131 mac_cred_label_free(imgp->ip_execlabelp);
2132 if (imgp->ip_scriptlabelp)
2133 mac_vnode_label_free(imgp->ip_scriptlabelp);
2134 #endif
2135 }
2136
2137 if (error) {
2138 DTRACE_PROC1(exec__failure, int, error);
2139 } else {
2140 /*
2141 * <rdar://6609474> temporary - so dtrace call to current_proc()
2142 * returns the child process instead of the parent.
2143 */
2144 if (imgp != NULL && imgp->ip_flags & IMGPF_SPAWN) {
2145 p->p_lflag |= P_LINVFORK;
2146 p->p_vforkact = current_thread();
2147 uthread->uu_proc = p;
2148 uthread->uu_flag |= UT_VFORK;
2149 }
2150
2151 DTRACE_PROC(exec__success);
2152
2153 /*
2154 * <rdar://6609474> temporary - so dtrace call to current_proc()
2155 * returns the child process instead of the parent.
2156 */
2157 if (imgp != NULL && imgp->ip_flags & IMGPF_SPAWN) {
2158 p->p_lflag &= ~P_LINVFORK;
2159 p->p_vforkact = NULL;
2160 uthread->uu_proc = PROC_NULL;
2161 uthread->uu_flag &= ~UT_VFORK;
2162 }
2163 }
2164
2165 /* Return to both the parent and the child? */
2166 if (imgp != NULL && spawn_no_exec) {
2167 /*
2168 * If the parent wants the pid, copy it out
2169 */
2170 if (pid != USER_ADDR_NULL)
2171 (void)suword(pid, p->p_pid);
2172 retval[0] = error;
2173
2174 /*
2175 * If we had an error, perform an internal reap ; this is
2176 * entirely safe, as we have a real process backing us.
2177 */
2178 if (error) {
2179 proc_list_lock();
2180 p->p_listflag |= P_LIST_DEADPARENT;
2181 proc_list_unlock();
2182 proc_lock(p);
2183 /* make sure no one else has killed it off... */
2184 if (p->p_stat != SZOMB && p->exit_thread == NULL) {
2185 p->exit_thread = current_thread();
2186 proc_unlock(p);
2187 exit1(p, 1, (int *)NULL);
2188 if (exec_done == FALSE) {
2189 task_deallocate(get_threadtask(imgp->ip_new_thread));
2190 thread_deallocate(imgp->ip_new_thread);
2191 }
2192 } else {
2193 /* someone is doing it for us; just skip it */
2194 proc_unlock(p);
2195 }
2196 } else {
2197
2198 /*
2199 * Return" to the child
2200 *
2201 * Note: the image activator earlier dropped the
2202 * task/thread references to the newly spawned
2203 * process; this is OK, since we still have suspended
2204 * queue references on them, so we should be fine
2205 * with the delayed resume of the thread here.
2206 */
2207 (void)thread_resume(imgp->ip_new_thread);
2208 }
2209 }
2210 if (bufp != NULL) {
2211 FREE(bufp, M_TEMP);
2212 }
2213
2214 return(error);
2215 }
2216
2217
2218 /*
2219 * execve
2220 *
2221 * Parameters: uap->fname File name to exec
2222 * uap->argp Argument list
2223 * uap->envp Environment list
2224 *
2225 * Returns: 0 Success
2226 * __mac_execve:EINVAL Invalid argument
2227 * __mac_execve:ENOTSUP Invalid argument
2228 * __mac_execve:EACCES Permission denied
2229 * __mac_execve:EINTR Interrupted function
2230 * __mac_execve:ENOMEM Not enough space
2231 * __mac_execve:EFAULT Bad address
2232 * __mac_execve:ENAMETOOLONG Filename too long
2233 * __mac_execve:ENOEXEC Executable file format error
2234 * __mac_execve:ETXTBSY Text file busy [misuse of error code]
2235 * __mac_execve:???
2236 *
2237 * TODO: Dynamic linker header address on stack is copied via suword()
2238 */
2239 /* ARGSUSED */
2240 int
2241 execve(proc_t p, struct execve_args *uap, int32_t *retval)
2242 {
2243 struct __mac_execve_args muap;
2244 int err;
2245
2246 muap.fname = uap->fname;
2247 muap.argp = uap->argp;
2248 muap.envp = uap->envp;
2249 muap.mac_p = USER_ADDR_NULL;
2250 err = __mac_execve(p, &muap, retval);
2251
2252 return(err);
2253 }
2254
2255 /*
2256 * __mac_execve
2257 *
2258 * Parameters: uap->fname File name to exec
2259 * uap->argp Argument list
2260 * uap->envp Environment list
2261 * uap->mac_p MAC label supplied by caller
2262 *
2263 * Returns: 0 Success
2264 * EINVAL Invalid argument
2265 * ENOTSUP Not supported
2266 * ENOEXEC Executable file format error
2267 * exec_activate_image:EINVAL Invalid argument
2268 * exec_activate_image:EACCES Permission denied
2269 * exec_activate_image:EINTR Interrupted function
2270 * exec_activate_image:ENOMEM Not enough space
2271 * exec_activate_image:EFAULT Bad address
2272 * exec_activate_image:ENAMETOOLONG Filename too long
2273 * exec_activate_image:ENOEXEC Executable file format error
2274 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
2275 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
2276 * exec_activate_image:???
2277 * mac_execve_enter:???
2278 *
2279 * TODO: Dynamic linker header address on stack is copied via suword()
2280 */
2281 int
2282 __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
2283 {
2284 char *bufp = NULL;
2285 struct image_params *imgp;
2286 struct vnode_attr *vap;
2287 struct vnode_attr *origvap;
2288 int error;
2289 char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */
2290 int is_64 = IS_64BIT_PROCESS(p);
2291 struct vfs_context context;
2292
2293 context.vc_thread = current_thread();
2294 context.vc_ucred = kauth_cred_proc_ref(p); /* XXX must NOT be kauth_cred_get() */
2295
2296 /* Allocate a big chunk for locals instead of using stack since these
2297 * structures a pretty big.
2298 */
2299 MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
2300 imgp = (struct image_params *) bufp;
2301 if (bufp == NULL) {
2302 error = ENOMEM;
2303 goto exit_with_error;
2304 }
2305 vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
2306 origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
2307
2308 /* Initialize the common data in the image_params structure */
2309 imgp->ip_user_fname = uap->fname;
2310 imgp->ip_user_argv = uap->argp;
2311 imgp->ip_user_envv = uap->envp;
2312 imgp->ip_vattr = vap;
2313 imgp->ip_origvattr = origvap;
2314 imgp->ip_vfs_context = &context;
2315 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
2316 imgp->ip_p_comm = alt_p_comm; /* for PowerPC */
2317 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
2318
2319 #if CONFIG_MACF
2320 if (uap->mac_p != USER_ADDR_NULL) {
2321 error = mac_execve_enter(uap->mac_p, imgp);
2322 if (error) {
2323 kauth_cred_unref(&context.vc_ucred);
2324 goto exit_with_error;
2325 }
2326 }
2327 #endif
2328
2329 error = exec_activate_image(imgp);
2330
2331 kauth_cred_unref(&context.vc_ucred);
2332
2333 /* Image not claimed by any activator? */
2334 if (error == -1)
2335 error = ENOEXEC;
2336
2337 if (error == 0) {
2338 exec_resettextvp(p, imgp);
2339 error = check_for_signature(p, imgp);
2340 }
2341 if (imgp->ip_vp != NULLVP)
2342 vnode_put(imgp->ip_vp);
2343 if (imgp->ip_strings)
2344 execargs_free(imgp);
2345 #if CONFIG_MACF
2346 if (imgp->ip_execlabelp)
2347 mac_cred_label_free(imgp->ip_execlabelp);
2348 if (imgp->ip_scriptlabelp)
2349 mac_vnode_label_free(imgp->ip_scriptlabelp);
2350 #endif
2351 if (!error) {
2352 struct uthread *uthread;
2353
2354 /* Sever any extant thread affinity */
2355 thread_affinity_exec(current_thread());
2356
2357 DTRACE_PROC(exec__success);
2358 uthread = get_bsdthread_info(current_thread());
2359 if (uthread->uu_flag & UT_VFORK) {
2360 vfork_return(p, retval, p->p_pid);
2361 (void)thread_resume(imgp->ip_new_thread);
2362 }
2363 } else {
2364 DTRACE_PROC1(exec__failure, int, error);
2365 }
2366
2367 exit_with_error:
2368 if (bufp != NULL) {
2369 FREE(bufp, M_TEMP);
2370 }
2371
2372 return(error);
2373 }
2374
2375
2376 /*
2377 * copyinptr
2378 *
2379 * Description: Copy a pointer in from user space to a user_addr_t in kernel
2380 * space, based on 32/64 bitness of the user space
2381 *
2382 * Parameters: froma User space address
2383 * toptr Address of kernel space user_addr_t
2384 * ptr_size 4/8, based on 'froma' address space
2385 *
2386 * Returns: 0 Success
2387 * EFAULT Bad 'froma'
2388 *
2389 * Implicit returns:
2390 * *ptr_size Modified
2391 */
2392 static int
2393 copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
2394 {
2395 int error;
2396
2397 if (ptr_size == 4) {
2398 /* 64 bit value containing 32 bit address */
2399 unsigned int i;
2400
2401 error = copyin(froma, &i, 4);
2402 *toptr = CAST_USER_ADDR_T(i); /* SAFE */
2403 } else {
2404 error = copyin(froma, toptr, 8);
2405 }
2406 return (error);
2407 }
2408
2409
2410 /*
2411 * copyoutptr
2412 *
2413 * Description: Copy a pointer out from a user_addr_t in kernel space to
2414 * user space, based on 32/64 bitness of the user space
2415 *
2416 * Parameters: ua User space address to copy to
2417 * ptr Address of kernel space user_addr_t
2418 * ptr_size 4/8, based on 'ua' address space
2419 *
2420 * Returns: 0 Success
2421 * EFAULT Bad 'ua'
2422 *
2423 */
2424 static int
2425 copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
2426 {
2427 int error;
2428
2429 if (ptr_size == 4) {
2430 /* 64 bit value containing 32 bit address */
2431 unsigned int i = CAST_DOWN_EXPLICIT(unsigned int,ua); /* SAFE */
2432
2433 error = copyout(&i, ptr, 4);
2434 } else {
2435 error = copyout(&ua, ptr, 8);
2436 }
2437 return (error);
2438 }
2439
2440
2441 /*
2442 * exec_copyout_strings
2443 *
2444 * Copy out the strings segment to user space. The strings segment is put
2445 * on a preinitialized stack frame.
2446 *
2447 * Parameters: struct image_params * the image parameter block
2448 * int * a pointer to the stack offset variable
2449 *
2450 * Returns: 0 Success
2451 * !0 Faiure: errno
2452 *
2453 * Implicit returns:
2454 * (*stackp) The stack offset, modified
2455 *
2456 * Note: The strings segment layout is backward, from the beginning
2457 * of the top of the stack to consume the minimal amount of
2458 * space possible; the returned stack pointer points to the
2459 * end of the area consumed (stacks grow downward).
2460 *
2461 * argc is an int; arg[i] are pointers; env[i] are pointers;
2462 * the 0's are (void *)NULL's
2463 *
2464 * The stack frame layout is:
2465 *
2466 * +-------------+ <- p->user_stack
2467 * | 16b |
2468 * +-------------+
2469 * | STRING AREA |
2470 * | : |
2471 * | : |
2472 * | : |
2473 * +- -- -- -- --+
2474 * | PATH AREA |
2475 * +-------------+
2476 * | 0 |
2477 * +-------------+
2478 * | applev[n] |
2479 * +-------------+
2480 * :
2481 * :
2482 * +-------------+
2483 * | applev[1] |
2484 * +-------------+
2485 * | exec_path / |
2486 * | applev[0] |
2487 * +-------------+
2488 * | 0 |
2489 * +-------------+
2490 * | env[n] |
2491 * +-------------+
2492 * :
2493 * :
2494 * +-------------+
2495 * | env[0] |
2496 * +-------------+
2497 * | 0 |
2498 * +-------------+
2499 * | arg[argc-1] |
2500 * +-------------+
2501 * :
2502 * :
2503 * +-------------+
2504 * | arg[0] |
2505 * +-------------+
2506 * | argc |
2507 * sp-> +-------------+
2508 *
2509 * Although technically a part of the STRING AREA, we treat the PATH AREA as
2510 * a separate entity. This allows us to align the beginning of the PATH AREA
2511 * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
2512 * which preceed it on the stack are properly aligned.
2513 */
2514
2515 static int
2516 exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
2517 {
2518 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
2519 int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
2520 int ptr_area_size;
2521 void *ptr_buffer_start, *ptr_buffer;
2522 int string_size;
2523
2524 user_addr_t string_area; /* *argv[], *env[] */
2525 user_addr_t ptr_area; /* argv[], env[], applev[] */
2526 user_addr_t argc_area; /* argc */
2527 user_addr_t stack;
2528 int error;
2529
2530 unsigned i;
2531 struct copyout_desc {
2532 char *start_string;
2533 int count;
2534 #if CONFIG_DTRACE
2535 user_addr_t *dtrace_cookie;
2536 #endif
2537 boolean_t null_term;
2538 } descriptors[] = {
2539 {
2540 .start_string = imgp->ip_startargv,
2541 .count = imgp->ip_argc,
2542 #if CONFIG_DTRACE
2543 .dtrace_cookie = &p->p_dtrace_argv,
2544 #endif
2545 .null_term = TRUE
2546 },
2547 {
2548 .start_string = imgp->ip_endargv,
2549 .count = imgp->ip_envc,
2550 #if CONFIG_DTRACE
2551 .dtrace_cookie = &p->p_dtrace_envp,
2552 #endif
2553 .null_term = TRUE
2554 },
2555 {
2556 .start_string = imgp->ip_strings,
2557 .count = 1,
2558 #if CONFIG_DTRACE
2559 .dtrace_cookie = NULL,
2560 #endif
2561 .null_term = FALSE
2562 },
2563 {
2564 .start_string = imgp->ip_endenvv,
2565 .count = imgp->ip_applec - 1, /* exec_path handled above */
2566 #if CONFIG_DTRACE
2567 .dtrace_cookie = NULL,
2568 #endif
2569 .null_term = TRUE
2570 }
2571 };
2572
2573 stack = *stackp;
2574
2575 /*
2576 * All previous contributors to the string area
2577 * should have aligned their sub-area
2578 */
2579 if (imgp->ip_strspace % ptr_size != 0) {
2580 error = EINVAL;
2581 goto bad;
2582 }
2583
2584 /* Grow the stack down for the strings we've been building up */
2585 string_size = imgp->ip_strendp - imgp->ip_strings;
2586 stack -= string_size;
2587 string_area = stack;
2588
2589 /*
2590 * Need room for one pointer for each string, plus
2591 * one for the NULLs terminating the argv, envv, and apple areas.
2592 */
2593 ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + 3) *
2594 ptr_size;
2595 stack -= ptr_area_size;
2596 ptr_area = stack;
2597
2598 /* We'll construct all the pointer arrays in our string buffer,
2599 * which we already know is aligned properly, and ip_argspace
2600 * was used to verify we have enough space.
2601 */
2602 ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp;
2603
2604 /*
2605 * Need room for pointer-aligned argc slot.
2606 */
2607 stack -= ptr_size;
2608 argc_area = stack;
2609
2610 /*
2611 * Record the size of the arguments area so that sysctl_procargs()
2612 * can return the argument area without having to parse the arguments.
2613 */
2614 proc_lock(p);
2615 p->p_argc = imgp->ip_argc;
2616 p->p_argslen = (int)(*stackp - string_area);
2617 proc_unlock(p);
2618
2619 /* Return the initial stack address: the location of argc */
2620 *stackp = stack;
2621
2622 /*
2623 * Copy out the entire strings area.
2624 */
2625 error = copyout(imgp->ip_strings, string_area,
2626 string_size);
2627 if (error)
2628 goto bad;
2629
2630 for (i = 0; i < sizeof(descriptors)/sizeof(descriptors[0]); i++) {
2631 char *cur_string = descriptors[i].start_string;
2632 int j;
2633
2634 #if CONFIG_DTRACE
2635 if (descriptors[i].dtrace_cookie) {
2636 proc_lock(p);
2637 *descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience */
2638 proc_unlock(p);
2639 }
2640 #endif /* CONFIG_DTRACE */
2641
2642 /*
2643 * For each segment (argv, envv, applev), copy as many pointers as requested
2644 * to our pointer buffer.
2645 */
2646 for (j = 0; j < descriptors[i].count; j++) {
2647 user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings);
2648
2649 /* Copy out the pointer to the current string. Alignment has been verified */
2650 if (ptr_size == 8) {
2651 *(uint64_t *)ptr_buffer = (uint64_t)cur_address;
2652 } else {
2653 *(uint32_t *)ptr_buffer = (uint32_t)cur_address;
2654 }
2655
2656 ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
2657 cur_string += strlen(cur_string) + 1; /* Only a NUL between strings in the same area */
2658 }
2659
2660 if (descriptors[i].null_term) {
2661 if (ptr_size == 8) {
2662 *(uint64_t *)ptr_buffer = 0ULL;
2663 } else {
2664 *(uint32_t *)ptr_buffer = 0;
2665 }
2666
2667 ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
2668 }
2669 }
2670
2671 /*
2672 * Copy out all our pointer arrays in bulk.
2673 */
2674 error = copyout(ptr_buffer_start, ptr_area,
2675 ptr_area_size);
2676 if (error)
2677 goto bad;
2678
2679 /* argc (int32, stored in a ptr_size area) */
2680 error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size);
2681 if (error)
2682 goto bad;
2683
2684 bad:
2685 return(error);
2686 }
2687
2688
2689 /*
2690 * exec_extract_strings
2691 *
2692 * Copy arguments and environment from user space into work area; we may
2693 * have already copied some early arguments into the work area, and if
2694 * so, any arguments opied in are appended to those already there.
2695 * This function is the primary manipulator of ip_argspace, since
2696 * these are the arguments the client of execve(2) knows about. After
2697 * each argv[]/envv[] string is copied, we charge the string length
2698 * and argv[]/envv[] pointer slot to ip_argspace, so that we can
2699 * full preflight the arg list size.
2700 *
2701 * Parameters: struct image_params * the image parameter block
2702 *
2703 * Returns: 0 Success
2704 * !0 Failure: errno
2705 *
2706 * Implicit returns;
2707 * (imgp->ip_argc) Count of arguments, updated
2708 * (imgp->ip_envc) Count of environment strings, updated
2709 * (imgp->ip_argspace) Count of remaining of NCARGS
2710 * (imgp->ip_interp_buffer) Interpreter and args (mutated in place)
2711 *
2712 *
2713 * Note: The argument and environment vectors are user space pointers
2714 * to arrays of user space pointers.
2715 */
2716 static int
2717 exec_extract_strings(struct image_params *imgp)
2718 {
2719 int error = 0;
2720 int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT) ? 8 : 4;
2721 int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
2722 user_addr_t argv = imgp->ip_user_argv;
2723 user_addr_t envv = imgp->ip_user_envv;
2724
2725 /*
2726 * Adjust space reserved for the path name by however much padding it
2727 * needs. Doing this here since we didn't know if this would be a 32-
2728 * or 64-bit process back in exec_save_path.
2729 */
2730 while (imgp->ip_strspace % new_ptr_size != 0) {
2731 *imgp->ip_strendp++ = '\0';
2732 imgp->ip_strspace--;
2733 /* imgp->ip_argspace--; not counted towards exec args total */
2734 }
2735
2736 /*
2737 * From now on, we start attributing string space to ip_argspace
2738 */
2739 imgp->ip_startargv = imgp->ip_strendp;
2740 imgp->ip_argc = 0;
2741
2742 if((imgp->ip_flags & IMGPF_INTERPRET) != 0) {
2743 user_addr_t arg;
2744 char *argstart, *ch;
2745
2746 /* First, the arguments in the "#!" string are tokenized and extracted. */
2747 argstart = imgp->ip_interp_buffer;
2748 while (argstart) {
2749 ch = argstart;
2750 while (*ch && !IS_WHITESPACE(*ch)) {
2751 ch++;
2752 }
2753
2754 if (*ch == '\0') {
2755 /* last argument, no need to NUL-terminate */
2756 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
2757 argstart = NULL;
2758 } else {
2759 /* NUL-terminate */
2760 *ch = '\0';
2761 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
2762
2763 /*
2764 * Find the next string. We know spaces at the end of the string have already
2765 * been stripped.
2766 */
2767 argstart = ch + 1;
2768 while (IS_WHITESPACE(*argstart)) {
2769 argstart++;
2770 }
2771 }
2772
2773 /* Error-check, regardless of whether this is the last interpreter arg or not */
2774 if (error)
2775 goto bad;
2776 if (imgp->ip_argspace < new_ptr_size) {
2777 error = E2BIG;
2778 goto bad;
2779 }
2780 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
2781 imgp->ip_argc++;
2782 }
2783
2784 if (argv != 0LL) {
2785 /*
2786 * If we are running an interpreter, replace the av[0] that was
2787 * passed to execve() with the path name that was
2788 * passed to execve() for interpreters which do not use the PATH
2789 * to locate their script arguments.
2790 */
2791 error = copyinptr(argv, &arg, ptr_size);
2792 if (error)
2793 goto bad;
2794 if (arg != 0LL) {
2795 argv += ptr_size; /* consume without using */
2796 }
2797 }
2798
2799 if (imgp->ip_interp_sugid_fd != -1) {
2800 char temp[19]; /* "/dev/fd/" + 10 digits + NUL */
2801 snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd);
2802 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE);
2803 } else {
2804 error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE);
2805 }
2806
2807 if (error)
2808 goto bad;
2809 if (imgp->ip_argspace < new_ptr_size) {
2810 error = E2BIG;
2811 goto bad;
2812 }
2813 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
2814 imgp->ip_argc++;
2815 }
2816
2817 while (argv != 0LL) {
2818 user_addr_t arg;
2819
2820 error = copyinptr(argv, &arg, ptr_size);
2821 if (error)
2822 goto bad;
2823
2824 if (arg == 0LL) {
2825 break;
2826 }
2827
2828 argv += ptr_size;
2829
2830 /*
2831 * av[n...] = arg[n]
2832 */
2833 error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE);
2834 if (error)
2835 goto bad;
2836 if (imgp->ip_argspace < new_ptr_size) {
2837 error = E2BIG;
2838 goto bad;
2839 }
2840 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
2841 imgp->ip_argc++;
2842 }
2843
2844 /* Save space for argv[] NULL terminator */
2845 if (imgp->ip_argspace < new_ptr_size) {
2846 error = E2BIG;
2847 goto bad;
2848 }
2849 imgp->ip_argspace -= new_ptr_size;
2850
2851 /* Note where the args ends and env begins. */
2852 imgp->ip_endargv = imgp->ip_strendp;
2853 imgp->ip_envc = 0;
2854
2855 /* Now, get the environment */
2856 while (envv != 0LL) {
2857 user_addr_t env;
2858
2859 error = copyinptr(envv, &env, ptr_size);
2860 if (error)
2861 goto bad;
2862
2863 envv += ptr_size;
2864 if (env == 0LL) {
2865 break;
2866 }
2867 /*
2868 * av[n...] = env[n]
2869 */
2870 error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE);
2871 if (error)
2872 goto bad;
2873 if (imgp->ip_argspace < new_ptr_size) {
2874 error = E2BIG;
2875 goto bad;
2876 }
2877 imgp->ip_argspace -= new_ptr_size; /* to hold envv[] entry */
2878 imgp->ip_envc++;
2879 }
2880
2881 /* Save space for envv[] NULL terminator */
2882 if (imgp->ip_argspace < new_ptr_size) {
2883 error = E2BIG;
2884 goto bad;
2885 }
2886 imgp->ip_argspace -= new_ptr_size;
2887
2888 /* Align the tail of the combined argv+envv area */
2889 while (imgp->ip_strspace % new_ptr_size != 0) {
2890 if (imgp->ip_argspace < 1) {
2891 error = E2BIG;
2892 goto bad;
2893 }
2894 *imgp->ip_strendp++ = '\0';
2895 imgp->ip_strspace--;
2896 imgp->ip_argspace--;
2897 }
2898
2899 /* Note where the envv ends and applev begins. */
2900 imgp->ip_endenvv = imgp->ip_strendp;
2901
2902 /*
2903 * From now on, we are no longer charging argument
2904 * space to ip_argspace.
2905 */
2906
2907 bad:
2908 return error;
2909 }
2910
2911 static char *
2912 random_hex_str(char *str, int len)
2913 {
2914 uint64_t low, high, value;
2915 int idx;
2916 char digit;
2917
2918 /* A 64-bit value will only take 16 characters, plus '0x' and NULL. */
2919 if (len > 19)
2920 len = 19;
2921
2922 /* We need enough room for at least 1 digit */
2923 if (len < 4)
2924 return (NULL);
2925
2926 low = random();
2927 high = random();
2928 value = high << 32 | low;
2929
2930 str[0] = '0';
2931 str[1] = 'x';
2932 for (idx = 2; idx < len - 1; idx++) {
2933 digit = value & 0xf;
2934 value = value >> 4;
2935 if (digit < 10)
2936 str[idx] = '0' + digit;
2937 else
2938 str[idx] = 'a' + (digit - 10);
2939 }
2940 str[idx] = '\0';
2941 return (str);
2942 }
2943
2944 /*
2945 * Libc has an 8-element array set up for stack guard values. It only fills
2946 * in one of those entries, and both gcc and llvm seem to use only a single
2947 * 8-byte guard. Until somebody needs more than an 8-byte guard value, don't
2948 * do the work to construct them.
2949 */
2950 #define GUARD_VALUES 1
2951 #define GUARD_KEY "stack_guard="
2952
2953 /*
2954 * System malloc needs some entropy when it is initialized.
2955 */
2956 #define ENTROPY_VALUES 2
2957 #define ENTROPY_KEY "malloc_entropy="
2958
2959 #define PFZ_KEY "pfz="
2960 extern user32_addr_t commpage_text32_location;
2961 extern user64_addr_t commpage_text64_location;
2962 /*
2963 * Build up the contents of the apple[] string vector
2964 */
2965 static int
2966 exec_add_apple_strings(struct image_params *imgp)
2967 {
2968 int i, error;
2969 int new_ptr_size=4;
2970 char guard[19];
2971 char guard_vec[strlen(GUARD_KEY) + 19 * GUARD_VALUES + 1];
2972
2973 char entropy[19];
2974 char entropy_vec[strlen(ENTROPY_KEY) + 19 * ENTROPY_VALUES + 1];
2975
2976 char pfz_string[strlen(PFZ_KEY) + 16 + 4 +1];
2977
2978 if( imgp->ip_flags & IMGPF_IS_64BIT) {
2979 new_ptr_size = 8;
2980 snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%llx",commpage_text64_location);
2981 }else{
2982 snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%x",commpage_text32_location);
2983 }
2984
2985 /* exec_save_path stored the first string */
2986 imgp->ip_applec = 1;
2987
2988 /* adding the pfz string */
2989 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string),UIO_SYSSPACE,FALSE);
2990 if(error)
2991 goto bad;
2992 imgp->ip_applec++;
2993
2994 /*
2995 * Supply libc with a collection of random values to use when
2996 * implementing -fstack-protector.
2997 */
2998 (void)strlcpy(guard_vec, GUARD_KEY, sizeof (guard_vec));
2999 for (i = 0; i < GUARD_VALUES; i++) {
3000 random_hex_str(guard, sizeof (guard));
3001 if (i)
3002 (void)strlcat(guard_vec, ",", sizeof (guard_vec));
3003 (void)strlcat(guard_vec, guard, sizeof (guard_vec));
3004 }
3005
3006 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(guard_vec), UIO_SYSSPACE, FALSE);
3007 if (error)
3008 goto bad;
3009 imgp->ip_applec++;
3010
3011 /*
3012 * Supply libc with entropy for system malloc.
3013 */
3014 (void)strlcpy(entropy_vec, ENTROPY_KEY, sizeof(entropy_vec));
3015 for (i = 0; i < ENTROPY_VALUES; i++) {
3016 random_hex_str(entropy, sizeof (entropy));
3017 if (i)
3018 (void)strlcat(entropy_vec, ",", sizeof (entropy_vec));
3019 (void)strlcat(entropy_vec, entropy, sizeof (entropy_vec));
3020 }
3021
3022 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(entropy_vec), UIO_SYSSPACE, FALSE);
3023 if (error)
3024 goto bad;
3025 imgp->ip_applec++;
3026
3027 /* Align the tail of the combined applev area */
3028 while (imgp->ip_strspace % new_ptr_size != 0) {
3029 *imgp->ip_strendp++ = '\0';
3030 imgp->ip_strspace--;
3031 }
3032
3033 bad:
3034 return error;
3035 }
3036
3037 #define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur)
3038
3039 /*
3040 * exec_check_permissions
3041 *
3042 * Description: Verify that the file that is being attempted to be executed
3043 * is in fact allowed to be executed based on it POSIX file
3044 * permissions and other access control criteria
3045 *
3046 * Parameters: struct image_params * the image parameter block
3047 *
3048 * Returns: 0 Success
3049 * EACCES Permission denied
3050 * ENOEXEC Executable file format error
3051 * ETXTBSY Text file busy [misuse of error code]
3052 * vnode_getattr:???
3053 * vnode_authorize:???
3054 */
3055 static int
3056 exec_check_permissions(struct image_params *imgp)
3057 {
3058 struct vnode *vp = imgp->ip_vp;
3059 struct vnode_attr *vap = imgp->ip_vattr;
3060 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
3061 int error;
3062 kauth_action_t action;
3063
3064 /* Only allow execution of regular files */
3065 if (!vnode_isreg(vp))
3066 return (EACCES);
3067
3068 /* Get the file attributes that we will be using here and elsewhere */
3069 VATTR_INIT(vap);
3070 VATTR_WANTED(vap, va_uid);
3071 VATTR_WANTED(vap, va_gid);
3072 VATTR_WANTED(vap, va_mode);
3073 VATTR_WANTED(vap, va_fsid);
3074 VATTR_WANTED(vap, va_fileid);
3075 VATTR_WANTED(vap, va_data_size);
3076 if ((error = vnode_getattr(vp, vap, imgp->ip_vfs_context)) != 0)
3077 return (error);
3078
3079 /*
3080 * Ensure that at least one execute bit is on - otherwise root
3081 * will always succeed, and we don't want to happen unless the
3082 * file really is executable.
3083 */
3084 if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0))
3085 return (EACCES);
3086
3087 /* Disallow zero length files */
3088 if (vap->va_data_size == 0)
3089 return (ENOEXEC);
3090
3091 imgp->ip_arch_offset = (user_size_t)0;
3092 imgp->ip_arch_size = vap->va_data_size;
3093
3094 /* Disable setuid-ness for traced programs or if MNT_NOSUID */
3095 if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED))
3096 vap->va_mode &= ~(VSUID | VSGID);
3097
3098 #if CONFIG_MACF
3099 error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
3100 if (error)
3101 return (error);
3102 #endif
3103
3104 /* Check for execute permission */
3105 action = KAUTH_VNODE_EXECUTE;
3106 /* Traced images must also be readable */
3107 if (p->p_lflag & P_LTRACED)
3108 action |= KAUTH_VNODE_READ_DATA;
3109 if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != 0)
3110 return (error);
3111
3112 #if 0
3113 /* Don't let it run if anyone had it open for writing */
3114 vnode_lock(vp);
3115 if (vp->v_writecount) {
3116 panic("going to return ETXTBSY %x", vp);
3117 vnode_unlock(vp);
3118 return (ETXTBSY);
3119 }
3120 vnode_unlock(vp);
3121 #endif
3122
3123
3124 /* XXX May want to indicate to underlying FS that vnode is open */
3125
3126 return (error);
3127 }
3128
3129
3130 /*
3131 * exec_handle_sugid
3132 *
3133 * Initially clear the P_SUGID in the process flags; if an SUGID process is
3134 * exec'ing a non-SUGID image, then this is the point of no return.
3135 *
3136 * If the image being activated is SUGID, then replace the credential with a
3137 * copy, disable tracing (unless the tracing process is root), reset the
3138 * mach task port to revoke it, set the P_SUGID bit,
3139 *
3140 * If the saved user and group ID will be changing, then make sure it happens
3141 * to a new credential, rather than a shared one.
3142 *
3143 * Set the security token (this is probably obsolete, given that the token
3144 * should not technically be separate from the credential itself).
3145 *
3146 * Parameters: struct image_params * the image parameter block
3147 *
3148 * Returns: void No failure indication
3149 *
3150 * Implicit returns:
3151 * <process credential> Potentially modified/replaced
3152 * <task port> Potentially revoked
3153 * <process flags> P_SUGID bit potentially modified
3154 * <security token> Potentially modified
3155 */
3156 static int
3157 exec_handle_sugid(struct image_params *imgp)
3158 {
3159 kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
3160 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
3161 int i;
3162 int leave_sugid_clear = 0;
3163 int error = 0;
3164 #if CONFIG_MACF
3165 int mac_transition;
3166
3167 /*
3168 * Determine whether a call to update the MAC label will result in the
3169 * credential changing.
3170 *
3171 * Note: MAC policies which do not actually end up modifying
3172 * the label subsequently are strongly encouraged to
3173 * return 0 for this check, since a non-zero answer will
3174 * slow down the exec fast path for normal binaries.
3175 */
3176 mac_transition = mac_cred_check_label_update_execve(
3177 imgp->ip_vfs_context,
3178 imgp->ip_vp,
3179 imgp->ip_scriptlabelp,
3180 imgp->ip_execlabelp, p);
3181 #endif
3182
3183 OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
3184
3185 /*
3186 * Order of the following is important; group checks must go last,
3187 * as we use the success of the 'ismember' check combined with the
3188 * failure of the explicit match to indicate that we will be setting
3189 * the egid of the process even though the new process did not
3190 * require VSUID/VSGID bits in order for it to set the new group as
3191 * its egid.
3192 *
3193 * Note: Technically, by this we are implying a call to
3194 * setegid() in the new process, rather than implying
3195 * it used its VSGID bit to set the effective group,
3196 * even though there is no code in that process to make
3197 * such a call.
3198 */
3199 if (((imgp->ip_origvattr->va_mode & VSUID) != 0 &&
3200 kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
3201 ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
3202 ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
3203 (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) {
3204
3205 #if CONFIG_MACF
3206 /* label for MAC transition and neither VSUID nor VSGID */
3207 handle_mac_transition:
3208 #endif
3209
3210 /*
3211 * Replace the credential with a copy of itself if euid or
3212 * egid change.
3213 *
3214 * Note: setuid binaries will automatically opt out of
3215 * group resolver participation as a side effect
3216 * of this operation. This is an intentional
3217 * part of the security model, which requires a
3218 * participating credential be established by
3219 * escalating privilege, setting up all other
3220 * aspects of the credential including whether
3221 * or not to participate in external group
3222 * membership resolution, then dropping their
3223 * effective privilege to that of the desired
3224 * final credential state.
3225 */
3226 if (imgp->ip_origvattr->va_mode & VSUID) {
3227 p->p_ucred = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
3228 /* update cred on proc */
3229 PROC_UPDATE_CREDS_ONPROC(p);
3230 }
3231 if (imgp->ip_origvattr->va_mode & VSGID) {
3232 p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
3233 /* update cred on proc */
3234 PROC_UPDATE_CREDS_ONPROC(p);
3235 }
3236
3237 #if CONFIG_MACF
3238 /*
3239 * If a policy has indicated that it will transition the label,
3240 * before making the call into the MAC policies, get a new
3241 * duplicate credential, so they can modify it without
3242 * modifying any others sharing it.
3243 */
3244 if (mac_transition) {
3245 kauth_cred_t my_cred;
3246 if (kauth_proc_label_update_execve(p,
3247 imgp->ip_vfs_context,
3248 imgp->ip_vp,
3249 imgp->ip_scriptlabelp,
3250 imgp->ip_execlabelp)) {
3251 /*
3252 * If updating the MAC label resulted in a
3253 * disjoint credential, flag that we need to
3254 * set the P_SUGID bit. This protects
3255 * against debuggers being attached by an
3256 * insufficiently privileged process onto the
3257 * result of a transition to a more privileged
3258 * credential.
3259 */
3260 leave_sugid_clear = 0;
3261 }
3262
3263 my_cred = kauth_cred_proc_ref(p);
3264 mac_task_label_update_cred(my_cred, p->task);
3265 kauth_cred_unref(&my_cred);
3266 }
3267 #endif /* CONFIG_MACF */
3268
3269 /*
3270 * Have mach reset the task and thread ports.
3271 * We don't want anyone who had the ports before
3272 * a setuid exec to be able to access/control the
3273 * task/thread after.
3274 */
3275 ipc_task_reset(p->task);
3276 ipc_thread_reset((imgp->ip_new_thread != NULL) ?
3277 imgp->ip_new_thread : current_thread());
3278
3279 /*
3280 * If 'leave_sugid_clear' is non-zero, then we passed the
3281 * VSUID and MACF checks, and successfully determined that
3282 * the previous cred was a member of the VSGID group, but
3283 * that it was not the default at the time of the execve,
3284 * and that the post-labelling credential was not disjoint.
3285 * So we don't set the P_SUGID on the basis of simply
3286 * running this code.
3287 */
3288 if (!leave_sugid_clear)
3289 OSBitOrAtomic(P_SUGID, &p->p_flag);
3290
3291 /*
3292 * Radar 2261856; setuid security hole fix
3293 * XXX For setuid processes, attempt to ensure that
3294 * stdin, stdout, and stderr are already allocated.
3295 * We do not want userland to accidentally allocate
3296 * descriptors in this range which has implied meaning
3297 * to libc.
3298 */
3299 for (i = 0; i < 3; i++) {
3300
3301 if (p->p_fd->fd_ofiles[i] != NULL)
3302 continue;
3303
3304 /*
3305 * Do the kernel equivalent of
3306 *
3307 * (void) open("/dev/null", O_RDONLY);
3308 */
3309
3310 struct fileproc *fp;
3311 int indx;
3312
3313 if ((error = falloc(p,
3314 &fp, &indx, imgp->ip_vfs_context)) != 0)
3315 continue;
3316
3317 struct nameidata nd1;
3318
3319 NDINIT(&nd1, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE,
3320 CAST_USER_ADDR_T("/dev/null"),
3321 imgp->ip_vfs_context);
3322
3323 if ((error = vn_open(&nd1, FREAD, 0)) != 0) {
3324 fp_free(p, indx, fp);
3325 break;
3326 }
3327
3328 struct fileglob *fg = fp->f_fglob;
3329
3330 fg->fg_flag = FREAD;
3331 fg->fg_type = DTYPE_VNODE;
3332 fg->fg_ops = &vnops;
3333 fg->fg_data = nd1.ni_vp;
3334
3335 vnode_put(nd1.ni_vp);
3336
3337 proc_fdlock(p);
3338 procfdtbl_releasefd(p, indx, NULL);
3339 fp_drop(p, indx, fp, 1);
3340 proc_fdunlock(p);
3341 }
3342 }
3343 #if CONFIG_MACF
3344 else {
3345 /*
3346 * We are here because we were told that the MAC label will
3347 * be transitioned, and the binary is not VSUID or VSGID; to
3348 * deal with this case, we could either duplicate a lot of
3349 * code, or we can indicate we want to default the P_SUGID
3350 * bit clear and jump back up.
3351 */
3352 if (mac_transition) {
3353 leave_sugid_clear = 1;
3354 goto handle_mac_transition;
3355 }
3356 }
3357 #endif /* CONFIG_MACF */
3358
3359 /*
3360 * Implement the semantic where the effective user and group become
3361 * the saved user and group in exec'ed programs.
3362 */
3363 p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred), kauth_cred_getgid(p->p_ucred));
3364 /* update cred on proc */
3365 PROC_UPDATE_CREDS_ONPROC(p);
3366
3367 /* Update the process' identity version and set the security token */
3368 p->p_idversion++;
3369 set_security_token(p);
3370
3371 return(error);
3372 }
3373
3374
3375 /*
3376 * create_unix_stack
3377 *
3378 * Description: Set the user stack address for the process to the provided
3379 * address. If a custom stack was not set as a result of the
3380 * load process (i.e. as specified by the image file for the
3381 * executable), then allocate the stack in the provided map and
3382 * set up appropriate guard pages for enforcing administrative
3383 * limits on stack growth, if they end up being needed.
3384 *
3385 * Parameters: p Process to set stack on
3386 * load_result Information from mach-o load commands
3387 * map Address map in which to allocate the new stack
3388 *
3389 * Returns: KERN_SUCCESS Stack successfully created
3390 * !KERN_SUCCESS Mach failure code
3391 */
3392 static kern_return_t
3393 create_unix_stack(vm_map_t map, load_result_t* load_result,
3394 proc_t p)
3395 {
3396 mach_vm_size_t size, prot_size;
3397 mach_vm_offset_t addr, prot_addr;
3398 kern_return_t kr;
3399
3400 mach_vm_address_t user_stack = load_result->user_stack;
3401
3402 proc_lock(p);
3403 p->user_stack = user_stack;
3404 proc_unlock(p);
3405
3406 if (!load_result->prog_allocated_stack) {
3407 /*
3408 * Allocate enough space for the maximum stack size we
3409 * will ever authorize and an extra page to act as
3410 * a guard page for stack overflows. For default stacks,
3411 * vm_initial_limit_stack takes care of the extra guard page.
3412 * Otherwise we must allocate it ourselves.
3413 */
3414
3415 size = mach_vm_round_page(load_result->user_stack_size);
3416 if (load_result->prog_stack_size)
3417 size += PAGE_SIZE;
3418 addr = mach_vm_trunc_page(load_result->user_stack - size);
3419 kr = mach_vm_allocate(map, &addr, size,
3420 VM_MAKE_TAG(VM_MEMORY_STACK) |
3421 VM_FLAGS_FIXED);
3422 if (kr != KERN_SUCCESS) {
3423 /* If can't allocate at default location, try anywhere */
3424 addr = 0;
3425 kr = mach_vm_allocate(map, &addr, size,
3426 VM_MAKE_TAG(VM_MEMORY_STACK) |
3427 VM_FLAGS_ANYWHERE);
3428 if (kr != KERN_SUCCESS)
3429 return kr;
3430
3431 user_stack = addr + size;
3432 load_result->user_stack = user_stack;
3433
3434 proc_lock(p);
3435 p->user_stack = user_stack;
3436 proc_unlock(p);
3437 }
3438
3439 /*
3440 * And prevent access to what's above the current stack
3441 * size limit for this process.
3442 */
3443 prot_addr = addr;
3444 if (load_result->prog_stack_size)
3445 prot_size = PAGE_SIZE;
3446 else
3447 prot_size = mach_vm_trunc_page(size - unix_stack_size(p));
3448 kr = mach_vm_protect(map,
3449 prot_addr,
3450 prot_size,
3451 FALSE,
3452 VM_PROT_NONE);
3453 if (kr != KERN_SUCCESS) {
3454 (void) mach_vm_deallocate(map, addr, size);
3455 return kr;
3456 }
3457 }
3458
3459 return KERN_SUCCESS;
3460 }
3461
3462 #include <sys/reboot.h>
3463
3464 static char init_program_name[128] = "/sbin/launchd";
3465
3466 struct execve_args init_exec_args;
3467
3468 /*
3469 * load_init_program
3470 *
3471 * Description: Load the "init" program; in most cases, this will be "launchd"
3472 *
3473 * Parameters: p Process to call execve() to create
3474 * the "init" program
3475 *
3476 * Returns: (void)
3477 *
3478 * Notes: The process that is passed in is the first manufactured
3479 * process on the system, and gets here via bsd_ast() firing
3480 * for the first time. This is done to ensure that bsd_init()
3481 * has run to completion.
3482 */
3483 void
3484 load_init_program(proc_t p)
3485 {
3486 vm_offset_t init_addr;
3487 int argc = 0;
3488 uint32_t argv[3];
3489 int error;
3490 int retval[2];
3491
3492 /*
3493 * Copy out program name.
3494 */
3495
3496 init_addr = VM_MIN_ADDRESS;
3497 (void) vm_allocate(current_map(), &init_addr, PAGE_SIZE,
3498 VM_FLAGS_ANYWHERE);
3499 if (init_addr == 0)
3500 init_addr++;
3501
3502 (void) copyout((caddr_t) init_program_name, CAST_USER_ADDR_T(init_addr),
3503 (unsigned) sizeof(init_program_name)+1);
3504
3505 argv[argc++] = (uint32_t)init_addr;
3506 init_addr += sizeof(init_program_name);
3507 init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
3508
3509 /*
3510 * Put out first (and only) argument, similarly.
3511 * Assumes everything fits in a page as allocated
3512 * above.
3513 */
3514 if (boothowto & RB_SINGLE) {
3515 const char *init_args = "-s";
3516
3517 copyout(init_args, CAST_USER_ADDR_T(init_addr),
3518 strlen(init_args));
3519
3520 argv[argc++] = (uint32_t)init_addr;
3521 init_addr += strlen(init_args);
3522 init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
3523
3524 }
3525
3526 /*
3527 * Null-end the argument list
3528 */
3529 argv[argc] = 0;
3530
3531 /*
3532 * Copy out the argument list.
3533 */
3534
3535 (void) copyout((caddr_t) argv, CAST_USER_ADDR_T(init_addr),
3536 (unsigned) sizeof(argv));
3537
3538 /*
3539 * Set up argument block for fake call to execve.
3540 */
3541
3542 init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
3543 init_exec_args.argp = CAST_USER_ADDR_T((char **)init_addr);
3544 init_exec_args.envp = CAST_USER_ADDR_T(0);
3545
3546 /*
3547 * So that mach_init task is set with uid,gid 0 token
3548 */
3549 set_security_token(p);
3550
3551 error = execve(p,&init_exec_args,retval);
3552 if (error)
3553 panic("Process 1 exec of %s failed, errno %d",
3554 init_program_name, error);
3555 }
3556
3557 /*
3558 * load_return_to_errno
3559 *
3560 * Description: Convert a load_return_t (Mach error) to an errno (BSD error)
3561 *
3562 * Parameters: lrtn Mach error number
3563 *
3564 * Returns: (int) BSD error number
3565 * 0 Success
3566 * EBADARCH Bad architecture
3567 * EBADMACHO Bad Mach object file
3568 * ESHLIBVERS Bad shared library version
3569 * ENOMEM Out of memory/resource shortage
3570 * EACCES Access denied
3571 * ENOENT Entry not found (usually "file does
3572 * does not exist")
3573 * EIO An I/O error occurred
3574 * EBADEXEC The executable is corrupt/unknown
3575 */
3576 static int
3577 load_return_to_errno(load_return_t lrtn)
3578 {
3579 switch (lrtn) {
3580 case LOAD_SUCCESS:
3581 return 0;
3582 case LOAD_BADARCH:
3583 return EBADARCH;
3584 case LOAD_BADMACHO:
3585 return EBADMACHO;
3586 case LOAD_SHLIB:
3587 return ESHLIBVERS;
3588 case LOAD_NOSPACE:
3589 case LOAD_RESOURCE:
3590 return ENOMEM;
3591 case LOAD_PROTECT:
3592 return EACCES;
3593 case LOAD_ENOENT:
3594 return ENOENT;
3595 case LOAD_IOERROR:
3596 return EIO;
3597 case LOAD_FAILURE:
3598 default:
3599 return EBADEXEC;
3600 }
3601 }
3602
3603 #include <mach/mach_types.h>
3604 #include <mach/vm_prot.h>
3605 #include <mach/semaphore.h>
3606 #include <mach/sync_policy.h>
3607 #include <kern/clock.h>
3608 #include <mach/kern_return.h>
3609
3610 /*
3611 * execargs_alloc
3612 *
3613 * Description: Allocate the block of memory used by the execve arguments.
3614 * At the same time, we allocate a page so that we can read in
3615 * the first page of the image.
3616 *
3617 * Parameters: struct image_params * the image parameter block
3618 *
3619 * Returns: 0 Success
3620 * EINVAL Invalid argument
3621 * EACCES Permission denied
3622 * EINTR Interrupted function
3623 * ENOMEM Not enough space
3624 *
3625 * Notes: This is a temporary allocation into the kernel address space
3626 * to enable us to copy arguments in from user space. This is
3627 * necessitated by not mapping the process calling execve() into
3628 * the kernel address space during the execve() system call.
3629 *
3630 * We assemble the argument and environment, etc., into this
3631 * region before copying it as a single block into the child
3632 * process address space (at the top or bottom of the stack,
3633 * depending on which way the stack grows; see the function
3634 * exec_copyout_strings() for details).
3635 *
3636 * This ends up with a second (possibly unnecessary) copy compared
3637 * with assembing the data directly into the child address space,
3638 * instead, but since we cannot be guaranteed that the parent has
3639 * not modified its environment, we can't really know that it's
3640 * really a block there as well.
3641 */
3642
3643
3644 static int execargs_waiters = 0;
3645 lck_mtx_t *execargs_cache_lock;
3646
3647 static void
3648 execargs_lock_lock(void) {
3649 lck_mtx_lock_spin(execargs_cache_lock);
3650 }
3651
3652 static void
3653 execargs_lock_unlock(void) {
3654 lck_mtx_unlock(execargs_cache_lock);
3655 }
3656
3657 static void
3658 execargs_lock_sleep(void) {
3659 lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_UNINT);
3660 }
3661
3662 static kern_return_t
3663 execargs_purgeable_allocate(char **execarg_address) {
3664 kern_return_t kr = vm_allocate(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE);
3665 assert(kr == KERN_SUCCESS);
3666 return kr;
3667 }
3668
3669 static kern_return_t
3670 execargs_purgeable_reference(void *execarg_address) {
3671 int state = VM_PURGABLE_NONVOLATILE;
3672 kern_return_t kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
3673
3674 assert(kr == KERN_SUCCESS);
3675 return kr;
3676 }
3677
3678 static kern_return_t
3679 execargs_purgeable_volatilize(void *execarg_address) {
3680 int state = VM_PURGABLE_VOLATILE | VM_PURGABLE_ORDERING_OBSOLETE;
3681 kern_return_t kr;
3682 kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
3683
3684 assert(kr == KERN_SUCCESS);
3685
3686 return kr;
3687 }
3688
3689 static void
3690 execargs_wakeup_waiters(void) {
3691 thread_wakeup(&execargs_free_count);
3692 }
3693
3694 static int
3695 execargs_alloc(struct image_params *imgp)
3696 {
3697 kern_return_t kret;
3698 int i, cache_index = -1;
3699
3700 execargs_lock_lock();
3701
3702 while (execargs_free_count == 0) {
3703 execargs_waiters++;
3704 execargs_lock_sleep();
3705 execargs_waiters--;
3706 }
3707
3708 execargs_free_count--;
3709
3710 for (i = 0; i < execargs_cache_size; i++) {
3711 vm_offset_t element = execargs_cache[i];
3712 if (element) {
3713 cache_index = i;
3714 imgp->ip_strings = (char *)(execargs_cache[i]);
3715 execargs_cache[i] = 0;
3716 break;
3717 }
3718 }
3719
3720 assert(execargs_free_count >= 0);
3721
3722 execargs_lock_unlock();
3723
3724 if (cache_index == -1) {
3725 kret = execargs_purgeable_allocate(&imgp->ip_strings);
3726 }
3727 else
3728 kret = execargs_purgeable_reference(imgp->ip_strings);
3729
3730 assert(kret == KERN_SUCCESS);
3731 if (kret != KERN_SUCCESS) {
3732 return (ENOMEM);
3733 }
3734
3735 /* last page used to read in file headers */
3736 imgp->ip_vdata = imgp->ip_strings + ( NCARGS + PAGE_SIZE );
3737 imgp->ip_strendp = imgp->ip_strings;
3738 imgp->ip_argspace = NCARGS;
3739 imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
3740
3741 return (0);
3742 }
3743
3744 /*
3745 * execargs_free
3746 *
3747 * Description: Free the block of memory used by the execve arguments and the
3748 * first page of the executable by a previous call to the function
3749 * execargs_alloc().
3750 *
3751 * Parameters: struct image_params * the image parameter block
3752 *
3753 * Returns: 0 Success
3754 * EINVAL Invalid argument
3755 * EINTR Oeration interrupted
3756 */
3757 static int
3758 execargs_free(struct image_params *imgp)
3759 {
3760 kern_return_t kret;
3761 int i;
3762 boolean_t needs_wakeup = FALSE;
3763
3764 kret = execargs_purgeable_volatilize(imgp->ip_strings);
3765
3766 execargs_lock_lock();
3767 execargs_free_count++;
3768
3769 for (i = 0; i < execargs_cache_size; i++) {
3770 vm_offset_t element = execargs_cache[i];
3771 if (element == 0) {
3772 execargs_cache[i] = (vm_offset_t) imgp->ip_strings;
3773 imgp->ip_strings = NULL;
3774 break;
3775 }
3776 }
3777
3778 assert(imgp->ip_strings == NULL);
3779
3780 if (execargs_waiters > 0)
3781 needs_wakeup = TRUE;
3782
3783 execargs_lock_unlock();
3784
3785 if (needs_wakeup == TRUE)
3786 execargs_wakeup_waiters();
3787
3788 return ((kret == KERN_SUCCESS ? 0 : EINVAL));
3789 }
3790
3791 static void
3792 exec_resettextvp(proc_t p, struct image_params *imgp)
3793 {
3794 vnode_t vp;
3795 off_t offset;
3796 vnode_t tvp = p->p_textvp;
3797 int ret;
3798
3799 vp = imgp->ip_vp;
3800 offset = imgp->ip_arch_offset;
3801
3802 if (vp == NULLVP)
3803 panic("exec_resettextvp: expected valid vp");
3804
3805 ret = vnode_ref(vp);
3806 proc_lock(p);
3807 if (ret == 0) {
3808 p->p_textvp = vp;
3809 p->p_textoff = offset;
3810 } else {
3811 p->p_textvp = NULLVP; /* this is paranoia */
3812 p->p_textoff = 0;
3813 }
3814 proc_unlock(p);
3815
3816 if ( tvp != NULLVP) {
3817 if (vnode_getwithref(tvp) == 0) {
3818 vnode_rele(tvp);
3819 vnode_put(tvp);
3820 }
3821 }
3822
3823 }
3824
3825 static int
3826 check_for_signature(proc_t p, struct image_params *imgp)
3827 {
3828 void *blob = NULL;
3829 size_t length = 0;
3830 mach_port_t port = NULL;
3831 kern_return_t kr = KERN_FAILURE;
3832 int error = EACCES;
3833 unsigned char hash[SHA1_RESULTLEN];
3834
3835 /*
3836 * Override inherited code signing flags with the
3837 * ones for the process that is being successfully
3838 * loaded
3839 */
3840 proc_lock(p);
3841 p->p_csflags = imgp->ip_csflags;
3842 proc_unlock(p);
3843
3844 /* Set the switch_protect flag on the map */
3845 if(p->p_csflags & (CS_HARD|CS_KILL)) {
3846 vm_map_switch_protect(get_task_map(p->task), TRUE);
3847 }
3848
3849 /* If the process is not signed or if it contains
3850 * entitlements, we need to communicate through the
3851 * task_access_port to taskgated. taskgated will provide a
3852 * detached code signature if present, and will enforce any
3853 * restrictions on entitlements. taskgated returns
3854 * KERN_SUCCESS if it has completed its work and the exec
3855 * should continue, or KERN_FAILURE if the exec should fail.
3856 */
3857 error = cs_entitlements_blob_get(p, &blob, &length);
3858
3859 /* if signed and no entitlements, then we're done here */
3860 if ((p->p_csflags & CS_VALID) && NULL == blob) {
3861 error = 0;
3862 goto done;
3863 }
3864
3865 kr = task_get_task_access_port(p->task, &port);
3866 if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
3867 error = 0;
3868 #if !CONFIG_EMBEDDED
3869 /* fatal on the desktop when entitlements are present */
3870 if (NULL != blob)
3871 error = EACCES;
3872 #endif
3873 goto done;
3874 }
3875
3876 kr = find_code_signature(port, p->p_pid);
3877 if (KERN_SUCCESS != kr) {
3878 error = EACCES;
3879 goto done;
3880 }
3881
3882 /* Only do this if exec_resettextvp() did not fail */
3883 if (p->p_textvp != NULLVP) {
3884 /*
3885 * If there's a new code directory, mark this process
3886 * as signed.
3887 */
3888 if (0 == ubc_cs_getcdhash(p->p_textvp, p->p_textoff, hash)) {
3889 proc_lock(p);
3890 p->p_csflags |= CS_VALID;
3891 proc_unlock(p);
3892 }
3893 }
3894
3895 done:
3896 if (0 != error)
3897 /* make very sure execution fails */
3898 psignal(p, SIGKILL);
3899 return error;
3900 }
3901
3902 /*
3903 * Typically as soon as we start executing this process, the
3904 * first instruction will trigger a VM fault to bring the text
3905 * pages (as executable) into the address space, followed soon
3906 * thereafter by dyld data structures (for dynamic executable).
3907 * To optimize this, as well as improve support for hardware
3908 * debuggers that can only access resident pages present
3909 * in the process' page tables, we prefault some pages if
3910 * possible. Errors are non-fatal.
3911 */
3912 static void exec_prefault_data(proc_t p __unused, struct image_params *imgp, load_result_t *load_result)
3913 {
3914 int ret;
3915 size_t expected_all_image_infos_size;
3916
3917 /*
3918 * Prefault executable or dyld entry point.
3919 */
3920 vm_fault( current_map(),
3921 vm_map_trunc_page(load_result->entry_point),
3922 VM_PROT_READ | VM_PROT_EXECUTE,
3923 FALSE,
3924 THREAD_UNINT, NULL, 0);
3925
3926 if (imgp->ip_flags & IMGPF_IS_64BIT) {
3927 expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos);
3928 } else {
3929 expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos);
3930 }
3931
3932 /* Decode dyld anchor structure from <mach-o/dyld_images.h> */
3933 if (load_result->dynlinker &&
3934 load_result->all_image_info_addr &&
3935 load_result->all_image_info_size >= expected_all_image_infos_size) {
3936 union {
3937 struct user64_dyld_all_image_infos infos64;
3938 struct user32_dyld_all_image_infos infos32;
3939 } all_image_infos;
3940
3941 /*
3942 * Pre-fault to avoid copyin() going through the trap handler
3943 * and recovery path.
3944 */
3945 vm_fault( current_map(),
3946 vm_map_trunc_page(load_result->all_image_info_addr),
3947 VM_PROT_READ | VM_PROT_WRITE,
3948 FALSE,
3949 THREAD_UNINT, NULL, 0);
3950 if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) {
3951 /* all_image_infos straddles a page */
3952 vm_fault( current_map(),
3953 vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - 1),
3954 VM_PROT_READ | VM_PROT_WRITE,
3955 FALSE,
3956 THREAD_UNINT, NULL, 0);
3957 }
3958
3959 ret = copyin(load_result->all_image_info_addr,
3960 &all_image_infos,
3961 expected_all_image_infos_size);
3962 if (ret == 0 && all_image_infos.infos32.version >= 9) {
3963
3964 user_addr_t notification_address;
3965 user_addr_t dyld_image_address;
3966 user_addr_t dyld_version_address;
3967 user_addr_t dyld_all_image_infos_address;
3968 user_addr_t dyld_slide_amount;
3969
3970 if (imgp->ip_flags & IMGPF_IS_64BIT) {
3971 notification_address = all_image_infos.infos64.notification;
3972 dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress;
3973 dyld_version_address = all_image_infos.infos64.dyldVersion;
3974 dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress;
3975 } else {
3976 notification_address = all_image_infos.infos32.notification;
3977 dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress;
3978 dyld_version_address = all_image_infos.infos32.dyldVersion;
3979 dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress;
3980 }
3981
3982 /*
3983 * dyld statically sets up the all_image_infos in its Mach-O
3984 * binary at static link time, with pointers relative to its default
3985 * load address. Since ASLR might slide dyld before its first
3986 * instruction is executed, "dyld_slide_amount" tells us how far
3987 * dyld was loaded compared to its default expected load address.
3988 * All other pointers into dyld's image should be adjusted by this
3989 * amount. At some point later, dyld will fix up pointers to take
3990 * into account the slide, at which point the all_image_infos_address
3991 * field in the structure will match the runtime load address, and
3992 * "dyld_slide_amount" will be 0, if we were to consult it again.
3993 */
3994
3995 dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address;
3996
3997 #if 0
3998 kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
3999 (uint64_t)load_result->all_image_info_addr,
4000 all_image_infos.infos32.version,
4001 (uint64_t)notification_address,
4002 (uint64_t)dyld_image_address,
4003 (uint64_t)dyld_version_address,
4004 (uint64_t)dyld_all_image_infos_address);
4005 #endif
4006
4007 vm_fault( current_map(),
4008 vm_map_trunc_page(notification_address + dyld_slide_amount),
4009 VM_PROT_READ | VM_PROT_EXECUTE,
4010 FALSE,
4011 THREAD_UNINT, NULL, 0);
4012 vm_fault( current_map(),
4013 vm_map_trunc_page(dyld_image_address + dyld_slide_amount),
4014 VM_PROT_READ | VM_PROT_EXECUTE,
4015 FALSE,
4016 THREAD_UNINT, NULL, 0);
4017 vm_fault( current_map(),
4018 vm_map_trunc_page(dyld_version_address + dyld_slide_amount),
4019 VM_PROT_READ,
4020 FALSE,
4021 THREAD_UNINT, NULL, 0);
4022 vm_fault( current_map(),
4023 vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount),
4024 VM_PROT_READ | VM_PROT_WRITE,
4025 FALSE,
4026 THREAD_UNINT, NULL, 0);
4027 }
4028 }
4029 }
mirror of XNU