]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_exec.c
projects / apple / xnu.git / blob
? search:


fea51a17250fa9fab4a580963ef3e88012ab9bbb
[apple/xnu.git] / bsd / kern / kern_exec.c
1 /*
2 * Copyright (c) 2000-2013 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29 /*
30 * Mach Operating System
31 * Copyright (c) 1987 Carnegie-Mellon University
32 * All rights reserved. The CMU software License Agreement specifies
33 * the terms and conditions for use and redistribution.
34 */
35
36 /*-
37 * Copyright (c) 1982, 1986, 1991, 1993
38 * The Regents of the University of California. All rights reserved.
39 * (c) UNIX System Laboratories, Inc.
40 * All or some portions of this file are derived from material licensed
41 * to the University of California by American Telephone and Telegraph
42 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
43 * the permission of UNIX System Laboratories, Inc.
44 *
45 * Redistribution and use in source and binary forms, with or without
46 * modification, are permitted provided that the following conditions
47 * are met:
48 * 1. Redistributions of source code must retain the above copyright
49 * notice, this list of conditions and the following disclaimer.
50 * 2. Redistributions in binary form must reproduce the above copyright
51 * notice, this list of conditions and the following disclaimer in the
52 * documentation and/or other materials provided with the distribution.
53 * 3. All advertising materials mentioning features or use of this software
54 * must display the following acknowledgement:
55 * This product includes software developed by the University of
56 * California, Berkeley and its contributors.
57 * 4. Neither the name of the University nor the names of its contributors
58 * may be used to endorse or promote products derived from this software
59 * without specific prior written permission.
60 *
61 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
62 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
63 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
64 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
65 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
66 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
67 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
68 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
69 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
70 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
71 * SUCH DAMAGE.
72 *
73 * from: @(#)kern_exec.c 8.1 (Berkeley) 6/10/93
74 */
75 /*
76 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
77 * support for mandatory and extensible security protections. This notice
78 * is included in support of clause 2.2 (b) of the Apple Public License,
79 * Version 2.0.
80 */
81 #include <machine/reg.h>
82 #include <machine/cpu_capabilities.h>
83
84 #include <sys/param.h>
85 #include <sys/systm.h>
86 #include <sys/filedesc.h>
87 #include <sys/kernel.h>
88 #include <sys/proc_internal.h>
89 #include <sys/kauth.h>
90 #include <sys/user.h>
91 #include <sys/socketvar.h>
92 #include <sys/malloc.h>
93 #include <sys/namei.h>
94 #include <sys/mount_internal.h>
95 #include <sys/vnode_internal.h>
96 #include <sys/file_internal.h>
97 #include <sys/stat.h>
98 #include <sys/uio_internal.h>
99 #include <sys/acct.h>
100 #include <sys/exec.h>
101 #include <sys/kdebug.h>
102 #include <sys/signal.h>
103 #include <sys/aio_kern.h>
104 #include <sys/sysproto.h>
105 #include <sys/persona.h>
106 #include <sys/reason.h>
107 #if SYSV_SHM
108 #include <sys/shm_internal.h> /* shmexec() */
109 #endif
110 #include <sys/ubc_internal.h> /* ubc_map() */
111 #include <sys/spawn.h>
112 #include <sys/spawn_internal.h>
113 #include <sys/process_policy.h>
114 #include <sys/codesign.h>
115 #include <sys/random.h>
116 #include <crypto/sha1.h>
117
118 #include <libkern/libkern.h>
119
120 #include <security/audit/audit.h>
121
122 #include <ipc/ipc_types.h>
123
124 #include <mach/mach_types.h>
125 #include <mach/port.h>
126 #include <mach/task.h>
127 #include <mach/task_access.h>
128 #include <mach/thread_act.h>
129 #include <mach/vm_map.h>
130 #include <mach/mach_vm.h>
131 #include <mach/vm_param.h>
132
133 #include <kern/sched_prim.h> /* thread_wakeup() */
134 #include <kern/affinity.h>
135 #include <kern/assert.h>
136 #include <kern/task.h>
137 #include <kern/coalition.h>
138 #include <kern/policy_internal.h>
139 #include <kern/kalloc.h>
140
141 #include <os/log.h>
142
143 #if CONFIG_MACF
144 #include <security/mac_framework.h>
145 #include <security/mac_mach_internal.h>
146 #endif
147
148 #include <vm/vm_map.h>
149 #include <vm/vm_kern.h>
150 #include <vm/vm_protos.h>
151 #include <vm/vm_kern.h>
152 #include <vm/vm_fault.h>
153 #include <vm/vm_pageout.h>
154
155 #include <kdp/kdp_dyld.h>
156
157 #include <machine/pal_routines.h>
158
159 #include <pexpert/pexpert.h>
160
161 #if CONFIG_MEMORYSTATUS
162 #include <sys/kern_memorystatus.h>
163 #endif
164
165 #include <IOKit/IOBSD.h>
166
167 extern boolean_t vm_darkwake_mode;
168
169 #if CONFIG_DTRACE
170 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
171 extern void dtrace_proc_exec(proc_t);
172 extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
173
174 /*
175 * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
176 * we will store its value before actually calling it.
177 */
178 static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL;
179
180 #include <sys/dtrace_ptss.h>
181 #endif
182
183 /* support for child creation in exec after vfork */
184 thread_t fork_create_child(task_t parent_task,
185 coalition_t *parent_coalition,
186 proc_t child_proc,
187 int inherit_memory,
188 int is_64bit_addr,
189 int is_64bit_data,
190 int in_exec);
191 void vfork_exit(proc_t p, int rv);
192 extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
193 extern void task_set_did_exec_flag(task_t task);
194 extern void task_clear_exec_copy_flag(task_t task);
195 proc_t proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread);
196 boolean_t task_is_active(task_t);
197 boolean_t thread_is_active(thread_t thread);
198 void thread_copy_resource_info(thread_t dst_thread, thread_t src_thread);
199 void *ipc_importance_exec_switch_task(task_t old_task, task_t new_task);
200 extern void ipc_importance_release(void *elem);
201
202 /*
203 * Mach things for which prototypes are unavailable from Mach headers
204 */
205 void ipc_task_reset(
206 task_t task);
207 void ipc_thread_reset(
208 thread_t thread);
209 kern_return_t ipc_object_copyin(
210 ipc_space_t space,
211 mach_port_name_t name,
212 mach_msg_type_name_t msgt_name,
213 ipc_object_t *objectp);
214 void ipc_port_release_send(ipc_port_t);
215
216 #if DEVELOPMENT || DEBUG
217 void task_importance_update_owner_info(task_t);
218 #endif
219
220 extern struct savearea *get_user_regs(thread_t);
221
222 __attribute__((noinline)) int __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid);
223
224 #include <kern/thread.h>
225 #include <kern/task.h>
226 #include <kern/ast.h>
227 #include <kern/mach_loader.h>
228 #include <kern/mach_fat.h>
229 #include <mach-o/fat.h>
230 #include <mach-o/loader.h>
231 #include <machine/vmparam.h>
232 #include <sys/imgact.h>
233
234 #include <sys/sdt.h>
235
236
237 /*
238 * EAI_ITERLIMIT The maximum number of times to iterate an image
239 * activator in exec_activate_image() before treating
240 * it as malformed/corrupt.
241 */
242 #define EAI_ITERLIMIT 3
243
244 /*
245 * For #! interpreter parsing
246 */
247 #define IS_WHITESPACE(ch) ((ch == ' ') || (ch == '\t'))
248 #define IS_EOL(ch) ((ch == '#') || (ch == '\n'))
249
250 extern vm_map_t bsd_pageable_map;
251 extern const struct fileops vnops;
252 extern int nextpidversion;
253
254 #define USER_ADDR_ALIGN(addr, val) \
255 ( ( (user_addr_t)(addr) + (val) - 1) \
256 & ~((val) - 1) )
257
258 /* Platform Code Exec Logging */
259 static int platform_exec_logging = 0;
260
261 SYSCTL_DECL(_security_mac);
262
263 SYSCTL_INT(_security_mac, OID_AUTO, platform_exec_logging, CTLFLAG_RW, &platform_exec_logging, 0,
264 "log cdhashes for all platform binary executions");
265
266 static os_log_t peLog = OS_LOG_DEFAULT;
267
268 struct image_params; /* Forward */
269 static int exec_activate_image(struct image_params *imgp);
270 static int exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp);
271 static int load_return_to_errno(load_return_t lrtn);
272 static int execargs_alloc(struct image_params *imgp);
273 static int execargs_free(struct image_params *imgp);
274 static int exec_check_permissions(struct image_params *imgp);
275 static int exec_extract_strings(struct image_params *imgp);
276 static int exec_add_apple_strings(struct image_params *imgp, const load_result_t *load_result);
277 static int exec_handle_sugid(struct image_params *imgp);
278 static int sugid_scripts = 0;
279 SYSCTL_INT(_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
280 static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p);
281 static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
282 static void exec_resettextvp(proc_t, struct image_params *);
283 static int check_for_signature(proc_t, struct image_params *);
284 static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
285 static errno_t exec_handle_port_actions(struct image_params *imgp, boolean_t * portwatch_present, ipc_port_t * portwatch_ports);
286 static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
287 ipc_port_t * portwatch_ports, int portwatch_count);
288
289 /*
290 * exec_add_user_string
291 *
292 * Add the requested string to the string space area.
293 *
294 * Parameters; struct image_params * image parameter block
295 * user_addr_t string to add to strings area
296 * int segment from which string comes
297 * boolean_t TRUE if string contributes to NCARGS
298 *
299 * Returns: 0 Success
300 * !0 Failure errno from copyinstr()
301 *
302 * Implicit returns:
303 * (imgp->ip_strendp) updated location of next add, if any
304 * (imgp->ip_strspace) updated byte count of space remaining
305 * (imgp->ip_argspace) updated byte count of space in NCARGS
306 */
307 static int
308 exec_add_user_string(struct image_params *imgp, user_addr_t str, int seg, boolean_t is_ncargs)
309 {
310 int error = 0;
311
312 do {
313 size_t len = 0;
314 int space;
315
316 if (is_ncargs) {
317 space = imgp->ip_argspace; /* by definition smaller than ip_strspace */
318 } else {
319 space = imgp->ip_strspace;
320 }
321
322 if (space <= 0) {
323 error = E2BIG;
324 break;
325 }
326
327 if (!UIO_SEG_IS_USER_SPACE(seg)) {
328 char *kstr = CAST_DOWN(char *, str); /* SAFE */
329 error = copystr(kstr, imgp->ip_strendp, space, &len);
330 } else {
331 error = copyinstr(str, imgp->ip_strendp, space, &len);
332 }
333
334 imgp->ip_strendp += len;
335 imgp->ip_strspace -= len;
336 if (is_ncargs) {
337 imgp->ip_argspace -= len;
338 }
339 } while (error == ENAMETOOLONG);
340
341 return error;
342 }
343
344 /*
345 * dyld is now passed the executable path as a getenv-like variable
346 * in the same fashion as the stack_guard and malloc_entropy keys.
347 */
348 #define EXECUTABLE_KEY "executable_path="
349
350 /*
351 * exec_save_path
352 *
353 * To support new app package launching for Mac OS X, the dyld needs the
354 * first argument to execve() stored on the user stack.
355 *
356 * Save the executable path name at the bottom of the strings area and set
357 * the argument vector pointer to the location following that to indicate
358 * the start of the argument and environment tuples, setting the remaining
359 * string space count to the size of the string area minus the path length.
360 *
361 * Parameters; struct image_params * image parameter block
362 * char * path used to invoke program
363 * int segment from which path comes
364 *
365 * Returns: int 0 Success
366 * EFAULT Bad address
367 * copy[in]str:EFAULT Bad address
368 * copy[in]str:ENAMETOOLONG Filename too long
369 *
370 * Implicit returns:
371 * (imgp->ip_strings) saved path
372 * (imgp->ip_strspace) space remaining in ip_strings
373 * (imgp->ip_strendp) start of remaining copy area
374 * (imgp->ip_argspace) space remaining of NCARGS
375 * (imgp->ip_applec) Initial applev[0]
376 *
377 * Note: We have to do this before the initial namei() since in the
378 * path contains symbolic links, namei() will overwrite the
379 * original path buffer contents. If the last symbolic link
380 * resolved was a relative pathname, we would lose the original
381 * "path", which could be an absolute pathname. This might be
382 * unacceptable for dyld.
383 */
384 static int
385 exec_save_path(struct image_params *imgp, user_addr_t path, int seg, const char **excpath)
386 {
387 int error;
388 size_t len;
389 char *kpath;
390
391 // imgp->ip_strings can come out of a cache, so we need to obliterate the
392 // old path.
393 memset(imgp->ip_strings, '\0', strlen(EXECUTABLE_KEY) + MAXPATHLEN);
394
395 len = MIN(MAXPATHLEN, imgp->ip_strspace);
396
397 switch (seg) {
398 case UIO_USERSPACE32:
399 case UIO_USERSPACE64: /* Same for copyin()... */
400 error = copyinstr(path, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
401 break;
402 case UIO_SYSSPACE:
403 kpath = CAST_DOWN(char *, path); /* SAFE */
404 error = copystr(kpath, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
405 break;
406 default:
407 error = EFAULT;
408 break;
409 }
410
411 if (!error) {
412 bcopy(EXECUTABLE_KEY, imgp->ip_strings, strlen(EXECUTABLE_KEY));
413 len += strlen(EXECUTABLE_KEY);
414
415 imgp->ip_strendp += len;
416 imgp->ip_strspace -= len;
417
418 if (excpath) {
419 *excpath = imgp->ip_strings + strlen(EXECUTABLE_KEY);
420 }
421 }
422
423 return error;
424 }
425
426 /*
427 * exec_reset_save_path
428 *
429 * If we detect a shell script, we need to reset the string area
430 * state so that the interpreter can be saved onto the stack.
431 *
432 * Parameters; struct image_params * image parameter block
433 *
434 * Returns: int 0 Success
435 *
436 * Implicit returns:
437 * (imgp->ip_strings) saved path
438 * (imgp->ip_strspace) space remaining in ip_strings
439 * (imgp->ip_strendp) start of remaining copy area
440 * (imgp->ip_argspace) space remaining of NCARGS
441 *
442 */
443 static int
444 exec_reset_save_path(struct image_params *imgp)
445 {
446 imgp->ip_strendp = imgp->ip_strings;
447 imgp->ip_argspace = NCARGS;
448 imgp->ip_strspace = (NCARGS + PAGE_SIZE);
449
450 return 0;
451 }
452
453 /*
454 * exec_shell_imgact
455 *
456 * Image activator for interpreter scripts. If the image begins with
457 * the characters "#!", then it is an interpreter script. Verify the
458 * length of the script line indicating the interpreter is not in
459 * excess of the maximum allowed size. If this is the case, then
460 * break out the arguments, if any, which are separated by white
461 * space, and copy them into the argument save area as if they were
462 * provided on the command line before all other arguments. The line
463 * ends when we encounter a comment character ('#') or newline.
464 *
465 * Parameters; struct image_params * image parameter block
466 *
467 * Returns: -1 not an interpreter (keep looking)
468 * -3 Success: interpreter: relookup
469 * >0 Failure: interpreter: error number
470 *
471 * A return value other than -1 indicates subsequent image activators should
472 * not be given the opportunity to attempt to activate the image.
473 */
474 static int
475 exec_shell_imgact(struct image_params *imgp)
476 {
477 char *vdata = imgp->ip_vdata;
478 char *ihp;
479 char *line_startp, *line_endp;
480 char *interp;
481
482 /*
483 * Make sure it's a shell script. If we've already redirected
484 * from an interpreted file once, don't do it again.
485 */
486 if (vdata[0] != '#' ||
487 vdata[1] != '!' ||
488 (imgp->ip_flags & IMGPF_INTERPRET) != 0) {
489 return -1;
490 }
491
492 if (imgp->ip_origcputype != 0) {
493 /* Fat header previously matched, don't allow shell script inside */
494 return -1;
495 }
496
497 imgp->ip_flags |= IMGPF_INTERPRET;
498 imgp->ip_interp_sugid_fd = -1;
499 imgp->ip_interp_buffer[0] = '\0';
500
501 /* Check to see if SUGID scripts are permitted. If they aren't then
502 * clear the SUGID bits.
503 * imgp->ip_vattr is known to be valid.
504 */
505 if (sugid_scripts == 0) {
506 imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
507 }
508
509 /* Try to find the first non-whitespace character */
510 for (ihp = &vdata[2]; ihp < &vdata[IMG_SHSIZE]; ihp++) {
511 if (IS_EOL(*ihp)) {
512 /* Did not find interpreter, "#!\n" */
513 return ENOEXEC;
514 } else if (IS_WHITESPACE(*ihp)) {
515 /* Whitespace, like "#! /bin/sh\n", keep going. */
516 } else {
517 /* Found start of interpreter */
518 break;
519 }
520 }
521
522 if (ihp == &vdata[IMG_SHSIZE]) {
523 /* All whitespace, like "#! " */
524 return ENOEXEC;
525 }
526
527 line_startp = ihp;
528
529 /* Try to find the end of the interpreter+args string */
530 for (; ihp < &vdata[IMG_SHSIZE]; ihp++) {
531 if (IS_EOL(*ihp)) {
532 /* Got it */
533 break;
534 } else {
535 /* Still part of interpreter or args */
536 }
537 }
538
539 if (ihp == &vdata[IMG_SHSIZE]) {
540 /* A long line, like "#! blah blah blah" without end */
541 return ENOEXEC;
542 }
543
544 /* Backtrack until we find the last non-whitespace */
545 while (IS_EOL(*ihp) || IS_WHITESPACE(*ihp)) {
546 ihp--;
547 }
548
549 /* The character after the last non-whitespace is our logical end of line */
550 line_endp = ihp + 1;
551
552 /*
553 * Now we have pointers to the usable part of:
554 *
555 * "#! /usr/bin/int first second third \n"
556 * ^ line_startp ^ line_endp
557 */
558
559 /* copy the interpreter name */
560 interp = imgp->ip_interp_buffer;
561 for (ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++) {
562 *interp++ = *ihp;
563 }
564 *interp = '\0';
565
566 exec_reset_save_path(imgp);
567 exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer),
568 UIO_SYSSPACE, NULL);
569
570 /* Copy the entire interpreter + args for later processing into argv[] */
571 interp = imgp->ip_interp_buffer;
572 for (ihp = line_startp; (ihp < line_endp); ihp++) {
573 *interp++ = *ihp;
574 }
575 *interp = '\0';
576
577 #if !SECURE_KERNEL
578 /*
579 * If we have an SUID or SGID script, create a file descriptor
580 * from the vnode and pass /dev/fd/%d instead of the actual
581 * path name so that the script does not get opened twice
582 */
583 if (imgp->ip_origvattr->va_mode & (VSUID | VSGID)) {
584 proc_t p;
585 struct fileproc *fp;
586 int fd;
587 int error;
588
589 p = vfs_context_proc(imgp->ip_vfs_context);
590 error = falloc(p, &fp, &fd, imgp->ip_vfs_context);
591 if (error) {
592 return error;
593 }
594
595 fp->f_fglob->fg_flag = FREAD;
596 fp->f_fglob->fg_ops = &vnops;
597 fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
598
599 proc_fdlock(p);
600 procfdtbl_releasefd(p, fd, NULL);
601 fp_drop(p, fd, fp, 1);
602 proc_fdunlock(p);
603 vnode_ref(imgp->ip_vp);
604
605 imgp->ip_interp_sugid_fd = fd;
606 }
607 #endif
608
609 return -3;
610 }
611
612
613
614 /*
615 * exec_fat_imgact
616 *
617 * Image activator for fat 1.0 binaries. If the binary is fat, then we
618 * need to select an image from it internally, and make that the image
619 * we are going to attempt to execute. At present, this consists of
620 * reloading the first page for the image with a first page from the
621 * offset location indicated by the fat header.
622 *
623 * Parameters; struct image_params * image parameter block
624 *
625 * Returns: -1 not a fat binary (keep looking)
626 * -2 Success: encapsulated binary: reread
627 * >0 Failure: error number
628 *
629 * Important: This image activator is byte order neutral.
630 *
631 * Note: A return value other than -1 indicates subsequent image
632 * activators should not be given the opportunity to attempt
633 * to activate the image.
634 *
635 * If we find an encapsulated binary, we make no assertions
636 * about its validity; instead, we leave that up to a rescan
637 * for an activator to claim it, and, if it is claimed by one,
638 * that activator is responsible for determining validity.
639 */
640 static int
641 exec_fat_imgact(struct image_params *imgp)
642 {
643 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
644 kauth_cred_t cred = kauth_cred_proc_ref(p);
645 struct fat_header *fat_header = (struct fat_header *)imgp->ip_vdata;
646 struct _posix_spawnattr *psa = NULL;
647 struct fat_arch fat_arch;
648 int resid, error;
649 load_return_t lret;
650
651 if (imgp->ip_origcputype != 0) {
652 /* Fat header previously matched, don't allow another fat file inside */
653 error = -1; /* not claimed */
654 goto bad;
655 }
656
657 /* Make sure it's a fat binary */
658 if (OSSwapBigToHostInt32(fat_header->magic) != FAT_MAGIC) {
659 error = -1; /* not claimed */
660 goto bad;
661 }
662
663 /* imgp->ip_vdata has PAGE_SIZE, zerofilled if the file is smaller */
664 lret = fatfile_validate_fatarches((vm_offset_t)fat_header, PAGE_SIZE);
665 if (lret != LOAD_SUCCESS) {
666 error = load_return_to_errno(lret);
667 goto bad;
668 }
669
670 /* If posix_spawn binprefs exist, respect those prefs. */
671 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
672 if (psa != NULL && psa->psa_binprefs[0] != 0) {
673 uint32_t pr = 0;
674
675 /* Check each preference listed against all arches in header */
676 for (pr = 0; pr < NBINPREFS; pr++) {
677 cpu_type_t pref = psa->psa_binprefs[pr];
678 if (pref == 0) {
679 /* No suitable arch in the pref list */
680 error = EBADARCH;
681 goto bad;
682 }
683
684 if (pref == CPU_TYPE_ANY) {
685 /* Fall through to regular grading */
686 goto regular_grading;
687 }
688
689 lret = fatfile_getbestarch_for_cputype(pref,
690 (vm_offset_t)fat_header,
691 PAGE_SIZE,
692 &fat_arch);
693 if (lret == LOAD_SUCCESS) {
694 goto use_arch;
695 }
696 }
697
698 /* Requested binary preference was not honored */
699 error = EBADEXEC;
700 goto bad;
701 }
702
703 regular_grading:
704 /* Look up our preferred architecture in the fat file. */
705 lret = fatfile_getbestarch((vm_offset_t)fat_header,
706 PAGE_SIZE,
707 &fat_arch);
708 if (lret != LOAD_SUCCESS) {
709 error = load_return_to_errno(lret);
710 goto bad;
711 }
712
713 use_arch:
714 /* Read the Mach-O header out of fat_arch */
715 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata,
716 PAGE_SIZE, fat_arch.offset,
717 UIO_SYSSPACE, (IO_UNIT | IO_NODELOCKED),
718 cred, &resid, p);
719 if (error) {
720 goto bad;
721 }
722
723 if (resid) {
724 memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
725 }
726
727 /* Success. Indicate we have identified an encapsulated binary */
728 error = -2;
729 imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
730 imgp->ip_arch_size = (user_size_t)fat_arch.size;
731 imgp->ip_origcputype = fat_arch.cputype;
732 imgp->ip_origcpusubtype = fat_arch.cpusubtype;
733
734 bad:
735 kauth_cred_unref(&cred);
736 return error;
737 }
738
739 static int
740 activate_exec_state(task_t task, proc_t p, thread_t thread, load_result_t *result)
741 {
742 int ret;
743
744 task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, 0);
745 task_set_64bit(task, result->is_64bit_addr, result->is_64bit_data);
746 if (result->is_64bit_addr) {
747 OSBitOrAtomic(P_LP64, &p->p_flag);
748 } else {
749 OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
750 }
751
752 ret = thread_state_initialize(thread);
753 if (ret != KERN_SUCCESS) {
754 return ret;
755 }
756
757 if (result->threadstate) {
758 uint32_t *ts = result->threadstate;
759 uint32_t total_size = result->threadstate_sz;
760
761 while (total_size > 0) {
762 uint32_t flavor = *ts++;
763 uint32_t size = *ts++;
764
765 ret = thread_setstatus(thread, flavor, (thread_state_t)ts, size);
766 if (ret) {
767 return ret;
768 }
769 ts += size;
770 total_size -= (size + 2) * sizeof(uint32_t);
771 }
772 }
773
774 thread_setentrypoint(thread, result->entry_point);
775
776 return KERN_SUCCESS;
777 }
778
779
780 /*
781 * Set p->p_comm and p->p_name to the name passed to exec
782 */
783 static void
784 set_proc_name(struct image_params *imgp, proc_t p)
785 {
786 int p_name_len = sizeof(p->p_name) - 1;
787
788 if (imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len) {
789 imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
790 }
791
792 bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
793 (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
794 p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
795
796 if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN) {
797 imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
798 }
799
800 bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
801 (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
802 p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
803 }
804
805 /*
806 * exec_mach_imgact
807 *
808 * Image activator for mach-o 1.0 binaries.
809 *
810 * Parameters; struct image_params * image parameter block
811 *
812 * Returns: -1 not a fat binary (keep looking)
813 * -2 Success: encapsulated binary: reread
814 * >0 Failure: error number
815 * EBADARCH Mach-o binary, but with an unrecognized
816 * architecture
817 * ENOMEM No memory for child process after -
818 * can only happen after vfork()
819 *
820 * Important: This image activator is NOT byte order neutral.
821 *
822 * Note: A return value other than -1 indicates subsequent image
823 * activators should not be given the opportunity to attempt
824 * to activate the image.
825 *
826 * TODO: More gracefully handle failures after vfork
827 */
828 static int
829 exec_mach_imgact(struct image_params *imgp)
830 {
831 struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
832 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
833 int error = 0;
834 task_t task;
835 task_t new_task = NULL; /* protected by vfexec */
836 thread_t thread;
837 struct uthread *uthread;
838 vm_map_t old_map = VM_MAP_NULL;
839 vm_map_t map = VM_MAP_NULL;
840 load_return_t lret;
841 load_result_t load_result = {};
842 struct _posix_spawnattr *psa = NULL;
843 int spawn = (imgp->ip_flags & IMGPF_SPAWN);
844 int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
845 int exec = (imgp->ip_flags & IMGPF_EXEC);
846 os_reason_t exec_failure_reason = OS_REASON_NULL;
847
848 /*
849 * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
850 * is a reserved field on the end, so for the most part, we can
851 * treat them as if they were identical. Reverse-endian Mach-O
852 * binaries are recognized but not compatible.
853 */
854 if ((mach_header->magic == MH_CIGAM) ||
855 (mach_header->magic == MH_CIGAM_64)) {
856 error = EBADARCH;
857 goto bad;
858 }
859
860 if ((mach_header->magic != MH_MAGIC) &&
861 (mach_header->magic != MH_MAGIC_64)) {
862 error = -1;
863 goto bad;
864 }
865
866 if (mach_header->filetype != MH_EXECUTE) {
867 error = -1;
868 goto bad;
869 }
870
871 if (imgp->ip_origcputype != 0) {
872 /* Fat header previously had an idea about this thin file */
873 if (imgp->ip_origcputype != mach_header->cputype ||
874 imgp->ip_origcpusubtype != mach_header->cpusubtype) {
875 error = EBADARCH;
876 goto bad;
877 }
878 } else {
879 imgp->ip_origcputype = mach_header->cputype;
880 imgp->ip_origcpusubtype = mach_header->cpusubtype;
881 }
882
883 task = current_task();
884 thread = current_thread();
885 uthread = get_bsdthread_info(thread);
886
887 if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64) {
888 imgp->ip_flags |= IMGPF_IS_64BIT_ADDR | IMGPF_IS_64BIT_DATA;
889 }
890
891 /* If posix_spawn binprefs exist, respect those prefs. */
892 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
893 if (psa != NULL && psa->psa_binprefs[0] != 0) {
894 int pr = 0;
895 for (pr = 0; pr < NBINPREFS; pr++) {
896 cpu_type_t pref = psa->psa_binprefs[pr];
897 if (pref == 0) {
898 /* No suitable arch in the pref list */
899 error = EBADARCH;
900 goto bad;
901 }
902
903 if (pref == CPU_TYPE_ANY) {
904 /* Jump to regular grading */
905 goto grade;
906 }
907
908 if (pref == imgp->ip_origcputype) {
909 /* We have a match! */
910 goto grade;
911 }
912 }
913 error = EBADARCH;
914 goto bad;
915 }
916 grade:
917 if (!grade_binary(imgp->ip_origcputype, imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
918 error = EBADARCH;
919 goto bad;
920 }
921
922
923 /* Copy in arguments/environment from the old process */
924 error = exec_extract_strings(imgp);
925 if (error) {
926 goto bad;
927 }
928
929 AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc,
930 imgp->ip_endargv - imgp->ip_startargv);
931 AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
932 imgp->ip_endenvv - imgp->ip_endargv);
933
934 /*
935 * We are being called to activate an image subsequent to a vfork()
936 * operation; in this case, we know that our task, thread, and
937 * uthread are actually those of our parent, and our proc, which we
938 * obtained indirectly from the image_params vfs_context_t, is the
939 * new child process.
940 */
941 if (vfexec) {
942 imgp->ip_new_thread = fork_create_child(task,
943 NULL,
944 p,
945 FALSE,
946 (imgp->ip_flags & IMGPF_IS_64BIT_ADDR),
947 (imgp->ip_flags & IMGPF_IS_64BIT_DATA),
948 FALSE);
949 /* task and thread ref returned, will be released in __mac_execve */
950 if (imgp->ip_new_thread == NULL) {
951 error = ENOMEM;
952 goto bad;
953 }
954 }
955
956
957 /* reset local idea of thread, uthread, task */
958 thread = imgp->ip_new_thread;
959 uthread = get_bsdthread_info(thread);
960 task = new_task = get_threadtask(thread);
961
962 /*
963 * Load the Mach-O file.
964 *
965 * NOTE: An error after this point indicates we have potentially
966 * destroyed or overwritten some process state while attempting an
967 * execve() following a vfork(), which is an unrecoverable condition.
968 * We send the new process an immediate SIGKILL to avoid it executing
969 * any instructions in the mutated address space. For true spawns,
970 * this is not the case, and "too late" is still not too late to
971 * return an error code to the parent process.
972 */
973
974 /*
975 * Actually load the image file we previously decided to load.
976 */
977 lret = load_machfile(imgp, mach_header, thread, &map, &load_result);
978 if (lret != LOAD_SUCCESS) {
979 error = load_return_to_errno(lret);
980
981 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
982 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO, 0, 0);
983 if (lret == LOAD_BADMACHO_UPX) {
984 /* set anything that might be useful in the crash report */
985 set_proc_name(imgp, p);
986
987 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_UPX);
988 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
989 exec_failure_reason->osr_flags |= OS_REASON_FLAG_CONSISTENT_FAILURE;
990 } else if (lret == LOAD_BADARCH_X86) {
991 /* set anything that might be useful in the crash report */
992 set_proc_name(imgp, p);
993
994 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_NO32EXEC);
995 exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
996 exec_failure_reason->osr_flags |= OS_REASON_FLAG_CONSISTENT_FAILURE;
997 } else {
998 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO);
999 }
1000
1001 goto badtoolate;
1002 }
1003
1004 proc_lock(p);
1005 p->p_cputype = imgp->ip_origcputype;
1006 p->p_cpusubtype = imgp->ip_origcpusubtype;
1007 proc_unlock(p);
1008
1009 vm_map_set_user_wire_limit(map, p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
1010
1011 /*
1012 * Set code-signing flags if this binary is signed, or if parent has
1013 * requested them on exec.
1014 */
1015 if (load_result.csflags & CS_VALID) {
1016 imgp->ip_csflags |= load_result.csflags &
1017 (CS_VALID | CS_SIGNED | CS_DEV_CODE |
1018 CS_HARD | CS_KILL | CS_RESTRICT | CS_ENFORCEMENT | CS_REQUIRE_LV |
1019 CS_FORCED_LV | CS_ENTITLEMENTS_VALIDATED | CS_DYLD_PLATFORM | CS_RUNTIME |
1020 CS_ENTITLEMENT_FLAGS |
1021 CS_EXEC_SET_HARD | CS_EXEC_SET_KILL | CS_EXEC_SET_ENFORCEMENT);
1022 } else {
1023 imgp->ip_csflags &= ~CS_VALID;
1024 }
1025
1026 if (p->p_csflags & CS_EXEC_SET_HARD) {
1027 imgp->ip_csflags |= CS_HARD;
1028 }
1029 if (p->p_csflags & CS_EXEC_SET_KILL) {
1030 imgp->ip_csflags |= CS_KILL;
1031 }
1032 if (p->p_csflags & CS_EXEC_SET_ENFORCEMENT) {
1033 imgp->ip_csflags |= CS_ENFORCEMENT;
1034 }
1035 if (p->p_csflags & CS_EXEC_INHERIT_SIP) {
1036 if (p->p_csflags & CS_INSTALLER) {
1037 imgp->ip_csflags |= CS_INSTALLER;
1038 }
1039 if (p->p_csflags & CS_DATAVAULT_CONTROLLER) {
1040 imgp->ip_csflags |= CS_DATAVAULT_CONTROLLER;
1041 }
1042 if (p->p_csflags & CS_NVRAM_UNRESTRICTED) {
1043 imgp->ip_csflags |= CS_NVRAM_UNRESTRICTED;
1044 }
1045 }
1046
1047 /*
1048 * Set up the system reserved areas in the new address space.
1049 */
1050 int cpu_subtype;
1051 cpu_subtype = 0; /* all cpu_subtypes use the same shared region */
1052 vm_map_exec(map, task, load_result.is_64bit_addr, (void *)p->p_fd->fd_rdir, cpu_type(), cpu_subtype);
1053
1054 /*
1055 * Close file descriptors which specify close-on-exec.
1056 */
1057 fdexec(p, psa != NULL ? psa->psa_flags : 0, exec);
1058
1059 /*
1060 * deal with set[ug]id.
1061 */
1062 error = exec_handle_sugid(imgp);
1063 if (error) {
1064 vm_map_deallocate(map);
1065
1066 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1067 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE, 0, 0);
1068 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE);
1069 goto badtoolate;
1070 }
1071
1072 /*
1073 * Commit to new map.
1074 *
1075 * Swap the new map for the old for target task, which consumes
1076 * our new map reference but each leaves us responsible for the
1077 * old_map reference. That lets us get off the pmap associated
1078 * with it, and then we can release it.
1079 *
1080 * The map needs to be set on the target task which is different
1081 * than current task, thus swap_task_map is used instead of
1082 * vm_map_switch.
1083 */
1084 old_map = swap_task_map(task, thread, map);
1085 vm_map_deallocate(old_map);
1086 old_map = NULL;
1087
1088 lret = activate_exec_state(task, p, thread, &load_result);
1089 if (lret != KERN_SUCCESS) {
1090 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1091 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE, 0, 0);
1092 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE);
1093 goto badtoolate;
1094 }
1095
1096 /*
1097 * deal with voucher on exec-calling thread.
1098 */
1099 if (imgp->ip_new_thread == NULL) {
1100 thread_set_mach_voucher(current_thread(), IPC_VOUCHER_NULL);
1101 }
1102
1103 /* Make sure we won't interrupt ourself signalling a partial process */
1104 if (!vfexec && !spawn && (p->p_lflag & P_LTRACED)) {
1105 psignal(p, SIGTRAP);
1106 }
1107
1108 if (load_result.unixproc &&
1109 create_unix_stack(get_task_map(task),
1110 &load_result,
1111 p) != KERN_SUCCESS) {
1112 error = load_return_to_errno(LOAD_NOSPACE);
1113
1114 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1115 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC, 0, 0);
1116 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC);
1117 goto badtoolate;
1118 }
1119
1120 error = exec_add_apple_strings(imgp, &load_result);
1121 if (error) {
1122 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1123 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT, 0, 0);
1124 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT);
1125 goto badtoolate;
1126 }
1127
1128 /* Switch to target task's map to copy out strings */
1129 old_map = vm_map_switch(get_task_map(task));
1130
1131 if (load_result.unixproc) {
1132 user_addr_t ap;
1133
1134 /*
1135 * Copy the strings area out into the new process address
1136 * space.
1137 */
1138 ap = p->user_stack;
1139 error = exec_copyout_strings(imgp, &ap);
1140 if (error) {
1141 vm_map_switch(old_map);
1142
1143 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1144 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS, 0, 0);
1145 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS);
1146 goto badtoolate;
1147 }
1148 /* Set the stack */
1149 thread_setuserstack(thread, ap);
1150 }
1151
1152 if (load_result.dynlinker) {
1153 uint64_t ap;
1154 int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
1155
1156 /* Adjust the stack */
1157 ap = thread_adjuserstack(thread, -new_ptr_size);
1158 error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
1159
1160 if (error) {
1161 vm_map_switch(old_map);
1162
1163 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
1164 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER, 0, 0);
1165 exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER);
1166 goto badtoolate;
1167 }
1168 task_set_dyld_info(task, load_result.all_image_info_addr,
1169 load_result.all_image_info_size);
1170 }
1171
1172 /* Avoid immediate VM faults back into kernel */
1173 exec_prefault_data(p, imgp, &load_result);
1174
1175 vm_map_switch(old_map);
1176
1177 /* Stop profiling */
1178 stopprofclock(p);
1179
1180 /*
1181 * Reset signal state.
1182 */
1183 execsigs(p, thread);
1184
1185 /*
1186 * need to cancel async IO requests that can be cancelled and wait for those
1187 * already active. MAY BLOCK!
1188 */
1189 _aio_exec( p );
1190
1191 #if SYSV_SHM
1192 /* FIXME: Till vmspace inherit is fixed: */
1193 if (!vfexec && p->vm_shm) {
1194 shmexec(p);
1195 }
1196 #endif
1197 #if SYSV_SEM
1198 /* Clean up the semaphores */
1199 semexit(p);
1200 #endif
1201
1202 /*
1203 * Remember file name for accounting.
1204 */
1205 p->p_acflag &= ~AFORK;
1206
1207 set_proc_name(imgp, p);
1208
1209 #if CONFIG_SECLUDED_MEMORY
1210 if (secluded_for_apps &&
1211 load_result.platform_binary) {
1212 if (strncmp(p->p_name,
1213 "Camera",
1214 sizeof(p->p_name)) == 0) {
1215 task_set_could_use_secluded_mem(task, TRUE);
1216 } else {
1217 task_set_could_use_secluded_mem(task, FALSE);
1218 }
1219 if (strncmp(p->p_name,
1220 "mediaserverd",
1221 sizeof(p->p_name)) == 0) {
1222 task_set_could_also_use_secluded_mem(task, TRUE);
1223 }
1224 }
1225 #endif /* CONFIG_SECLUDED_MEMORY */
1226
1227 #if __arm64__
1228 if (load_result.legacy_footprint) {
1229 #if DEVELOPMENT || DEBUG
1230 printf("%s: %d[%s] legacy footprint (mach-o)\n",
1231 __FUNCTION__, p->p_pid, p->p_name);
1232 #endif /* DEVELOPMENT || DEBUG */
1233 task_set_legacy_footprint(task, TRUE);
1234 }
1235 #endif /* __arm64__ */
1236
1237 pal_dbg_set_task_name(task);
1238
1239 /*
1240 * The load result will have already been munged by AMFI to include the
1241 * platform binary flag if boot-args dictated it (AMFI will mark anything
1242 * that doesn't go through the upcall path as a platform binary if its
1243 * enforcement is disabled).
1244 */
1245 if (load_result.platform_binary) {
1246 if (cs_debug) {
1247 printf("setting platform binary on task: pid = %d\n", p->p_pid);
1248 }
1249
1250 /*
1251 * We must use 'task' here because the proc's task has not yet been
1252 * switched to the new one.
1253 */
1254 task_set_platform_binary(task, TRUE);
1255 } else {
1256 if (cs_debug) {
1257 printf("clearing platform binary on task: pid = %d\n", p->p_pid);
1258 }
1259
1260 task_set_platform_binary(task, FALSE);
1261 }
1262
1263 #if DEVELOPMENT || DEBUG
1264 /*
1265 * Update the pid an proc name for importance base if any
1266 */
1267 task_importance_update_owner_info(task);
1268 #endif
1269
1270 memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
1271
1272 #if CONFIG_DTRACE
1273 dtrace_proc_exec(p);
1274 #endif
1275
1276 if (kdebug_enable) {
1277 long args[4] = {};
1278
1279 uintptr_t fsid = 0, fileid = 0;
1280 if (imgp->ip_vattr) {
1281 uint64_t fsid64 = vnode_get_va_fsid(imgp->ip_vattr);
1282 fsid = fsid64;
1283 fileid = imgp->ip_vattr->va_fileid;
1284 // check for (unexpected) overflow and trace zero in that case
1285 if (fsid != fsid64 || fileid != imgp->ip_vattr->va_fileid) {
1286 fsid = fileid = 0;
1287 }
1288 }
1289 KERNEL_DEBUG_CONSTANT_IST1(TRACE_DATA_EXEC, p->p_pid, fsid, fileid, 0,
1290 (uintptr_t)thread_tid(thread));
1291
1292 /*
1293 * Collect the pathname for tracing
1294 */
1295 kdbg_trace_string(p, &args[0], &args[1], &args[2], &args[3]);
1296 KERNEL_DEBUG_CONSTANT_IST1(TRACE_STRING_EXEC, args[0], args[1],
1297 args[2], args[3], (uintptr_t)thread_tid(thread));
1298 }
1299
1300 /*
1301 * If posix_spawned with the START_SUSPENDED flag, stop the
1302 * process before it runs.
1303 */
1304 if (imgp->ip_px_sa != NULL) {
1305 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
1306 if (psa->psa_flags & POSIX_SPAWN_START_SUSPENDED) {
1307 proc_lock(p);
1308 p->p_stat = SSTOP;
1309 proc_unlock(p);
1310 (void) task_suspend_internal(task);
1311 }
1312 }
1313
1314 /*
1315 * mark as execed, wakeup the process that vforked (if any) and tell
1316 * it that it now has its own resources back
1317 */
1318 OSBitOrAtomic(P_EXEC, &p->p_flag);
1319 proc_resetregister(p);
1320 if (p->p_pptr && (p->p_lflag & P_LPPWAIT)) {
1321 proc_lock(p);
1322 p->p_lflag &= ~P_LPPWAIT;
1323 proc_unlock(p);
1324 wakeup((caddr_t)p->p_pptr);
1325 }
1326
1327 /*
1328 * Pay for our earlier safety; deliver the delayed signals from
1329 * the incomplete vfexec process now that it's complete.
1330 */
1331 if (vfexec && (p->p_lflag & P_LTRACED)) {
1332 psignal_vfork(p, new_task, thread, SIGTRAP);
1333 }
1334
1335 goto done;
1336
1337 badtoolate:
1338 /* Don't allow child process to execute any instructions */
1339 if (!spawn) {
1340 if (vfexec) {
1341 assert(exec_failure_reason != OS_REASON_NULL);
1342 psignal_vfork_with_reason(p, new_task, thread, SIGKILL, exec_failure_reason);
1343 exec_failure_reason = OS_REASON_NULL;
1344 } else {
1345 assert(exec_failure_reason != OS_REASON_NULL);
1346 psignal_with_reason(p, SIGKILL, exec_failure_reason);
1347 exec_failure_reason = OS_REASON_NULL;
1348
1349 if (exec) {
1350 /* Terminate the exec copy task */
1351 task_terminate_internal(task);
1352 }
1353 }
1354
1355 /* We can't stop this system call at this point, so just pretend we succeeded */
1356 error = 0;
1357 } else {
1358 os_reason_free(exec_failure_reason);
1359 exec_failure_reason = OS_REASON_NULL;
1360 }
1361
1362 done:
1363 if (load_result.threadstate) {
1364 kfree(load_result.threadstate, load_result.threadstate_sz);
1365 load_result.threadstate = NULL;
1366 }
1367
1368 bad:
1369 /* If we hit this, we likely would have leaked an exit reason */
1370 assert(exec_failure_reason == OS_REASON_NULL);
1371 return error;
1372 }
1373
1374
1375
1376
1377 /*
1378 * Our image activator table; this is the table of the image types we are
1379 * capable of loading. We list them in order of preference to ensure the
1380 * fastest image load speed.
1381 *
1382 * XXX hardcoded, for now; should use linker sets
1383 */
1384 struct execsw {
1385 int (*ex_imgact)(struct image_params *);
1386 const char *ex_name;
1387 } execsw[] = {
1388 { exec_mach_imgact, "Mach-o Binary" },
1389 { exec_fat_imgact, "Fat Binary" },
1390 { exec_shell_imgact, "Interpreter Script" },
1391 { NULL, NULL}
1392 };
1393
1394
1395 /*
1396 * exec_activate_image
1397 *
1398 * Description: Iterate through the available image activators, and activate
1399 * the image associated with the imgp structure. We start with
1400 * the activator for Mach-o binaries followed by that for Fat binaries
1401 * for Interpreter scripts.
1402 *
1403 * Parameters: struct image_params * Image parameter block
1404 *
1405 * Returns: 0 Success
1406 * EBADEXEC The executable is corrupt/unknown
1407 * execargs_alloc:EINVAL Invalid argument
1408 * execargs_alloc:EACCES Permission denied
1409 * execargs_alloc:EINTR Interrupted function
1410 * execargs_alloc:ENOMEM Not enough space
1411 * exec_save_path:EFAULT Bad address
1412 * exec_save_path:ENAMETOOLONG Filename too long
1413 * exec_check_permissions:EACCES Permission denied
1414 * exec_check_permissions:ENOEXEC Executable file format error
1415 * exec_check_permissions:ETXTBSY Text file busy [misuse of error code]
1416 * exec_check_permissions:???
1417 * namei:???
1418 * vn_rdwr:??? [anything vn_rdwr can return]
1419 * <ex_imgact>:??? [anything an imgact can return]
1420 * EDEADLK Process is being terminated
1421 */
1422 static int
1423 exec_activate_image(struct image_params *imgp)
1424 {
1425 struct nameidata *ndp = NULL;
1426 const char *excpath;
1427 int error;
1428 int resid;
1429 int once = 1; /* save SGUID-ness for interpreted files */
1430 int i;
1431 int itercount = 0;
1432 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1433
1434 error = execargs_alloc(imgp);
1435 if (error) {
1436 goto bad_notrans;
1437 }
1438
1439 error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath);
1440 if (error) {
1441 goto bad_notrans;
1442 }
1443
1444 /* Use excpath, which contains the copyin-ed exec path */
1445 DTRACE_PROC1(exec, uintptr_t, excpath);
1446
1447 MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
1448 if (ndp == NULL) {
1449 error = ENOMEM;
1450 goto bad_notrans;
1451 }
1452
1453 NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1454 UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
1455
1456 again:
1457 error = namei(ndp);
1458 if (error) {
1459 goto bad_notrans;
1460 }
1461 imgp->ip_ndp = ndp; /* successful namei(); call nameidone() later */
1462 imgp->ip_vp = ndp->ni_vp; /* if set, need to vnode_put() at some point */
1463
1464 /*
1465 * Before we start the transition from binary A to binary B, make
1466 * sure another thread hasn't started exiting the process. We grab
1467 * the proc lock to check p_lflag initially, and the transition
1468 * mechanism ensures that the value doesn't change after we release
1469 * the lock.
1470 */
1471 proc_lock(p);
1472 if (p->p_lflag & P_LEXIT) {
1473 error = EDEADLK;
1474 proc_unlock(p);
1475 goto bad_notrans;
1476 }
1477 error = proc_transstart(p, 1, 0);
1478 proc_unlock(p);
1479 if (error) {
1480 goto bad_notrans;
1481 }
1482
1483 error = exec_check_permissions(imgp);
1484 if (error) {
1485 goto bad;
1486 }
1487
1488 /* Copy; avoid invocation of an interpreter overwriting the original */
1489 if (once) {
1490 once = 0;
1491 *imgp->ip_origvattr = *imgp->ip_vattr;
1492 }
1493
1494 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE, 0,
1495 UIO_SYSSPACE, IO_NODELOCKED,
1496 vfs_context_ucred(imgp->ip_vfs_context),
1497 &resid, vfs_context_proc(imgp->ip_vfs_context));
1498 if (error) {
1499 goto bad;
1500 }
1501
1502 if (resid) {
1503 memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
1504 }
1505
1506 encapsulated_binary:
1507 /* Limit the number of iterations we will attempt on each binary */
1508 if (++itercount > EAI_ITERLIMIT) {
1509 error = EBADEXEC;
1510 goto bad;
1511 }
1512 error = -1;
1513 for (i = 0; error == -1 && execsw[i].ex_imgact != NULL; i++) {
1514 error = (*execsw[i].ex_imgact)(imgp);
1515
1516 switch (error) {
1517 /* case -1: not claimed: continue */
1518 case -2: /* Encapsulated binary, imgp->ip_XXX set for next iteration */
1519 goto encapsulated_binary;
1520
1521 case -3: /* Interpreter */
1522 #if CONFIG_MACF
1523 /*
1524 * Copy the script label for later use. Note that
1525 * the label can be different when the script is
1526 * actually read by the interpreter.
1527 */
1528 if (imgp->ip_scriptlabelp) {
1529 mac_vnode_label_free(imgp->ip_scriptlabelp);
1530 }
1531 imgp->ip_scriptlabelp = mac_vnode_label_alloc();
1532 if (imgp->ip_scriptlabelp == NULL) {
1533 error = ENOMEM;
1534 break;
1535 }
1536 mac_vnode_label_copy(imgp->ip_vp->v_label,
1537 imgp->ip_scriptlabelp);
1538
1539 /*
1540 * Take a ref of the script vnode for later use.
1541 */
1542 if (imgp->ip_scriptvp) {
1543 vnode_put(imgp->ip_scriptvp);
1544 }
1545 if (vnode_getwithref(imgp->ip_vp) == 0) {
1546 imgp->ip_scriptvp = imgp->ip_vp;
1547 }
1548 #endif
1549
1550 nameidone(ndp);
1551
1552 vnode_put(imgp->ip_vp);
1553 imgp->ip_vp = NULL; /* already put */
1554 imgp->ip_ndp = NULL; /* already nameidone */
1555
1556 /* Use excpath, which exec_shell_imgact reset to the interpreter */
1557 NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF,
1558 UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
1559
1560 proc_transend(p, 0);
1561 goto again;
1562
1563 default:
1564 break;
1565 }
1566 }
1567
1568 if (error == 0) {
1569 if (imgp->ip_flags & IMGPF_INTERPRET && ndp->ni_vp) {
1570 AUDIT_ARG(vnpath, ndp->ni_vp, ARG_VNODE2);
1571 }
1572
1573 /*
1574 * Call out to allow 3rd party notification of exec.
1575 * Ignore result of kauth_authorize_fileop call.
1576 */
1577 if (kauth_authorize_fileop_has_listeners()) {
1578 kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
1579 KAUTH_FILEOP_EXEC,
1580 (uintptr_t)ndp->ni_vp, 0);
1581 }
1582 }
1583 bad:
1584 proc_transend(p, 0);
1585
1586 bad_notrans:
1587 if (imgp->ip_strings) {
1588 execargs_free(imgp);
1589 }
1590 if (imgp->ip_ndp) {
1591 nameidone(imgp->ip_ndp);
1592 }
1593 if (ndp) {
1594 FREE(ndp, M_TEMP);
1595 }
1596
1597 return error;
1598 }
1599
1600
1601 /*
1602 * exec_handle_spawnattr_policy
1603 *
1604 * Description: Decode and apply the posix_spawn apptype, qos clamp, and watchport ports to the task.
1605 *
1606 * Parameters: proc_t p process to apply attributes to
1607 * int psa_apptype posix spawn attribute apptype
1608 *
1609 * Returns: 0 Success
1610 */
1611 static errno_t
1612 exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
1613 ipc_port_t * portwatch_ports, int portwatch_count)
1614 {
1615 int apptype = TASK_APPTYPE_NONE;
1616 int qos_clamp = THREAD_QOS_UNSPECIFIED;
1617 int role = TASK_UNSPECIFIED;
1618
1619 if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != 0) {
1620 int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK;
1621
1622 switch (proctype) {
1623 case POSIX_SPAWN_PROC_TYPE_DAEMON_INTERACTIVE:
1624 apptype = TASK_APPTYPE_DAEMON_INTERACTIVE;
1625 break;
1626 case POSIX_SPAWN_PROC_TYPE_DAEMON_STANDARD:
1627 apptype = TASK_APPTYPE_DAEMON_STANDARD;
1628 break;
1629 case POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE:
1630 apptype = TASK_APPTYPE_DAEMON_ADAPTIVE;
1631 break;
1632 case POSIX_SPAWN_PROC_TYPE_DAEMON_BACKGROUND:
1633 apptype = TASK_APPTYPE_DAEMON_BACKGROUND;
1634 break;
1635 case POSIX_SPAWN_PROC_TYPE_APP_DEFAULT:
1636 apptype = TASK_APPTYPE_APP_DEFAULT;
1637 break;
1638 #if !CONFIG_EMBEDDED
1639 case POSIX_SPAWN_PROC_TYPE_APP_TAL:
1640 apptype = TASK_APPTYPE_APP_TAL;
1641 break;
1642 #endif /* !CONFIG_EMBEDDED */
1643 default:
1644 apptype = TASK_APPTYPE_NONE;
1645 /* TODO: Should an invalid value here fail the spawn? */
1646 break;
1647 }
1648 }
1649
1650 if (psa_qos_clamp != POSIX_SPAWN_PROC_CLAMP_NONE) {
1651 switch (psa_qos_clamp) {
1652 case POSIX_SPAWN_PROC_CLAMP_UTILITY:
1653 qos_clamp = THREAD_QOS_UTILITY;
1654 break;
1655 case POSIX_SPAWN_PROC_CLAMP_BACKGROUND:
1656 qos_clamp = THREAD_QOS_BACKGROUND;
1657 break;
1658 case POSIX_SPAWN_PROC_CLAMP_MAINTENANCE:
1659 qos_clamp = THREAD_QOS_MAINTENANCE;
1660 break;
1661 default:
1662 qos_clamp = THREAD_QOS_UNSPECIFIED;
1663 /* TODO: Should an invalid value here fail the spawn? */
1664 break;
1665 }
1666 }
1667
1668 if (psa_darwin_role != PRIO_DARWIN_ROLE_DEFAULT) {
1669 proc_darwin_role_to_task_role(psa_darwin_role, &role);
1670 }
1671
1672 if (apptype != TASK_APPTYPE_NONE ||
1673 qos_clamp != THREAD_QOS_UNSPECIFIED ||
1674 role != TASK_UNSPECIFIED) {
1675 proc_set_task_spawnpolicy(p->task, apptype, qos_clamp, role,
1676 portwatch_ports, portwatch_count);
1677 }
1678
1679 return 0;
1680 }
1681
1682
1683 /*
1684 * exec_handle_port_actions
1685 *
1686 * Description: Go through the _posix_port_actions_t contents,
1687 * calling task_set_special_port, task_set_exception_ports
1688 * and/or audit_session_spawnjoin for the current task.
1689 *
1690 * Parameters: struct image_params * Image parameter block
1691 *
1692 * Returns: 0 Success
1693 * EINVAL Failure
1694 * ENOTSUP Illegal posix_spawn attr flag was set
1695 */
1696 static errno_t
1697 exec_handle_port_actions(struct image_params *imgp, boolean_t * portwatch_present,
1698 ipc_port_t * portwatch_ports)
1699 {
1700 _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
1701 #if CONFIG_AUDIT
1702 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1703 #endif
1704 _ps_port_action_t *act = NULL;
1705 task_t task = get_threadtask(imgp->ip_new_thread);
1706 ipc_port_t port = NULL;
1707 errno_t ret = 0;
1708 int i;
1709 kern_return_t kr;
1710
1711 *portwatch_present = FALSE;
1712
1713 for (i = 0; i < pacts->pspa_count; i++) {
1714 act = &pacts->pspa_actions[i];
1715
1716 if (MACH_PORT_VALID(act->new_port)) {
1717 kr = ipc_object_copyin(get_task_ipcspace(current_task()),
1718 act->new_port, MACH_MSG_TYPE_COPY_SEND,
1719 (ipc_object_t *) &port);
1720
1721 if (kr != KERN_SUCCESS) {
1722 ret = EINVAL;
1723 goto done;
1724 }
1725 } else {
1726 /* it's NULL or DEAD */
1727 port = CAST_MACH_NAME_TO_PORT(act->new_port);
1728 }
1729
1730 switch (act->port_type) {
1731 case PSPA_SPECIAL:
1732 kr = task_set_special_port(task, act->which, port);
1733
1734 if (kr != KERN_SUCCESS) {
1735 ret = EINVAL;
1736 }
1737 break;
1738
1739 case PSPA_EXCEPTION:
1740 kr = task_set_exception_ports(task, act->mask, port,
1741 act->behavior, act->flavor);
1742 if (kr != KERN_SUCCESS) {
1743 ret = EINVAL;
1744 }
1745 break;
1746 #if CONFIG_AUDIT
1747 case PSPA_AU_SESSION:
1748 ret = audit_session_spawnjoin(p, task, port);
1749 if (ret) {
1750 /* audit_session_spawnjoin() has already dropped the reference in case of error. */
1751 goto done;
1752 }
1753
1754 break;
1755 #endif
1756 case PSPA_IMP_WATCHPORTS:
1757 if (portwatch_ports != NULL && IPC_PORT_VALID(port)) {
1758 *portwatch_present = TRUE;
1759 /* hold on to this till end of spawn */
1760 portwatch_ports[i] = port;
1761 } else {
1762 ipc_port_release_send(port);
1763 }
1764
1765 break;
1766 default:
1767 ret = EINVAL;
1768 break;
1769 }
1770
1771 if (ret) {
1772 /* action failed, so release port resources */
1773 ipc_port_release_send(port);
1774 break;
1775 }
1776 }
1777
1778 done:
1779 if (0 != ret) {
1780 DTRACE_PROC1(spawn__port__failure, mach_port_name_t, act->new_port);
1781 }
1782 return ret;
1783 }
1784
1785 /*
1786 * exec_handle_file_actions
1787 *
1788 * Description: Go through the _posix_file_actions_t contents applying the
1789 * open, close, and dup2 operations to the open file table for
1790 * the current process.
1791 *
1792 * Parameters: struct image_params * Image parameter block
1793 *
1794 * Returns: 0 Success
1795 * ???
1796 *
1797 * Note: Actions are applied in the order specified, with the credential
1798 * of the parent process. This is done to permit the parent
1799 * process to utilize POSIX_SPAWN_RESETIDS to drop privilege in
1800 * the child following operations the child may in fact not be
1801 * normally permitted to perform.
1802 */
1803 static int
1804 exec_handle_file_actions(struct image_params *imgp, short psa_flags)
1805 {
1806 int error = 0;
1807 int action;
1808 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1809 _posix_spawn_file_actions_t px_sfap = imgp->ip_px_sfa;
1810 int ival[2]; /* dummy retval for system calls) */
1811
1812 for (action = 0; action < px_sfap->psfa_act_count; action++) {
1813 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
1814
1815 switch (psfa->psfaa_type) {
1816 case PSFA_OPEN: {
1817 /*
1818 * Open is different, in that it requires the use of
1819 * a path argument, which is normally copied in from
1820 * user space; because of this, we have to support an
1821 * open from kernel space that passes an address space
1822 * context of UIO_SYSSPACE, and casts the address
1823 * argument to a user_addr_t.
1824 */
1825 char *bufp = NULL;
1826 struct vnode_attr *vap;
1827 struct nameidata *ndp;
1828 int mode = psfa->psfaa_openargs.psfao_mode;
1829 struct dup2_args dup2a;
1830 struct close_nocancel_args ca;
1831 int origfd;
1832
1833 MALLOC(bufp, char *, sizeof(*vap) + sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
1834 if (bufp == NULL) {
1835 error = ENOMEM;
1836 break;
1837 }
1838
1839 vap = (struct vnode_attr *) bufp;
1840 ndp = (struct nameidata *) (bufp + sizeof(*vap));
1841
1842 VATTR_INIT(vap);
1843 /* Mask off all but regular access permissions */
1844 mode = ((mode & ~p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
1845 VATTR_SET(vap, va_mode, mode & ACCESSPERMS);
1846
1847 NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
1848 CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
1849 imgp->ip_vfs_context);
1850
1851 error = open1(imgp->ip_vfs_context,
1852 ndp,
1853 psfa->psfaa_openargs.psfao_oflag,
1854 vap,
1855 fileproc_alloc_init, NULL,
1856 ival);
1857
1858 FREE(bufp, M_TEMP);
1859
1860 /*
1861 * If there's an error, or we get the right fd by
1862 * accident, then drop out here. This is easier than
1863 * reworking all the open code to preallocate fd
1864 * slots, and internally taking one as an argument.
1865 */
1866 if (error || ival[0] == psfa->psfaa_filedes) {
1867 break;
1868 }
1869
1870 origfd = ival[0];
1871 /*
1872 * If we didn't fall out from an error, we ended up
1873 * with the wrong fd; so now we've got to try to dup2
1874 * it to the right one.
1875 */
1876 dup2a.from = origfd;
1877 dup2a.to = psfa->psfaa_filedes;
1878
1879 /*
1880 * The dup2() system call implementation sets
1881 * ival to newfd in the success case, but we
1882 * can ignore that, since if we didn't get the
1883 * fd we wanted, the error will stop us.
1884 */
1885 error = dup2(p, &dup2a, ival);
1886 if (error) {
1887 break;
1888 }
1889
1890 /*
1891 * Finally, close the original fd.
1892 */
1893 ca.fd = origfd;
1894
1895 error = close_nocancel(p, &ca, ival);
1896 }
1897 break;
1898
1899 case PSFA_DUP2: {
1900 struct dup2_args dup2a;
1901
1902 dup2a.from = psfa->psfaa_filedes;
1903 dup2a.to = psfa->psfaa_openargs.psfao_oflag;
1904
1905 /*
1906 * The dup2() system call implementation sets
1907 * ival to newfd in the success case, but we
1908 * can ignore that, since if we didn't get the
1909 * fd we wanted, the error will stop us.
1910 */
1911 error = dup2(p, &dup2a, ival);
1912 }
1913 break;
1914
1915 case PSFA_CLOSE: {
1916 struct close_nocancel_args ca;
1917
1918 ca.fd = psfa->psfaa_filedes;
1919
1920 error = close_nocancel(p, &ca, ival);
1921 }
1922 break;
1923
1924 case PSFA_INHERIT: {
1925 struct fcntl_nocancel_args fcntla;
1926
1927 /*
1928 * Check to see if the descriptor exists, and
1929 * ensure it's -not- marked as close-on-exec.
1930 *
1931 * Attempting to "inherit" a guarded fd will
1932 * result in a error.
1933 */
1934 fcntla.fd = psfa->psfaa_filedes;
1935 fcntla.cmd = F_GETFD;
1936 if ((error = fcntl_nocancel(p, &fcntla, ival)) != 0) {
1937 break;
1938 }
1939
1940 if ((ival[0] & FD_CLOEXEC) == FD_CLOEXEC) {
1941 fcntla.fd = psfa->psfaa_filedes;
1942 fcntla.cmd = F_SETFD;
1943 fcntla.arg = ival[0] & ~FD_CLOEXEC;
1944 error = fcntl_nocancel(p, &fcntla, ival);
1945 }
1946 }
1947 break;
1948
1949 default:
1950 error = EINVAL;
1951 break;
1952 }
1953
1954 /* All file actions failures are considered fatal, per POSIX */
1955
1956 if (error) {
1957 if (PSFA_OPEN == psfa->psfaa_type) {
1958 DTRACE_PROC1(spawn__open__failure, uintptr_t,
1959 psfa->psfaa_openargs.psfao_path);
1960 } else {
1961 DTRACE_PROC1(spawn__fd__failure, int, psfa->psfaa_filedes);
1962 }
1963 break;
1964 }
1965 }
1966
1967 if (error != 0 || (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == 0) {
1968 return error;
1969 }
1970
1971 /*
1972 * If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during
1973 * this spawn only) as if "close on exec" is the default
1974 * disposition of all pre-existing file descriptors. In this case,
1975 * the list of file descriptors mentioned in the file actions
1976 * are the only ones that can be inherited, so mark them now.
1977 *
1978 * The actual closing part comes later, in fdexec().
1979 */
1980 proc_fdlock(p);
1981 for (action = 0; action < px_sfap->psfa_act_count; action++) {
1982 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
1983 int fd = psfa->psfaa_filedes;
1984
1985 switch (psfa->psfaa_type) {
1986 case PSFA_DUP2:
1987 fd = psfa->psfaa_openargs.psfao_oflag;
1988 /*FALLTHROUGH*/
1989 case PSFA_OPEN:
1990 case PSFA_INHERIT:
1991 *fdflags(p, fd) |= UF_INHERIT;
1992 break;
1993
1994 case PSFA_CLOSE:
1995 break;
1996 }
1997 }
1998 proc_fdunlock(p);
1999
2000 return 0;
2001 }
2002
2003 #if CONFIG_MACF
2004 /*
2005 * exec_spawnattr_getmacpolicyinfo
2006 */
2007 void *
2008 exec_spawnattr_getmacpolicyinfo(const void *macextensions, const char *policyname, size_t *lenp)
2009 {
2010 const struct _posix_spawn_mac_policy_extensions *psmx = macextensions;
2011 int i;
2012
2013 if (psmx == NULL) {
2014 return NULL;
2015 }
2016
2017 for (i = 0; i < psmx->psmx_count; i++) {
2018 const _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
2019 if (strncmp(extension->policyname, policyname, sizeof(extension->policyname)) == 0) {
2020 if (lenp != NULL) {
2021 *lenp = extension->datalen;
2022 }
2023 return extension->datap;
2024 }
2025 }
2026
2027 if (lenp != NULL) {
2028 *lenp = 0;
2029 }
2030 return NULL;
2031 }
2032
2033 static int
2034 spawn_copyin_macpolicyinfo(const struct user__posix_spawn_args_desc *px_args, _posix_spawn_mac_policy_extensions_t *psmxp)
2035 {
2036 _posix_spawn_mac_policy_extensions_t psmx = NULL;
2037 int error = 0;
2038 int copycnt = 0;
2039 int i = 0;
2040
2041 *psmxp = NULL;
2042
2043 if (px_args->mac_extensions_size < PS_MAC_EXTENSIONS_SIZE(1) ||
2044 px_args->mac_extensions_size > PAGE_SIZE) {
2045 error = EINVAL;
2046 goto bad;
2047 }
2048
2049 MALLOC(psmx, _posix_spawn_mac_policy_extensions_t, px_args->mac_extensions_size, M_TEMP, M_WAITOK);
2050 if ((error = copyin(px_args->mac_extensions, psmx, px_args->mac_extensions_size)) != 0) {
2051 goto bad;
2052 }
2053
2054 size_t extsize = PS_MAC_EXTENSIONS_SIZE(psmx->psmx_count);
2055 if (extsize == 0 || extsize > px_args->mac_extensions_size) {
2056 error = EINVAL;
2057 goto bad;
2058 }
2059
2060 for (i = 0; i < psmx->psmx_count; i++) {
2061 _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
2062 if (extension->datalen == 0 || extension->datalen > PAGE_SIZE) {
2063 error = EINVAL;
2064 goto bad;
2065 }
2066 }
2067
2068 for (copycnt = 0; copycnt < psmx->psmx_count; copycnt++) {
2069 _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt];
2070 void *data = NULL;
2071
2072 MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK);
2073 if ((error = copyin(extension->data, data, extension->datalen)) != 0) {
2074 FREE(data, M_TEMP);
2075 goto bad;
2076 }
2077 extension->datap = data;
2078 }
2079
2080 *psmxp = psmx;
2081 return 0;
2082
2083 bad:
2084 if (psmx != NULL) {
2085 for (i = 0; i < copycnt; i++) {
2086 FREE(psmx->psmx_extensions[i].datap, M_TEMP);
2087 }
2088 FREE(psmx, M_TEMP);
2089 }
2090 return error;
2091 }
2092
2093 static void
2094 spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx)
2095 {
2096 int i;
2097
2098 if (psmx == NULL) {
2099 return;
2100 }
2101 for (i = 0; i < psmx->psmx_count; i++) {
2102 FREE(psmx->psmx_extensions[i].datap, M_TEMP);
2103 }
2104 FREE(psmx, M_TEMP);
2105 }
2106 #endif /* CONFIG_MACF */
2107
2108 #if CONFIG_COALITIONS
2109 static inline void
2110 spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES])
2111 {
2112 for (int c = 0; c < COALITION_NUM_TYPES; c++) {
2113 if (coal[c]) {
2114 coalition_remove_active(coal[c]);
2115 coalition_release(coal[c]);
2116 }
2117 }
2118 }
2119 #endif
2120
2121 #if CONFIG_PERSONAS
2122 static int
2123 spawn_validate_persona(struct _posix_spawn_persona_info *px_persona)
2124 {
2125 int error = 0;
2126 struct persona *persona = NULL;
2127 int verify = px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_VERIFY;
2128
2129 /*
2130 * TODO: rdar://problem/19981151
2131 * Add entitlement check!
2132 */
2133 if (!kauth_cred_issuser(kauth_cred_get())) {
2134 return EPERM;
2135 }
2136
2137 persona = persona_lookup(px_persona->pspi_id);
2138 if (!persona) {
2139 error = ESRCH;
2140 goto out;
2141 }
2142
2143 if (verify) {
2144 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
2145 if (px_persona->pspi_uid != persona_get_uid(persona)) {
2146 error = EINVAL;
2147 goto out;
2148 }
2149 }
2150 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
2151 if (px_persona->pspi_gid != persona_get_gid(persona)) {
2152 error = EINVAL;
2153 goto out;
2154 }
2155 }
2156 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2157 unsigned ngroups = 0;
2158 gid_t groups[NGROUPS_MAX];
2159
2160 if (persona_get_groups(persona, &ngroups, groups,
2161 px_persona->pspi_ngroups) != 0) {
2162 error = EINVAL;
2163 goto out;
2164 }
2165 if (ngroups != px_persona->pspi_ngroups) {
2166 error = EINVAL;
2167 goto out;
2168 }
2169 while (ngroups--) {
2170 if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
2171 error = EINVAL;
2172 goto out;
2173 }
2174 }
2175 if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
2176 error = EINVAL;
2177 goto out;
2178 }
2179 }
2180 }
2181
2182 out:
2183 if (persona) {
2184 persona_put(persona);
2185 }
2186
2187 return error;
2188 }
2189
2190 static int
2191 spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
2192 {
2193 int ret;
2194 kauth_cred_t cred;
2195 struct persona *persona = NULL;
2196 int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
2197
2198 if (!override) {
2199 return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
2200 }
2201
2202 /*
2203 * we want to spawn into the given persona, but we want to override
2204 * the kauth with a different UID/GID combo
2205 */
2206 persona = persona_lookup(px_persona->pspi_id);
2207 if (!persona) {
2208 return ESRCH;
2209 }
2210
2211 cred = persona_get_cred(persona);
2212 if (!cred) {
2213 ret = EINVAL;
2214 goto out;
2215 }
2216
2217 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
2218 cred = kauth_cred_setresuid(cred,
2219 px_persona->pspi_uid,
2220 px_persona->pspi_uid,
2221 px_persona->pspi_uid,
2222 KAUTH_UID_NONE);
2223 }
2224
2225 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
2226 cred = kauth_cred_setresgid(cred,
2227 px_persona->pspi_gid,
2228 px_persona->pspi_gid,
2229 px_persona->pspi_gid);
2230 }
2231
2232 if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2233 cred = kauth_cred_setgroups(cred,
2234 px_persona->pspi_groups,
2235 px_persona->pspi_ngroups,
2236 px_persona->pspi_gmuid);
2237 }
2238
2239 ret = persona_proc_adopt(p, persona, cred);
2240
2241 out:
2242 persona_put(persona);
2243 return ret;
2244 }
2245 #endif
2246
2247 #if __arm64__
2248 static inline void
2249 proc_legacy_footprint(proc_t p, task_t task, const char *caller)
2250 {
2251 boolean_t legacy_footprint_entitled;
2252
2253 legacy_footprint_entitled = IOTaskHasEntitlement(task,
2254 "com.apple.private.memory.legacy_footprint");
2255 if (legacy_footprint_entitled) {
2256 printf("%s: %d[%s] legacy footprint (entitled)\n",
2257 caller, p->p_pid, p->p_name);
2258 task_set_legacy_footprint(task, TRUE);
2259 }
2260 }
2261 #endif /* __arm64__ */
2262
2263 /*
2264 * posix_spawn
2265 *
2266 * Parameters: uap->pid Pointer to pid return area
2267 * uap->fname File name to exec
2268 * uap->argp Argument list
2269 * uap->envp Environment list
2270 *
2271 * Returns: 0 Success
2272 * EINVAL Invalid argument
2273 * ENOTSUP Not supported
2274 * ENOEXEC Executable file format error
2275 * exec_activate_image:EINVAL Invalid argument
2276 * exec_activate_image:EACCES Permission denied
2277 * exec_activate_image:EINTR Interrupted function
2278 * exec_activate_image:ENOMEM Not enough space
2279 * exec_activate_image:EFAULT Bad address
2280 * exec_activate_image:ENAMETOOLONG Filename too long
2281 * exec_activate_image:ENOEXEC Executable file format error
2282 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
2283 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
2284 * exec_activate_image:???
2285 * mac_execve_enter:???
2286 *
2287 * TODO: Expect to need __mac_posix_spawn() at some point...
2288 * Handle posix_spawnattr_t
2289 * Handle posix_spawn_file_actions_t
2290 */
2291 int
2292 posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
2293 {
2294 proc_t p = ap; /* quiet bogus GCC vfork() warning */
2295 user_addr_t pid = uap->pid;
2296 int ival[2]; /* dummy retval for setpgid() */
2297 char *bufp = NULL;
2298 struct image_params *imgp;
2299 struct vnode_attr *vap;
2300 struct vnode_attr *origvap;
2301 struct uthread *uthread = 0; /* compiler complains if not set to 0*/
2302 int error, sig;
2303 int is_64 = IS_64BIT_PROCESS(p);
2304 struct vfs_context context;
2305 struct user__posix_spawn_args_desc px_args;
2306 struct _posix_spawnattr px_sa;
2307 _posix_spawn_file_actions_t px_sfap = NULL;
2308 _posix_spawn_port_actions_t px_spap = NULL;
2309 struct __kern_sigaction vec;
2310 boolean_t spawn_no_exec = FALSE;
2311 boolean_t proc_transit_set = TRUE;
2312 boolean_t exec_done = FALSE;
2313 int portwatch_count = 0;
2314 ipc_port_t * portwatch_ports = NULL;
2315 vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
2316 task_t old_task = current_task();
2317 task_t new_task = NULL;
2318 boolean_t should_release_proc_ref = FALSE;
2319 void *inherit = NULL;
2320 #if CONFIG_PERSONAS
2321 struct _posix_spawn_persona_info *px_persona = NULL;
2322 #endif
2323
2324 /*
2325 * Allocate a big chunk for locals instead of using stack since these
2326 * structures are pretty big.
2327 */
2328 MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
2329 imgp = (struct image_params *) bufp;
2330 if (bufp == NULL) {
2331 error = ENOMEM;
2332 goto bad;
2333 }
2334 vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
2335 origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
2336
2337 /* Initialize the common data in the image_params structure */
2338 imgp->ip_user_fname = uap->path;
2339 imgp->ip_user_argv = uap->argv;
2340 imgp->ip_user_envv = uap->envp;
2341 imgp->ip_vattr = vap;
2342 imgp->ip_origvattr = origvap;
2343 imgp->ip_vfs_context = &context;
2344 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE);
2345 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
2346 imgp->ip_mac_return = 0;
2347 imgp->ip_px_persona = NULL;
2348 imgp->ip_cs_error = OS_REASON_NULL;
2349
2350 if (uap->adesc != USER_ADDR_NULL) {
2351 if (is_64) {
2352 error = copyin(uap->adesc, &px_args, sizeof(px_args));
2353 } else {
2354 struct user32__posix_spawn_args_desc px_args32;
2355
2356 error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
2357
2358 /*
2359 * Convert arguments descriptor from external 32 bit
2360 * representation to internal 64 bit representation
2361 */
2362 px_args.attr_size = px_args32.attr_size;
2363 px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
2364 px_args.file_actions_size = px_args32.file_actions_size;
2365 px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
2366 px_args.port_actions_size = px_args32.port_actions_size;
2367 px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
2368 px_args.mac_extensions_size = px_args32.mac_extensions_size;
2369 px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
2370 px_args.coal_info_size = px_args32.coal_info_size;
2371 px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
2372 px_args.persona_info_size = px_args32.persona_info_size;
2373 px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
2374 }
2375 if (error) {
2376 goto bad;
2377 }
2378
2379 if (px_args.attr_size != 0) {
2380 /*
2381 * We are not copying the port_actions pointer,
2382 * because we already have it from px_args.
2383 * This is a bit fragile: <rdar://problem/16427422>
2384 */
2385
2386 if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset)) != 0) {
2387 goto bad;
2388 }
2389
2390 bzero((void *)((unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );
2391
2392 imgp->ip_px_sa = &px_sa;
2393 }
2394 if (px_args.file_actions_size != 0) {
2395 /* Limit file_actions to allowed number of open files */
2396 int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
2397 size_t maxfa_size = PSF_ACTIONS_SIZE(maxfa);
2398 if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
2399 maxfa_size == 0 || px_args.file_actions_size > maxfa_size) {
2400 error = EINVAL;
2401 goto bad;
2402 }
2403 MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
2404 if (px_sfap == NULL) {
2405 error = ENOMEM;
2406 goto bad;
2407 }
2408 imgp->ip_px_sfa = px_sfap;
2409
2410 if ((error = copyin(px_args.file_actions, px_sfap,
2411 px_args.file_actions_size)) != 0) {
2412 goto bad;
2413 }
2414
2415 /* Verify that the action count matches the struct size */
2416 size_t psfsize = PSF_ACTIONS_SIZE(px_sfap->psfa_act_count);
2417 if (psfsize == 0 || psfsize != px_args.file_actions_size) {
2418 error = EINVAL;
2419 goto bad;
2420 }
2421 }
2422 if (px_args.port_actions_size != 0) {
2423 /* Limit port_actions to one page of data */
2424 if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
2425 px_args.port_actions_size > PAGE_SIZE) {
2426 error = EINVAL;
2427 goto bad;
2428 }
2429
2430 MALLOC(px_spap, _posix_spawn_port_actions_t,
2431 px_args.port_actions_size, M_TEMP, M_WAITOK);
2432 if (px_spap == NULL) {
2433 error = ENOMEM;
2434 goto bad;
2435 }
2436 imgp->ip_px_spa = px_spap;
2437
2438 if ((error = copyin(px_args.port_actions, px_spap,
2439 px_args.port_actions_size)) != 0) {
2440 goto bad;
2441 }
2442
2443 /* Verify that the action count matches the struct size */
2444 size_t pasize = PS_PORT_ACTIONS_SIZE(px_spap->pspa_count);
2445 if (pasize == 0 || pasize != px_args.port_actions_size) {
2446 error = EINVAL;
2447 goto bad;
2448 }
2449 }
2450 #if CONFIG_PERSONAS
2451 /* copy in the persona info */
2452 if (px_args.persona_info_size != 0 && px_args.persona_info != 0) {
2453 /* for now, we need the exact same struct in user space */
2454 if (px_args.persona_info_size != sizeof(*px_persona)) {
2455 error = ERANGE;
2456 goto bad;
2457 }
2458
2459 MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK | M_ZERO);
2460 if (px_persona == NULL) {
2461 error = ENOMEM;
2462 goto bad;
2463 }
2464 imgp->ip_px_persona = px_persona;
2465
2466 if ((error = copyin(px_args.persona_info, px_persona,
2467 px_args.persona_info_size)) != 0) {
2468 goto bad;
2469 }
2470 if ((error = spawn_validate_persona(px_persona)) != 0) {
2471 goto bad;
2472 }
2473 }
2474 #endif
2475 #if CONFIG_MACF
2476 if (px_args.mac_extensions_size != 0) {
2477 if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0) {
2478 goto bad;
2479 }
2480 }
2481 #endif /* CONFIG_MACF */
2482 }
2483
2484 /* set uthread to parent */
2485 uthread = get_bsdthread_info(current_thread());
2486
2487 /*
2488 * <rdar://6640530>; this does not result in a behaviour change
2489 * relative to Leopard, so there should not be any existing code
2490 * which depends on it.
2491 */
2492 if (uthread->uu_flag & UT_VFORK) {
2493 error = EINVAL;
2494 goto bad;
2495 }
2496
2497 /*
2498 * If we don't have the extension flag that turns "posix_spawn()"
2499 * into "execve() with options", then we will be creating a new
2500 * process which does not inherit memory from the parent process,
2501 * which is one of the most expensive things about using fork()
2502 * and execve().
2503 */
2504 if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)) {
2505 /* Set the new task's coalition, if it is requested. */
2506 coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
2507 #if CONFIG_COALITIONS
2508 int i, ncoals;
2509 kern_return_t kr = KERN_SUCCESS;
2510 struct _posix_spawn_coalition_info coal_info;
2511 int coal_role[COALITION_NUM_TYPES];
2512
2513 if (imgp->ip_px_sa == NULL || !px_args.coal_info) {
2514 goto do_fork1;
2515 }
2516
2517 memset(&coal_info, 0, sizeof(coal_info));
2518
2519 if (px_args.coal_info_size > sizeof(coal_info)) {
2520 px_args.coal_info_size = sizeof(coal_info);
2521 }
2522 error = copyin(px_args.coal_info,
2523 &coal_info, px_args.coal_info_size);
2524 if (error != 0) {
2525 goto bad;
2526 }
2527
2528 ncoals = 0;
2529 for (i = 0; i < COALITION_NUM_TYPES; i++) {
2530 uint64_t cid = coal_info.psci_info[i].psci_id;
2531 if (cid != 0) {
2532 /*
2533 * don't allow tasks which are not in a
2534 * privileged coalition to spawn processes
2535 * into coalitions other than their own
2536 */
2537 if (!task_is_in_privileged_coalition(p->task, i)) {
2538 coal_dbg("ERROR: %d not in privilegd "
2539 "coalition of type %d",
2540 p->p_pid, i);
2541 spawn_coalitions_release_all(coal);
2542 error = EPERM;
2543 goto bad;
2544 }
2545
2546 coal_dbg("searching for coalition id:%llu", cid);
2547 /*
2548 * take a reference and activation on the
2549 * coalition to guard against free-while-spawn
2550 * races
2551 */
2552 coal[i] = coalition_find_and_activate_by_id(cid);
2553 if (coal[i] == COALITION_NULL) {
2554 coal_dbg("could not find coalition id:%llu "
2555 "(perhaps it has been terminated or reaped)", cid);
2556 /*
2557 * release any other coalition's we
2558 * may have a reference to
2559 */
2560 spawn_coalitions_release_all(coal);
2561 error = ESRCH;
2562 goto bad;
2563 }
2564 if (coalition_type(coal[i]) != i) {
2565 coal_dbg("coalition with id:%lld is not of type:%d"
2566 " (it's type:%d)", cid, i, coalition_type(coal[i]));
2567 error = ESRCH;
2568 goto bad;
2569 }
2570 coal_role[i] = coal_info.psci_info[i].psci_role;
2571 ncoals++;
2572 }
2573 }
2574 if (ncoals < COALITION_NUM_TYPES) {
2575 /*
2576 * If the user is attempting to spawn into a subset of
2577 * the known coalition types, then make sure they have
2578 * _at_least_ specified a resource coalition. If not,
2579 * the following fork1() call will implicitly force an
2580 * inheritance from 'p' and won't actually spawn the
2581 * new task into the coalitions the user specified.
2582 * (also the call to coalitions_set_roles will panic)
2583 */
2584 if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) {
2585 spawn_coalitions_release_all(coal);
2586 error = EINVAL;
2587 goto bad;
2588 }
2589 }
2590 do_fork1:
2591 #endif /* CONFIG_COALITIONS */
2592
2593 /*
2594 * note that this will implicitly inherit the
2595 * caller's persona (if it exists)
2596 */
2597 error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
2598 /* returns a thread and task reference */
2599
2600 if (error == 0) {
2601 new_task = get_threadtask(imgp->ip_new_thread);
2602 }
2603 #if CONFIG_COALITIONS
2604 /* set the roles of this task within each given coalition */
2605 if (error == 0) {
2606 kr = coalitions_set_roles(coal, new_task, coal_role);
2607 if (kr != KERN_SUCCESS) {
2608 error = EINVAL;
2609 }
2610 if (kdebug_debugid_enabled(MACHDBG_CODE(DBG_MACH_COALITION,
2611 MACH_COALITION_ADOPT))) {
2612 for (i = 0; i < COALITION_NUM_TYPES; i++) {
2613 if (coal[i] != COALITION_NULL) {
2614 /*
2615 * On 32-bit targets, uniqueid
2616 * will get truncated to 32 bits
2617 */
2618 KDBG_RELEASE(MACHDBG_CODE(
2619 DBG_MACH_COALITION,
2620 MACH_COALITION_ADOPT),
2621 coalition_id(coal[i]),
2622 get_task_uniqueid(new_task));
2623 }
2624 }
2625 }
2626 }
2627
2628 /* drop our references and activations - fork1() now holds them */
2629 spawn_coalitions_release_all(coal);
2630 #endif /* CONFIG_COALITIONS */
2631 if (error != 0) {
2632 goto bad;
2633 }
2634 imgp->ip_flags |= IMGPF_SPAWN; /* spawn w/o exec */
2635 spawn_no_exec = TRUE; /* used in later tests */
2636
2637 #if CONFIG_PERSONAS
2638 /*
2639 * If the parent isn't in a persona (launchd), and
2640 * hasn't specified a new persona for the process,
2641 * then we'll put the process into the system persona
2642 *
2643 * TODO: this will have to be re-worked because as of
2644 * now, without any launchd adoption, the resulting
2645 * xpcproxy process will not have sufficient
2646 * privileges to setuid/gid.
2647 */
2648 #if 0
2649 if (!proc_has_persona(p) && imgp->ip_px_persona == NULL) {
2650 MALLOC(px_persona, struct _posix_spawn_persona_info *,
2651 sizeof(*px_persona), M_TEMP, M_WAITOK | M_ZERO);
2652 if (px_persona == NULL) {
2653 error = ENOMEM;
2654 goto bad;
2655 }
2656 px_persona->pspi_id = persona_get_id(g_system_persona);
2657 imgp->ip_px_persona = px_persona;
2658 }
2659 #endif /* 0 */
2660 #endif /* CONFIG_PERSONAS */
2661 } else {
2662 /*
2663 * For execve case, create a new task and thread
2664 * which points to current_proc. The current_proc will point
2665 * to the new task after image activation and proc ref drain.
2666 *
2667 * proc (current_proc) <----- old_task (current_task)
2668 * ^ | ^
2669 * | | |
2670 * | ----------------------------------
2671 * |
2672 * --------- new_task (task marked as TF_EXEC_COPY)
2673 *
2674 * After image activation, the proc will point to the new task
2675 * and would look like following.
2676 *
2677 * proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
2678 * ^ |
2679 * | |
2680 * | ----------> new_task
2681 * | |
2682 * -----------------
2683 *
2684 * During exec any transition from new_task -> proc is fine, but don't allow
2685 * transition from proc->task, since it will modify old_task.
2686 */
2687 imgp->ip_new_thread = fork_create_child(old_task,
2688 NULL,
2689 p,
2690 FALSE,
2691 p->p_flag & P_LP64,
2692 task_get_64bit_data(old_task),
2693 TRUE);
2694 /* task and thread ref returned by fork_create_child */
2695 if (imgp->ip_new_thread == NULL) {
2696 error = ENOMEM;
2697 goto bad;
2698 }
2699
2700 new_task = get_threadtask(imgp->ip_new_thread);
2701 imgp->ip_flags |= IMGPF_EXEC;
2702 }
2703
2704 if (spawn_no_exec) {
2705 p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
2706
2707 /*
2708 * We had to wait until this point before firing the
2709 * proc:::create probe, otherwise p would not point to the
2710 * child process.
2711 */
2712 DTRACE_PROC1(create, proc_t, p);
2713 }
2714 assert(p != NULL);
2715
2716 context.vc_thread = imgp->ip_new_thread;
2717 context.vc_ucred = p->p_ucred; /* XXX must NOT be kauth_cred_get() */
2718
2719 /*
2720 * Post fdcopy(), pre exec_handle_sugid() - this is where we want
2721 * to handle the file_actions. Since vfork() also ends up setting
2722 * us into the parent process group, and saved off the signal flags,
2723 * this is also where we want to handle the spawn flags.
2724 */
2725
2726 /* Has spawn file actions? */
2727 if (imgp->ip_px_sfa != NULL) {
2728 /*
2729 * The POSIX_SPAWN_CLOEXEC_DEFAULT flag
2730 * is handled in exec_handle_file_actions().
2731 */
2732 if ((error = exec_handle_file_actions(imgp,
2733 imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0)) != 0) {
2734 goto bad;
2735 }
2736 }
2737
2738 /* Has spawn port actions? */
2739 if (imgp->ip_px_spa != NULL) {
2740 boolean_t is_adaptive = FALSE;
2741 boolean_t portwatch_present = FALSE;
2742
2743 /* Will this process become adaptive? The apptype isn't ready yet, so we can't look there. */
2744 if (imgp->ip_px_sa != NULL && px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE) {
2745 is_adaptive = TRUE;
2746 }
2747
2748 /*
2749 * portwatch only:
2750 * Allocate a place to store the ports we want to bind to the new task
2751 * We can't bind them until after the apptype is set.
2752 */
2753 if (px_spap->pspa_count != 0 && is_adaptive) {
2754 portwatch_count = px_spap->pspa_count;
2755 MALLOC(portwatch_ports, ipc_port_t *, (sizeof(ipc_port_t) * portwatch_count), M_TEMP, M_WAITOK | M_ZERO);
2756 } else {
2757 portwatch_ports = NULL;
2758 }
2759
2760 if ((error = exec_handle_port_actions(imgp, &portwatch_present, portwatch_ports)) != 0) {
2761 goto bad;
2762 }
2763
2764 if (portwatch_present == FALSE && portwatch_ports != NULL) {
2765 FREE(portwatch_ports, M_TEMP);
2766 portwatch_ports = NULL;
2767 portwatch_count = 0;
2768 }
2769 }
2770
2771 /* Has spawn attr? */
2772 if (imgp->ip_px_sa != NULL) {
2773 /*
2774 * Set the process group ID of the child process; this has
2775 * to happen before the image activation.
2776 */
2777 if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
2778 struct setpgid_args spga;
2779 spga.pid = p->p_pid;
2780 spga.pgid = px_sa.psa_pgroup;
2781 /*
2782 * Effectively, call setpgid() system call; works
2783 * because there are no pointer arguments.
2784 */
2785 if ((error = setpgid(p, &spga, ival)) != 0) {
2786 goto bad;
2787 }
2788 }
2789
2790 /*
2791 * Reset UID/GID to parent's RUID/RGID; This works only
2792 * because the operation occurs *after* the vfork() and
2793 * before the call to exec_handle_sugid() by the image
2794 * activator called from exec_activate_image(). POSIX
2795 * requires that any setuid/setgid bits on the process
2796 * image will take precedence over the spawn attributes
2797 * (re)setting them.
2798 *
2799 * Modifications to p_ucred must be guarded using the
2800 * proc's ucred lock. This prevents others from accessing
2801 * a garbage credential.
2802 */
2803 while (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
2804 kauth_cred_t my_cred = kauth_cred_proc_ref(p);
2805 kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
2806
2807 if (my_cred == my_new_cred) {
2808 kauth_cred_unref(&my_cred);
2809 break;
2810 }
2811
2812 /* update cred on proc */
2813 proc_ucred_lock(p);
2814
2815 if (p->p_ucred != my_cred) {
2816 proc_ucred_unlock(p);
2817 kauth_cred_unref(&my_new_cred);
2818 continue;
2819 }
2820
2821 /* donate cred reference on my_new_cred to p->p_ucred */
2822 p->p_ucred = my_new_cred;
2823 PROC_UPDATE_CREDS_ONPROC(p);
2824 proc_ucred_unlock(p);
2825
2826 /* drop additional reference that was taken on the previous cred */
2827 kauth_cred_unref(&my_cred);
2828 }
2829
2830 #if CONFIG_PERSONAS
2831 if (spawn_no_exec && imgp->ip_px_persona != NULL) {
2832 /*
2833 * If we were asked to spawn a process into a new persona,
2834 * do the credential switch now (which may override the UID/GID
2835 * inherit done just above). It's important to do this switch
2836 * before image activation both for reasons stated above, and
2837 * to ensure that the new persona has access to the image/file
2838 * being executed.
2839 */
2840 error = spawn_persona_adopt(p, imgp->ip_px_persona);
2841 if (error != 0) {
2842 goto bad;
2843 }
2844 }
2845 #endif /* CONFIG_PERSONAS */
2846 #if !SECURE_KERNEL
2847 /*
2848 * Disable ASLR for the spawned process.
2849 *
2850 * But only do so if we are not embedded + RELEASE.
2851 * While embedded allows for a boot-arg (-disable_aslr)
2852 * to deal with this (which itself is only honored on
2853 * DEVELOPMENT or DEBUG builds of xnu), it is often
2854 * useful or necessary to disable ASLR on a per-process
2855 * basis for unit testing and debugging.
2856 */
2857 if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR) {
2858 OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
2859 }
2860 #endif /* !SECURE_KERNEL */
2861
2862 /* Randomize high bits of ASLR slide */
2863 if (px_sa.psa_flags & _POSIX_SPAWN_HIGH_BITS_ASLR) {
2864 imgp->ip_flags |= IMGPF_HIGH_BITS_ASLR;
2865 }
2866
2867 /*
2868 * Forcibly disallow execution from data pages for the spawned process
2869 * even if it would otherwise be permitted by the architecture default.
2870 */
2871 if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC) {
2872 imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;
2873 }
2874 }
2875
2876 /*
2877 * Disable ASLR during image activation. This occurs either if the
2878 * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
2879 * P_DISABLE_ASLR was inherited from the parent process.
2880 */
2881 if (p->p_flag & P_DISABLE_ASLR) {
2882 imgp->ip_flags |= IMGPF_DISABLE_ASLR;
2883 }
2884
2885 /*
2886 * Clear transition flag so we won't hang if exec_activate_image() causes
2887 * an automount (and launchd does a proc sysctl to service it).
2888 *
2889 * <rdar://problem/6848672>, <rdar://problem/5959568>.
2890 */
2891 if (spawn_no_exec) {
2892 proc_transend(p, 0);
2893 proc_transit_set = 0;
2894 }
2895
2896 #if MAC_SPAWN /* XXX */
2897 if (uap->mac_p != USER_ADDR_NULL) {
2898 error = mac_execve_enter(uap->mac_p, imgp);
2899 if (error) {
2900 goto bad;
2901 }
2902 }
2903 #endif
2904
2905 /*
2906 * Activate the image
2907 */
2908 error = exec_activate_image(imgp);
2909
2910 if (error == 0 && !spawn_no_exec) {
2911 p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
2912 /* proc ref returned */
2913 should_release_proc_ref = TRUE;
2914
2915 /*
2916 * Need to transfer pending watch port boosts to the new task while still making
2917 * sure that the old task remains in the importance linkage. Create an importance
2918 * linkage from old task to new task, then switch the task importance base
2919 * of old task and new task. After the switch the port watch boost will be
2920 * boosting the new task and new task will be donating importance to old task.
2921 */
2922 inherit = ipc_importance_exec_switch_task(old_task, new_task);
2923 }
2924
2925 if (error == 0) {
2926 /* process completed the exec */
2927 exec_done = TRUE;
2928 } else if (error == -1) {
2929 /* Image not claimed by any activator? */
2930 error = ENOEXEC;
2931 }
2932
2933 /*
2934 * If we have a spawn attr, and it contains signal related flags,
2935 * the we need to process them in the "context" of the new child
2936 * process, so we have to process it following image activation,
2937 * prior to making the thread runnable in user space. This is
2938 * necessitated by some signal information being per-thread rather
2939 * than per-process, and we don't have the new allocation in hand
2940 * until after the image is activated.
2941 */
2942 if (!error && imgp->ip_px_sa != NULL) {
2943 thread_t child_thread = imgp->ip_new_thread;
2944 uthread_t child_uthread = get_bsdthread_info(child_thread);
2945
2946 /*
2947 * Mask a list of signals, instead of them being unmasked, if
2948 * they were unmasked in the parent; note that some signals
2949 * are not maskable.
2950 */
2951 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK) {
2952 child_uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
2953 }
2954 /*
2955 * Default a list of signals instead of ignoring them, if
2956 * they were ignored in the parent. Note that we pass
2957 * spawn_no_exec to setsigvec() to indicate that we called
2958 * fork1() and therefore do not need to call proc_signalstart()
2959 * internally.
2960 */
2961 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
2962 vec.sa_handler = SIG_DFL;
2963 vec.sa_tramp = 0;
2964 vec.sa_mask = 0;
2965 vec.sa_flags = 0;
2966 for (sig = 1; sig < NSIG; sig++) {
2967 if (px_sa.psa_sigdefault & (1 << (sig - 1))) {
2968 error = setsigvec(p, child_thread, sig, &vec, spawn_no_exec);
2969 }
2970 }
2971 }
2972
2973 /*
2974 * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
2975 * usage limit, which will generate a resource exceeded exception if any one thread exceeds the
2976 * limit.
2977 *
2978 * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
2979 */
2980 if (px_sa.psa_cpumonitor_percent != 0) {
2981 /*
2982 * Always treat a CPU monitor activation coming from spawn as entitled. Requiring
2983 * an entitlement to configure the monitor a certain way seems silly, since
2984 * whomever is turning it on could just as easily choose not to do so.
2985 */
2986 error = proc_set_task_ruse_cpu(p->task,
2987 TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
2988 px_sa.psa_cpumonitor_percent,
2989 px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
2990 0, TRUE);
2991 }
2992 }
2993
2994 bad:
2995
2996 if (error == 0) {
2997 /* reset delay idle sleep status if set */
2998 #if !CONFIG_EMBEDDED
2999 if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP) {
3000 OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
3001 }
3002 #endif /* !CONFIG_EMBEDDED */
3003 /* upon successful spawn, re/set the proc control state */
3004 if (imgp->ip_px_sa != NULL) {
3005 switch (px_sa.psa_pcontrol) {
3006 case POSIX_SPAWN_PCONTROL_THROTTLE:
3007 p->p_pcaction = P_PCTHROTTLE;
3008 break;
3009 case POSIX_SPAWN_PCONTROL_SUSPEND:
3010 p->p_pcaction = P_PCSUSP;
3011 break;
3012 case POSIX_SPAWN_PCONTROL_KILL:
3013 p->p_pcaction = P_PCKILL;
3014 break;
3015 case POSIX_SPAWN_PCONTROL_NONE:
3016 default:
3017 p->p_pcaction = 0;
3018 break;
3019 }
3020 ;
3021 }
3022 exec_resettextvp(p, imgp);
3023
3024 #if CONFIG_MEMORYSTATUS
3025 /* Has jetsam attributes? */
3026 if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
3027 /*
3028 * With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no
3029 * longer relevant, as background limits are described via the inactive limit slots.
3030 *
3031 * That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in,
3032 * we attempt to mimic previous behavior by forcing the BG limit data into the
3033 * inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode.
3034 */
3035 if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) {
3036 memorystatus_update(p, px_sa.psa_priority, 0,
3037 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
3038 TRUE,
3039 -1, TRUE,
3040 px_sa.psa_memlimit_inactive, FALSE);
3041 } else {
3042 memorystatus_update(p, px_sa.psa_priority, 0,
3043 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
3044 TRUE,
3045 px_sa.psa_memlimit_active,
3046 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL),
3047 px_sa.psa_memlimit_inactive,
3048 (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL));
3049 }
3050 }
3051 #endif /* CONFIG_MEMORYSTATUS */
3052 if (imgp->ip_px_sa != NULL && px_sa.psa_thread_limit > 0) {
3053 task_set_thread_limit(new_task, (uint16_t)px_sa.psa_thread_limit);
3054 }
3055 }
3056
3057 /*
3058 * If we successfully called fork1(), we always need to do this;
3059 * we identify this case by noting the IMGPF_SPAWN flag. This is
3060 * because we come back from that call with signals blocked in the
3061 * child, and we have to unblock them, but we want to wait until
3062 * after we've performed any spawn actions. This has to happen
3063 * before check_for_signature(), which uses psignal.
3064 */
3065 if (spawn_no_exec) {
3066 if (proc_transit_set) {
3067 proc_transend(p, 0);
3068 }
3069
3070 /*
3071 * Drop the signal lock on the child which was taken on our
3072 * behalf by forkproc()/cloneproc() to prevent signals being
3073 * received by the child in a partially constructed state.
3074 */
3075 proc_signalend(p, 0);
3076
3077 /* flag the 'fork' has occurred */
3078 proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
3079 }
3080
3081 /* flag exec has occurred, notify only if it has not failed due to FP Key error */
3082 if (!error && ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)) {
3083 proc_knote(p, NOTE_EXEC);
3084 }
3085
3086
3087 if (error == 0) {
3088 /*
3089 * We need to initialize the bank context behind the protection of
3090 * the proc_trans lock to prevent a race with exit. We can't do this during
3091 * exec_activate_image because task_bank_init checks entitlements that
3092 * aren't loaded until subsequent calls (including exec_resettextvp).
3093 */
3094 error = proc_transstart(p, 0, 0);
3095
3096 if (error == 0) {
3097 task_bank_init(new_task);
3098 proc_transend(p, 0);
3099 }
3100
3101 #if __arm64__
3102 proc_legacy_footprint(p, new_task, __FUNCTION__);
3103 #endif /* __arm64__ */
3104 }
3105
3106 /* Inherit task role from old task to new task for exec */
3107 if (error == 0 && !spawn_no_exec) {
3108 proc_inherit_task_role(new_task, old_task);
3109 }
3110
3111 /*
3112 * Apply the spawnattr policy, apptype (which primes the task for importance donation),
3113 * and bind any portwatch ports to the new task.
3114 * This must be done after the exec so that the child's thread is ready,
3115 * and after the in transit state has been released, because priority is
3116 * dropped here so we need to be prepared for a potentially long preemption interval
3117 *
3118 * TODO: Consider splitting this up into separate phases
3119 */
3120 if (error == 0 && imgp->ip_px_sa != NULL) {
3121 struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
3122
3123 exec_handle_spawnattr_policy(p, psa->psa_apptype, psa->psa_qos_clamp, psa->psa_darwin_role,
3124 portwatch_ports, portwatch_count);
3125 }
3126
3127 /*
3128 * Apply the requested maximum address.
3129 */
3130 if (error == 0 && imgp->ip_px_sa != NULL) {
3131 struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
3132
3133 if (psa->psa_max_addr) {
3134 vm_map_set_max_addr(get_task_map(new_task), psa->psa_max_addr);
3135 }
3136 }
3137
3138 if (error == 0) {
3139 /* Apply the main thread qos */
3140 thread_t main_thread = imgp->ip_new_thread;
3141 task_set_main_thread_qos(new_task, main_thread);
3142
3143 #if CONFIG_MACF
3144 /*
3145 * Processes with the MAP_JIT entitlement are permitted to have
3146 * a jumbo-size map.
3147 */
3148 if (mac_proc_check_map_anon(p, 0, 0, 0, MAP_JIT, NULL) == 0) {
3149 vm_map_set_jumbo(get_task_map(new_task));
3150 }
3151 #endif /* CONFIG_MACF */
3152 }
3153
3154 /*
3155 * Release any ports we kept around for binding to the new task
3156 * We need to release the rights even if the posix_spawn has failed.
3157 */
3158 if (portwatch_ports != NULL) {
3159 for (int i = 0; i < portwatch_count; i++) {
3160 ipc_port_t port = NULL;
3161 if ((port = portwatch_ports[i]) != NULL) {
3162 ipc_port_release_send(port);
3163 }
3164 }
3165 FREE(portwatch_ports, M_TEMP);
3166 portwatch_ports = NULL;
3167 portwatch_count = 0;
3168 }
3169
3170 /*
3171 * We have to delay operations which might throw a signal until after
3172 * the signals have been unblocked; however, we want that to happen
3173 * after exec_resettextvp() so that the textvp is correct when they
3174 * fire.
3175 */
3176 if (error == 0) {
3177 error = check_for_signature(p, imgp);
3178
3179 /*
3180 * Pay for our earlier safety; deliver the delayed signals from
3181 * the incomplete spawn process now that it's complete.
3182 */
3183 if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
3184 psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
3185 }
3186
3187 if (error == 0 && !spawn_no_exec) {
3188 KDBG(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXEC),
3189 p->p_pid);
3190 }
3191 }
3192
3193
3194 if (imgp != NULL) {
3195 if (imgp->ip_vp) {
3196 vnode_put(imgp->ip_vp);
3197 }
3198 if (imgp->ip_scriptvp) {
3199 vnode_put(imgp->ip_scriptvp);
3200 }
3201 if (imgp->ip_strings) {
3202 execargs_free(imgp);
3203 }
3204 if (imgp->ip_px_sfa != NULL) {
3205 FREE(imgp->ip_px_sfa, M_TEMP);
3206 }
3207 if (imgp->ip_px_spa != NULL) {
3208 FREE(imgp->ip_px_spa, M_TEMP);
3209 }
3210 #if CONFIG_PERSONAS
3211 if (imgp->ip_px_persona != NULL) {
3212 FREE(imgp->ip_px_persona, M_TEMP);
3213 }
3214 #endif
3215 #if CONFIG_MACF
3216 if (imgp->ip_px_smpx != NULL) {
3217 spawn_free_macpolicyinfo(imgp->ip_px_smpx);
3218 }
3219 if (imgp->ip_execlabelp) {
3220 mac_cred_label_free(imgp->ip_execlabelp);
3221 }
3222 if (imgp->ip_scriptlabelp) {
3223 mac_vnode_label_free(imgp->ip_scriptlabelp);
3224 }
3225 if (imgp->ip_cs_error != OS_REASON_NULL) {
3226 os_reason_free(imgp->ip_cs_error);
3227 imgp->ip_cs_error = OS_REASON_NULL;
3228 }
3229 #endif
3230 }
3231
3232 #if CONFIG_DTRACE
3233 if (spawn_no_exec) {
3234 /*
3235 * In the original DTrace reference implementation,
3236 * posix_spawn() was a libc routine that just
3237 * did vfork(2) then exec(2). Thus the proc::: probes
3238 * are very fork/exec oriented. The details of this
3239 * in-kernel implementation of posix_spawn() is different
3240 * (while producing the same process-observable effects)
3241 * particularly w.r.t. errors, and which thread/process
3242 * is constructing what on behalf of whom.
3243 */
3244 if (error) {
3245 DTRACE_PROC1(spawn__failure, int, error);
3246 } else {
3247 DTRACE_PROC(spawn__success);
3248 /*
3249 * Some DTrace scripts, e.g. newproc.d in
3250 * /usr/bin, rely on the the 'exec-success'
3251 * probe being fired in the child after the
3252 * new process image has been constructed
3253 * in order to determine the associated pid.
3254 *
3255 * So, even though the parent built the image
3256 * here, for compatibility, mark the new thread
3257 * so 'exec-success' fires on it as it leaves
3258 * the kernel.
3259 */
3260 dtrace_thread_didexec(imgp->ip_new_thread);
3261 }
3262 } else {
3263 if (error) {
3264 DTRACE_PROC1(exec__failure, int, error);
3265 } else {
3266 dtrace_thread_didexec(imgp->ip_new_thread);
3267 }
3268 }
3269
3270 if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) {
3271 (*dtrace_proc_waitfor_hook)(p);
3272 }
3273 #endif
3274
3275 #if CONFIG_AUDIT
3276 if (!error && AUDIT_ENABLED() && p) {
3277 /* Add the CDHash of the new process to the audit record */
3278 uint8_t *cdhash = cs_get_cdhash(p);
3279 if (cdhash) {
3280 AUDIT_ARG(data, cdhash, sizeof(uint8_t), CS_CDHASH_LEN);
3281 }
3282 }
3283 #endif
3284
3285 /*
3286 * clear bsd_info from old task if it did exec.
3287 */
3288 if (task_did_exec(old_task)) {
3289 set_bsdtask_info(old_task, NULL);
3290 }
3291
3292 /* clear bsd_info from new task and terminate it if exec failed */
3293 if (new_task != NULL && task_is_exec_copy(new_task)) {
3294 set_bsdtask_info(new_task, NULL);
3295 task_terminate_internal(new_task);
3296 }
3297
3298 /* Return to both the parent and the child? */
3299 if (imgp != NULL && spawn_no_exec) {
3300 /*
3301 * If the parent wants the pid, copy it out
3302 */
3303 if (pid != USER_ADDR_NULL) {
3304 (void)suword(pid, p->p_pid);
3305 }
3306 retval[0] = error;
3307
3308 /*
3309 * If we had an error, perform an internal reap ; this is
3310 * entirely safe, as we have a real process backing us.
3311 */
3312 if (error) {
3313 proc_list_lock();
3314 p->p_listflag |= P_LIST_DEADPARENT;
3315 proc_list_unlock();
3316 proc_lock(p);
3317 /* make sure no one else has killed it off... */
3318 if (p->p_stat != SZOMB && p->exit_thread == NULL) {
3319 p->exit_thread = current_thread();
3320 proc_unlock(p);
3321 exit1(p, 1, (int *)NULL);
3322 } else {
3323 /* someone is doing it for us; just skip it */
3324 proc_unlock(p);
3325 }
3326 }
3327 }
3328
3329 /*
3330 * Do not terminate the current task, if proc_exec_switch_task did not
3331 * switch the tasks, terminating the current task without the switch would
3332 * result in loosing the SIGKILL status.
3333 */
3334 if (task_did_exec(old_task)) {
3335 /* Terminate the current task, since exec will start in new task */
3336 task_terminate_internal(old_task);
3337 }
3338
3339 /* Release the thread ref returned by fork_create_child/fork1 */
3340 if (imgp != NULL && imgp->ip_new_thread) {
3341 /* wake up the new thread */
3342 task_clear_return_wait(get_threadtask(imgp->ip_new_thread));
3343 thread_deallocate(imgp->ip_new_thread);
3344 imgp->ip_new_thread = NULL;
3345 }
3346
3347 /* Release the ref returned by fork_create_child/fork1 */
3348 if (new_task) {
3349 task_deallocate(new_task);
3350 new_task = NULL;
3351 }
3352
3353 if (should_release_proc_ref) {
3354 proc_rele(p);
3355 }
3356
3357 if (bufp != NULL) {
3358 FREE(bufp, M_TEMP);
3359 }
3360
3361 if (inherit != NULL) {
3362 ipc_importance_release(inherit);
3363 }
3364
3365 return error;
3366 }
3367
3368 /*
3369 * proc_exec_switch_task
3370 *
3371 * Parameters: p proc
3372 * old_task task before exec
3373 * new_task task after exec
3374 * new_thread thread in new task
3375 *
3376 * Returns: proc.
3377 *
3378 * Note: The function will switch the task pointer of proc
3379 * from old task to new task. The switch needs to happen
3380 * after draining all proc refs and inside a proc translock.
3381 * In the case of failure to switch the task, which might happen
3382 * if the process received a SIGKILL or jetsam killed it, it will make
3383 * sure that the new tasks terminates. User proc ref returned
3384 * to caller.
3385 *
3386 * This function is called after point of no return, in the case
3387 * failure to switch, it will terminate the new task and swallow the
3388 * error and let the terminated process complete exec and die.
3389 */
3390 proc_t
3391 proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread)
3392 {
3393 int error = 0;
3394 boolean_t task_active;
3395 boolean_t proc_active;
3396 boolean_t thread_active;
3397 thread_t old_thread = current_thread();
3398
3399 /*
3400 * Switch the task pointer of proc to new task.
3401 * Before switching the task, wait for proc_refdrain.
3402 * After the switch happens, the proc can disappear,
3403 * take a ref before it disappears. Waiting for
3404 * proc_refdrain in exec will block all other threads
3405 * trying to take a proc ref, boost the current thread
3406 * to avoid priority inversion.
3407 */
3408 thread_set_exec_promotion(old_thread);
3409 p = proc_refdrain_with_refwait(p, TRUE);
3410 /* extra proc ref returned to the caller */
3411
3412 assert(get_threadtask(new_thread) == new_task);
3413 task_active = task_is_active(new_task);
3414
3415 /* Take the proc_translock to change the task ptr */
3416 proc_lock(p);
3417 proc_active = !(p->p_lflag & P_LEXIT);
3418
3419 /* Check if the current thread is not aborted due to SIGKILL */
3420 thread_active = thread_is_active(old_thread);
3421
3422 /*
3423 * Do not switch the task if the new task or proc is already terminated
3424 * as a result of error in exec past point of no return
3425 */
3426 if (proc_active && task_active && thread_active) {
3427 error = proc_transstart(p, 1, 0);
3428 if (error == 0) {
3429 uthread_t new_uthread = get_bsdthread_info(new_thread);
3430 uthread_t old_uthread = get_bsdthread_info(current_thread());
3431
3432 /*
3433 * bsd_info of old_task will get cleared in execve and posix_spawn
3434 * after firing exec-success/error dtrace probe.
3435 */
3436 p->task = new_task;
3437
3438 /* Clear dispatchqueue and workloop ast offset */
3439 p->p_dispatchqueue_offset = 0;
3440 p->p_dispatchqueue_serialno_offset = 0;
3441 p->p_return_to_kernel_offset = 0;
3442
3443 /* Copy the signal state, dtrace state and set bsd ast on new thread */
3444 act_set_astbsd(new_thread);
3445 new_uthread->uu_siglist = old_uthread->uu_siglist;
3446 new_uthread->uu_sigwait = old_uthread->uu_sigwait;
3447 new_uthread->uu_sigmask = old_uthread->uu_sigmask;
3448 new_uthread->uu_oldmask = old_uthread->uu_oldmask;
3449 new_uthread->uu_vforkmask = old_uthread->uu_vforkmask;
3450 new_uthread->uu_exit_reason = old_uthread->uu_exit_reason;
3451 #if CONFIG_DTRACE
3452 new_uthread->t_dtrace_sig = old_uthread->t_dtrace_sig;
3453 new_uthread->t_dtrace_stop = old_uthread->t_dtrace_stop;
3454 new_uthread->t_dtrace_resumepid = old_uthread->t_dtrace_resumepid;
3455 assert(new_uthread->t_dtrace_scratch == NULL);
3456 new_uthread->t_dtrace_scratch = old_uthread->t_dtrace_scratch;
3457
3458 old_uthread->t_dtrace_sig = 0;
3459 old_uthread->t_dtrace_stop = 0;
3460 old_uthread->t_dtrace_resumepid = 0;
3461 old_uthread->t_dtrace_scratch = NULL;
3462 #endif
3463 /* Copy the resource accounting info */
3464 thread_copy_resource_info(new_thread, current_thread());
3465
3466 /* Clear the exit reason and signal state on old thread */
3467 old_uthread->uu_exit_reason = NULL;
3468 old_uthread->uu_siglist = 0;
3469
3470 /* Add the new uthread to proc uthlist and remove the old one */
3471 TAILQ_INSERT_TAIL(&p->p_uthlist, new_uthread, uu_list);
3472 TAILQ_REMOVE(&p->p_uthlist, old_uthread, uu_list);
3473
3474 task_set_did_exec_flag(old_task);
3475 task_clear_exec_copy_flag(new_task);
3476
3477 task_copy_fields_for_exec(new_task, old_task);
3478
3479 proc_transend(p, 1);
3480 }
3481 }
3482
3483 proc_unlock(p);
3484 proc_refwake(p);
3485 thread_clear_exec_promotion(old_thread);
3486
3487 if (error != 0 || !task_active || !proc_active || !thread_active) {
3488 task_terminate_internal(new_task);
3489 }
3490
3491 return p;
3492 }
3493
3494 /*
3495 * execve
3496 *
3497 * Parameters: uap->fname File name to exec
3498 * uap->argp Argument list
3499 * uap->envp Environment list
3500 *
3501 * Returns: 0 Success
3502 * __mac_execve:EINVAL Invalid argument
3503 * __mac_execve:ENOTSUP Invalid argument
3504 * __mac_execve:EACCES Permission denied
3505 * __mac_execve:EINTR Interrupted function
3506 * __mac_execve:ENOMEM Not enough space
3507 * __mac_execve:EFAULT Bad address
3508 * __mac_execve:ENAMETOOLONG Filename too long
3509 * __mac_execve:ENOEXEC Executable file format error
3510 * __mac_execve:ETXTBSY Text file busy [misuse of error code]
3511 * __mac_execve:???
3512 *
3513 * TODO: Dynamic linker header address on stack is copied via suword()
3514 */
3515 /* ARGSUSED */
3516 int
3517 execve(proc_t p, struct execve_args *uap, int32_t *retval)
3518 {
3519 struct __mac_execve_args muap;
3520 int err;
3521
3522 memoryshot(VM_EXECVE, DBG_FUNC_NONE);
3523
3524 muap.fname = uap->fname;
3525 muap.argp = uap->argp;
3526 muap.envp = uap->envp;
3527 muap.mac_p = USER_ADDR_NULL;
3528 err = __mac_execve(p, &muap, retval);
3529
3530 return err;
3531 }
3532
3533 /*
3534 * __mac_execve
3535 *
3536 * Parameters: uap->fname File name to exec
3537 * uap->argp Argument list
3538 * uap->envp Environment list
3539 * uap->mac_p MAC label supplied by caller
3540 *
3541 * Returns: 0 Success
3542 * EINVAL Invalid argument
3543 * ENOTSUP Not supported
3544 * ENOEXEC Executable file format error
3545 * exec_activate_image:EINVAL Invalid argument
3546 * exec_activate_image:EACCES Permission denied
3547 * exec_activate_image:EINTR Interrupted function
3548 * exec_activate_image:ENOMEM Not enough space
3549 * exec_activate_image:EFAULT Bad address
3550 * exec_activate_image:ENAMETOOLONG Filename too long
3551 * exec_activate_image:ENOEXEC Executable file format error
3552 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
3553 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
3554 * exec_activate_image:???
3555 * mac_execve_enter:???
3556 *
3557 * TODO: Dynamic linker header address on stack is copied via suword()
3558 */
3559 int
3560 __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
3561 {
3562 char *bufp = NULL;
3563 struct image_params *imgp;
3564 struct vnode_attr *vap;
3565 struct vnode_attr *origvap;
3566 int error;
3567 int is_64 = IS_64BIT_PROCESS(p);
3568 struct vfs_context context;
3569 struct uthread *uthread;
3570 task_t old_task = current_task();
3571 task_t new_task = NULL;
3572 boolean_t should_release_proc_ref = FALSE;
3573 boolean_t exec_done = FALSE;
3574 boolean_t in_vfexec = FALSE;
3575 void *inherit = NULL;
3576
3577 context.vc_thread = current_thread();
3578 context.vc_ucred = kauth_cred_proc_ref(p); /* XXX must NOT be kauth_cred_get() */
3579
3580 /* Allocate a big chunk for locals instead of using stack since these
3581 * structures a pretty big.
3582 */
3583 MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
3584 imgp = (struct image_params *) bufp;
3585 if (bufp == NULL) {
3586 error = ENOMEM;
3587 goto exit_with_error;
3588 }
3589 vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
3590 origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
3591
3592 /* Initialize the common data in the image_params structure */
3593 imgp->ip_user_fname = uap->fname;
3594 imgp->ip_user_argv = uap->argp;
3595 imgp->ip_user_envv = uap->envp;
3596 imgp->ip_vattr = vap;
3597 imgp->ip_origvattr = origvap;
3598 imgp->ip_vfs_context = &context;
3599 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
3600 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
3601 imgp->ip_mac_return = 0;
3602 imgp->ip_cs_error = OS_REASON_NULL;
3603
3604 #if CONFIG_MACF
3605 if (uap->mac_p != USER_ADDR_NULL) {
3606 error = mac_execve_enter(uap->mac_p, imgp);
3607 if (error) {
3608 kauth_cred_unref(&context.vc_ucred);
3609 goto exit_with_error;
3610 }
3611 }
3612 #endif
3613 uthread = get_bsdthread_info(current_thread());
3614 if (uthread->uu_flag & UT_VFORK) {
3615 imgp->ip_flags |= IMGPF_VFORK_EXEC;
3616 in_vfexec = TRUE;
3617 } else {
3618 imgp->ip_flags |= IMGPF_EXEC;
3619
3620 /*
3621 * For execve case, create a new task and thread
3622 * which points to current_proc. The current_proc will point
3623 * to the new task after image activation and proc ref drain.
3624 *
3625 * proc (current_proc) <----- old_task (current_task)
3626 * ^ | ^
3627 * | | |
3628 * | ----------------------------------
3629 * |
3630 * --------- new_task (task marked as TF_EXEC_COPY)
3631 *
3632 * After image activation, the proc will point to the new task
3633 * and would look like following.
3634 *
3635 * proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
3636 * ^ |
3637 * | |
3638 * | ----------> new_task
3639 * | |
3640 * -----------------
3641 *
3642 * During exec any transition from new_task -> proc is fine, but don't allow
3643 * transition from proc->task, since it will modify old_task.
3644 */
3645 imgp->ip_new_thread = fork_create_child(old_task,
3646 NULL,
3647 p,
3648 FALSE,
3649 p->p_flag & P_LP64,
3650 task_get_64bit_data(old_task),
3651 TRUE);
3652 /* task and thread ref returned by fork_create_child */
3653 if (imgp->ip_new_thread == NULL) {
3654 error = ENOMEM;
3655 goto exit_with_error;
3656 }
3657
3658 new_task = get_threadtask(imgp->ip_new_thread);
3659 context.vc_thread = imgp->ip_new_thread;
3660 }
3661
3662 error = exec_activate_image(imgp);
3663 /* thread and task ref returned for vfexec case */
3664
3665 if (imgp->ip_new_thread != NULL) {
3666 /*
3667 * task reference might be returned by exec_activate_image
3668 * for vfexec.
3669 */
3670 new_task = get_threadtask(imgp->ip_new_thread);
3671 }
3672
3673 if (!error && !in_vfexec) {
3674 p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
3675 /* proc ref returned */
3676 should_release_proc_ref = TRUE;
3677
3678 /*
3679 * Need to transfer pending watch port boosts to the new task while still making
3680 * sure that the old task remains in the importance linkage. Create an importance
3681 * linkage from old task to new task, then switch the task importance base
3682 * of old task and new task. After the switch the port watch boost will be
3683 * boosting the new task and new task will be donating importance to old task.
3684 */
3685 inherit = ipc_importance_exec_switch_task(old_task, new_task);
3686 }
3687
3688 kauth_cred_unref(&context.vc_ucred);
3689
3690 /* Image not claimed by any activator? */
3691 if (error == -1) {
3692 error = ENOEXEC;
3693 }
3694
3695 if (!error) {
3696 exec_done = TRUE;
3697 assert(imgp->ip_new_thread != NULL);
3698
3699 exec_resettextvp(p, imgp);
3700 error = check_for_signature(p, imgp);
3701 }
3702
3703 /* flag exec has occurred, notify only if it has not failed due to FP Key error */
3704 if (exec_done && ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)) {
3705 proc_knote(p, NOTE_EXEC);
3706 }
3707
3708 if (imgp->ip_vp != NULLVP) {
3709 vnode_put(imgp->ip_vp);
3710 }
3711 if (imgp->ip_scriptvp != NULLVP) {
3712 vnode_put(imgp->ip_scriptvp);
3713 }
3714 if (imgp->ip_strings) {
3715 execargs_free(imgp);
3716 }
3717 #if CONFIG_MACF
3718 if (imgp->ip_execlabelp) {
3719 mac_cred_label_free(imgp->ip_execlabelp);
3720 }
3721 if (imgp->ip_scriptlabelp) {
3722 mac_vnode_label_free(imgp->ip_scriptlabelp);
3723 }
3724 #endif
3725 if (imgp->ip_cs_error != OS_REASON_NULL) {
3726 os_reason_free(imgp->ip_cs_error);
3727 imgp->ip_cs_error = OS_REASON_NULL;
3728 }
3729
3730 if (!error) {
3731 /*
3732 * We need to initialize the bank context behind the protection of
3733 * the proc_trans lock to prevent a race with exit. We can't do this during
3734 * exec_activate_image because task_bank_init checks entitlements that
3735 * aren't loaded until subsequent calls (including exec_resettextvp).
3736 */
3737 error = proc_transstart(p, 0, 0);
3738 }
3739
3740 if (!error) {
3741 task_bank_init(new_task);
3742 proc_transend(p, 0);
3743
3744 #if __arm64__
3745 proc_legacy_footprint(p, new_task, __FUNCTION__);
3746 #endif /* __arm64__ */
3747
3748 /* Sever any extant thread affinity */
3749 thread_affinity_exec(current_thread());
3750
3751 /* Inherit task role from old task to new task for exec */
3752 if (!in_vfexec) {
3753 proc_inherit_task_role(new_task, old_task);
3754 }
3755
3756 thread_t main_thread = imgp->ip_new_thread;
3757
3758 task_set_main_thread_qos(new_task, main_thread);
3759
3760 #if CONFIG_MACF
3761 /*
3762 * Processes with the MAP_JIT entitlement are permitted to have
3763 * a jumbo-size map.
3764 */
3765 if (mac_proc_check_map_anon(p, 0, 0, 0, MAP_JIT, NULL) == 0) {
3766 vm_map_set_jumbo(get_task_map(new_task));
3767 }
3768 #endif /* CONFIG_MACF */
3769
3770 if (vm_darkwake_mode == TRUE) {
3771 /*
3772 * This process is being launched when the system
3773 * is in darkwake. So mark it specially. This will
3774 * cause all its pages to be entered in the background Q.
3775 */
3776 task_set_darkwake_mode(new_task, vm_darkwake_mode);
3777 }
3778
3779 #if CONFIG_DTRACE
3780 dtrace_thread_didexec(imgp->ip_new_thread);
3781
3782 if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) {
3783 (*dtrace_proc_waitfor_hook)(p);
3784 }
3785 #endif
3786
3787 #if CONFIG_AUDIT
3788 if (!error && AUDIT_ENABLED() && p) {
3789 /* Add the CDHash of the new process to the audit record */
3790 uint8_t *cdhash = cs_get_cdhash(p);
3791 if (cdhash) {
3792 AUDIT_ARG(data, cdhash, sizeof(uint8_t), CS_CDHASH_LEN);
3793 }
3794 }
3795 #endif
3796
3797 if (in_vfexec) {
3798 vfork_return(p, retval, p->p_pid);
3799 }
3800 } else {
3801 DTRACE_PROC1(exec__failure, int, error);
3802 }
3803
3804 exit_with_error:
3805
3806 /*
3807 * clear bsd_info from old task if it did exec.
3808 */
3809 if (task_did_exec(old_task)) {
3810 set_bsdtask_info(old_task, NULL);
3811 }
3812
3813 /* clear bsd_info from new task and terminate it if exec failed */
3814 if (new_task != NULL && task_is_exec_copy(new_task)) {
3815 set_bsdtask_info(new_task, NULL);
3816 task_terminate_internal(new_task);
3817 }
3818
3819 if (imgp != NULL) {
3820 /*
3821 * Do not terminate the current task, if proc_exec_switch_task did not
3822 * switch the tasks, terminating the current task without the switch would
3823 * result in loosing the SIGKILL status.
3824 */
3825 if (task_did_exec(old_task)) {
3826 /* Terminate the current task, since exec will start in new task */
3827 task_terminate_internal(old_task);
3828 }
3829
3830 /* Release the thread ref returned by fork_create_child */
3831 if (imgp->ip_new_thread) {
3832 /* wake up the new exec thread */
3833 task_clear_return_wait(get_threadtask(imgp->ip_new_thread));
3834 thread_deallocate(imgp->ip_new_thread);
3835 imgp->ip_new_thread = NULL;
3836 }
3837 }
3838
3839 /* Release the ref returned by fork_create_child */
3840 if (new_task) {
3841 task_deallocate(new_task);
3842 new_task = NULL;
3843 }
3844
3845 if (should_release_proc_ref) {
3846 proc_rele(p);
3847 }
3848
3849 if (bufp != NULL) {
3850 FREE(bufp, M_TEMP);
3851 }
3852
3853 if (inherit != NULL) {
3854 ipc_importance_release(inherit);
3855 }
3856
3857 return error;
3858 }
3859
3860
3861 /*
3862 * copyinptr
3863 *
3864 * Description: Copy a pointer in from user space to a user_addr_t in kernel
3865 * space, based on 32/64 bitness of the user space
3866 *
3867 * Parameters: froma User space address
3868 * toptr Address of kernel space user_addr_t
3869 * ptr_size 4/8, based on 'froma' address space
3870 *
3871 * Returns: 0 Success
3872 * EFAULT Bad 'froma'
3873 *
3874 * Implicit returns:
3875 * *ptr_size Modified
3876 */
3877 static int
3878 copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
3879 {
3880 int error;
3881
3882 if (ptr_size == 4) {
3883 /* 64 bit value containing 32 bit address */
3884 unsigned int i;
3885
3886 error = copyin(froma, &i, 4);
3887 *toptr = CAST_USER_ADDR_T(i); /* SAFE */
3888 } else {
3889 error = copyin(froma, toptr, 8);
3890 }
3891 return error;
3892 }
3893
3894
3895 /*
3896 * copyoutptr
3897 *
3898 * Description: Copy a pointer out from a user_addr_t in kernel space to
3899 * user space, based on 32/64 bitness of the user space
3900 *
3901 * Parameters: ua User space address to copy to
3902 * ptr Address of kernel space user_addr_t
3903 * ptr_size 4/8, based on 'ua' address space
3904 *
3905 * Returns: 0 Success
3906 * EFAULT Bad 'ua'
3907 *
3908 */
3909 static int
3910 copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
3911 {
3912 int error;
3913
3914 if (ptr_size == 4) {
3915 /* 64 bit value containing 32 bit address */
3916 unsigned int i = CAST_DOWN_EXPLICIT(unsigned int, ua); /* SAFE */
3917
3918 error = copyout(&i, ptr, 4);
3919 } else {
3920 error = copyout(&ua, ptr, 8);
3921 }
3922 return error;
3923 }
3924
3925
3926 /*
3927 * exec_copyout_strings
3928 *
3929 * Copy out the strings segment to user space. The strings segment is put
3930 * on a preinitialized stack frame.
3931 *
3932 * Parameters: struct image_params * the image parameter block
3933 * int * a pointer to the stack offset variable
3934 *
3935 * Returns: 0 Success
3936 * !0 Faiure: errno
3937 *
3938 * Implicit returns:
3939 * (*stackp) The stack offset, modified
3940 *
3941 * Note: The strings segment layout is backward, from the beginning
3942 * of the top of the stack to consume the minimal amount of
3943 * space possible; the returned stack pointer points to the
3944 * end of the area consumed (stacks grow downward).
3945 *
3946 * argc is an int; arg[i] are pointers; env[i] are pointers;
3947 * the 0's are (void *)NULL's
3948 *
3949 * The stack frame layout is:
3950 *
3951 * +-------------+ <- p->user_stack
3952 * | 16b |
3953 * +-------------+
3954 * | STRING AREA |
3955 * | : |
3956 * | : |
3957 * | : |
3958 * +- -- -- -- --+
3959 * | PATH AREA |
3960 * +-------------+
3961 * | 0 |
3962 * +-------------+
3963 * | applev[n] |
3964 * +-------------+
3965 * :
3966 * :
3967 * +-------------+
3968 * | applev[1] |
3969 * +-------------+
3970 * | exec_path / |
3971 * | applev[0] |
3972 * +-------------+
3973 * | 0 |
3974 * +-------------+
3975 * | env[n] |
3976 * +-------------+
3977 * :
3978 * :
3979 * +-------------+
3980 * | env[0] |
3981 * +-------------+
3982 * | 0 |
3983 * +-------------+
3984 * | arg[argc-1] |
3985 * +-------------+
3986 * :
3987 * :
3988 * +-------------+
3989 * | arg[0] |
3990 * +-------------+
3991 * | argc |
3992 * sp-> +-------------+
3993 *
3994 * Although technically a part of the STRING AREA, we treat the PATH AREA as
3995 * a separate entity. This allows us to align the beginning of the PATH AREA
3996 * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
3997 * which preceed it on the stack are properly aligned.
3998 */
3999
4000 static int
4001 exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
4002 {
4003 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
4004 int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
4005 int ptr_area_size;
4006 void *ptr_buffer_start, *ptr_buffer;
4007 int string_size;
4008
4009 user_addr_t string_area; /* *argv[], *env[] */
4010 user_addr_t ptr_area; /* argv[], env[], applev[] */
4011 user_addr_t argc_area; /* argc */
4012 user_addr_t stack;
4013 int error;
4014
4015 unsigned i;
4016 struct copyout_desc {
4017 char *start_string;
4018 int count;
4019 #if CONFIG_DTRACE
4020 user_addr_t *dtrace_cookie;
4021 #endif
4022 boolean_t null_term;
4023 } descriptors[] = {
4024 {
4025 .start_string = imgp->ip_startargv,
4026 .count = imgp->ip_argc,
4027 #if CONFIG_DTRACE
4028 .dtrace_cookie = &p->p_dtrace_argv,
4029 #endif
4030 .null_term = TRUE
4031 },
4032 {
4033 .start_string = imgp->ip_endargv,
4034 .count = imgp->ip_envc,
4035 #if CONFIG_DTRACE
4036 .dtrace_cookie = &p->p_dtrace_envp,
4037 #endif
4038 .null_term = TRUE
4039 },
4040 {
4041 .start_string = imgp->ip_strings,
4042 .count = 1,
4043 #if CONFIG_DTRACE
4044 .dtrace_cookie = NULL,
4045 #endif
4046 .null_term = FALSE
4047 },
4048 {
4049 .start_string = imgp->ip_endenvv,
4050 .count = imgp->ip_applec - 1, /* exec_path handled above */
4051 #if CONFIG_DTRACE
4052 .dtrace_cookie = NULL,
4053 #endif
4054 .null_term = TRUE
4055 }
4056 };
4057
4058 stack = *stackp;
4059
4060 /*
4061 * All previous contributors to the string area
4062 * should have aligned their sub-area
4063 */
4064 if (imgp->ip_strspace % ptr_size != 0) {
4065 error = EINVAL;
4066 goto bad;
4067 }
4068
4069 /* Grow the stack down for the strings we've been building up */
4070 string_size = imgp->ip_strendp - imgp->ip_strings;
4071 stack -= string_size;
4072 string_area = stack;
4073
4074 /*
4075 * Need room for one pointer for each string, plus
4076 * one for the NULLs terminating the argv, envv, and apple areas.
4077 */
4078 ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + 3) * ptr_size;
4079 stack -= ptr_area_size;
4080 ptr_area = stack;
4081
4082 /* We'll construct all the pointer arrays in our string buffer,
4083 * which we already know is aligned properly, and ip_argspace
4084 * was used to verify we have enough space.
4085 */
4086 ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp;
4087
4088 /*
4089 * Need room for pointer-aligned argc slot.
4090 */
4091 stack -= ptr_size;
4092 argc_area = stack;
4093
4094 /*
4095 * Record the size of the arguments area so that sysctl_procargs()
4096 * can return the argument area without having to parse the arguments.
4097 */
4098 proc_lock(p);
4099 p->p_argc = imgp->ip_argc;
4100 p->p_argslen = (int)(*stackp - string_area);
4101 proc_unlock(p);
4102
4103 /* Return the initial stack address: the location of argc */
4104 *stackp = stack;
4105
4106 /*
4107 * Copy out the entire strings area.
4108 */
4109 error = copyout(imgp->ip_strings, string_area,
4110 string_size);
4111 if (error) {
4112 goto bad;
4113 }
4114
4115 for (i = 0; i < sizeof(descriptors) / sizeof(descriptors[0]); i++) {
4116 char *cur_string = descriptors[i].start_string;
4117 int j;
4118
4119 #if CONFIG_DTRACE
4120 if (descriptors[i].dtrace_cookie) {
4121 proc_lock(p);
4122 *descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience */
4123 proc_unlock(p);
4124 }
4125 #endif /* CONFIG_DTRACE */
4126
4127 /*
4128 * For each segment (argv, envv, applev), copy as many pointers as requested
4129 * to our pointer buffer.
4130 */
4131 for (j = 0; j < descriptors[i].count; j++) {
4132 user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings);
4133
4134 /* Copy out the pointer to the current string. Alignment has been verified */
4135 if (ptr_size == 8) {
4136 *(uint64_t *)ptr_buffer = (uint64_t)cur_address;
4137 } else {
4138 *(uint32_t *)ptr_buffer = (uint32_t)cur_address;
4139 }
4140
4141 ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
4142 cur_string += strlen(cur_string) + 1; /* Only a NUL between strings in the same area */
4143 }
4144
4145 if (descriptors[i].null_term) {
4146 if (ptr_size == 8) {
4147 *(uint64_t *)ptr_buffer = 0ULL;
4148 } else {
4149 *(uint32_t *)ptr_buffer = 0;
4150 }
4151
4152 ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
4153 }
4154 }
4155
4156 /*
4157 * Copy out all our pointer arrays in bulk.
4158 */
4159 error = copyout(ptr_buffer_start, ptr_area,
4160 ptr_area_size);
4161 if (error) {
4162 goto bad;
4163 }
4164
4165 /* argc (int32, stored in a ptr_size area) */
4166 error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size);
4167 if (error) {
4168 goto bad;
4169 }
4170
4171 bad:
4172 return error;
4173 }
4174
4175
4176 /*
4177 * exec_extract_strings
4178 *
4179 * Copy arguments and environment from user space into work area; we may
4180 * have already copied some early arguments into the work area, and if
4181 * so, any arguments opied in are appended to those already there.
4182 * This function is the primary manipulator of ip_argspace, since
4183 * these are the arguments the client of execve(2) knows about. After
4184 * each argv[]/envv[] string is copied, we charge the string length
4185 * and argv[]/envv[] pointer slot to ip_argspace, so that we can
4186 * full preflight the arg list size.
4187 *
4188 * Parameters: struct image_params * the image parameter block
4189 *
4190 * Returns: 0 Success
4191 * !0 Failure: errno
4192 *
4193 * Implicit returns;
4194 * (imgp->ip_argc) Count of arguments, updated
4195 * (imgp->ip_envc) Count of environment strings, updated
4196 * (imgp->ip_argspace) Count of remaining of NCARGS
4197 * (imgp->ip_interp_buffer) Interpreter and args (mutated in place)
4198 *
4199 *
4200 * Note: The argument and environment vectors are user space pointers
4201 * to arrays of user space pointers.
4202 */
4203 static int
4204 exec_extract_strings(struct image_params *imgp)
4205 {
4206 int error = 0;
4207 int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT_ADDR) ? 8 : 4;
4208 int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
4209 user_addr_t argv = imgp->ip_user_argv;
4210 user_addr_t envv = imgp->ip_user_envv;
4211
4212 /*
4213 * Adjust space reserved for the path name by however much padding it
4214 * needs. Doing this here since we didn't know if this would be a 32-
4215 * or 64-bit process back in exec_save_path.
4216 */
4217 while (imgp->ip_strspace % new_ptr_size != 0) {
4218 *imgp->ip_strendp++ = '\0';
4219 imgp->ip_strspace--;
4220 /* imgp->ip_argspace--; not counted towards exec args total */
4221 }
4222
4223 /*
4224 * From now on, we start attributing string space to ip_argspace
4225 */
4226 imgp->ip_startargv = imgp->ip_strendp;
4227 imgp->ip_argc = 0;
4228
4229 if ((imgp->ip_flags & IMGPF_INTERPRET) != 0) {
4230 user_addr_t arg;
4231 char *argstart, *ch;
4232
4233 /* First, the arguments in the "#!" string are tokenized and extracted. */
4234 argstart = imgp->ip_interp_buffer;
4235 while (argstart) {
4236 ch = argstart;
4237 while (*ch && !IS_WHITESPACE(*ch)) {
4238 ch++;
4239 }
4240
4241 if (*ch == '\0') {
4242 /* last argument, no need to NUL-terminate */
4243 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
4244 argstart = NULL;
4245 } else {
4246 /* NUL-terminate */
4247 *ch = '\0';
4248 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
4249
4250 /*
4251 * Find the next string. We know spaces at the end of the string have already
4252 * been stripped.
4253 */
4254 argstart = ch + 1;
4255 while (IS_WHITESPACE(*argstart)) {
4256 argstart++;
4257 }
4258 }
4259
4260 /* Error-check, regardless of whether this is the last interpreter arg or not */
4261 if (error) {
4262 goto bad;
4263 }
4264 if (imgp->ip_argspace < new_ptr_size) {
4265 error = E2BIG;
4266 goto bad;
4267 }
4268 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
4269 imgp->ip_argc++;
4270 }
4271
4272 if (argv != 0LL) {
4273 /*
4274 * If we are running an interpreter, replace the av[0] that was
4275 * passed to execve() with the path name that was
4276 * passed to execve() for interpreters which do not use the PATH
4277 * to locate their script arguments.
4278 */
4279 error = copyinptr(argv, &arg, ptr_size);
4280 if (error) {
4281 goto bad;
4282 }
4283 if (arg != 0LL) {
4284 argv += ptr_size; /* consume without using */
4285 }
4286 }
4287
4288 if (imgp->ip_interp_sugid_fd != -1) {
4289 char temp[19]; /* "/dev/fd/" + 10 digits + NUL */
4290 snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd);
4291 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE);
4292 } else {
4293 error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE);
4294 }
4295
4296 if (error) {
4297 goto bad;
4298 }
4299 if (imgp->ip_argspace < new_ptr_size) {
4300 error = E2BIG;
4301 goto bad;
4302 }
4303 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
4304 imgp->ip_argc++;
4305 }
4306
4307 while (argv != 0LL) {
4308 user_addr_t arg;
4309
4310 error = copyinptr(argv, &arg, ptr_size);
4311 if (error) {
4312 goto bad;
4313 }
4314
4315 if (arg == 0LL) {
4316 break;
4317 }
4318
4319 argv += ptr_size;
4320
4321 /*
4322 * av[n...] = arg[n]
4323 */
4324 error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE);
4325 if (error) {
4326 goto bad;
4327 }
4328 if (imgp->ip_argspace < new_ptr_size) {
4329 error = E2BIG;
4330 goto bad;
4331 }
4332 imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
4333 imgp->ip_argc++;
4334 }
4335
4336 /* Save space for argv[] NULL terminator */
4337 if (imgp->ip_argspace < new_ptr_size) {
4338 error = E2BIG;
4339 goto bad;
4340 }
4341 imgp->ip_argspace -= new_ptr_size;
4342
4343 /* Note where the args ends and env begins. */
4344 imgp->ip_endargv = imgp->ip_strendp;
4345 imgp->ip_envc = 0;
4346
4347 /* Now, get the environment */
4348 while (envv != 0LL) {
4349 user_addr_t env;
4350
4351 error = copyinptr(envv, &env, ptr_size);
4352 if (error) {
4353 goto bad;
4354 }
4355
4356 envv += ptr_size;
4357 if (env == 0LL) {
4358 break;
4359 }
4360 /*
4361 * av[n...] = env[n]
4362 */
4363 error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE);
4364 if (error) {
4365 goto bad;
4366 }
4367 if (imgp->ip_argspace < new_ptr_size) {
4368 error = E2BIG;
4369 goto bad;
4370 }
4371 imgp->ip_argspace -= new_ptr_size; /* to hold envv[] entry */
4372 imgp->ip_envc++;
4373 }
4374
4375 /* Save space for envv[] NULL terminator */
4376 if (imgp->ip_argspace < new_ptr_size) {
4377 error = E2BIG;
4378 goto bad;
4379 }
4380 imgp->ip_argspace -= new_ptr_size;
4381
4382 /* Align the tail of the combined argv+envv area */
4383 while (imgp->ip_strspace % new_ptr_size != 0) {
4384 if (imgp->ip_argspace < 1) {
4385 error = E2BIG;
4386 goto bad;
4387 }
4388 *imgp->ip_strendp++ = '\0';
4389 imgp->ip_strspace--;
4390 imgp->ip_argspace--;
4391 }
4392
4393 /* Note where the envv ends and applev begins. */
4394 imgp->ip_endenvv = imgp->ip_strendp;
4395
4396 /*
4397 * From now on, we are no longer charging argument
4398 * space to ip_argspace.
4399 */
4400
4401 bad:
4402 return error;
4403 }
4404
4405 /*
4406 * Libc has an 8-element array set up for stack guard values. It only fills
4407 * in one of those entries, and both gcc and llvm seem to use only a single
4408 * 8-byte guard. Until somebody needs more than an 8-byte guard value, don't
4409 * do the work to construct them.
4410 */
4411 #define GUARD_VALUES 1
4412 #define GUARD_KEY "stack_guard="
4413
4414 /*
4415 * System malloc needs some entropy when it is initialized.
4416 */
4417 #define ENTROPY_VALUES 2
4418 #define ENTROPY_KEY "malloc_entropy="
4419
4420 /*
4421 * libplatform needs a random pointer-obfuscation value when it is initialized.
4422 */
4423 #define PTR_MUNGE_VALUES 1
4424 #define PTR_MUNGE_KEY "ptr_munge="
4425
4426 /*
4427 * System malloc engages nanozone for UIAPP.
4428 */
4429 #define NANO_ENGAGE_KEY "MallocNanoZone=1"
4430
4431 #define PFZ_KEY "pfz="
4432 extern user32_addr_t commpage_text32_location;
4433 extern user64_addr_t commpage_text64_location;
4434
4435 #define MAIN_STACK_VALUES 4
4436 #define MAIN_STACK_KEY "main_stack="
4437
4438 #define FSID_KEY "executable_file="
4439 #define DYLD_FSID_KEY "dyld_file="
4440 #define CDHASH_KEY "executable_cdhash="
4441
4442 #define FSID_MAX_STRING "0x1234567890abcdef,0x1234567890abcdef"
4443
4444 #define HEX_STR_LEN 18 // 64-bit hex value "0x0123456701234567"
4445
4446 static int
4447 exec_add_entropy_key(struct image_params *imgp,
4448 const char *key,
4449 int values,
4450 boolean_t embedNUL)
4451 {
4452 const int limit = 8;
4453 uint64_t entropy[limit];
4454 char str[strlen(key) + (HEX_STR_LEN + 1) * limit + 1];
4455 if (values > limit) {
4456 values = limit;
4457 }
4458
4459 read_random(entropy, sizeof(entropy[0]) * values);
4460
4461 if (embedNUL) {
4462 entropy[0] &= ~(0xffull << 8);
4463 }
4464
4465 int len = snprintf(str, sizeof(str), "%s0x%llx", key, entropy[0]);
4466 int remaining = sizeof(str) - len;
4467 for (int i = 1; i < values && remaining > 0; ++i) {
4468 int start = sizeof(str) - remaining;
4469 len = snprintf(&str[start], remaining, ",0x%llx", entropy[i]);
4470 remaining -= len;
4471 }
4472
4473 return exec_add_user_string(imgp, CAST_USER_ADDR_T(str), UIO_SYSSPACE, FALSE);
4474 }
4475
4476 /*
4477 * Build up the contents of the apple[] string vector
4478 */
4479 static int
4480 exec_add_apple_strings(struct image_params *imgp,
4481 const load_result_t *load_result)
4482 {
4483 int error;
4484 int img_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? 8 : 4;
4485
4486 /* exec_save_path stored the first string */
4487 imgp->ip_applec = 1;
4488
4489 /* adding the pfz string */
4490 {
4491 char pfz_string[strlen(PFZ_KEY) + HEX_STR_LEN + 1];
4492
4493 if (img_ptr_size == 8) {
4494 snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%llx", commpage_text64_location);
4495 } else {
4496 snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%x", commpage_text32_location);
4497 }
4498 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string), UIO_SYSSPACE, FALSE);
4499 if (error) {
4500 goto bad;
4501 }
4502 imgp->ip_applec++;
4503 }
4504
4505 /* adding the NANO_ENGAGE_KEY key */
4506 if (imgp->ip_px_sa) {
4507 int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
4508
4509 if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
4510 const char *nano_string = NANO_ENGAGE_KEY;
4511 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(nano_string), UIO_SYSSPACE, FALSE);
4512 if (error) {
4513 goto bad;
4514 }
4515 imgp->ip_applec++;
4516 }
4517 }
4518
4519 /*
4520 * Supply libc with a collection of random values to use when
4521 * implementing -fstack-protector.
4522 *
4523 * (The first random string always contains an embedded NUL so that
4524 * __stack_chk_guard also protects against C string vulnerabilities)
4525 */
4526 error = exec_add_entropy_key(imgp, GUARD_KEY, GUARD_VALUES, TRUE);
4527 if (error) {
4528 goto bad;
4529 }
4530 imgp->ip_applec++;
4531
4532 /*
4533 * Supply libc with entropy for system malloc.
4534 */
4535 error = exec_add_entropy_key(imgp, ENTROPY_KEY, ENTROPY_VALUES, FALSE);
4536 if (error) {
4537 goto bad;
4538 }
4539 imgp->ip_applec++;
4540
4541 /*
4542 * Supply libpthread & libplatform with a random value to use for pointer
4543 * obfuscation.
4544 */
4545 error = exec_add_entropy_key(imgp, PTR_MUNGE_KEY, PTR_MUNGE_VALUES, FALSE);
4546 if (error) {
4547 goto bad;
4548 }
4549 imgp->ip_applec++;
4550
4551 /*
4552 * Add MAIN_STACK_KEY: Supplies the address and size of the main thread's
4553 * stack if it was allocated by the kernel.
4554 *
4555 * The guard page is not included in this stack size as libpthread
4556 * expects to add it back in after receiving this value.
4557 */
4558 if (load_result->unixproc) {
4559 char stack_string[strlen(MAIN_STACK_KEY) + (HEX_STR_LEN + 1) * MAIN_STACK_VALUES + 1];
4560 snprintf(stack_string, sizeof(stack_string),
4561 MAIN_STACK_KEY "0x%llx,0x%llx,0x%llx,0x%llx",
4562 (uint64_t)load_result->user_stack,
4563 (uint64_t)load_result->user_stack_size,
4564 (uint64_t)load_result->user_stack_alloc,
4565 (uint64_t)load_result->user_stack_alloc_size);
4566 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(stack_string), UIO_SYSSPACE, FALSE);
4567 if (error) {
4568 goto bad;
4569 }
4570 imgp->ip_applec++;
4571 }
4572
4573 if (imgp->ip_vattr) {
4574 uint64_t fsid = vnode_get_va_fsid(imgp->ip_vattr);
4575 uint64_t fsobjid = imgp->ip_vattr->va_fileid;
4576
4577 char fsid_string[strlen(FSID_KEY) + strlen(FSID_MAX_STRING) + 1];
4578 snprintf(fsid_string, sizeof(fsid_string),
4579 FSID_KEY "0x%llx,0x%llx", fsid, fsobjid);
4580 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(fsid_string), UIO_SYSSPACE, FALSE);
4581 if (error) {
4582 goto bad;
4583 }
4584 imgp->ip_applec++;
4585 }
4586
4587 if (imgp->ip_dyld_fsid || imgp->ip_dyld_fsobjid) {
4588 char fsid_string[strlen(DYLD_FSID_KEY) + strlen(FSID_MAX_STRING) + 1];
4589 snprintf(fsid_string, sizeof(fsid_string),
4590 DYLD_FSID_KEY "0x%llx,0x%llx", imgp->ip_dyld_fsid, imgp->ip_dyld_fsobjid);
4591 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(fsid_string), UIO_SYSSPACE, FALSE);
4592 if (error) {
4593 goto bad;
4594 }
4595 imgp->ip_applec++;
4596 }
4597
4598 uint8_t cdhash[SHA1_RESULTLEN];
4599 int cdhash_errror = ubc_cs_getcdhash(imgp->ip_vp, imgp->ip_arch_offset, cdhash);
4600 if (cdhash_errror == 0) {
4601 char hash_string[strlen(CDHASH_KEY) + 2 * SHA1_RESULTLEN + 1];
4602 strncpy(hash_string, CDHASH_KEY, sizeof(hash_string));
4603 char *p = hash_string + sizeof(CDHASH_KEY) - 1;
4604 for (int i = 0; i < SHA1_RESULTLEN; i++) {
4605 snprintf(p, 3, "%02x", (int) cdhash[i]);
4606 p += 2;
4607 }
4608 error = exec_add_user_string(imgp, CAST_USER_ADDR_T(hash_string), UIO_SYSSPACE, FALSE);
4609 if (error) {
4610 goto bad;
4611 }
4612 imgp->ip_applec++;
4613 }
4614
4615 /* Align the tail of the combined applev area */
4616 while (imgp->ip_strspace % img_ptr_size != 0) {
4617 *imgp->ip_strendp++ = '\0';
4618 imgp->ip_strspace--;
4619 }
4620
4621 bad:
4622 return error;
4623 }
4624
4625 #define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur)
4626
4627 /*
4628 * exec_check_permissions
4629 *
4630 * Description: Verify that the file that is being attempted to be executed
4631 * is in fact allowed to be executed based on it POSIX file
4632 * permissions and other access control criteria
4633 *
4634 * Parameters: struct image_params * the image parameter block
4635 *
4636 * Returns: 0 Success
4637 * EACCES Permission denied
4638 * ENOEXEC Executable file format error
4639 * ETXTBSY Text file busy [misuse of error code]
4640 * vnode_getattr:???
4641 * vnode_authorize:???
4642 */
4643 static int
4644 exec_check_permissions(struct image_params *imgp)
4645 {
4646 struct vnode *vp = imgp->ip_vp;
4647 struct vnode_attr *vap = imgp->ip_vattr;
4648 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
4649 int error;
4650 kauth_action_t action;
4651
4652 /* Only allow execution of regular files */
4653 if (!vnode_isreg(vp)) {
4654 return EACCES;
4655 }
4656
4657 /* Get the file attributes that we will be using here and elsewhere */
4658 VATTR_INIT(vap);
4659 VATTR_WANTED(vap, va_uid);
4660 VATTR_WANTED(vap, va_gid);
4661 VATTR_WANTED(vap, va_mode);
4662 VATTR_WANTED(vap, va_fsid);
4663 VATTR_WANTED(vap, va_fsid64);
4664 VATTR_WANTED(vap, va_fileid);
4665 VATTR_WANTED(vap, va_data_size);
4666 if ((error = vnode_getattr(vp, vap, imgp->ip_vfs_context)) != 0) {
4667 return error;
4668 }
4669
4670 /*
4671 * Ensure that at least one execute bit is on - otherwise root
4672 * will always succeed, and we don't want to happen unless the
4673 * file really is executable.
4674 */
4675 if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) {
4676 return EACCES;
4677 }
4678
4679 /* Disallow zero length files */
4680 if (vap->va_data_size == 0) {
4681 return ENOEXEC;
4682 }
4683
4684 imgp->ip_arch_offset = (user_size_t)0;
4685 imgp->ip_arch_size = vap->va_data_size;
4686
4687 /* Disable setuid-ness for traced programs or if MNT_NOSUID */
4688 if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED)) {
4689 vap->va_mode &= ~(VSUID | VSGID);
4690 }
4691
4692 /*
4693 * Disable _POSIX_SPAWN_ALLOW_DATA_EXEC and _POSIX_SPAWN_DISABLE_ASLR
4694 * flags for setuid/setgid binaries.
4695 */
4696 if (vap->va_mode & (VSUID | VSGID)) {
4697 imgp->ip_flags &= ~(IMGPF_ALLOW_DATA_EXEC | IMGPF_DISABLE_ASLR);
4698 }
4699
4700 #if CONFIG_MACF
4701 error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
4702 if (error) {
4703 return error;
4704 }
4705 #endif
4706
4707 /* Check for execute permission */
4708 action = KAUTH_VNODE_EXECUTE;
4709 /* Traced images must also be readable */
4710 if (p->p_lflag & P_LTRACED) {
4711 action |= KAUTH_VNODE_READ_DATA;
4712 }
4713 if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != 0) {
4714 return error;
4715 }
4716
4717 #if 0
4718 /* Don't let it run if anyone had it open for writing */
4719 vnode_lock(vp);
4720 if (vp->v_writecount) {
4721 panic("going to return ETXTBSY %x", vp);
4722 vnode_unlock(vp);
4723 return ETXTBSY;
4724 }
4725 vnode_unlock(vp);
4726 #endif
4727
4728
4729 /* XXX May want to indicate to underlying FS that vnode is open */
4730
4731 return error;
4732 }
4733
4734
4735 /*
4736 * exec_handle_sugid
4737 *
4738 * Initially clear the P_SUGID in the process flags; if an SUGID process is
4739 * exec'ing a non-SUGID image, then this is the point of no return.
4740 *
4741 * If the image being activated is SUGID, then replace the credential with a
4742 * copy, disable tracing (unless the tracing process is root), reset the
4743 * mach task port to revoke it, set the P_SUGID bit,
4744 *
4745 * If the saved user and group ID will be changing, then make sure it happens
4746 * to a new credential, rather than a shared one.
4747 *
4748 * Set the security token (this is probably obsolete, given that the token
4749 * should not technically be separate from the credential itself).
4750 *
4751 * Parameters: struct image_params * the image parameter block
4752 *
4753 * Returns: void No failure indication
4754 *
4755 * Implicit returns:
4756 * <process credential> Potentially modified/replaced
4757 * <task port> Potentially revoked
4758 * <process flags> P_SUGID bit potentially modified
4759 * <security token> Potentially modified
4760 */
4761 static int
4762 exec_handle_sugid(struct image_params *imgp)
4763 {
4764 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
4765 kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
4766 kauth_cred_t my_cred, my_new_cred;
4767 int i;
4768 int leave_sugid_clear = 0;
4769 int mac_reset_ipc = 0;
4770 int error = 0;
4771 task_t task = NULL;
4772 #if CONFIG_MACF
4773 int mac_transition, disjoint_cred = 0;
4774 int label_update_return = 0;
4775
4776 /*
4777 * Determine whether a call to update the MAC label will result in the
4778 * credential changing.
4779 *
4780 * Note: MAC policies which do not actually end up modifying
4781 * the label subsequently are strongly encouraged to
4782 * return 0 for this check, since a non-zero answer will
4783 * slow down the exec fast path for normal binaries.
4784 */
4785 mac_transition = mac_cred_check_label_update_execve(
4786 imgp->ip_vfs_context,
4787 imgp->ip_vp,
4788 imgp->ip_arch_offset,
4789 imgp->ip_scriptvp,
4790 imgp->ip_scriptlabelp,
4791 imgp->ip_execlabelp,
4792 p,
4793 imgp->ip_px_smpx);
4794 #endif
4795
4796 OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
4797
4798 /*
4799 * Order of the following is important; group checks must go last,
4800 * as we use the success of the 'ismember' check combined with the
4801 * failure of the explicit match to indicate that we will be setting
4802 * the egid of the process even though the new process did not
4803 * require VSUID/VSGID bits in order for it to set the new group as
4804 * its egid.
4805 *
4806 * Note: Technically, by this we are implying a call to
4807 * setegid() in the new process, rather than implying
4808 * it used its VSGID bit to set the effective group,
4809 * even though there is no code in that process to make
4810 * such a call.
4811 */
4812 if (((imgp->ip_origvattr->va_mode & VSUID) != 0 &&
4813 kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
4814 ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
4815 ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
4816 (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) {
4817 #if CONFIG_MACF
4818 /* label for MAC transition and neither VSUID nor VSGID */
4819 handle_mac_transition:
4820 #endif
4821
4822 #if !SECURE_KERNEL
4823 /*
4824 * Replace the credential with a copy of itself if euid or
4825 * egid change.
4826 *
4827 * Note: setuid binaries will automatically opt out of
4828 * group resolver participation as a side effect
4829 * of this operation. This is an intentional
4830 * part of the security model, which requires a
4831 * participating credential be established by
4832 * escalating privilege, setting up all other
4833 * aspects of the credential including whether
4834 * or not to participate in external group
4835 * membership resolution, then dropping their
4836 * effective privilege to that of the desired
4837 * final credential state.
4838 *
4839 * Modifications to p_ucred must be guarded using the
4840 * proc's ucred lock. This prevents others from accessing
4841 * a garbage credential.
4842 */
4843 while (imgp->ip_origvattr->va_mode & VSUID) {
4844 my_cred = kauth_cred_proc_ref(p);
4845 my_new_cred = kauth_cred_setresuid(my_cred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
4846
4847 if (my_new_cred == my_cred) {
4848 kauth_cred_unref(&my_cred);
4849 break;
4850 }
4851
4852 /* update cred on proc */
4853 proc_ucred_lock(p);
4854
4855 if (p->p_ucred != my_cred) {
4856 proc_ucred_unlock(p);
4857 kauth_cred_unref(&my_new_cred);
4858 continue;
4859 }
4860
4861 /* donate cred reference on my_new_cred to p->p_ucred */
4862 p->p_ucred = my_new_cred;
4863 PROC_UPDATE_CREDS_ONPROC(p);
4864 proc_ucred_unlock(p);
4865
4866 /* drop additional reference that was taken on the previous cred */
4867 kauth_cred_unref(&my_cred);
4868
4869 break;
4870 }
4871
4872 while (imgp->ip_origvattr->va_mode & VSGID) {
4873 my_cred = kauth_cred_proc_ref(p);
4874 my_new_cred = kauth_cred_setresgid(my_cred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
4875
4876 if (my_new_cred == my_cred) {
4877 kauth_cred_unref(&my_cred);
4878 break;
4879 }
4880
4881 /* update cred on proc */
4882 proc_ucred_lock(p);
4883
4884 if (p->p_ucred != my_cred) {
4885 proc_ucred_unlock(p);
4886 kauth_cred_unref(&my_new_cred);
4887 continue;
4888 }
4889
4890 /* donate cred reference on my_new_cred to p->p_ucred */
4891 p->p_ucred = my_new_cred;
4892 PROC_UPDATE_CREDS_ONPROC(p);
4893 proc_ucred_unlock(p);
4894
4895 /* drop additional reference that was taken on the previous cred */
4896 kauth_cred_unref(&my_cred);
4897
4898 break;
4899 }
4900 #endif /* !SECURE_KERNEL */
4901
4902 #if CONFIG_MACF
4903 /*
4904 * If a policy has indicated that it will transition the label,
4905 * before making the call into the MAC policies, get a new
4906 * duplicate credential, so they can modify it without
4907 * modifying any others sharing it.
4908 */
4909 if (mac_transition) {
4910 /*
4911 * This hook may generate upcalls that require
4912 * importance donation from the kernel.
4913 * (23925818)
4914 */
4915 thread_t thread = current_thread();
4916 thread_enable_send_importance(thread, TRUE);
4917 kauth_proc_label_update_execve(p,
4918 imgp->ip_vfs_context,
4919 imgp->ip_vp,
4920 imgp->ip_arch_offset,
4921 imgp->ip_scriptvp,
4922 imgp->ip_scriptlabelp,
4923 imgp->ip_execlabelp,
4924 &imgp->ip_csflags,
4925 imgp->ip_px_smpx,
4926 &disjoint_cred, /* will be non zero if disjoint */
4927 &label_update_return);
4928 thread_enable_send_importance(thread, FALSE);
4929
4930 if (disjoint_cred) {
4931 /*
4932 * If updating the MAC label resulted in a
4933 * disjoint credential, flag that we need to
4934 * set the P_SUGID bit. This protects
4935 * against debuggers being attached by an
4936 * insufficiently privileged process onto the
4937 * result of a transition to a more privileged
4938 * credential.
4939 */
4940 leave_sugid_clear = 0;
4941 }
4942
4943 imgp->ip_mac_return = label_update_return;
4944 }
4945
4946 mac_reset_ipc = mac_proc_check_inherit_ipc_ports(p, p->p_textvp, p->p_textoff, imgp->ip_vp, imgp->ip_arch_offset, imgp->ip_scriptvp);
4947
4948 #endif /* CONFIG_MACF */
4949
4950 /*
4951 * If 'leave_sugid_clear' is non-zero, then we passed the
4952 * VSUID and MACF checks, and successfully determined that
4953 * the previous cred was a member of the VSGID group, but
4954 * that it was not the default at the time of the execve,
4955 * and that the post-labelling credential was not disjoint.
4956 * So we don't set the P_SUGID or reset mach ports and fds
4957 * on the basis of simply running this code.
4958 */
4959 if (mac_reset_ipc || !leave_sugid_clear) {
4960 /*
4961 * Have mach reset the task and thread ports.
4962 * We don't want anyone who had the ports before
4963 * a setuid exec to be able to access/control the
4964 * task/thread after.
4965 */
4966 ipc_task_reset((imgp->ip_new_thread != NULL) ?
4967 get_threadtask(imgp->ip_new_thread) : p->task);
4968 ipc_thread_reset((imgp->ip_new_thread != NULL) ?
4969 imgp->ip_new_thread : current_thread());
4970 }
4971
4972 if (!leave_sugid_clear) {
4973 /*
4974 * Flag the process as setuid.
4975 */
4976 OSBitOrAtomic(P_SUGID, &p->p_flag);
4977
4978 /*
4979 * Radar 2261856; setuid security hole fix
4980 * XXX For setuid processes, attempt to ensure that
4981 * stdin, stdout, and stderr are already allocated.
4982 * We do not want userland to accidentally allocate
4983 * descriptors in this range which has implied meaning
4984 * to libc.
4985 */
4986 for (i = 0; i < 3; i++) {
4987 if (p->p_fd->fd_ofiles[i] != NULL) {
4988 continue;
4989 }
4990
4991 /*
4992 * Do the kernel equivalent of
4993 *
4994 * if i == 0
4995 * (void) open("/dev/null", O_RDONLY);
4996 * else
4997 * (void) open("/dev/null", O_WRONLY);
4998 */
4999
5000 struct fileproc *fp;
5001 int indx;
5002 int flag;
5003 struct nameidata *ndp = NULL;
5004
5005 if (i == 0) {
5006 flag = FREAD;
5007 } else {
5008 flag = FWRITE;
5009 }
5010
5011 if ((error = falloc(p,
5012 &fp, &indx, imgp->ip_vfs_context)) != 0) {
5013 continue;
5014 }
5015
5016 MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
5017 if (ndp == NULL) {
5018 fp_free(p, indx, fp);
5019 error = ENOMEM;
5020 break;
5021 }
5022
5023 NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE,
5024 CAST_USER_ADDR_T("/dev/null"),
5025 imgp->ip_vfs_context);
5026
5027 if ((error = vn_open(ndp, flag, 0)) != 0) {
5028 fp_free(p, indx, fp);
5029 FREE(ndp, M_TEMP);
5030 break;
5031 }
5032
5033 struct fileglob *fg = fp->f_fglob;
5034
5035 fg->fg_flag = flag;
5036 fg->fg_ops = &vnops;
5037 fg->fg_data = ndp->ni_vp;
5038
5039 vnode_put(ndp->ni_vp);
5040
5041 proc_fdlock(p);
5042 procfdtbl_releasefd(p, indx, NULL);
5043 fp_drop(p, indx, fp, 1);
5044 proc_fdunlock(p);
5045
5046 FREE(ndp, M_TEMP);
5047 }
5048 }
5049 }
5050 #if CONFIG_MACF
5051 else {
5052 /*
5053 * We are here because we were told that the MAC label will
5054 * be transitioned, and the binary is not VSUID or VSGID; to
5055 * deal with this case, we could either duplicate a lot of
5056 * code, or we can indicate we want to default the P_SUGID
5057 * bit clear and jump back up.
5058 */
5059 if (mac_transition) {
5060 leave_sugid_clear = 1;
5061 goto handle_mac_transition;
5062 }
5063 }
5064
5065 #endif /* CONFIG_MACF */
5066
5067 /*
5068 * Implement the semantic where the effective user and group become
5069 * the saved user and group in exec'ed programs.
5070 *
5071 * Modifications to p_ucred must be guarded using the
5072 * proc's ucred lock. This prevents others from accessing
5073 * a garbage credential.
5074 */
5075 for (;;) {
5076 my_cred = kauth_cred_proc_ref(p);
5077 my_new_cred = kauth_cred_setsvuidgid(my_cred, kauth_cred_getuid(my_cred), kauth_cred_getgid(my_cred));
5078
5079 if (my_new_cred == my_cred) {
5080 kauth_cred_unref(&my_cred);
5081 break;
5082 }
5083
5084 /* update cred on proc */
5085 proc_ucred_lock(p);
5086
5087 if (p->p_ucred != my_cred) {
5088 proc_ucred_unlock(p);
5089 kauth_cred_unref(&my_new_cred);
5090 continue;
5091 }
5092
5093 /* donate cred reference on my_new_cred to p->p_ucred */
5094 p->p_ucred = my_new_cred;
5095 PROC_UPDATE_CREDS_ONPROC(p);
5096 proc_ucred_unlock(p);
5097
5098 /* drop additional reference that was taken on the previous cred */
5099 kauth_cred_unref(&my_cred);
5100
5101 break;
5102 }
5103
5104
5105 /* Update the process' identity version and set the security token */
5106 p->p_idversion = OSIncrementAtomic(&nextpidversion);
5107
5108 if (imgp->ip_new_thread != NULL) {
5109 task = get_threadtask(imgp->ip_new_thread);
5110 } else {
5111 task = p->task;
5112 }
5113 set_security_token_task_internal(p, task);
5114
5115 return error;
5116 }
5117
5118
5119 /*
5120 * create_unix_stack
5121 *
5122 * Description: Set the user stack address for the process to the provided
5123 * address. If a custom stack was not set as a result of the
5124 * load process (i.e. as specified by the image file for the
5125 * executable), then allocate the stack in the provided map and
5126 * set up appropriate guard pages for enforcing administrative
5127 * limits on stack growth, if they end up being needed.
5128 *
5129 * Parameters: p Process to set stack on
5130 * load_result Information from mach-o load commands
5131 * map Address map in which to allocate the new stack
5132 *
5133 * Returns: KERN_SUCCESS Stack successfully created
5134 * !KERN_SUCCESS Mach failure code
5135 */
5136 static kern_return_t
5137 create_unix_stack(vm_map_t map, load_result_t* load_result,
5138 proc_t p)
5139 {
5140 mach_vm_size_t size, prot_size;
5141 mach_vm_offset_t addr, prot_addr;
5142 kern_return_t kr;
5143
5144 mach_vm_address_t user_stack = load_result->user_stack;
5145
5146 proc_lock(p);
5147 p->user_stack = user_stack;
5148 if (load_result->custom_stack) {
5149 p->p_lflag |= P_LCUSTOM_STACK;
5150 }
5151 proc_unlock(p);
5152
5153 if (load_result->user_stack_alloc_size > 0) {
5154 /*
5155 * Allocate enough space for the maximum stack size we
5156 * will ever authorize and an extra page to act as
5157 * a guard page for stack overflows. For default stacks,
5158 * vm_initial_limit_stack takes care of the extra guard page.
5159 * Otherwise we must allocate it ourselves.
5160 */
5161 if (mach_vm_round_page_overflow(load_result->user_stack_alloc_size, &size)) {
5162 return KERN_INVALID_ARGUMENT;
5163 }
5164 addr = mach_vm_trunc_page(load_result->user_stack - size);
5165 kr = mach_vm_allocate_kernel(map, &addr, size,
5166 VM_FLAGS_FIXED, VM_MEMORY_STACK);
5167 if (kr != KERN_SUCCESS) {
5168 // Can't allocate at default location, try anywhere
5169 addr = 0;
5170 kr = mach_vm_allocate_kernel(map, &addr, size,
5171 VM_FLAGS_ANYWHERE, VM_MEMORY_STACK);
5172 if (kr != KERN_SUCCESS) {
5173 return kr;
5174 }
5175
5176 user_stack = addr + size;
5177 load_result->user_stack = user_stack;
5178
5179 proc_lock(p);
5180 p->user_stack = user_stack;
5181 proc_unlock(p);
5182 }
5183
5184 load_result->user_stack_alloc = addr;
5185
5186 /*
5187 * And prevent access to what's above the current stack
5188 * size limit for this process.
5189 */
5190 if (load_result->user_stack_size == 0) {
5191 proc_list_lock();
5192 load_result->user_stack_size = unix_stack_size(p);
5193 proc_list_unlock();
5194 prot_size = mach_vm_trunc_page(size - load_result->user_stack_size);
5195 } else {
5196 prot_size = PAGE_SIZE;
5197 }
5198
5199 prot_addr = addr;
5200 kr = mach_vm_protect(map,
5201 prot_addr,
5202 prot_size,
5203 FALSE,
5204 VM_PROT_NONE);
5205 if (kr != KERN_SUCCESS) {
5206 (void)mach_vm_deallocate(map, addr, size);
5207 return kr;
5208 }
5209 }
5210
5211 return KERN_SUCCESS;
5212 }
5213
5214 #include <sys/reboot.h>
5215
5216 /*
5217 * load_init_program_at_path
5218 *
5219 * Description: Load the "init" program; in most cases, this will be "launchd"
5220 *
5221 * Parameters: p Process to call execve() to create
5222 * the "init" program
5223 * scratch_addr Page in p, scratch space
5224 * path NULL terminated path
5225 *
5226 * Returns: KERN_SUCCESS Success
5227 * !KERN_SUCCESS See execve/mac_execve for error codes
5228 *
5229 * Notes: The process that is passed in is the first manufactured
5230 * process on the system, and gets here via bsd_ast() firing
5231 * for the first time. This is done to ensure that bsd_init()
5232 * has run to completion.
5233 *
5234 * The address map of the first manufactured process matches the
5235 * word width of the kernel. Once the self-exec completes, the
5236 * initproc might be different.
5237 */
5238 static int
5239 load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
5240 {
5241 int retval[2];
5242 int error;
5243 struct execve_args init_exec_args;
5244 user_addr_t argv0 = USER_ADDR_NULL, argv1 = USER_ADDR_NULL;
5245
5246 /*
5247 * Validate inputs and pre-conditions
5248 */
5249 assert(p);
5250 assert(scratch_addr);
5251 assert(path);
5252
5253 /*
5254 * Copy out program name.
5255 */
5256 size_t path_length = strlen(path) + 1;
5257 argv0 = scratch_addr;
5258 error = copyout(path, argv0, path_length);
5259 if (error) {
5260 return error;
5261 }
5262
5263 scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, sizeof(user_addr_t));
5264
5265 /*
5266 * Put out first (and only) argument, similarly.
5267 * Assumes everything fits in a page as allocated above.
5268 */
5269 if (boothowto & RB_SINGLE) {
5270 const char *init_args = "-s";
5271 size_t init_args_length = strlen(init_args) + 1;
5272
5273 argv1 = scratch_addr;
5274 error = copyout(init_args, argv1, init_args_length);
5275 if (error) {
5276 return error;
5277 }
5278
5279 scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, sizeof(user_addr_t));
5280 }
5281
5282 if (proc_is64bit(p)) {
5283 user64_addr_t argv64bit[3] = {};
5284
5285 argv64bit[0] = argv0;
5286 argv64bit[1] = argv1;
5287 argv64bit[2] = USER_ADDR_NULL;
5288
5289 error = copyout(argv64bit, scratch_addr, sizeof(argv64bit));
5290 if (error) {
5291 return error;
5292 }
5293 } else {
5294 user32_addr_t argv32bit[3] = {};
5295
5296 argv32bit[0] = (user32_addr_t)argv0;
5297 argv32bit[1] = (user32_addr_t)argv1;
5298 argv32bit[2] = USER_ADDR_NULL;
5299
5300 error = copyout(argv32bit, scratch_addr, sizeof(argv32bit));
5301 if (error) {
5302 return error;
5303 }
5304 }
5305
5306 /*
5307 * Set up argument block for fake call to execve.
5308 */
5309 init_exec_args.fname = argv0;
5310 init_exec_args.argp = scratch_addr;
5311 init_exec_args.envp = USER_ADDR_NULL;
5312
5313 /*
5314 * So that init task is set with uid,gid 0 token
5315 */
5316 set_security_token(p);
5317
5318 return execve(p, &init_exec_args, retval);
5319 }
5320
5321 static const char * init_programs[] = {
5322 #if DEBUG
5323 "/usr/local/sbin/launchd.debug",
5324 #endif
5325 #if DEVELOPMENT || DEBUG
5326 "/usr/local/sbin/launchd.development",
5327 #endif
5328 "/sbin/launchd",
5329 };
5330
5331 /*
5332 * load_init_program
5333 *
5334 * Description: Load the "init" program; in most cases, this will be "launchd"
5335 *
5336 * Parameters: p Process to call execve() to create
5337 * the "init" program
5338 *
5339 * Returns: (void)
5340 *
5341 * Notes: The process that is passed in is the first manufactured
5342 * process on the system, and gets here via bsd_ast() firing
5343 * for the first time. This is done to ensure that bsd_init()
5344 * has run to completion.
5345 *
5346 * In DEBUG & DEVELOPMENT builds, the launchdsuffix boot-arg
5347 * may be used to select a specific launchd executable. As with
5348 * the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
5349 * will force /sbin/launchd to be selected.
5350 *
5351 * Search order by build:
5352 *
5353 * DEBUG DEVELOPMENT RELEASE PATH
5354 * ----------------------------------------------------------------------------------
5355 * 1 1 NA /usr/local/sbin/launchd.$LAUNCHDSUFFIX
5356 * 2 NA NA /usr/local/sbin/launchd.debug
5357 * 3 2 NA /usr/local/sbin/launchd.development
5358 * 4 3 1 /sbin/launchd
5359 */
5360 void
5361 load_init_program(proc_t p)
5362 {
5363 uint32_t i;
5364 int error;
5365 vm_map_t map = current_map();
5366 mach_vm_offset_t scratch_addr = 0;
5367 mach_vm_size_t map_page_size = vm_map_page_size(map);
5368
5369 (void) mach_vm_allocate_kernel(map, &scratch_addr, map_page_size, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_NONE);
5370 #if CONFIG_MEMORYSTATUS
5371 (void) memorystatus_init_at_boot_snapshot();
5372 #endif /* CONFIG_MEMORYSTATUS */
5373
5374 #if DEBUG || DEVELOPMENT
5375 /* Check for boot-arg suffix first */
5376 char launchd_suffix[64];
5377 if (PE_parse_boot_argn("launchdsuffix", launchd_suffix, sizeof(launchd_suffix))) {
5378 char launchd_path[128];
5379 boolean_t is_release_suffix = ((launchd_suffix[0] == 0) ||
5380 (strcmp(launchd_suffix, "release") == 0));
5381
5382 if (is_release_suffix) {
5383 printf("load_init_program: attempting to load /sbin/launchd\n");
5384 error = load_init_program_at_path(p, (user_addr_t)scratch_addr, "/sbin/launchd");
5385 if (!error) {
5386 return;
5387 }
5388
5389 panic("Process 1 exec of launchd.release failed, errno %d", error);
5390 } else {
5391 strlcpy(launchd_path, "/usr/local/sbin/launchd.", sizeof(launchd_path));
5392 strlcat(launchd_path, launchd_suffix, sizeof(launchd_path));
5393
5394 printf("load_init_program: attempting to load %s\n", launchd_path);
5395 error = load_init_program_at_path(p, (user_addr_t)scratch_addr, launchd_path);
5396 if (!error) {
5397 return;
5398 } else {
5399 printf("load_init_program: failed loading %s: errno %d\n", launchd_path, error);
5400 }
5401 }
5402 }
5403 #endif
5404
5405 error = ENOENT;
5406 for (i = 0; i < sizeof(init_programs) / sizeof(init_programs[0]); i++) {
5407 printf("load_init_program: attempting to load %s\n", init_programs[i]);
5408 error = load_init_program_at_path(p, (user_addr_t)scratch_addr, init_programs[i]);
5409 if (!error) {
5410 return;
5411 } else {
5412 printf("load_init_program: failed loading %s: errno %d\n", init_programs[i], error);
5413 }
5414 }
5415
5416 panic("Process 1 exec of %s failed, errno %d", ((i == 0) ? "<null>" : init_programs[i - 1]), error);
5417 }
5418
5419 /*
5420 * load_return_to_errno
5421 *
5422 * Description: Convert a load_return_t (Mach error) to an errno (BSD error)
5423 *
5424 * Parameters: lrtn Mach error number
5425 *
5426 * Returns: (int) BSD error number
5427 * 0 Success
5428 * EBADARCH Bad architecture
5429 * EBADMACHO Bad Mach object file
5430 * ESHLIBVERS Bad shared library version
5431 * ENOMEM Out of memory/resource shortage
5432 * EACCES Access denied
5433 * ENOENT Entry not found (usually "file does
5434 * does not exist")
5435 * EIO An I/O error occurred
5436 * EBADEXEC The executable is corrupt/unknown
5437 */
5438 static int
5439 load_return_to_errno(load_return_t lrtn)
5440 {
5441 switch (lrtn) {
5442 case LOAD_SUCCESS:
5443 return 0;
5444 case LOAD_BADARCH:
5445 case LOAD_BADARCH_X86:
5446 return EBADARCH;
5447 case LOAD_BADMACHO:
5448 case LOAD_BADMACHO_UPX:
5449 return EBADMACHO;
5450 case LOAD_SHLIB:
5451 return ESHLIBVERS;
5452 case LOAD_NOSPACE:
5453 case LOAD_RESOURCE:
5454 return ENOMEM;
5455 case LOAD_PROTECT:
5456 return EACCES;
5457 case LOAD_ENOENT:
5458 return ENOENT;
5459 case LOAD_IOERROR:
5460 return EIO;
5461 case LOAD_FAILURE:
5462 case LOAD_DECRYPTFAIL:
5463 default:
5464 return EBADEXEC;
5465 }
5466 }
5467
5468 #include <mach/mach_types.h>
5469 #include <mach/vm_prot.h>
5470 #include <mach/semaphore.h>
5471 #include <mach/sync_policy.h>
5472 #include <kern/clock.h>
5473 #include <mach/kern_return.h>
5474
5475 /*
5476 * execargs_alloc
5477 *
5478 * Description: Allocate the block of memory used by the execve arguments.
5479 * At the same time, we allocate a page so that we can read in
5480 * the first page of the image.
5481 *
5482 * Parameters: struct image_params * the image parameter block
5483 *
5484 * Returns: 0 Success
5485 * EINVAL Invalid argument
5486 * EACCES Permission denied
5487 * EINTR Interrupted function
5488 * ENOMEM Not enough space
5489 *
5490 * Notes: This is a temporary allocation into the kernel address space
5491 * to enable us to copy arguments in from user space. This is
5492 * necessitated by not mapping the process calling execve() into
5493 * the kernel address space during the execve() system call.
5494 *
5495 * We assemble the argument and environment, etc., into this
5496 * region before copying it as a single block into the child
5497 * process address space (at the top or bottom of the stack,
5498 * depending on which way the stack grows; see the function
5499 * exec_copyout_strings() for details).
5500 *
5501 * This ends up with a second (possibly unnecessary) copy compared
5502 * with assembing the data directly into the child address space,
5503 * instead, but since we cannot be guaranteed that the parent has
5504 * not modified its environment, we can't really know that it's
5505 * really a block there as well.
5506 */
5507
5508
5509 static int execargs_waiters = 0;
5510 lck_mtx_t *execargs_cache_lock;
5511
5512 static void
5513 execargs_lock_lock(void)
5514 {
5515 lck_mtx_lock_spin(execargs_cache_lock);
5516 }
5517
5518 static void
5519 execargs_lock_unlock(void)
5520 {
5521 lck_mtx_unlock(execargs_cache_lock);
5522 }
5523
5524 static wait_result_t
5525 execargs_lock_sleep(void)
5526 {
5527 return lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_INTERRUPTIBLE);
5528 }
5529
5530 static kern_return_t
5531 execargs_purgeable_allocate(char **execarg_address)
5532 {
5533 kern_return_t kr = vm_allocate_kernel(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE, VM_KERN_MEMORY_NONE);
5534 assert(kr == KERN_SUCCESS);
5535 return kr;
5536 }
5537
5538 static kern_return_t
5539 execargs_purgeable_reference(void *execarg_address)
5540 {
5541 int state = VM_PURGABLE_NONVOLATILE;
5542 kern_return_t kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
5543
5544 assert(kr == KERN_SUCCESS);
5545 return kr;
5546 }
5547
5548 static kern_return_t
5549 execargs_purgeable_volatilize(void *execarg_address)
5550 {
5551 int state = VM_PURGABLE_VOLATILE | VM_PURGABLE_ORDERING_OBSOLETE;
5552 kern_return_t kr;
5553 kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
5554
5555 assert(kr == KERN_SUCCESS);
5556
5557 return kr;
5558 }
5559
5560 static void
5561 execargs_wakeup_waiters(void)
5562 {
5563 thread_wakeup(&execargs_free_count);
5564 }
5565
5566 static int
5567 execargs_alloc(struct image_params *imgp)
5568 {
5569 kern_return_t kret;
5570 wait_result_t res;
5571 int i, cache_index = -1;
5572
5573 execargs_lock_lock();
5574
5575 while (execargs_free_count == 0) {
5576 execargs_waiters++;
5577 res = execargs_lock_sleep();
5578 execargs_waiters--;
5579 if (res != THREAD_AWAKENED) {
5580 execargs_lock_unlock();
5581 return EINTR;
5582 }
5583 }
5584
5585 execargs_free_count--;
5586
5587 for (i = 0; i < execargs_cache_size; i++) {
5588 vm_offset_t element = execargs_cache[i];
5589 if (element) {
5590 cache_index = i;
5591 imgp->ip_strings = (char *)(execargs_cache[i]);
5592 execargs_cache[i] = 0;
5593 break;
5594 }
5595 }
5596
5597 assert(execargs_free_count >= 0);
5598
5599 execargs_lock_unlock();
5600
5601 if (cache_index == -1) {
5602 kret = execargs_purgeable_allocate(&imgp->ip_strings);
5603 } else {
5604 kret = execargs_purgeable_reference(imgp->ip_strings);
5605 }
5606
5607 assert(kret == KERN_SUCCESS);
5608 if (kret != KERN_SUCCESS) {
5609 return ENOMEM;
5610 }
5611
5612 /* last page used to read in file headers */
5613 imgp->ip_vdata = imgp->ip_strings + (NCARGS + PAGE_SIZE);
5614 imgp->ip_strendp = imgp->ip_strings;
5615 imgp->ip_argspace = NCARGS;
5616 imgp->ip_strspace = (NCARGS + PAGE_SIZE);
5617
5618 return 0;
5619 }
5620
5621 /*
5622 * execargs_free
5623 *
5624 * Description: Free the block of memory used by the execve arguments and the
5625 * first page of the executable by a previous call to the function
5626 * execargs_alloc().
5627 *
5628 * Parameters: struct image_params * the image parameter block
5629 *
5630 * Returns: 0 Success
5631 * EINVAL Invalid argument
5632 * EINTR Oeration interrupted
5633 */
5634 static int
5635 execargs_free(struct image_params *imgp)
5636 {
5637 kern_return_t kret;
5638 int i;
5639 boolean_t needs_wakeup = FALSE;
5640
5641 kret = execargs_purgeable_volatilize(imgp->ip_strings);
5642
5643 execargs_lock_lock();
5644 execargs_free_count++;
5645
5646 for (i = 0; i < execargs_cache_size; i++) {
5647 vm_offset_t element = execargs_cache[i];
5648 if (element == 0) {
5649 execargs_cache[i] = (vm_offset_t) imgp->ip_strings;
5650 imgp->ip_strings = NULL;
5651 break;
5652 }
5653 }
5654
5655 assert(imgp->ip_strings == NULL);
5656
5657 if (execargs_waiters > 0) {
5658 needs_wakeup = TRUE;
5659 }
5660
5661 execargs_lock_unlock();
5662
5663 if (needs_wakeup == TRUE) {
5664 execargs_wakeup_waiters();
5665 }
5666
5667 return kret == KERN_SUCCESS ? 0 : EINVAL;
5668 }
5669
5670 static void
5671 exec_resettextvp(proc_t p, struct image_params *imgp)
5672 {
5673 vnode_t vp;
5674 off_t offset;
5675 vnode_t tvp = p->p_textvp;
5676 int ret;
5677
5678 vp = imgp->ip_vp;
5679 offset = imgp->ip_arch_offset;
5680
5681 if (vp == NULLVP) {
5682 panic("exec_resettextvp: expected valid vp");
5683 }
5684
5685 ret = vnode_ref(vp);
5686 proc_lock(p);
5687 if (ret == 0) {
5688 p->p_textvp = vp;
5689 p->p_textoff = offset;
5690 } else {
5691 p->p_textvp = NULLVP; /* this is paranoia */
5692 p->p_textoff = 0;
5693 }
5694 proc_unlock(p);
5695
5696 if (tvp != NULLVP) {
5697 if (vnode_getwithref(tvp) == 0) {
5698 vnode_rele(tvp);
5699 vnode_put(tvp);
5700 }
5701 }
5702 }
5703
5704 // Includes the 0-byte (therefore "SIZE" instead of "LEN").
5705 static const size_t CS_CDHASH_STRING_SIZE = CS_CDHASH_LEN * 2 + 1;
5706
5707 static void
5708 cdhash_to_string(char str[CS_CDHASH_STRING_SIZE], uint8_t const * const cdhash)
5709 {
5710 static char const nibble[] = "0123456789abcdef";
5711
5712 /* Apparently still the safest way to get a hex representation
5713 * of binary data.
5714 * xnu's printf routines have %*D/%20D in theory, but "not really", see:
5715 * <rdar://problem/33328859> confusion around %*D/%nD in printf
5716 */
5717 for (int i = 0; i < CS_CDHASH_LEN; ++i) {
5718 str[i * 2] = nibble[(cdhash[i] & 0xf0) >> 4];
5719 str[i * 2 + 1] = nibble[cdhash[i] & 0x0f];
5720 }
5721 str[CS_CDHASH_STRING_SIZE - 1] = 0;
5722 }
5723
5724 /*
5725 * __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__
5726 *
5727 * Description: Waits for the userspace daemon to respond to the request
5728 * we made. Function declared non inline to be visible in
5729 * stackshots and spindumps as well as debugging.
5730 */
5731 __attribute__((noinline)) int
5732 __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid)
5733 {
5734 return find_code_signature(task_access_port, new_pid);
5735 }
5736
5737 static int
5738 check_for_signature(proc_t p, struct image_params *imgp)
5739 {
5740 mach_port_t port = NULL;
5741 kern_return_t kr = KERN_FAILURE;
5742 int error = EACCES;
5743 boolean_t unexpected_failure = FALSE;
5744 struct cs_blob *csb;
5745 boolean_t require_success = FALSE;
5746 int spawn = (imgp->ip_flags & IMGPF_SPAWN);
5747 int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
5748 os_reason_t signature_failure_reason = OS_REASON_NULL;
5749
5750 /*
5751 * Override inherited code signing flags with the
5752 * ones for the process that is being successfully
5753 * loaded
5754 */
5755 proc_lock(p);
5756 p->p_csflags = imgp->ip_csflags;
5757 proc_unlock(p);
5758
5759 /* Set the switch_protect flag on the map */
5760 if (p->p_csflags & (CS_HARD | CS_KILL)) {
5761 vm_map_switch_protect(get_task_map(p->task), TRUE);
5762 }
5763
5764 /*
5765 * image activation may be failed due to policy
5766 * which is unexpected but security framework does not
5767 * approve of exec, kill and return immediately.
5768 */
5769 if (imgp->ip_mac_return != 0) {
5770 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
5771 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY, 0, 0);
5772 signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY);
5773 error = imgp->ip_mac_return;
5774 unexpected_failure = TRUE;
5775 goto done;
5776 }
5777
5778 if (imgp->ip_cs_error != OS_REASON_NULL) {
5779 signature_failure_reason = imgp->ip_cs_error;
5780 imgp->ip_cs_error = OS_REASON_NULL;
5781 error = EACCES;
5782 goto done;
5783 }
5784
5785 /* If the code signature came through the image activation path, we skip the
5786 * taskgated / externally attached path. */
5787 if (imgp->ip_csflags & CS_SIGNED) {
5788 error = 0;
5789 goto done;
5790 }
5791
5792 /* The rest of the code is for signatures that either already have been externally
5793 * attached (likely, but not necessarily by a previous run through the taskgated
5794 * path), or that will now be attached by taskgated. */
5795
5796 kr = task_get_task_access_port(p->task, &port);
5797 if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
5798 error = 0;
5799 if (require_success) {
5800 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
5801 p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT, 0, 0);
5802 signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT);
5803 error = EACCES;
5804 }
5805 goto done;
5806 }
5807
5808 /*
5809 * taskgated returns KERN_SUCCESS if it has completed its work
5810 * and the exec should continue, KERN_FAILURE if the exec should
5811 * fail, or it may error out with different error code in an
5812 * event of mig failure (e.g. process was signalled during the
5813 * rpc call, taskgated died, mig server died etc.).
5814 */
5815
5816 kr = __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(port, p->p_pid);
5817 switch (kr) {
5818 case KERN_SUCCESS:
5819 error = 0;
5820 break;
5821 case KERN_FAILURE:
5822 error = EACCES;
5823
5824 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
5825 p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG, 0, 0);
5826 signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG);
5827 goto done;
5828 default:
5829 error = EACCES;
5830
5831 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
5832 p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER, 0, 0);
5833 signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER);
5834 unexpected_failure = TRUE;
5835 goto done;
5836 }
5837
5838 /* Only do this if exec_resettextvp() did not fail */
5839 if (p->p_textvp != NULLVP) {
5840 csb = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff);
5841
5842 if (csb != NULL) {
5843 /* As the enforcement we can do here is very limited, we only allow things that
5844 * are the only reason why this code path still exists:
5845 * Adhoc signed non-platform binaries without special cs_flags and without any
5846 * entitlements (unrestricted ones still pass AMFI). */
5847 if (
5848 /* Revalidate the blob if necessary through bumped generation count. */
5849 (ubc_cs_generation_check(p->p_textvp) == 0 ||
5850 ubc_cs_blob_revalidate(p->p_textvp, csb, imgp, 0) == 0) &&
5851 /* Only CS_ADHOC, no CS_KILL, CS_HARD etc. */
5852 (csb->csb_flags & CS_ALLOWED_MACHO) == CS_ADHOC &&
5853 /* If it has a CMS blob, it's not adhoc. The CS_ADHOC flag can lie. */
5854 csblob_find_blob_bytes((const uint8_t *)csb->csb_mem_kaddr, csb->csb_mem_size,
5855 CSSLOT_SIGNATURESLOT,
5856 CSMAGIC_BLOBWRAPPER) == NULL &&
5857 /* It could still be in a trust cache (unlikely with CS_ADHOC), or a magic path. */
5858 csb->csb_platform_binary == 0 &&
5859 /* No entitlements, not even unrestricted ones. */
5860 csb->csb_entitlements_blob == NULL) {
5861 proc_lock(p);
5862 p->p_csflags |= CS_SIGNED | CS_VALID;
5863 proc_unlock(p);
5864 } else {
5865 uint8_t cdhash[CS_CDHASH_LEN];
5866 char cdhash_string[CS_CDHASH_STRING_SIZE];
5867 proc_getcdhash(p, cdhash);
5868 cdhash_to_string(cdhash_string, cdhash);
5869 printf("ignoring detached code signature on '%s' with cdhash '%s' "
5870 "because it is invalid, or not a simple adhoc signature.\n",
5871 p->p_name, cdhash_string);
5872 }
5873 }
5874 }
5875
5876 done:
5877 if (0 == error) {
5878 /* The process's code signature related properties are
5879 * fully set up, so this is an opportune moment to log
5880 * platform binary execution, if desired. */
5881 if (platform_exec_logging != 0 && csproc_get_platform_binary(p)) {
5882 uint8_t cdhash[CS_CDHASH_LEN];
5883 char cdhash_string[CS_CDHASH_STRING_SIZE];
5884 proc_getcdhash(p, cdhash);
5885 cdhash_to_string(cdhash_string, cdhash);
5886
5887 os_log(peLog, "CS Platform Exec Logging: Executing platform signed binary "
5888 "'%s' with cdhash %s\n", p->p_name, cdhash_string);
5889 }
5890 } else {
5891 if (!unexpected_failure) {
5892 p->p_csflags |= CS_KILLED;
5893 }
5894 /* make very sure execution fails */
5895 if (vfexec || spawn) {
5896 assert(signature_failure_reason != OS_REASON_NULL);
5897 psignal_vfork_with_reason(p, p->task, imgp->ip_new_thread,
5898 SIGKILL, signature_failure_reason);
5899 signature_failure_reason = OS_REASON_NULL;
5900 error = 0;
5901 } else {
5902 assert(signature_failure_reason != OS_REASON_NULL);
5903 psignal_with_reason(p, SIGKILL, signature_failure_reason);
5904 signature_failure_reason = OS_REASON_NULL;
5905 }
5906 }
5907
5908 /* If we hit this, we likely would have leaked an exit reason */
5909 assert(signature_failure_reason == OS_REASON_NULL);
5910 return error;
5911 }
5912
5913 /*
5914 * Typically as soon as we start executing this process, the
5915 * first instruction will trigger a VM fault to bring the text
5916 * pages (as executable) into the address space, followed soon
5917 * thereafter by dyld data structures (for dynamic executable).
5918 * To optimize this, as well as improve support for hardware
5919 * debuggers that can only access resident pages present
5920 * in the process' page tables, we prefault some pages if
5921 * possible. Errors are non-fatal.
5922 */
5923 static void
5924 exec_prefault_data(proc_t p __unused, struct image_params *imgp, load_result_t *load_result)
5925 {
5926 int ret;
5927 size_t expected_all_image_infos_size;
5928
5929 /*
5930 * Prefault executable or dyld entry point.
5931 */
5932 vm_fault(current_map(),
5933 vm_map_trunc_page(load_result->entry_point,
5934 vm_map_page_mask(current_map())),
5935 VM_PROT_READ | VM_PROT_EXECUTE,
5936 FALSE, VM_KERN_MEMORY_NONE,
5937 THREAD_UNINT, NULL, 0);
5938
5939 if (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) {
5940 expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos);
5941 } else {
5942 expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos);
5943 }
5944
5945 /* Decode dyld anchor structure from <mach-o/dyld_images.h> */
5946 if (load_result->dynlinker &&
5947 load_result->all_image_info_addr &&
5948 load_result->all_image_info_size >= expected_all_image_infos_size) {
5949 union {
5950 struct user64_dyld_all_image_infos infos64;
5951 struct user32_dyld_all_image_infos infos32;
5952 } all_image_infos;
5953
5954 /*
5955 * Pre-fault to avoid copyin() going through the trap handler
5956 * and recovery path.
5957 */
5958 vm_fault(current_map(),
5959 vm_map_trunc_page(load_result->all_image_info_addr,
5960 vm_map_page_mask(current_map())),
5961 VM_PROT_READ | VM_PROT_WRITE,
5962 FALSE, VM_KERN_MEMORY_NONE,
5963 THREAD_UNINT, NULL, 0);
5964 if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) {
5965 /* all_image_infos straddles a page */
5966 vm_fault(current_map(),
5967 vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - 1,
5968 vm_map_page_mask(current_map())),
5969 VM_PROT_READ | VM_PROT_WRITE,
5970 FALSE, VM_KERN_MEMORY_NONE,
5971 THREAD_UNINT, NULL, 0);
5972 }
5973
5974 ret = copyin(load_result->all_image_info_addr,
5975 &all_image_infos,
5976 expected_all_image_infos_size);
5977 if (ret == 0 && all_image_infos.infos32.version >= DYLD_ALL_IMAGE_INFOS_ADDRESS_MINIMUM_VERSION) {
5978 user_addr_t notification_address;
5979 user_addr_t dyld_image_address;
5980 user_addr_t dyld_version_address;
5981 user_addr_t dyld_all_image_infos_address;
5982 user_addr_t dyld_slide_amount;
5983
5984 if (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) {
5985 notification_address = all_image_infos.infos64.notification;
5986 dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress;
5987 dyld_version_address = all_image_infos.infos64.dyldVersion;
5988 dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress;
5989 } else {
5990 notification_address = all_image_infos.infos32.notification;
5991 dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress;
5992 dyld_version_address = all_image_infos.infos32.dyldVersion;
5993 dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress;
5994 }
5995
5996 /*
5997 * dyld statically sets up the all_image_infos in its Mach-O
5998 * binary at static link time, with pointers relative to its default
5999 * load address. Since ASLR might slide dyld before its first
6000 * instruction is executed, "dyld_slide_amount" tells us how far
6001 * dyld was loaded compared to its default expected load address.
6002 * All other pointers into dyld's image should be adjusted by this
6003 * amount. At some point later, dyld will fix up pointers to take
6004 * into account the slide, at which point the all_image_infos_address
6005 * field in the structure will match the runtime load address, and
6006 * "dyld_slide_amount" will be 0, if we were to consult it again.
6007 */
6008
6009 dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address;
6010
6011 #if 0
6012 kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
6013 (uint64_t)load_result->all_image_info_addr,
6014 all_image_infos.infos32.version,
6015 (uint64_t)notification_address,
6016 (uint64_t)dyld_image_address,
6017 (uint64_t)dyld_version_address,
6018 (uint64_t)dyld_all_image_infos_address);
6019 #endif
6020
6021 vm_fault(current_map(),
6022 vm_map_trunc_page(notification_address + dyld_slide_amount,
6023 vm_map_page_mask(current_map())),
6024 VM_PROT_READ | VM_PROT_EXECUTE,
6025 FALSE, VM_KERN_MEMORY_NONE,
6026 THREAD_UNINT, NULL, 0);
6027 vm_fault(current_map(),
6028 vm_map_trunc_page(dyld_image_address + dyld_slide_amount,
6029 vm_map_page_mask(current_map())),
6030 VM_PROT_READ | VM_PROT_EXECUTE,
6031 FALSE, VM_KERN_MEMORY_NONE,
6032 THREAD_UNINT, NULL, 0);
6033 vm_fault(current_map(),
6034 vm_map_trunc_page(dyld_version_address + dyld_slide_amount,
6035 vm_map_page_mask(current_map())),
6036 VM_PROT_READ,
6037 FALSE, VM_KERN_MEMORY_NONE,
6038 THREAD_UNINT, NULL, 0);
6039 vm_fault(current_map(),
6040 vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount,
6041 vm_map_page_mask(current_map())),
6042 VM_PROT_READ | VM_PROT_WRITE,
6043 FALSE, VM_KERN_MEMORY_NONE,
6044 THREAD_UNINT, NULL, 0);
6045 }
6046 }
6047 }
mirror of XNU