]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/kern/kern_exec.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-3789.70.16.tar.gz
[apple/xnu.git] / bsd / kern / kern_exec.c
diff --git a/bsd/kern/kern_exec.c b/bsd/kern/kern_exec.c
index e2e7d1526403588d395587c067f781de55fe3e5b..604da6996af5dd930a7dfe522eb13ca539fbbb42 100644 (file)
--- a/bsd/kern/kern_exec.c
+++ b/bsd/kern/kern_exec.c
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2000-2011 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2013 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -102,6 +102,8 @@
 #include <sys/signal.h>
 #include <sys/aio_kern.h>
 #include <sys/sysproto.h>
 #include <sys/signal.h>
 #include <sys/aio_kern.h>
 #include <sys/sysproto.h>
+#include <sys/persona.h>
+#include <sys/reason.h>
 #if SYSV_SHM
 #include <sys/shm_internal.h>          /* shmexec() */
 #endif
 #if SYSV_SHM
 #include <sys/shm_internal.h>          /* shmexec() */
 #endif
@@ -110,6 +112,7 @@
 #include <sys/spawn_internal.h>
 #include <sys/process_policy.h>
 #include <sys/codesign.h>
 #include <sys/spawn_internal.h>
 #include <sys/process_policy.h>
 #include <sys/codesign.h>
+#include <sys/random.h>
 #include <crypto/sha1.h>
 
 #include <libkern/libkern.h>
 #include <crypto/sha1.h>
 
 #include <libkern/libkern.h>
@@ -132,6 +135,8 @@
 #include <kern/assert.h>
 #include <kern/task.h>
 #include <kern/coalition.h>
 #include <kern/assert.h>
 #include <kern/task.h>
 #include <kern/coalition.h>
+#include <kern/policy_internal.h>
+#include <kern/kalloc.h>
 
 #if CONFIG_MACF
 #include <security/mac.h>
 
 #if CONFIG_MACF
 #include <security/mac.h>
@@ -157,10 +162,8 @@
 
 #if CONFIG_DTRACE
 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
 
 #if CONFIG_DTRACE
 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
-extern void (*dtrace_fasttrap_exec_ptr)(proc_t);
+extern void dtrace_proc_exec(proc_t);
 extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
 extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
-extern void (*dtrace_helpers_cleanup)(proc_t);
-extern void dtrace_lazy_dofs_destroy(proc_t);
 
 /*
  * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
 
 /*
  * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
@@ -172,9 +175,17 @@ static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL;
 #endif
 
 /* support for child creation in exec after vfork */
 #endif
 
 /* support for child creation in exec after vfork */
-thread_t fork_create_child(task_t parent_task, coalition_t *parent_coalition, proc_t child_proc, int inherit_memory, int is64bit);
+thread_t fork_create_child(task_t parent_task, coalition_t *parent_coalition, proc_t child_proc, int inherit_memory, int is64bit, int in_exec);
 void vfork_exit(proc_t p, int rv);
 extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
 void vfork_exit(proc_t p, int rv);
 extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
+extern void task_set_did_exec_flag(task_t task);
+extern void task_clear_exec_copy_flag(task_t task);
+proc_t proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread);
+boolean_t task_is_active(task_t);
+boolean_t thread_is_active(thread_t thread);
+void thread_copy_resource_info(thread_t dst_thread, thread_t src_thread);
+void *ipc_importance_exec_switch_task(task_t old_task, task_t new_task);
+extern void ipc_importance_release(void *elem);
 
 /*
  * Mach things for which prototypes are unavailable from Mach headers
 
 /*
  * Mach things for which prototypes are unavailable from Mach headers
@@ -239,7 +250,7 @@ static int execargs_alloc(struct image_params *imgp);
 static int execargs_free(struct image_params *imgp);
 static int exec_check_permissions(struct image_params *imgp);
 static int exec_extract_strings(struct image_params *imgp);
 static int execargs_free(struct image_params *imgp);
 static int exec_check_permissions(struct image_params *imgp);
 static int exec_extract_strings(struct image_params *imgp);
-static int exec_add_apple_strings(struct image_params *imgp);
+static int exec_add_apple_strings(struct image_params *imgp, const load_result_t *load_result);
 static int exec_handle_sugid(struct image_params *imgp);
 static int sugid_scripts = 0;
 SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
 static int exec_handle_sugid(struct image_params *imgp);
 static int sugid_scripts = 0;
 SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
@@ -248,7 +259,7 @@ static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
 static void exec_resettextvp(proc_t, struct image_params *);
 static int check_for_signature(proc_t, struct image_params *);
 static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
 static void exec_resettextvp(proc_t, struct image_params *);
 static int check_for_signature(proc_t, struct image_params *);
 static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
-static errno_t exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports);
+static errno_t exec_handle_port_actions(struct image_params *imgp, boolean_t * portwatch_present, ipc_port_t * portwatch_ports);
 static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
                              ipc_port_t * portwatch_ports, int portwatch_count);
 
 static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
                              ipc_port_t * portwatch_ports, int portwatch_count);
 
@@ -609,7 +620,8 @@ exec_fat_imgact(struct image_params *imgp)
 
        if (imgp->ip_origcputype != 0) {
                /* Fat header previously matched, don't allow another fat file inside */
 
        if (imgp->ip_origcputype != 0) {
                /* Fat header previously matched, don't allow another fat file inside */
-               return (-1);
+               error = -1; /* not claimed */
+               goto bad;
        }
 
        /* Make sure it's a fat binary */
        }
 
        /* Make sure it's a fat binary */
@@ -694,6 +706,73 @@ bad:
        return (error);
 }
 
        return (error);
 }
 
+static int
+activate_exec_state(task_t task, proc_t p, thread_t thread, load_result_t *result)
+{
+       int ret;
+
+       task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, 0);
+       if (result->is64bit) {
+               task_set_64bit(task, TRUE);
+               OSBitOrAtomic(P_LP64, &p->p_flag);
+       } else {
+               task_set_64bit(task, FALSE);
+               OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
+       }
+
+       ret = thread_state_initialize(thread);
+       if (ret != KERN_SUCCESS) {
+               return ret;
+       }
+
+       if (result->threadstate) {
+               uint32_t *ts = result->threadstate;
+               uint32_t total_size = result->threadstate_sz;
+
+               while (total_size > 0) {
+                       uint32_t flavor = *ts++;
+                       uint32_t size = *ts++;
+
+                       ret = thread_setstatus(thread, flavor, (thread_state_t)ts, size);
+                       if (ret) {
+                               return ret;
+                       }
+                       ts += size;
+                       total_size -= (size + 2) * sizeof(uint32_t);
+               }
+       }
+
+       thread_setentrypoint(thread, result->entry_point);
+
+       return KERN_SUCCESS;
+}
+
+
+/*
+ * Set p->p_comm and p->p_name to the name passed to exec
+ */
+static void
+set_proc_name(struct image_params *imgp, proc_t p)
+{
+       int p_name_len = sizeof(p->p_name) - 1;
+
+       if (imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len) {
+               imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
+       }
+
+       bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
+               (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
+       p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+
+       if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN) {
+               imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
+       }
+
+       bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
+               (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
+       p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+}
+
 /*
  * exec_mach_imgact
  *
 /*
  * exec_mach_imgact
  *
@@ -728,13 +807,14 @@ exec_mach_imgact(struct image_params *imgp)
        thread_t                thread;
        struct uthread          *uthread;
        vm_map_t old_map = VM_MAP_NULL;
        thread_t                thread;
        struct uthread          *uthread;
        vm_map_t old_map = VM_MAP_NULL;
-       vm_map_t map;
+       vm_map_t map = VM_MAP_NULL;
        load_return_t           lret;
        load_result_t           load_result;
        struct _posix_spawnattr *psa = NULL;
        int                     spawn = (imgp->ip_flags & IMGPF_SPAWN);
        int                     vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
        load_return_t           lret;
        load_result_t           load_result;
        struct _posix_spawnattr *psa = NULL;
        int                     spawn = (imgp->ip_flags & IMGPF_SPAWN);
        int                     vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
-       int                     p_name_len;
+       int                     exec = (imgp->ip_flags & IMGPF_EXEC);
+       os_reason_t             exec_failure_reason = OS_REASON_NULL;
 
        /*
         * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
 
        /*
         * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
@@ -814,10 +894,6 @@ grade:
        if (error)
                goto bad;
 
        if (error)
                goto bad;
 
-       error = exec_add_apple_strings(imgp);
-       if (error)
-               goto bad;
-
        AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc, 
            imgp->ip_endargv - imgp->ip_startargv);
        AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
        AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc, 
            imgp->ip_endargv - imgp->ip_startargv);
        AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
@@ -830,36 +906,20 @@ grade:
         * obtained indirectly from the image_params vfs_context_t, is the
         * new child process.
         */
         * obtained indirectly from the image_params vfs_context_t, is the
         * new child process.
         */
-       if (vfexec || spawn) {
-               if (vfexec) {
-                       imgp->ip_new_thread = fork_create_child(task, NULL, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT));
-                       if (imgp->ip_new_thread == NULL) {
-                               error = ENOMEM;
-                               goto bad;
-                       }
+       if (vfexec) {
+               imgp->ip_new_thread = fork_create_child(task, NULL, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT), FALSE);
+               /* task and thread ref returned, will be released in __mac_execve */
+               if (imgp->ip_new_thread == NULL) {
+                       error = ENOMEM;
+                       goto bad;
                }
                }
-
-               /* reset local idea of thread, uthread, task */
-               thread = imgp->ip_new_thread;
-               uthread = get_bsdthread_info(thread);
-               task = new_task = get_threadtask(thread);
-               map = get_task_map(task);
-       } else {
-               map = VM_MAP_NULL;
        }
 
        }
 
-       /*
-        * We set these flags here; this is OK, since if we fail after
-        * this point, we have already destroyed the parent process anyway.
-        */
-       task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, 0);
-       if (imgp->ip_flags & IMGPF_IS_64BIT) {
-               task_set_64bit(task, TRUE);
-               OSBitOrAtomic(P_LP64, &p->p_flag);
-       } else {
-               task_set_64bit(task, FALSE);
-               OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
-       }
+
+       /* reset local idea of thread, uthread, task */
+       thread = imgp->ip_new_thread;
+       uthread = get_bsdthread_info(thread);
+       task = new_task = get_threadtask(thread);
 
        /*
         *      Load the Mach-O file.
 
        /*
         *      Load the Mach-O file.
@@ -876,10 +936,23 @@ grade:
        /*
         * Actually load the image file we previously decided to load.
         */
        /*
         * Actually load the image file we previously decided to load.
         */
-       lret = load_machfile(imgp, mach_header, thread, map, &load_result);
-
+       lret = load_machfile(imgp, mach_header, thread, &map, &load_result);
        if (lret != LOAD_SUCCESS) {
                error = load_return_to_errno(lret);
        if (lret != LOAD_SUCCESS) {
                error = load_return_to_errno(lret);
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO, 0, 0);
+               if (lret == LOAD_BADMACHO_UPX) {
+                       /* set anything that might be useful in the crash report */
+                       set_proc_name(imgp, p);
+
+                       exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_UPX);
+                       exec_failure_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
+                       exec_failure_reason->osr_flags |= OS_REASON_FLAG_CONSISTENT_FAILURE;
+               } else {
+                       exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO);
+               }
+
                goto badtoolate;
        }
 
                goto badtoolate;
        }
 
@@ -888,7 +961,7 @@ grade:
        p->p_cpusubtype = imgp->ip_origcpusubtype;
        proc_unlock(p);
 
        p->p_cpusubtype = imgp->ip_origcpusubtype;
        proc_unlock(p);
 
-       vm_map_set_user_wire_limit(get_task_map(task), p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
+       vm_map_set_user_wire_limit(map, p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
 
        /* 
         * Set code-signing flags if this binary is signed, or if parent has
 
        /* 
         * Set code-signing flags if this binary is signed, or if parent has
@@ -896,8 +969,10 @@ grade:
         */
        if (load_result.csflags & CS_VALID) {
                imgp->ip_csflags |= load_result.csflags & 
         */
        if (load_result.csflags & CS_VALID) {
                imgp->ip_csflags |= load_result.csflags & 
-                       (CS_VALID|
-                        CS_HARD|CS_KILL|CS_RESTRICT|CS_ENFORCEMENT|CS_REQUIRE_LV|CS_DYLD_PLATFORM|
+                       (CS_VALID|CS_SIGNED|CS_DEV_CODE|
+                        CS_HARD|CS_KILL|CS_RESTRICT|CS_ENFORCEMENT|CS_REQUIRE_LV|
+                        CS_ENTITLEMENTS_VALIDATED|CS_DYLD_PLATFORM|
+                        CS_ENTITLEMENT_FLAGS|
                         CS_EXEC_SET_HARD|CS_EXEC_SET_KILL|CS_EXEC_SET_ENFORCEMENT);
        } else {
                imgp->ip_csflags &= ~CS_VALID;
                         CS_EXEC_SET_HARD|CS_EXEC_SET_KILL|CS_EXEC_SET_ENFORCEMENT);
        } else {
                imgp->ip_csflags &= ~CS_VALID;
@@ -912,15 +987,11 @@ grade:
        if (p->p_csflags & CS_EXEC_SET_INSTALLER)
                imgp->ip_csflags |= CS_INSTALLER;
 
        if (p->p_csflags & CS_EXEC_SET_INSTALLER)
                imgp->ip_csflags |= CS_INSTALLER;
 
-
        /*
         * Set up the system reserved areas in the new address space.
         */
        /*
         * Set up the system reserved areas in the new address space.
         */
-       vm_map_exec(get_task_map(task),
-                   task,
-                   (void *) p->p_fd->fd_rdir,
-                   cpu_type());
-       
+       vm_map_exec(map, task, load_result.is64bit, (void *)p->p_fd->fd_rdir, cpu_type());
+
        /*
         * Close file descriptors which specify close-on-exec.
         */
        /*
         * Close file descriptors which specify close-on-exec.
         */
@@ -931,8 +1002,38 @@ grade:
         */
        error = exec_handle_sugid(imgp);
        if (error) {
         */
        error = exec_handle_sugid(imgp);
        if (error) {
+               vm_map_deallocate(map);
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE, 0, 0);
+               exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE);
                goto badtoolate;
                goto badtoolate;
-       }       
+       }
+
+       /*
+        * Commit to new map.
+        *
+        * Swap the new map for the old for target task, which consumes
+        * our new map reference but each leaves us responsible for the
+        * old_map reference.  That lets us get off the pmap associated
+        * with it, and then we can release it.
+        *
+        * The map needs to be set on the target task which is different
+        * than current task, thus swap_task_map is used instead of
+        * vm_map_switch.
+        */
+       old_map = swap_task_map(task, thread, map);
+       vm_map_deallocate(old_map);
+       old_map = NULL;
+
+       lret = activate_exec_state(task, p, thread, &load_result);
+       if (lret != KERN_SUCCESS) {
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE, 0, 0);
+               exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE);
+               goto badtoolate;
+       }
 
        /*
         * deal with voucher on exec-calling thread.
 
        /*
         * deal with voucher on exec-calling thread.
@@ -949,13 +1050,25 @@ grade:
                                  &load_result,
                                  p) != KERN_SUCCESS) {
                error = load_return_to_errno(LOAD_NOSPACE);
                                  &load_result,
                                  p) != KERN_SUCCESS) {
                error = load_return_to_errno(LOAD_NOSPACE);
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC, 0, 0);
+               exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC);
                goto badtoolate;
        }
 
                goto badtoolate;
        }
 
-       if (vfexec || spawn) {
-               old_map = vm_map_switch(get_task_map(task));
+       error = exec_add_apple_strings(imgp, &load_result);
+       if (error) {
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT, 0, 0);
+               exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT);
+               goto badtoolate;
        }
 
        }
 
+       /* Switch to target task's map to copy out strings */
+       old_map = vm_map_switch(get_task_map(task));
+
        if (load_result.unixproc) {
                user_addr_t     ap;
 
        if (load_result.unixproc) {
                user_addr_t     ap;
 
@@ -966,14 +1079,17 @@ grade:
                ap = p->user_stack;
                error = exec_copyout_strings(imgp, &ap);
                if (error) {
                ap = p->user_stack;
                error = exec_copyout_strings(imgp, &ap);
                if (error) {
-                       if (vfexec || spawn)
-                               vm_map_switch(old_map);
+                       vm_map_switch(old_map);
+
+                       KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS, 0, 0);
+                       exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS);
                        goto badtoolate;
                }
                /* Set the stack */
                thread_setuserstack(thread, ap);
        }
                        goto badtoolate;
                }
                /* Set the stack */
                thread_setuserstack(thread, ap);
        }
-       
+
        if (load_result.dynlinker) {
                uint64_t        ap;
                int                     new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
        if (load_result.dynlinker) {
                uint64_t        ap;
                int                     new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
@@ -983,8 +1099,11 @@ grade:
                error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
 
                if (error) {
                error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
 
                if (error) {
-                       if (vfexec || spawn)
-                               vm_map_switch(old_map);
+                       vm_map_switch(old_map);
+
+                       KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER, 0, 0);
+                       exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER);
                        goto badtoolate;
                }
                task_set_dyld_info(task, load_result.all_image_info_addr,
                        goto badtoolate;
                }
                task_set_dyld_info(task, load_result.all_image_info_addr,
@@ -994,11 +1113,7 @@ grade:
        /* Avoid immediate VM faults back into kernel */
        exec_prefault_data(p, imgp, &load_result);
 
        /* Avoid immediate VM faults back into kernel */
        exec_prefault_data(p, imgp, &load_result);
 
-       if (vfexec || spawn) {
-               vm_map_switch(old_map);
-       }
-       /* Set the entry point */
-       thread_setentrypoint(thread, load_result.entry_point);
+       vm_map_switch(old_map);
 
        /* Stop profiling */
        stopprofclock(p);
 
        /* Stop profiling */
        stopprofclock(p);
@@ -1029,68 +1144,46 @@ grade:
         */
        p->p_acflag &= ~AFORK;
 
         */
        p->p_acflag &= ~AFORK;
 
-       /*
-        * Set p->p_comm and p->p_name to the name passed to exec
-        */
-       p_name_len = sizeof(p->p_name) - 1;
-       if(imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len)
-               imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
-       bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
-               (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
-       p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
-
-       if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
-               imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
-       bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
-               (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
-       p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+       set_proc_name(imgp, p);
+
+#if CONFIG_SECLUDED_MEMORY
+       if (secluded_for_apps) {
+               if (strncmp(p->p_name,
+                           "Camera",
+                           sizeof (p->p_name)) == 0 ||
+#if 00
+                   strncmp(p->p_name,
+                           "camerad",
+                           sizeof (p->p_name)) == 0 ||
+#endif
+                   strncmp(p->p_name,
+                           "testCamera",
+                           sizeof (p->p_name)) == 0) {
+                       task_set_could_use_secluded_mem(task, TRUE);
+               } else {
+                       task_set_could_use_secluded_mem(task, FALSE);
+               }
+               if (strncmp(p->p_name,
+                           "mediaserverd",
+                           sizeof (p->p_name)) == 0) {
+                       task_set_could_also_use_secluded_mem(task, TRUE);
+               }
+       }
+#endif /* CONFIG_SECLUDED_MEMORY */
 
 
-       pal_dbg_set_task_name( p->task );
+       pal_dbg_set_task_name( task );
 
 #if DEVELOPMENT || DEBUG
        /* 
         * Update the pid an proc name for importance base if any
         */
 
 #if DEVELOPMENT || DEBUG
        /* 
         * Update the pid an proc name for importance base if any
         */
-       task_importance_update_owner_info(p->task);
+       task_importance_update_owner_info(task);
 #endif
 
        memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
 
 #endif
 
        memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
 
-// <rdar://6598155> dtrace code cleanup needed
 #if CONFIG_DTRACE
 #if CONFIG_DTRACE
-       /*
-        * Invalidate any predicate evaluation already cached for this thread by DTrace.
-        * That's because we've just stored to p_comm and DTrace refers to that when it
-        * evaluates the "execname" special variable. uid and gid may have changed as well.
-        */
-       dtrace_set_thread_predcache(current_thread(), 0);
-
-       /*
-        * Free any outstanding lazy dof entries. It is imperative we
-        * always call dtrace_lazy_dofs_destroy, rather than null check
-        * and call if !NULL. If we NULL test, during lazy dof faulting
-        * we can race with the faulting code and proceed from here to
-        * beyond the helpers cleanup. The lazy dof faulting will then
-        * install new helpers which no longer belong to this process!
-        */
-       dtrace_lazy_dofs_destroy(p);
-
-
-       /*
-        * Clean up any DTrace helpers for the process.
-        */
-       if (p->p_dtrace_helpers != NULL && dtrace_helpers_cleanup) {
-               (*dtrace_helpers_cleanup)(p);
-       }
-       
-       /*
-        * Cleanup the DTrace provider associated with this process.
-        */
-       proc_lock(p);
-       if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) {
-               (*dtrace_fasttrap_exec_ptr)(p);
-       }
-       proc_unlock(p);
+       dtrace_proc_exec(p);
 #endif
 
        if (kdebug_enable) {
 #endif
 
        if (kdebug_enable) {
@@ -1101,17 +1194,10 @@ grade:
                 */
                kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
 
                 */
                kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
 
-               if (vfexec || spawn) {
-                       KERNEL_DEBUG_CONSTANT1(TRACE_DATA_EXEC | DBG_FUNC_NONE,
-                                       p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread));
-                       KERNEL_DEBUG_CONSTANT1(TRACE_STRING_EXEC | DBG_FUNC_NONE,
-                                       dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread));
-               } else {
-                       KERNEL_DEBUG_CONSTANT(TRACE_DATA_EXEC | DBG_FUNC_NONE,
-                                       p->p_pid ,0,0,0,0);
-                       KERNEL_DEBUG_CONSTANT(TRACE_STRING_EXEC | DBG_FUNC_NONE,
-                                       dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
-               }
+               KERNEL_DEBUG_CONSTANT1(TRACE_DATA_EXEC | DBG_FUNC_NONE,
+                               p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread));
+               KERNEL_DEBUG_CONSTANT1(TRACE_STRING_EXEC | DBG_FUNC_NONE,
+                               dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread));
        }
 
        /*
        }
 
        /*
@@ -1124,7 +1210,7 @@ grade:
                        proc_lock(p);
                        p->p_stat = SSTOP;
                        proc_unlock(p);
                        proc_lock(p);
                        p->p_stat = SSTOP;
                        proc_unlock(p);
-                       (void) task_suspend_internal(p->task);
+                       (void) task_suspend_internal(task);
                }
        }
 
                }
        }
 
@@ -1155,13 +1241,25 @@ badtoolate:
        /* Don't allow child process to execute any instructions */
        if (!spawn) {
                if (vfexec) {
        /* Don't allow child process to execute any instructions */
        if (!spawn) {
                if (vfexec) {
-                       psignal_vfork(p, new_task, thread, SIGKILL);
+                       assert(exec_failure_reason != OS_REASON_NULL);
+                       psignal_vfork_with_reason(p, new_task, thread, SIGKILL, exec_failure_reason);
+                       exec_failure_reason = OS_REASON_NULL;
                } else {
                } else {
-                       psignal(p, SIGKILL);
+                       assert(exec_failure_reason != OS_REASON_NULL);
+                       psignal_with_reason(p, SIGKILL, exec_failure_reason);
+                       exec_failure_reason = OS_REASON_NULL;
+
+                       if (exec) {
+                               /* Terminate the exec copy task */
+                               task_terminate_internal(task);
+                       }
                }
 
                /* We can't stop this system call at this point, so just pretend we succeeded */
                error = 0;
                }
 
                /* We can't stop this system call at this point, so just pretend we succeeded */
                error = 0;
+       } else {
+               os_reason_free(exec_failure_reason);
+               exec_failure_reason = OS_REASON_NULL;
        }
        
 done:
        }
        
 done:
@@ -1171,13 +1269,14 @@ done:
                        proc_knote(p, NOTE_EXEC);
        }
 
                        proc_knote(p, NOTE_EXEC);
        }
 
-       /* Drop extra references for cases where we don't expect the caller to clean up */
-       if (vfexec || (spawn && error == 0)) {
-               task_deallocate(new_task);
-               thread_deallocate(thread);
+       if (load_result.threadstate) {
+               kfree(load_result.threadstate, load_result.threadstate_sz);
+               load_result.threadstate = NULL;
        }
 
 bad:
        }
 
 bad:
+       /* If we hit this, we likely would have leaked an exit reason */
+       assert(exec_failure_reason == OS_REASON_NULL);
        return(error);
 }
 
        return(error);
 }
 
@@ -1226,6 +1325,7 @@ struct execsw {
  *     namei:???
  *     vn_rdwr:???                     [anything vn_rdwr can return]
  *     <ex_imgact>:???                 [anything an imgact can return]
  *     namei:???
  *     vn_rdwr:???                     [anything vn_rdwr can return]
  *     <ex_imgact>:???                 [anything an imgact can return]
+ *     EDEADLK                         Process is being terminated
  */
 static int
 exec_activate_image(struct image_params *imgp)
  */
 static int
 exec_activate_image(struct image_params *imgp)
@@ -1276,6 +1376,7 @@ again:
         */
        proc_lock(p);
        if (p->p_lflag & P_LEXIT) {
         */
        proc_lock(p);
        if (p->p_lflag & P_LEXIT) {
+               error = EDEADLK;
                proc_unlock(p);
                goto bad_notrans;
        }
                proc_unlock(p);
                goto bad_notrans;
        }
@@ -1374,7 +1475,6 @@ encapsulated_binary:
                                        KAUTH_FILEOP_EXEC,
                                        (uintptr_t)ndp->ni_vp, 0);
        }
                                        KAUTH_FILEOP_EXEC,
                                        (uintptr_t)ndp->ni_vp, 0);
        }
-
 bad:
        proc_transend(p, 0);
 
 bad:
        proc_transend(p, 0);
 
@@ -1478,76 +1578,86 @@ exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp,
  *             and/or audit_session_spawnjoin for the current task.
  *
  * Parameters: struct image_params *   Image parameter block
  *             and/or audit_session_spawnjoin for the current task.
  *
  * Parameters: struct image_params *   Image parameter block
- *             short psa_flags         posix spawn attribute flags
  *
  * Returns:    0                       Success
  *             EINVAL                  Failure
  *             ENOTSUP                 Illegal posix_spawn attr flag was set
  */
 static errno_t
  *
  * Returns:    0                       Success
  *             EINVAL                  Failure
  *             ENOTSUP                 Illegal posix_spawn attr flag was set
  */
 static errno_t
-exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports)
+exec_handle_port_actions(struct image_params *imgp, boolean_t * portwatch_present,
+                         ipc_port_t * portwatch_ports)
 {
        _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
 {
        _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
+#if CONFIG_AUDIT
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
+#endif
        _ps_port_action_t *act = NULL;
        _ps_port_action_t *act = NULL;
-       task_t task = p->task;
+       task_t task = get_threadtask(imgp->ip_new_thread);
        ipc_port_t port = NULL;
        errno_t ret = 0;
        int i;
        ipc_port_t port = NULL;
        errno_t ret = 0;
        int i;
+       kern_return_t kr;
 
        *portwatch_present = FALSE;
 
        for (i = 0; i < pacts->pspa_count; i++) {
                act = &pacts->pspa_actions[i];
 
 
        *portwatch_present = FALSE;
 
        for (i = 0; i < pacts->pspa_count; i++) {
                act = &pacts->pspa_actions[i];
 
-               if (ipc_object_copyin(get_task_ipcspace(current_task()),
-                   act->new_port, MACH_MSG_TYPE_COPY_SEND,
-                   (ipc_object_t *) &port) != KERN_SUCCESS) {
-                       ret = EINVAL;
-                       goto done;
+               if (MACH_PORT_VALID(act->new_port)) {
+                       kr = ipc_object_copyin(get_task_ipcspace(current_task()),
+                                              act->new_port, MACH_MSG_TYPE_COPY_SEND,
+                                              (ipc_object_t *) &port);
+
+                       if (kr != KERN_SUCCESS) {
+                               ret = EINVAL;
+                               goto done;
+                       }
+               } else {
+                       /* it's NULL or DEAD */
+                       port = CAST_MACH_NAME_TO_PORT(act->new_port);
                }
 
                switch (act->port_type) {
                case PSPA_SPECIAL:
                }
 
                switch (act->port_type) {
                case PSPA_SPECIAL:
-                       /* Only allowed when not under vfork */
-                       if (!(psa_flags & POSIX_SPAWN_SETEXEC))
-                               ret = ENOTSUP;
-                       else if (task_set_special_port(task,
-                       act->which, port) != KERN_SUCCESS)
+                       kr = task_set_special_port(task, act->which, port);
+
+                       if (kr != KERN_SUCCESS)
                                ret = EINVAL;
                        break;
 
                case PSPA_EXCEPTION:
                                ret = EINVAL;
                        break;
 
                case PSPA_EXCEPTION:
-                       /* Only allowed when not under vfork */
-                       if (!(psa_flags & POSIX_SPAWN_SETEXEC))
-                               ret = ENOTSUP;
-                       else if (task_set_exception_ports(task, 
-                       act->mask, port, act->behavior, 
-                       act->flavor) != KERN_SUCCESS)
+                       kr = task_set_exception_ports(task, act->mask, port,
+                                                     act->behavior, act->flavor);
+                       if (kr != KERN_SUCCESS)
                                ret = EINVAL;
                        break;
 #if CONFIG_AUDIT
                case PSPA_AU_SESSION:
                                ret = EINVAL;
                        break;
 #if CONFIG_AUDIT
                case PSPA_AU_SESSION:
-                       ret = audit_session_spawnjoin(p, port);
+                       ret = audit_session_spawnjoin(p, task, port);
+                       if (ret) {
+                               /* audit_session_spawnjoin() has already dropped the reference in case of error. */
+                               goto done;
+                       }
+
                        break;
 #endif
                case PSPA_IMP_WATCHPORTS:
                        break;
 #endif
                case PSPA_IMP_WATCHPORTS:
-                       if (portwatch_ports != NULL) {
+                       if (portwatch_ports != NULL && IPC_PORT_VALID(port)) {
                                *portwatch_present = TRUE;
                                /* hold on to this till end of spawn */
                                portwatch_ports[i] = port;
                                *portwatch_present = TRUE;
                                /* hold on to this till end of spawn */
                                portwatch_ports[i] = port;
-                               ret = 0;
-                       } else
+                       } else {
                                ipc_port_release_send(port);
                                ipc_port_release_send(port);
+                       }
+
                        break;
                default:
                        ret = EINVAL;
                        break;
                }
 
                        break;
                default:
                        ret = EINVAL;
                        break;
                }
 
-               /* action failed, so release port resources */
-
-               if (ret) { 
+               if (ret) {
+                       /* action failed, so release port resources */
                        ipc_port_release_send(port);
                        break;
                }
                        ipc_port_release_send(port);
                        break;
                }
@@ -1883,49 +1993,125 @@ static inline void spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_T
 }
 #endif
 
 }
 #endif
 
-void
-proc_set_return_wait(proc_t p)
+#if CONFIG_PERSONAS
+static int spawn_validate_persona(struct _posix_spawn_persona_info *px_persona)
 {
 {
-       proc_lock(p);
-       p->p_lflag |= P_LRETURNWAIT;
-       proc_unlock(p);
-}
+       int error = 0;
+       struct persona *persona = NULL;
+       int verify = px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_VERIFY;
 
 
-void
-proc_clear_return_wait(proc_t p, thread_t child_thread)
-{
-       proc_lock(p);
+       /*
+        * TODO: rdar://problem/19981151
+        * Add entitlement check!
+        */
+       if (!kauth_cred_issuser(kauth_cred_get()))
+               return EPERM;
 
 
-       p->p_lflag &= ~P_LRETURNWAIT;
-       if (p->p_lflag & P_LRETURNWAITER) {
-               wakeup(&p->p_lflag);
+       persona = persona_lookup(px_persona->pspi_id);
+       if (!persona) {
+               error = ESRCH;
+               goto out;
        }
 
        }
 
-       proc_unlock(p);
+       if (verify) {
+               if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+                       if (px_persona->pspi_uid != persona_get_uid(persona)) {
+                               error = EINVAL;
+                               goto out;
+                       }
+               }
+               if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+                       if (px_persona->pspi_gid != persona_get_gid(persona)) {
+                               error = EINVAL;
+                               goto out;
+                       }
+               }
+               if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+                       int ngroups = 0;
+                       gid_t groups[NGROUPS_MAX];
 
 
-       (void)thread_resume(child_thread);
+                       if (persona_get_groups(persona, &ngroups, groups,
+                                              px_persona->pspi_ngroups) != 0) {
+                               error = EINVAL;
+                               goto out;
+                       }
+                       if (ngroups != (int)px_persona->pspi_ngroups) {
+                               error = EINVAL;
+                               goto out;
+                       }
+                       while (ngroups--) {
+                               if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
+                                       error = EINVAL;
+                                       goto out;
+                               }
+                       }
+                       if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
+                               error = EINVAL;
+                               goto out;
+                       }
+               }
+       }
+
+out:
+       if (persona)
+               persona_put(persona);
+
+       return error;
 }
 
 }
 
-void
-proc_wait_to_return()
+static int spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
 {
 {
-       proc_t  p;
+       int ret;
+       kauth_cred_t cred;
+       struct persona *persona = NULL;
+       int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
 
 
-       p = current_proc();
-       proc_lock(p);
+       if (!override)
+               return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
 
 
-       if (p->p_lflag & P_LRETURNWAIT) {
-               p->p_lflag |= P_LRETURNWAITER;
-               do {
-                       msleep(&p->p_lflag, &p->p_mlock, 0,
-                               "thread_check_setup_complete", NULL);
-               } while (p->p_lflag & P_LRETURNWAIT);
-               p->p_lflag &= ~P_LRETURNWAITER;
+       /*
+        * we want to spawn into the given persona, but we want to override
+        * the kauth with a different UID/GID combo
+        */
+       persona = persona_lookup(px_persona->pspi_id);
+       if (!persona)
+               return ESRCH;
+
+       cred = persona_get_cred(persona);
+       if (!cred) {
+               ret = EINVAL;
+               goto out;
        }
 
        }
 
-       proc_unlock(p);
-       thread_bootstrap_return();
+       if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+               cred = kauth_cred_setresuid(cred,
+                                           px_persona->pspi_uid,
+                                           px_persona->pspi_uid,
+                                           px_persona->pspi_uid,
+                                           KAUTH_UID_NONE);
+       }
+
+       if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+               cred = kauth_cred_setresgid(cred,
+                                           px_persona->pspi_gid,
+                                           px_persona->pspi_gid,
+                                           px_persona->pspi_gid);
+       }
+
+       if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+               cred = kauth_cred_setgroups(cred,
+                                           px_persona->pspi_groups,
+                                           px_persona->pspi_ngroups,
+                                           px_persona->pspi_gmuid);
+       }
+
+       ret = persona_proc_adopt(p, persona, cred);
+
+out:
+       persona_put(persona);
+       return ret;
 }
 }
+#endif
 
 /*
  * posix_spawn
 
 /*
  * posix_spawn
@@ -1979,7 +2165,13 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        boolean_t exec_done = FALSE;
        int portwatch_count = 0;
        ipc_port_t * portwatch_ports = NULL;
        boolean_t exec_done = FALSE;
        int portwatch_count = 0;
        ipc_port_t * portwatch_ports = NULL;
-       vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports); 
+       vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
+       task_t new_task = NULL;
+       boolean_t should_release_proc_ref = FALSE;
+       void *inherit = NULL;
+#if CONFIG_PERSONAS
+       struct _posix_spawn_persona_info *px_persona = NULL;
+#endif
 
        /*
         * Allocate a big chunk for locals instead of using stack since these  
 
        /*
         * Allocate a big chunk for locals instead of using stack since these  
@@ -2004,7 +2196,8 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
        imgp->ip_mac_return = 0;
        imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
        imgp->ip_mac_return = 0;
-       imgp->ip_reserved = NULL;
+       imgp->ip_px_persona = NULL;
+       imgp->ip_cs_error = OS_REASON_NULL;
 
        if (uap->adesc != USER_ADDR_NULL) {
                if(is_64) {
 
        if (uap->adesc != USER_ADDR_NULL) {
                if(is_64) {
@@ -2028,8 +2221,8 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                        px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
                        px_args.coal_info_size = px_args32.coal_info_size;
                        px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
                        px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
                        px_args.coal_info_size = px_args32.coal_info_size;
                        px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
-                       px_args.reserved = 0;
-                       px_args.reserved_size = 0;
+                       px_args.persona_info_size = px_args32.persona_info_size;
+                       px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
                }
                if (error)
                        goto bad;
                }
                if (error)
                        goto bad;
@@ -2099,7 +2292,29 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                                goto bad;
                        }
                }
                                goto bad;
                        }
                }
+#if CONFIG_PERSONAS
+               /* copy in the persona info */
+               if (px_args.persona_info_size != 0 && px_args.persona_info != 0) {
+                       /* for now, we need the exact same struct in user space */
+                       if (px_args.persona_info_size != sizeof(*px_persona)) {
+                               error = ERANGE;
+                               goto bad;
+                       }
+
+                       MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK|M_ZERO);
+                       if (px_persona == NULL) {
+                               error = ENOMEM;
+                               goto bad;
+                       }
+                       imgp->ip_px_persona = px_persona;
 
 
+                       if ((error = copyin(px_args.persona_info, px_persona,
+                                           px_args.persona_info_size)) != 0)
+                               goto bad;
+                       if ((error = spawn_validate_persona(px_persona)) != 0)
+                               goto bad;
+               }
+#endif
 #if CONFIG_MACF
                if (px_args.mac_extensions_size != 0) {
                        if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0)
 #if CONFIG_MACF
                if (px_args.mac_extensions_size != 0) {
                        if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0)
@@ -2215,8 +2430,16 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
 do_fork1:
 #endif /* CONFIG_COALITIONS */
 
 do_fork1:
 #endif /* CONFIG_COALITIONS */
 
+               /*
+                * note that this will implicitly inherit the
+                * caller's persona (if it exists)
+                */
                error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
                error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
+               /* returns a thread and task reference */
 
 
+               if (error == 0) {
+                       new_task = get_threadtask(imgp->ip_new_thread);
+               }
 #if CONFIG_COALITIONS
                /* set the roles of this task within each given coalition */
                if (error == 0) {
 #if CONFIG_COALITIONS
                /* set the roles of this task within each given coalition */
                if (error == 0) {
@@ -2234,6 +2457,66 @@ do_fork1:
                imgp->ip_flags |= IMGPF_SPAWN;  /* spawn w/o exec */
                spawn_no_exec = TRUE;           /* used in later tests */
 
                imgp->ip_flags |= IMGPF_SPAWN;  /* spawn w/o exec */
                spawn_no_exec = TRUE;           /* used in later tests */
 
+#if CONFIG_PERSONAS
+               /*
+                * If the parent isn't in a persona (launchd), and
+                * hasn't specified a new persona for the process,
+                * then we'll put the process into the system persona
+                *
+                * TODO: this will have to be re-worked because as of
+                *       now, without any launchd adoption, the resulting
+                *       xpcproxy process will not have sufficient
+                *       privileges to setuid/gid.
+                */
+#if 0
+               if (!proc_has_persona(p) && imgp->ip_px_persona == NULL) {
+                       MALLOC(px_persona, struct _posix_spawn_persona_info *,
+                              sizeof(*px_persona), M_TEMP, M_WAITOK|M_ZERO);
+                       if (px_persona == NULL) {
+                               error = ENOMEM;
+                               goto bad;
+                       }
+                       px_persona->pspi_id = persona_get_id(g_system_persona);
+                       imgp->ip_px_persona = px_persona;
+               }
+#endif /* 0 */
+#endif /* CONFIG_PERSONAS */
+       } else {
+               /*
+                * For execve case, create a new task and thread
+                * which points to current_proc. The current_proc will point
+                * to the new task after image activation and proc ref drain.
+                *
+                * proc (current_proc) <-----  old_task (current_task)
+                *  ^ |                                ^
+                *  | |                                |
+                *  | ----------------------------------
+                *  |
+                *  --------- new_task (task marked as TF_EXEC_COPY)
+                *
+                * After image activation, the proc will point to the new task
+                * and would look like following.
+                *
+                * proc (current_proc)  <-----  old_task (current_task, marked as TPF_DID_EXEC)
+                *  ^ |
+                *  | |
+                *  | ----------> new_task
+                *  |               |
+                *  -----------------
+                *
+                * During exec any transition from new_task -> proc is fine, but don't allow
+                * transition from proc->task, since it will modify old_task.
+                */
+               imgp->ip_new_thread = fork_create_child(current_task(),
+                                       NULL, p, FALSE, p->p_flag & P_LP64, TRUE);
+               /* task and thread ref returned by fork_create_child */
+               if (imgp->ip_new_thread == NULL) {
+                       error = ENOMEM;
+                       goto bad;
+               }
+
+               new_task = get_threadtask(imgp->ip_new_thread);
+               imgp->ip_flags |= IMGPF_EXEC;
        }
 
        if (spawn_no_exec) {
        }
 
        if (spawn_no_exec) {
@@ -2248,17 +2531,9 @@ do_fork1:
        }
        assert(p != NULL);
 
        }
        assert(p != NULL);
 
-       /* By default, the thread everyone plays with is the parent */
-       context.vc_thread = current_thread();
+       context.vc_thread = imgp->ip_new_thread;
        context.vc_ucred = p->p_ucred;  /* XXX must NOT be kauth_cred_get() */
 
        context.vc_ucred = p->p_ucred;  /* XXX must NOT be kauth_cred_get() */
 
-       /*
-        * However, if we're not in the setexec case, redirect the context
-        * to the newly created process instead
-        */
-       if (spawn_no_exec)
-               context.vc_thread = imgp->ip_new_thread;
-
        /*
         * Post fdcopy(), pre exec_handle_sugid() - this is where we want
         * to handle the file_actions.  Since vfork() also ends up setting
        /*
         * Post fdcopy(), pre exec_handle_sugid() - this is where we want
         * to handle the file_actions.  Since vfork() also ends up setting
@@ -2298,8 +2573,7 @@ do_fork1:
                        portwatch_ports = NULL;
                }
 
                        portwatch_ports = NULL;
                }
 
-               if ((error = exec_handle_port_actions(imgp,
-                   imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0, &portwatch_present, portwatch_ports)) != 0) 
+               if ((error = exec_handle_port_actions(imgp, &portwatch_present, portwatch_ports)) != 0)
                        goto bad;
 
                if (portwatch_present == FALSE && portwatch_ports != NULL) {
                        goto bad;
 
                if (portwatch_present == FALSE && portwatch_ports != NULL) {
@@ -2336,20 +2610,52 @@ do_fork1:
                 * image will take precedence over the spawn attributes
                 * (re)setting them.
                 *
                 * image will take precedence over the spawn attributes
                 * (re)setting them.
                 *
-                * The use of p_ucred is safe, since we are acting on the
-                * new process, and it has no threads other than the one
-                * we are creating for it.
+                * Modifications to p_ucred must be guarded using the
+                * proc's ucred lock. This prevents others from accessing
+                * a garbage credential.
                 */
                 */
-               if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
-                       kauth_cred_t my_cred = p->p_ucred;
+               while (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
+                       kauth_cred_t my_cred = kauth_cred_proc_ref(p);
                        kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
                        kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
-                       if (my_new_cred != my_cred) {
-                               p->p_ucred = my_new_cred;
-                               /* update cred on proc */
-                               PROC_UPDATE_CREDS_ONPROC(p);
+
+                       if (my_cred == my_new_cred) {
+                               kauth_cred_unref(&my_cred);
+                               break;
                        }
                        }
+
+                       /* update cred on proc */
+                       proc_ucred_lock(p);
+
+                       if (p->p_ucred != my_cred) {
+                               proc_ucred_unlock(p);
+                               kauth_cred_unref(&my_new_cred);
+                               continue;
+                       }
+
+                       /* donate cred reference on my_new_cred to p->p_ucred */
+                       p->p_ucred = my_new_cred;
+                       PROC_UPDATE_CREDS_ONPROC(p);
+                       proc_ucred_unlock(p);
+
+                       /* drop additional reference that was taken on the previous cred */
+                       kauth_cred_unref(&my_cred);
                }
 
                }
 
+#if CONFIG_PERSONAS
+               if (spawn_no_exec && imgp->ip_px_persona != NULL) {
+                       /*
+                        * If we were asked to spawn a process into a new persona,
+                        * do the credential switch now (which may override the UID/GID
+                        * inherit done just above). It's important to do this switch
+                        * before image activation both for reasons stated above, and
+                        * to ensure that the new persona has access to the image/file
+                        * being executed.
+                        */
+                       error = spawn_persona_adopt(p, imgp->ip_px_persona);
+                       if (error != 0)
+                               goto bad;
+               }
+#endif /* CONFIG_PERSONAS */
 #if !SECURE_KERNEL
                /*
                 * Disable ASLR for the spawned process.
 #if !SECURE_KERNEL
                /*
                 * Disable ASLR for the spawned process.
@@ -2405,6 +2711,12 @@ do_fork1:
         */
        error = exec_activate_image(imgp);
        
         */
        error = exec_activate_image(imgp);
        
+       if (error == 0 && !spawn_no_exec) {
+               p = proc_exec_switch_task(p, current_task(), new_task, imgp->ip_new_thread);
+               /* proc ref returned */
+               should_release_proc_ref = TRUE;
+       }
+
        if (error == 0) {
                /* process completed the exec */
                exec_done = TRUE;
        if (error == 0) {
                /* process completed the exec */
                exec_done = TRUE;
@@ -2423,18 +2735,8 @@ do_fork1:
         * until after the image is activated.
         */
        if (!error && imgp->ip_px_sa != NULL) {
         * until after the image is activated.
         */
        if (!error && imgp->ip_px_sa != NULL) {
-               thread_t child_thread = current_thread();
-               uthread_t child_uthread = uthread;
-
-               /*
-                * If we created a new child thread, then the thread and
-                * uthread are different than the current ones; otherwise,
-                * we leave them, since we are in the exec case instead.
-                */
-               if (spawn_no_exec) {
-                       child_thread = imgp->ip_new_thread;
-                       child_uthread = get_bsdthread_info(child_thread);
-               }
+               thread_t child_thread = imgp->ip_new_thread;
+               uthread_t child_uthread = get_bsdthread_info(child_thread);
 
                /*
                 * Mask a list of signals, instead of them being unmasked, if
 
                /*
                 * Mask a list of signals, instead of them being unmasked, if
@@ -2455,9 +2757,9 @@ do_fork1:
                        vec.sa_tramp = 0;
                        vec.sa_mask = 0;
                        vec.sa_flags = 0;
                        vec.sa_tramp = 0;
                        vec.sa_mask = 0;
                        vec.sa_flags = 0;
-                       for (sig = 0; sig < NSIG; sig++)
-                               if (px_sa.psa_sigdefault & (1 << sig)) {
-                                       error = setsigvec(p, child_thread, sig + 1, &vec, spawn_no_exec);
+                       for (sig = 1; sig < NSIG; sig++)
+                               if (px_sa.psa_sigdefault & (1 << (sig-1))) {
+                                       error = setsigvec(p, child_thread, sig, &vec, spawn_no_exec);
                        }
                }
 
                        }
                }
 
@@ -2508,7 +2810,7 @@ bad:
                }
                exec_resettextvp(p, imgp);
                
                }
                exec_resettextvp(p, imgp);
                
-#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
+#if CONFIG_MEMORYSTATUS
                /* Has jetsam attributes? */
                if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
                        /*
                /* Has jetsam attributes? */
                if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
                        /*
@@ -2540,7 +2842,7 @@ bad:
                        }
 
                }
                        }
 
                }
-#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM*/
+#endif /* CONFIG_MEMORYSTATUS */
        }
 
        /*
        }
 
        /*
@@ -2568,12 +2870,26 @@ bad:
                /* notify only if it has not failed due to FP Key error */
                if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)
                        proc_knote(p, NOTE_EXEC);
                /* notify only if it has not failed due to FP Key error */
                if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)
                        proc_knote(p, NOTE_EXEC);
-       } else if (error == 0) {
-               /* reset the importance attribute from our previous life */
-               task_importance_reset(p->task);
+       }
 
 
-               /* reset atm context from task */
-               task_atm_reset(p->task);
+       if (error == 0) {
+               /*
+                * We need to initialize the bank context behind the protection of
+                * the proc_trans lock to prevent a race with exit. We can't do this during
+                * exec_activate_image because task_bank_init checks entitlements that
+                * aren't loaded until subsequent calls (including exec_resettextvp).
+                */
+               error = proc_transstart(p, 0, 0);
+
+               if (error == 0) {
+                       task_bank_init(get_threadtask(imgp->ip_new_thread));
+                       proc_transend(p, 0);
+               }
+       }
+
+       /* Inherit task role from old task to new task for exec */
+       if (error == 0 && !spawn_no_exec) {
+               proc_inherit_task_role(get_threadtask(imgp->ip_new_thread), current_task());
        }
 
        /*
        }
 
        /*
@@ -2592,11 +2908,31 @@ bad:
                                              portwatch_ports, portwatch_count);
        }
 
                                              portwatch_ports, portwatch_count);
        }
 
-       /* Apply the main thread qos */
+       /*
+        * Need to transfer pending watch port boosts to the new task while still making
+        * sure that the old task remains in the importance linkage. Create an importance
+        * linkage from old task to new task, then switch the task importance base
+        * of old task and new task. After the switch the port watch boost will be
+        * boosting the new task and new task will be donating importance to old task.
+        */
+       if (error == 0 && task_did_exec(current_task())) {
+               inherit = ipc_importance_exec_switch_task(current_task(), get_threadtask(imgp->ip_new_thread));
+       }
+
        if (error == 0) {
        if (error == 0) {
-               thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread();
+               /* Apply the main thread qos */         
+               thread_t main_thread = imgp->ip_new_thread;
+               task_set_main_thread_qos(get_threadtask(imgp->ip_new_thread), main_thread);
 
 
-               task_set_main_thread_qos(p->task, main_thread);
+#if CONFIG_MACF
+               /*
+                * Processes with the MAP_JIT entitlement are permitted to have
+                * a jumbo-size map.
+                */
+               if (mac_proc_check_map_anon(p, 0, 0, 0, MAP_JIT, NULL) == 0) {
+                       vm_map_set_jumbo(get_task_map(p->task));
+               }
+#endif /* CONFIG_MACF */
        }
 
        /*
        }
 
        /*
@@ -2631,6 +2967,10 @@ bad:
                if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
                        psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
                }
                if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
                        psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
                }
+
+               if (error == 0 && !spawn_no_exec)
+                       KDBG(BSDDBG_CODE(DBG_BSD_PROC,BSD_PROC_EXEC),
+                            p->p_pid);
        }
 
 
        }
 
 
@@ -2645,6 +2985,10 @@ bad:
                        FREE(imgp->ip_px_sfa, M_TEMP);
                if (imgp->ip_px_spa != NULL)
                        FREE(imgp->ip_px_spa, M_TEMP);
                        FREE(imgp->ip_px_sfa, M_TEMP);
                if (imgp->ip_px_spa != NULL)
                        FREE(imgp->ip_px_spa, M_TEMP);
+#if CONFIG_PERSONAS
+               if (imgp->ip_px_persona != NULL)
+                       FREE(imgp->ip_px_persona, M_TEMP);
+#endif
 #if CONFIG_MACF
                if (imgp->ip_px_smpx != NULL)
                        spawn_free_macpolicyinfo(imgp->ip_px_smpx);
 #if CONFIG_MACF
                if (imgp->ip_px_smpx != NULL)
                        spawn_free_macpolicyinfo(imgp->ip_px_smpx);
@@ -2652,6 +2996,10 @@ bad:
                        mac_cred_label_free(imgp->ip_execlabelp);
                if (imgp->ip_scriptlabelp)
                        mac_vnode_label_free(imgp->ip_scriptlabelp);
                        mac_cred_label_free(imgp->ip_execlabelp);
                if (imgp->ip_scriptlabelp)
                        mac_vnode_label_free(imgp->ip_scriptlabelp);
+               if (imgp->ip_cs_error != OS_REASON_NULL) {
+                       os_reason_free(imgp->ip_cs_error);
+                       imgp->ip_cs_error = OS_REASON_NULL;
+               }
 #endif
        }
 
 #endif
        }
 
@@ -2693,9 +3041,23 @@ bad:
                }
        }
 
                }
        }
 
-       if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL)
+       if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) {
                (*dtrace_proc_waitfor_hook)(p);
                (*dtrace_proc_waitfor_hook)(p);
+       }
 #endif
 #endif
+       /*
+        * exec-success dtrace probe fired, clear bsd_info from
+        * old task if it did exec.
+        */
+       if (task_did_exec(current_task())) {
+               set_bsdtask_info(current_task(), NULL);
+       }
+
+       /* clear bsd_info from new task and terminate it if exec failed  */
+       if (new_task != NULL && task_is_exec_copy(new_task)) {
+               set_bsdtask_info(new_task, NULL);
+               task_terminate_internal(new_task);
+       }
 
        /* Return to both the parent and the child? */
        if (imgp != NULL && spawn_no_exec) {
 
        /* Return to both the parent and the child? */
        if (imgp != NULL && spawn_no_exec) {
@@ -2720,37 +3082,165 @@ bad:
                                p->exit_thread = current_thread();
                                proc_unlock(p);
                                exit1(p, 1, (int *)NULL);
                                p->exit_thread = current_thread();
                                proc_unlock(p);
                                exit1(p, 1, (int *)NULL);
-                               proc_clear_return_wait(p, imgp->ip_new_thread);
-                               if (exec_done == FALSE) {
-                                       task_deallocate(get_threadtask(imgp->ip_new_thread));
-                                       thread_deallocate(imgp->ip_new_thread);
-                               }
                        } else {
                                /* someone is doing it for us; just skip it */
                                proc_unlock(p);
                        } else {
                                /* someone is doing it for us; just skip it */
                                proc_unlock(p);
-                               proc_clear_return_wait(p, imgp->ip_new_thread);
                        }
                        }
-               } else {
+               }
+       }
+
+       /*
+        * Do not terminate the current task, if proc_exec_switch_task did not
+        * switch the tasks, terminating the current task without the switch would
+        * result in loosing the SIGKILL status.
+        */
+       if (task_did_exec(current_task())) {
+               /* Terminate the current task, since exec will start in new task */
+               task_terminate_internal(current_task());
+       }
+
+       /* Release the thread ref returned by fork_create_child/fork1 */
+       if (imgp != NULL && imgp->ip_new_thread) {
+               /* wake up the new thread */
+               task_clear_return_wait(get_threadtask(imgp->ip_new_thread));
+               thread_deallocate(imgp->ip_new_thread);
+               imgp->ip_new_thread = NULL;
+       }
+
+       /* Release the ref returned by fork_create_child/fork1 */
+       if (new_task) {
+               task_deallocate(new_task);
+               new_task = NULL;
+       }
+
+       if (should_release_proc_ref) {
+               proc_rele(p);
+       }
+
+       if (bufp != NULL) {
+               FREE(bufp, M_TEMP);
+       }
+
+       if (inherit != NULL) {
+               ipc_importance_release(inherit);
+       }
+       
+       return(error);
+}
+
+/*
+ * proc_exec_switch_task
+ *
+ * Parameters:  p                      proc
+ *             old_task                task before exec
+ *             new_task                task after exec
+ *             new_thread              thread in new task
+ *
+ * Returns: proc.
+ *
+ * Note: The function will switch the task pointer of proc
+ * from old task to new task. The switch needs to happen
+ * after draining all proc refs and inside a proc translock.
+ * In the case of failure to switch the task, which might happen
+ * if the process received a SIGKILL or jetsam killed it, it will make
+ * sure that the new tasks terminates. User proc ref returned
+ * to caller.
+ *
+ * This function is called after point of no return, in the case
+ * failure to switch, it will terminate the new task and swallow the
+ * error and let the terminated process complete exec and die.
+ */
+proc_t
+proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread)
+{
+       int error = 0;
+       boolean_t task_active;
+       boolean_t proc_active;
+       boolean_t thread_active;
+       thread_t old_thread = current_thread();
+
+       /*
+        * Switch the task pointer of proc to new task.
+        * Before switching the task, wait for proc_refdrain.
+        * After the switch happens, the proc can disappear,
+        * take a ref before it disappears.
+        */
+       p = proc_refdrain_with_refwait(p, TRUE);
+       /* extra proc ref returned to the caller */
+
+       assert(get_threadtask(new_thread) == new_task);
+       task_active = task_is_active(new_task);
+
+       /* Take the proc_translock to change the task ptr */
+       proc_lock(p);
+       proc_active = !(p->p_lflag & P_LEXIT);
+
+       /* Check if the current thread is not aborted due to SIGKILL */
+       thread_active = thread_is_active(old_thread);
+
+       /*
+        * Do not switch the task if the new task or proc is already terminated
+        * as a result of error in exec past point of no return
+        */
+       if (proc_active && task_active && thread_active) {
+               error = proc_transstart(p, 1, 0);
+               if (error == 0) {
+                       uthread_t new_uthread = get_bsdthread_info(new_thread);
+                       uthread_t old_uthread = get_bsdthread_info(current_thread());
 
                        /*
 
                        /*
-                        * Return to the child
-                        *
-                        * Note: the image activator earlier dropped the
-                        * task/thread references to the newly spawned
-                        * process; this is OK, since we still have suspended
-                        * queue references on them, so we should be fine
-                        * with the delayed resume of the thread here.
+                        * bsd_info of old_task will get cleared in execve and posix_spawn
+                        * after firing exec-success/error dtrace probe.
                         */
                         */
-                       proc_clear_return_wait(p, imgp->ip_new_thread);
+                       p->task = new_task;
+
+                       /* Copy the signal state, dtrace state and set bsd ast on new thread */
+                       act_set_astbsd(new_thread);
+                       new_uthread->uu_siglist = old_uthread->uu_siglist;
+                       new_uthread->uu_sigwait = old_uthread->uu_sigwait;
+                       new_uthread->uu_sigmask = old_uthread->uu_sigmask;
+                       new_uthread->uu_oldmask = old_uthread->uu_oldmask;
+                       new_uthread->uu_vforkmask = old_uthread->uu_vforkmask;
+                       new_uthread->uu_exit_reason = old_uthread->uu_exit_reason;
+#if CONFIG_DTRACE
+                       new_uthread->t_dtrace_sig = old_uthread->t_dtrace_sig;
+                       new_uthread->t_dtrace_stop = old_uthread->t_dtrace_stop;
+                       new_uthread->t_dtrace_resumepid = old_uthread->t_dtrace_resumepid;
+                       assert(new_uthread->t_dtrace_scratch == NULL);
+                       new_uthread->t_dtrace_scratch = old_uthread->t_dtrace_scratch;
+
+                       old_uthread->t_dtrace_sig = 0;
+                       old_uthread->t_dtrace_stop = 0;
+                       old_uthread->t_dtrace_resumepid = 0;
+                       old_uthread->t_dtrace_scratch = NULL;
+#endif
+                       /* Copy the resource accounting info */
+                       thread_copy_resource_info(new_thread, current_thread());
+
+                       /* Clear the exit reason and signal state on old thread */
+                       old_uthread->uu_exit_reason = NULL;
+                       old_uthread->uu_siglist = 0;
+
+                       /* Add the new uthread to proc uthlist and remove the old one */
+                       TAILQ_INSERT_TAIL(&p->p_uthlist, new_uthread, uu_list);
+                       TAILQ_REMOVE(&p->p_uthlist, old_uthread, uu_list);
+
+                       task_set_did_exec_flag(old_task);
+                       task_clear_exec_copy_flag(new_task);
+
+                       proc_transend(p, 1);
                }
        }
                }
        }
-       if (bufp != NULL) {
-               FREE(bufp, M_TEMP);
+
+       proc_unlock(p);
+       proc_refwake(p);
+
+       if (error != 0 || !task_active || !proc_active || !thread_active) {
+               task_terminate_internal(new_task);
        }
        }
-       
-       return(error);
-}
 
 
+       return p;
+}
 
 /*
  * execve
 
 /*
  * execve
@@ -2828,6 +3318,11 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        int is_64 = IS_64BIT_PROCESS(p);
        struct vfs_context context;
        struct uthread  *uthread;
        int is_64 = IS_64BIT_PROCESS(p);
        struct vfs_context context;
        struct uthread  *uthread;
+       task_t new_task = NULL;
+       boolean_t should_release_proc_ref = FALSE;
+       boolean_t exec_done = FALSE;
+       boolean_t in_vfexec = FALSE;
+       void *inherit = NULL;
 
        context.vc_thread = current_thread();
        context.vc_ucred = kauth_cred_proc_ref(p);      /* XXX must NOT be kauth_cred_get() */
 
        context.vc_thread = current_thread();
        context.vc_ucred = kauth_cred_proc_ref(p);      /* XXX must NOT be kauth_cred_get() */
@@ -2854,11 +3349,7 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
        imgp->ip_mac_return = 0;
        imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
        imgp->ip_mac_return = 0;
-
-       uthread = get_bsdthread_info(current_thread());
-       if (uthread->uu_flag & UT_VFORK) {
-               imgp->ip_flags |= IMGPF_VFORK_EXEC;
-       }
+       imgp->ip_cs_error = OS_REASON_NULL;
 
 #if CONFIG_MACF
        if (uap->mac_p != USER_ADDR_NULL) {
 
 #if CONFIG_MACF
        if (uap->mac_p != USER_ADDR_NULL) {
@@ -2869,8 +3360,66 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
                }
        }
 #endif
                }
        }
 #endif
+       uthread = get_bsdthread_info(current_thread());
+       if (uthread->uu_flag & UT_VFORK) {
+               imgp->ip_flags |= IMGPF_VFORK_EXEC;
+               in_vfexec = TRUE;
+       } else {
+               imgp->ip_flags |= IMGPF_EXEC;
+
+               /*
+                * For execve case, create a new task and thread
+                * which points to current_proc. The current_proc will point
+                * to the new task after image activation and proc ref drain.
+                *
+                * proc (current_proc) <-----  old_task (current_task)
+                *  ^ |                                ^
+                *  | |                                |
+                *  | ----------------------------------
+                *  |
+                *  --------- new_task (task marked as TF_EXEC_COPY)
+                *
+                * After image activation, the proc will point to the new task
+                * and would look like following.
+                *
+                * proc (current_proc)  <-----  old_task (current_task, marked as TPF_DID_EXEC)
+                *  ^ |
+                *  | |
+                *  | ----------> new_task
+                *  |               |
+                *  -----------------
+                *
+                * During exec any transition from new_task -> proc is fine, but don't allow
+                * transition from proc->task, since it will modify old_task.
+                */
+               imgp->ip_new_thread = fork_create_child(current_task(),
+                                       NULL, p, FALSE, p->p_flag & P_LP64, TRUE);
+               /* task and thread ref returned by fork_create_child */
+               if (imgp->ip_new_thread == NULL) {
+                       error = ENOMEM;
+                       goto exit_with_error;
+               }
+
+               new_task = get_threadtask(imgp->ip_new_thread);
+               context.vc_thread = imgp->ip_new_thread;
+       }
 
        error = exec_activate_image(imgp);
 
        error = exec_activate_image(imgp);
+       /* thread and task ref returned for vfexec case */
+
+       if (imgp->ip_new_thread != NULL) {
+               /*
+                * task reference might be returned by exec_activate_image
+                * for vfexec.
+                */
+               new_task = get_threadtask(imgp->ip_new_thread);
+       }
+
+       if (!error && !in_vfexec) {
+               p = proc_exec_switch_task(p, current_task(), new_task, imgp->ip_new_thread);
+               /* proc ref returned */
+               should_release_proc_ref = TRUE;
+       }
 
        kauth_cred_unref(&context.vc_ucred);
        
 
        kauth_cred_unref(&context.vc_ucred);
        
@@ -2878,7 +3427,10 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        if (error == -1)
                error = ENOEXEC;
 
        if (error == -1)
                error = ENOEXEC;
 
-       if (error == 0) {
+       if (!error) {
+               exec_done = TRUE;
+               assert(imgp->ip_new_thread != NULL);
+
                exec_resettextvp(p, imgp);
                error = check_for_signature(p, imgp);
        }       
                exec_resettextvp(p, imgp);
                error = check_for_signature(p, imgp);
        }       
@@ -2894,19 +3446,46 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        if (imgp->ip_scriptlabelp)
                mac_vnode_label_free(imgp->ip_scriptlabelp);
 #endif
        if (imgp->ip_scriptlabelp)
                mac_vnode_label_free(imgp->ip_scriptlabelp);
 #endif
+       if (imgp->ip_cs_error != OS_REASON_NULL) {
+               os_reason_free(imgp->ip_cs_error);
+               imgp->ip_cs_error = OS_REASON_NULL;
+       }
+
+       if (!error) {
+               /*
+                * We need to initialize the bank context behind the protection of
+                * the proc_trans lock to prevent a race with exit. We can't do this during
+                * exec_activate_image because task_bank_init checks entitlements that
+                * aren't loaded until subsequent calls (including exec_resettextvp).
+                */
+               error = proc_transstart(p, 0, 0);
+       }
+
        if (!error) {
        if (!error) {
+               task_bank_init(get_threadtask(imgp->ip_new_thread));
+               proc_transend(p, 0);
+
                /* Sever any extant thread affinity */
                thread_affinity_exec(current_thread());
 
                /* Sever any extant thread affinity */
                thread_affinity_exec(current_thread());
 
-               thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread();          
+               /* Inherit task role from old task to new task for exec */
+               if (!in_vfexec) {
+                       proc_inherit_task_role(get_threadtask(imgp->ip_new_thread), current_task());
+               }
 
 
-               task_set_main_thread_qos(p->task, main_thread);
+               thread_t main_thread = imgp->ip_new_thread;
 
 
-               /* reset task importance */
-               task_importance_reset(p->task);
+               task_set_main_thread_qos(new_task, main_thread);
 
 
-               /* reset atm context from task */
-               task_atm_reset(p->task);
+#if CONFIG_MACF
+               /*
+                * Processes with the MAP_JIT entitlement are permitted to have
+                * a jumbo-size map.
+                */
+               if (mac_proc_check_map_anon(p, 0, 0, 0, MAP_JIT, NULL) == 0) {
+                       vm_map_set_jumbo(get_task_map(new_task));
+               }
+#endif /* CONFIG_MACF */
 
                DTRACE_PROC(exec__success);
 
 
                DTRACE_PROC(exec__success);
 
@@ -2915,18 +3494,77 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
                        (*dtrace_proc_waitfor_hook)(p);
 #endif
 
                        (*dtrace_proc_waitfor_hook)(p);
 #endif
 
-               if (imgp->ip_flags & IMGPF_VFORK_EXEC) {
+               if (in_vfexec) {
                        vfork_return(p, retval, p->p_pid);
                        vfork_return(p, retval, p->p_pid);
-                       proc_clear_return_wait(p, imgp->ip_new_thread);
                }
        } else {
                DTRACE_PROC1(exec__failure, int, error);
        }
 
 exit_with_error:
                }
        } else {
                DTRACE_PROC1(exec__failure, int, error);
        }
 
 exit_with_error:
+
+       /*
+        * exec-success dtrace probe fired, clear bsd_info from
+        * old task if it did exec.
+        */
+       if (task_did_exec(current_task())) {
+               set_bsdtask_info(current_task(), NULL);
+       }
+
+       /* clear bsd_info from new task and terminate it if exec failed  */
+       if (new_task != NULL && task_is_exec_copy(new_task)) {
+               set_bsdtask_info(new_task, NULL);
+               task_terminate_internal(new_task);
+       }
+
+       /*
+        * Need to transfer pending watch port boosts to the new task while still making
+        * sure that the old task remains in the importance linkage. Create an importance
+        * linkage from old task to new task, then switch the task importance base
+        * of old task and new task. After the switch the port watch boost will be
+        * boosting the new task and new task will be donating importance to old task.
+        */
+       if (error == 0 && task_did_exec(current_task())) {
+               inherit = ipc_importance_exec_switch_task(current_task(), get_threadtask(imgp->ip_new_thread));
+       }
+
+       if (imgp != NULL) {
+               /*
+                * Do not terminate the current task, if proc_exec_switch_task did not
+                * switch the tasks, terminating the current task without the switch would
+                * result in loosing the SIGKILL status.
+                */
+               if (task_did_exec(current_task())) {
+                       /* Terminate the current task, since exec will start in new task */
+                       task_terminate_internal(current_task());
+               }
+
+               /* Release the thread ref returned by fork_create_child */
+               if (imgp->ip_new_thread) {
+                       /* wake up the new exec thread */
+                       task_clear_return_wait(get_threadtask(imgp->ip_new_thread));
+                       thread_deallocate(imgp->ip_new_thread);
+                       imgp->ip_new_thread = NULL;
+               }
+       }
+
+       /* Release the ref returned by fork_create_child */
+       if (new_task) {
+               task_deallocate(new_task);
+               new_task = NULL;
+       }
+
+       if (should_release_proc_ref) {
+               proc_rele(p);
+       }
+
        if (bufp != NULL) {
                FREE(bufp, M_TEMP);
        }
        if (bufp != NULL) {
                FREE(bufp, M_TEMP);
        }
+
+       if (inherit != NULL) {
+               ipc_importance_release(inherit);
+       }
        
        return(error);
 }
        
        return(error);
 }
@@ -3467,47 +4105,6 @@ bad:
        return error;
 }
 
        return error;
 }
 
-static char *
-random_hex_str(char *str, int len, boolean_t embedNUL)
-{
-       uint64_t low, high, value;
-       int idx;
-       char digit;
-
-       /* A 64-bit value will only take 16 characters, plus '0x' and NULL. */
-       if (len > 19)
-               len = 19;
-
-       /* We need enough room for at least 1 digit */
-       if (len < 4)
-               return (NULL);
-
-       low = random();
-       high = random();
-       value = high << 32 | low;
-
-       if (embedNUL) {
-               /*
-                * Zero a byte to protect against C string vulnerabilities
-                * e.g. for userland __stack_chk_guard.
-                */ 
-               value &= ~(0xffull << 8);
-       }
-
-       str[0] = '0';
-       str[1] = 'x';
-       for (idx = 2; idx < len - 1; idx++) {
-               digit = value & 0xf;
-               value = value >> 4;
-               if (digit < 10)
-                       str[idx] = '0' + digit;
-               else
-                       str[idx] = 'a' + (digit - 10);
-       }
-       str[idx] = '\0';
-       return (str);
-}
-
 /*
  * Libc has an 8-element array set up for stack guard values.  It only fills
  * in one of those entries, and both gcc and llvm seem to use only a single
 /*
  * Libc has an 8-element array set up for stack guard values.  It only fills
  * in one of those entries, and both gcc and llvm seem to use only a single
@@ -3531,49 +4128,81 @@ random_hex_str(char *str, int len, boolean_t embedNUL)
 #define PFZ_KEY "pfz="
 extern user32_addr_t commpage_text32_location;
 extern user64_addr_t commpage_text64_location;
 #define PFZ_KEY "pfz="
 extern user32_addr_t commpage_text32_location;
 extern user64_addr_t commpage_text64_location;
-/*
- * Build up the contents of the apple[] string vector
- */
+
+#define MAIN_STACK_VALUES 4
+#define MAIN_STACK_KEY "main_stack="
+
+#define HEX_STR_LEN 18 // 64-bit hex value "0x0123456701234567"
+
 static int
 static int
-exec_add_apple_strings(struct image_params *imgp)
+exec_add_entropy_key(struct image_params *imgp,
+                    const char *key,
+                    int values,
+                    boolean_t embedNUL)
 {
 {
-       int i, error;
-       int new_ptr_size=4;
-       char guard[19];
-       char guard_vec[strlen(GUARD_KEY) + 19 * GUARD_VALUES + 1];
+       const int limit = 8;
+       uint64_t entropy[limit];
+       char str[strlen(key) + (HEX_STR_LEN + 1) * limit + 1];
+       if (values > limit) {
+               values = limit;
+       }
 
 
-       char entropy[19];
-       char entropy_vec[strlen(ENTROPY_KEY) + 19 * ENTROPY_VALUES + 1];
+    read_random(entropy, sizeof(entropy[0]) * values);
 
 
-       char pfz_string[strlen(PFZ_KEY) + 16 + 4 +1];
-       
-       if( imgp->ip_flags & IMGPF_IS_64BIT) {
-               new_ptr_size = 8;
-               snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%llx",commpage_text64_location);
-       } else {
-               snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%x",commpage_text32_location);
+       if (embedNUL) {
+               entropy[0] &= ~(0xffull << 8);
+       }
+
+       int len = snprintf(str, sizeof(str), "%s0x%llx", key, entropy[0]);
+       int remaining = sizeof(str) - len;
+       for (int i = 1; i < values && remaining > 0; ++i) {
+               int start = sizeof(str) - remaining;
+               len = snprintf(&str[start], remaining, ",0x%llx", entropy[i]);
+               remaining -= len;
        }
 
        }
 
+       return exec_add_user_string(imgp, CAST_USER_ADDR_T(str), UIO_SYSSPACE, FALSE);
+}
+
+/*
+ * Build up the contents of the apple[] string vector
+ */
+static int
+exec_add_apple_strings(struct image_params *imgp,
+                      const load_result_t *load_result)
+{
+       int error;
+       int img_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
+
        /* exec_save_path stored the first string */
        imgp->ip_applec = 1;
 
        /* adding the pfz string */
        /* exec_save_path stored the first string */
        imgp->ip_applec = 1;
 
        /* adding the pfz string */
-       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string),UIO_SYSSPACE,FALSE);
-       if(error)
-               goto bad;
-       imgp->ip_applec++;
+       {
+               char pfz_string[strlen(PFZ_KEY) + HEX_STR_LEN + 1];
+
+               if (img_ptr_size == 8) {
+                       snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%llx", commpage_text64_location);
+               } else {
+                       snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%x", commpage_text32_location);
+               }
+               error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string), UIO_SYSSPACE, FALSE);
+               if (error) {
+                       goto bad;
+               }
+               imgp->ip_applec++;
+       }
 
        /* adding the NANO_ENGAGE_KEY key */
        if (imgp->ip_px_sa) {
                int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
 
                if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
 
        /* adding the NANO_ENGAGE_KEY key */
        if (imgp->ip_px_sa) {
                int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
 
                if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
-                       char uiapp_string[strlen(NANO_ENGAGE_KEY) + 1];
-
-                       snprintf(uiapp_string, sizeof(uiapp_string), NANO_ENGAGE_KEY);
-                       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(uiapp_string),UIO_SYSSPACE,FALSE);
-                       if (error)
+                       const char *nano_string = NANO_ENGAGE_KEY;
+                       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(nano_string), UIO_SYSSPACE, FALSE);
+                       if (error){
                                goto bad;
                                goto bad;
+                       }
                        imgp->ip_applec++;
                }
        }
                        imgp->ip_applec++;
                }
        }
@@ -3585,37 +4214,45 @@ exec_add_apple_strings(struct image_params *imgp)
         * (The first random string always contains an embedded NUL so that
         * __stack_chk_guard also protects against C string vulnerabilities)
         */
         * (The first random string always contains an embedded NUL so that
         * __stack_chk_guard also protects against C string vulnerabilities)
         */
-       (void)strlcpy(guard_vec, GUARD_KEY, sizeof (guard_vec));
-       for (i = 0; i < GUARD_VALUES; i++) {
-               random_hex_str(guard, sizeof (guard), i == 0);
-               if (i)
-                       (void)strlcat(guard_vec, ",", sizeof (guard_vec));
-               (void)strlcat(guard_vec, guard, sizeof (guard_vec));
-       }
-
-       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(guard_vec), UIO_SYSSPACE, FALSE);
-       if (error)
+       error = exec_add_entropy_key(imgp, GUARD_KEY, GUARD_VALUES, TRUE);
+       if (error) {
                goto bad;
                goto bad;
+       }
        imgp->ip_applec++;
 
        /*
         * Supply libc with entropy for system malloc.
         */
        imgp->ip_applec++;
 
        /*
         * Supply libc with entropy for system malloc.
         */
-       (void)strlcpy(entropy_vec, ENTROPY_KEY, sizeof(entropy_vec));
-       for (i = 0; i < ENTROPY_VALUES; i++) {
-               random_hex_str(entropy, sizeof (entropy), FALSE);
-               if (i)
-                       (void)strlcat(entropy_vec, ",", sizeof (entropy_vec));
-               (void)strlcat(entropy_vec, entropy, sizeof (entropy_vec));
-       }
-       
-       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(entropy_vec), UIO_SYSSPACE, FALSE);
-       if (error)
+       error = exec_add_entropy_key(imgp, ENTROPY_KEY, ENTROPY_VALUES, FALSE);
+       if (error) {
                goto bad;
                goto bad;
+       }
        imgp->ip_applec++;
 
        imgp->ip_applec++;
 
+       /* 
+        * Add MAIN_STACK_KEY: Supplies the address and size of the main thread's
+        * stack if it was allocated by the kernel.
+        *
+        * The guard page is not included in this stack size as libpthread
+        * expects to add it back in after receiving this value.
+        */
+       if (load_result->unixproc) {
+               char stack_string[strlen(MAIN_STACK_KEY) + (HEX_STR_LEN + 1) * MAIN_STACK_VALUES + 1];
+               snprintf(stack_string, sizeof(stack_string),
+                        MAIN_STACK_KEY "0x%llx,0x%llx,0x%llx,0x%llx",
+                        (uint64_t)load_result->user_stack,
+                        (uint64_t)load_result->user_stack_size,
+                        (uint64_t)load_result->user_stack_alloc,
+                        (uint64_t)load_result->user_stack_alloc_size);
+               error = exec_add_user_string(imgp, CAST_USER_ADDR_T(stack_string), UIO_SYSSPACE, FALSE);
+               if (error) {
+                       goto bad;
+               }
+               imgp->ip_applec++;
+       }
+
        /* Align the tail of the combined applev area */
        /* Align the tail of the combined applev area */
-       while (imgp->ip_strspace % new_ptr_size != 0) {
+       while (imgp->ip_strspace % img_ptr_size != 0) {
                *imgp->ip_strendp++ = '\0';
                imgp->ip_strspace--;
        }
                *imgp->ip_strendp++ = '\0';
                imgp->ip_strspace--;
        }
@@ -3753,12 +4390,14 @@ exec_check_permissions(struct image_params *imgp)
 static int
 exec_handle_sugid(struct image_params *imgp)
 {
 static int
 exec_handle_sugid(struct image_params *imgp)
 {
-       kauth_cred_t            cred = vfs_context_ucred(imgp->ip_vfs_context);
        proc_t                  p = vfs_context_proc(imgp->ip_vfs_context);
        proc_t                  p = vfs_context_proc(imgp->ip_vfs_context);
+       kauth_cred_t            cred = vfs_context_ucred(imgp->ip_vfs_context);
+       kauth_cred_t            my_cred, my_new_cred;
        int                     i;
        int                     leave_sugid_clear = 0;
        int                     mac_reset_ipc = 0;
        int                     error = 0;
        int                     i;
        int                     leave_sugid_clear = 0;
        int                     mac_reset_ipc = 0;
        int                     error = 0;
+       task_t                  task = NULL;
 #if CONFIG_MACF
        int                     mac_transition, disjoint_cred = 0;
        int             label_update_return = 0;
 #if CONFIG_MACF
        int                     mac_transition, disjoint_cred = 0;
        int             label_update_return = 0;
@@ -3825,16 +4464,67 @@ handle_mac_transition:
                 *              membership resolution, then dropping their
                 *              effective privilege to that of the desired
                 *              final credential state.
                 *              membership resolution, then dropping their
                 *              effective privilege to that of the desired
                 *              final credential state.
+                *
+                * Modifications to p_ucred must be guarded using the
+                * proc's ucred lock. This prevents others from accessing
+                * a garbage credential.
                 */
                 */
-               if (imgp->ip_origvattr->va_mode & VSUID) {
-                       p->p_ucred  = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
+               while (imgp->ip_origvattr->va_mode & VSUID) {
+                       my_cred = kauth_cred_proc_ref(p);
+                       my_new_cred = kauth_cred_setresuid(my_cred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
+
+                       if (my_new_cred == my_cred) {
+                               kauth_cred_unref(&my_cred);
+                               break;
+                       }
+
                        /* update cred on proc */
                        /* update cred on proc */
+                       proc_ucred_lock(p);
+
+                       if (p->p_ucred != my_cred) {
+                               proc_ucred_unlock(p);
+                               kauth_cred_unref(&my_new_cred);
+                               continue;
+                       }
+
+                       /* donate cred reference on my_new_cred to p->p_ucred */
+                       p->p_ucred = my_new_cred;
                        PROC_UPDATE_CREDS_ONPROC(p);
                        PROC_UPDATE_CREDS_ONPROC(p);
+                       proc_ucred_unlock(p);
+
+                       /* drop additional reference that was taken on the previous cred */
+                       kauth_cred_unref(&my_cred);
+
+                       break;
                }
                }
-               if (imgp->ip_origvattr->va_mode & VSGID) {
-                       p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
+
+               while (imgp->ip_origvattr->va_mode & VSGID) {
+                       my_cred = kauth_cred_proc_ref(p);
+                       my_new_cred = kauth_cred_setresgid(my_cred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
+
+                       if (my_new_cred == my_cred) {
+                               kauth_cred_unref(&my_cred);
+                               break;
+                       }
+
                        /* update cred on proc */
                        /* update cred on proc */
+                       proc_ucred_lock(p);
+
+                       if (p->p_ucred != my_cred) {
+                               proc_ucred_unlock(p);
+                               kauth_cred_unref(&my_new_cred);
+                               continue;
+                       }
+
+                       /* donate cred reference on my_new_cred to p->p_ucred */
+                       p->p_ucred = my_new_cred;
                        PROC_UPDATE_CREDS_ONPROC(p);
                        PROC_UPDATE_CREDS_ONPROC(p);
+                       proc_ucred_unlock(p);
+
+                       /* drop additional reference that was taken on the previous cred */
+                       kauth_cred_unref(&my_cred);
+
+                       break;
                }
 
 #if CONFIG_MACF
                }
 
 #if CONFIG_MACF
@@ -3845,6 +4535,13 @@ handle_mac_transition:
                 * modifying any others sharing it.
                 */
                if (mac_transition) { 
                 * modifying any others sharing it.
                 */
                if (mac_transition) { 
+                       /*
+                        * This hook may generate upcalls that require
+                        * importance donation from the kernel.
+                        * (23925818)
+                        */
+                       thread_t thread = current_thread();
+                       thread_enable_send_importance(thread, TRUE);
                        kauth_proc_label_update_execve(p,
                                                imgp->ip_vfs_context,
                                                imgp->ip_vp, 
                        kauth_proc_label_update_execve(p,
                                                imgp->ip_vfs_context,
                                                imgp->ip_vp, 
@@ -3856,6 +4553,7 @@ handle_mac_transition:
                                                imgp->ip_px_smpx,
                                                &disjoint_cred, /* will be non zero if disjoint */
                                                &label_update_return);
                                                imgp->ip_px_smpx,
                                                &disjoint_cred, /* will be non zero if disjoint */
                                                &label_update_return);
+                       thread_enable_send_importance(thread, FALSE);
 
                        if (disjoint_cred) {
                                /*
 
                        if (disjoint_cred) {
                                /*
@@ -3893,7 +4591,8 @@ handle_mac_transition:
                         * a setuid exec to be able to access/control the
                         * task/thread after.
                         */
                         * a setuid exec to be able to access/control the
                         * task/thread after.
                         */
-                       ipc_task_reset(p->task);
+                       ipc_task_reset((imgp->ip_new_thread != NULL) ?
+                                       get_threadtask(imgp->ip_new_thread) : p->task);
                        ipc_thread_reset((imgp->ip_new_thread != NULL) ?
                                         imgp->ip_new_thread : current_thread());
                }
                        ipc_thread_reset((imgp->ip_new_thread != NULL) ?
                                         imgp->ip_new_thread : current_thread());
                }
@@ -3942,6 +4641,7 @@ handle_mac_transition:
 
                                MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
                                if (ndp == NULL) {
 
                                MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
                                if (ndp == NULL) {
+                                       fp_free(p, indx, fp);
                                        error = ENOMEM;
                                        break;
                                }
                                        error = ENOMEM;
                                        break;
                                }
@@ -3952,6 +4652,7 @@ handle_mac_transition:
 
                                if ((error = vn_open(ndp, flag, 0)) != 0) {
                                        fp_free(p, indx, fp);
 
                                if ((error = vn_open(ndp, flag, 0)) != 0) {
                                        fp_free(p, indx, fp);
+                                       FREE(ndp, M_TEMP);
                                        break;
                                }
 
                                        break;
                                }
 
@@ -3992,14 +4693,50 @@ handle_mac_transition:
        /*
         * Implement the semantic where the effective user and group become
         * the saved user and group in exec'ed programs.
        /*
         * Implement the semantic where the effective user and group become
         * the saved user and group in exec'ed programs.
+        *
+        * Modifications to p_ucred must be guarded using the
+        * proc's ucred lock. This prevents others from accessing
+        * a garbage credential.
         */
         */
-       p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred),  kauth_cred_getgid(p->p_ucred));
-       /* update cred on proc */
-       PROC_UPDATE_CREDS_ONPROC(p);
-       
+       for (;;) {
+               my_cred = kauth_cred_proc_ref(p);
+               my_new_cred = kauth_cred_setsvuidgid(my_cred, kauth_cred_getuid(my_cred),  kauth_cred_getgid(my_cred));
+
+               if (my_new_cred == my_cred) {
+                       kauth_cred_unref(&my_cred);
+                       break;
+               }
+
+               /* update cred on proc */
+               proc_ucred_lock(p);
+
+               if (p->p_ucred != my_cred) {
+                       proc_ucred_unlock(p);
+                       kauth_cred_unref(&my_new_cred);
+                       continue;
+               }
+
+               /* donate cred reference on my_new_cred to p->p_ucred */
+               p->p_ucred = my_new_cred;
+               PROC_UPDATE_CREDS_ONPROC(p);
+               proc_ucred_unlock(p);
+
+               /* drop additional reference that was taken on the previous cred */
+               kauth_cred_unref(&my_cred);
+
+               break;
+       }
+
+
        /* Update the process' identity version and set the security token */
        p->p_idversion++;
        /* Update the process' identity version and set the security token */
        p->p_idversion++;
-       set_security_token(p);
+
+       if (imgp->ip_new_thread != NULL) {
+               task = get_threadtask(imgp->ip_new_thread);
+       } else {
+               task = p->task;
+       }
+       set_security_token_task_internal(p, task);
 
        return(error);
 }
 
        return(error);
 }
@@ -4036,7 +4773,7 @@ create_unix_stack(vm_map_t map, load_result_t* load_result,
        p->user_stack = user_stack;
        proc_unlock(p);
 
        p->user_stack = user_stack;
        proc_unlock(p);
 
-       if (!load_result->prog_allocated_stack) {
+       if (load_result->user_stack_alloc_size > 0) {
                /*
                 * Allocate enough space for the maximum stack size we
                 * will ever authorize and an extra page to act as
                /*
                 * Allocate enough space for the maximum stack size we
                 * will ever authorize and an extra page to act as
@@ -4044,22 +4781,22 @@ create_unix_stack(vm_map_t map, load_result_t* load_result,
                 * vm_initial_limit_stack takes care of the extra guard page.
                 * Otherwise we must allocate it ourselves.
                 */
                 * vm_initial_limit_stack takes care of the extra guard page.
                 * Otherwise we must allocate it ourselves.
                 */
-
-               size = mach_vm_round_page(load_result->user_stack_size);
-               if (load_result->prog_stack_size)
-                       size += PAGE_SIZE;
+               if (mach_vm_round_page_overflow(load_result->user_stack_alloc_size, &size)) {
+                       return KERN_INVALID_ARGUMENT;
+               }
                addr = mach_vm_trunc_page(load_result->user_stack - size);
                kr = mach_vm_allocate(map, &addr, size,
                addr = mach_vm_trunc_page(load_result->user_stack - size);
                kr = mach_vm_allocate(map, &addr, size,
-                                       VM_MAKE_TAG(VM_MEMORY_STACK) |
-                                       VM_FLAGS_FIXED);
+                                     VM_MAKE_TAG(VM_MEMORY_STACK) |
+                                     VM_FLAGS_FIXED);
                if (kr != KERN_SUCCESS) {
                if (kr != KERN_SUCCESS) {
-                       /* If can't allocate at default location, try anywhere */
+                       // Can't allocate at default location, try anywhere
                        addr = 0;
                        kr = mach_vm_allocate(map, &addr, size,
                        addr = 0;
                        kr = mach_vm_allocate(map, &addr, size,
-                                                                 VM_MAKE_TAG(VM_MEMORY_STACK) |
-                                                                 VM_FLAGS_ANYWHERE);
-                       if (kr != KERN_SUCCESS)
+                                             VM_MAKE_TAG(VM_MEMORY_STACK) |
+                                             VM_FLAGS_ANYWHERE);
+                       if (kr != KERN_SUCCESS) {
                                return kr;
                                return kr;
+                       }
 
                        user_stack = addr + size;
                        load_result->user_stack = user_stack;
 
                        user_stack = addr + size;
                        load_result->user_stack = user_stack;
@@ -4069,22 +4806,27 @@ create_unix_stack(vm_map_t map, load_result_t* load_result,
                        proc_unlock(p);
                }
 
                        proc_unlock(p);
                }
 
+               load_result->user_stack_alloc = addr;
+
                /*
                 * And prevent access to what's above the current stack
                 * size limit for this process.
                 */
                /*
                 * And prevent access to what's above the current stack
                 * size limit for this process.
                 */
-               prot_addr = addr;
-               if (load_result->prog_stack_size)
+               if (load_result->user_stack_size == 0) {
+                       load_result->user_stack_size = unix_stack_size(p);
+                       prot_size = mach_vm_trunc_page(size - load_result->user_stack_size);
+               } else {
                        prot_size = PAGE_SIZE;
                        prot_size = PAGE_SIZE;
-               else
-                       prot_size = mach_vm_trunc_page(size - unix_stack_size(p));
+               }
+
+               prot_addr = addr;
                kr = mach_vm_protect(map,
                kr = mach_vm_protect(map,
-                                                        prot_addr,
-                                                        prot_size,
-                                                        FALSE,
-                                                        VM_PROT_NONE);
+                                    prot_addr,
+                                    prot_size,
+                                    FALSE,
+                                    VM_PROT_NONE);
                if (kr != KERN_SUCCESS) {
                if (kr != KERN_SUCCESS) {
-                       (void) mach_vm_deallocate(map, addr, size);
+                       (void)mach_vm_deallocate(map, addr, size);
                        return kr;
                }
        }
                        return kr;
                }
        }
@@ -4112,17 +4854,17 @@ create_unix_stack(vm_map_t map, load_result_t* load_result,
  *             for the first time.  This is done to ensure that bsd_init()
  *             has run to completion.
  *
  *             for the first time.  This is done to ensure that bsd_init()
  *             has run to completion.
  *
- *             The address map of the first manufactured process is 32 bit.
- *             WHEN this becomes 64b, this code will fail; it needs to be
- *             made 64b capable.
+ *             The address map of the first manufactured process matches the
+ *             word width of the kernel. Once the self-exec completes, the
+ *             initproc might be different.
  */
 static int
 load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
 {
  */
 static int
 load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
 {
-       uint32_t argv[3];
-       uint32_t argc = 0;
        int retval[2];
        int retval[2];
+       int error;
        struct execve_args init_exec_args;
        struct execve_args init_exec_args;
+       user_addr_t argv0 = USER_ADDR_NULL, argv1 = USER_ADDR_NULL;
 
        /*
         * Validate inputs and pre-conditions
 
        /*
         * Validate inputs and pre-conditions
@@ -4131,18 +4873,16 @@ load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
        assert(scratch_addr);
        assert(path);
 
        assert(scratch_addr);
        assert(path);
 
-       if (IS_64BIT_PROCESS(p)) {
-               panic("Init against 64b primordial proc not implemented");
-       }
-
        /*
         * Copy out program name.
         */
        size_t path_length = strlen(path) + 1;
        /*
         * Copy out program name.
         */
        size_t path_length = strlen(path) + 1;
-       (void) copyout(path, scratch_addr, path_length);
+       argv0 = scratch_addr;
+       error = copyout(path, argv0, path_length);
+       if (error)
+               return error;
 
 
-       argv[argc++] = (uint32_t)scratch_addr;
-       scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, 16);
+       scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, sizeof(user_addr_t));
 
        /*
         * Put out first (and only) argument, similarly.
 
        /*
         * Put out first (and only) argument, similarly.
@@ -4152,26 +4892,40 @@ load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
                const char *init_args = "-s";
                size_t init_args_length = strlen(init_args)+1;
 
                const char *init_args = "-s";
                size_t init_args_length = strlen(init_args)+1;
 
-               copyout(init_args, scratch_addr, init_args_length);
+               argv1 = scratch_addr;
+               error = copyout(init_args, argv1, init_args_length);
+               if (error)
+                       return error;
 
 
-               argv[argc++] = (uint32_t)scratch_addr;
-               scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, 16);
+               scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, sizeof(user_addr_t));
        }
 
        }
 
-       /*
-        * Null-end the argument list
-        */
-       argv[argc] = 0;
-       
-       /*
-        * Copy out the argument list.
-        */
-       (void) copyout(argv, scratch_addr, sizeof(argv));
+       if (proc_is64bit(p)) {
+               user64_addr_t argv64bit[3];
+
+               argv64bit[0] = argv0;
+               argv64bit[1] = argv1;
+               argv64bit[2] = USER_ADDR_NULL;
+
+               error = copyout(argv64bit, scratch_addr, sizeof(argv64bit));
+               if (error)
+                       return error;
+       } else {
+               user32_addr_t argv32bit[3];
+
+               argv32bit[0] = (user32_addr_t)argv0;
+               argv32bit[1] = (user32_addr_t)argv1;
+               argv32bit[2] = USER_ADDR_NULL;
+
+               error = copyout(argv32bit, scratch_addr, sizeof(argv32bit));
+               if (error)
+                       return error;
+       }
 
        /*
         * Set up argument block for fake call to execve.
         */
 
        /*
         * Set up argument block for fake call to execve.
         */
-       init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
+       init_exec_args.fname = argv0;
        init_exec_args.argp = scratch_addr;
        init_exec_args.envp = USER_ADDR_NULL;
 
        init_exec_args.argp = scratch_addr;
        init_exec_args.envp = USER_ADDR_NULL;
 
@@ -4188,7 +4942,6 @@ static const char * init_programs[] = {
        "/usr/local/sbin/launchd.debug",
 #endif
 #if DEVELOPMENT || DEBUG
        "/usr/local/sbin/launchd.debug",
 #endif
 #if DEVELOPMENT || DEBUG
-       /* Remove DEBUG conditional when <rdar://problem/17931977> is fixed */
        "/usr/local/sbin/launchd.development",
 #endif
        "/sbin/launchd",
        "/usr/local/sbin/launchd.development",
 #endif
        "/sbin/launchd",
@@ -4214,9 +4967,6 @@ static const char * init_programs[] = {
  *             the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
  *             will force /sbin/launchd to be selected.
  *
  *             the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
  *             will force /sbin/launchd to be selected.
  *
- *             The DEBUG kernel will continue to check for a .development
- *             version until <rdar://problem/17931977> is fixed.
- *
  *              Search order by build:
  *
  * DEBUG       DEVELOPMENT     RELEASE         PATH
  *              Search order by build:
  *
  * DEBUG       DEVELOPMENT     RELEASE         PATH
@@ -4231,9 +4981,11 @@ load_init_program(proc_t p)
 {
        uint32_t i;
        int error;
 {
        uint32_t i;
        int error;
-       vm_offset_t scratch_addr = VM_MIN_ADDRESS;
+       vm_map_t map = current_map();
+       mach_vm_offset_t scratch_addr = 0;
+       mach_vm_size_t map_page_size = vm_map_page_size(map);
 
 
-       (void) vm_allocate(current_map(), &scratch_addr, PAGE_SIZE, VM_FLAGS_ANYWHERE);
+       (void) mach_vm_allocate(map, &scratch_addr, map_page_size, VM_FLAGS_ANYWHERE);
 #if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
        (void) memorystatus_init_at_boot_snapshot();
 #endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM */
 #if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
        (void) memorystatus_init_at_boot_snapshot();
 #endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM */
@@ -4247,7 +4999,7 @@ load_init_program(proc_t p)
                                               (strcmp(launchd_suffix, "release") == 0));
 
                if (is_release_suffix) {
                                               (strcmp(launchd_suffix, "release") == 0));
 
                if (is_release_suffix) {
-                       error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), "/sbin/launchd");
+                       error = load_init_program_at_path(p, (user_addr_t)scratch_addr, "/sbin/launchd");
                        if (!error)
                                return;
 
                        if (!error)
                                return;
 
@@ -4258,7 +5010,7 @@ load_init_program(proc_t p)
 
                        /* All the error data is lost in the loop below, don't
                         * attempt to save it. */
 
                        /* All the error data is lost in the loop below, don't
                         * attempt to save it. */
-                       if (!load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), launchd_path)) {
+                       if (!load_init_program_at_path(p, (user_addr_t)scratch_addr, launchd_path)) {
                                return;
                        }
                }
                                return;
                        }
                }
@@ -4267,7 +5019,7 @@ load_init_program(proc_t p)
 
        error = ENOENT;
        for (i = 0; i < sizeof(init_programs)/sizeof(init_programs[0]); i++) {
 
        error = ENOENT;
        for (i = 0; i < sizeof(init_programs)/sizeof(init_programs[0]); i++) {
-               error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), init_programs[i]);
+               error = load_init_program_at_path(p, (user_addr_t)scratch_addr, init_programs[i]);
                if (!error)
                        return;
        }
                if (!error)
                        return;
        }
@@ -4303,6 +5055,7 @@ load_return_to_errno(load_return_t lrtn)
        case LOAD_BADARCH:
                return EBADARCH;
        case LOAD_BADMACHO:
        case LOAD_BADARCH:
                return EBADARCH;
        case LOAD_BADMACHO:
+       case LOAD_BADMACHO_UPX:
                return EBADMACHO;
        case LOAD_SHLIB:
                return ESHLIBVERS;
                return EBADMACHO;
        case LOAD_SHLIB:
                return ESHLIBVERS;
@@ -4628,6 +5381,7 @@ check_for_signature(proc_t p, struct image_params *imgp)
        boolean_t require_success = FALSE;
        int spawn = (imgp->ip_flags & IMGPF_SPAWN);
        int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
        boolean_t require_success = FALSE;
        int spawn = (imgp->ip_flags & IMGPF_SPAWN);
        int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
+       os_reason_t signature_failure_reason = OS_REASON_NULL;
 
        /*
         * Override inherited code signing flags with the
 
        /*
         * Override inherited code signing flags with the
@@ -4649,11 +5403,22 @@ check_for_signature(proc_t p, struct image_params *imgp)
         * approve of exec, kill and return immediately.
         */
        if (imgp->ip_mac_return != 0) {
         * approve of exec, kill and return immediately.
         */
        if (imgp->ip_mac_return != 0) {
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY, 0, 0);
+               signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY);
                error = imgp->ip_mac_return;
                unexpected_failure = TRUE;
                goto done;
        }
 
                error = imgp->ip_mac_return;
                unexpected_failure = TRUE;
                goto done;
        }
 
+       if (imgp->ip_cs_error != OS_REASON_NULL) {
+               signature_failure_reason = imgp->ip_cs_error;
+               imgp->ip_cs_error = OS_REASON_NULL;
+               error = EACCES;
+               goto done;
+       }
+
        /* check if callout to taskgated is needed */
        if (!taskgated_required(p, &require_success)) {
                error = 0;
        /* check if callout to taskgated is needed */
        if (!taskgated_required(p, &require_success)) {
                error = 0;
@@ -4663,8 +5428,12 @@ check_for_signature(proc_t p, struct image_params *imgp)
        kr = task_get_task_access_port(p->task, &port);
        if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
                error = 0;
        kr = task_get_task_access_port(p->task, &port);
        if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
                error = 0;
-               if (require_success)
+               if (require_success) {
+                       KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                                       p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT, 0, 0);
+                       signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT);
                        error = EACCES;
                        error = EACCES;
+               }
                goto done;
        }
 
                goto done;
        }
 
@@ -4683,9 +5452,17 @@ check_for_signature(proc_t p, struct image_params *imgp)
                break;
        case KERN_FAILURE:
                error = EACCES;
                break;
        case KERN_FAILURE:
                error = EACCES;
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG, 0, 0);
+               signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG);
                goto done;
        default:
                error = EACCES;
                goto done;
        default:
                error = EACCES;
+
+               KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) | DBG_FUNC_NONE,
+                                               p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER, 0, 0);
+               signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER);
                unexpected_failure = TRUE;
                goto done;
        }
                unexpected_failure = TRUE;
                goto done;
        }
@@ -4709,12 +5486,20 @@ done:
                        p->p_csflags |= CS_KILLED;
                /* make very sure execution fails */
                if (vfexec || spawn) {
                        p->p_csflags |= CS_KILLED;
                /* make very sure execution fails */
                if (vfexec || spawn) {
-                       psignal_vfork(p, p->task, imgp->ip_new_thread, SIGKILL);
+                       assert(signature_failure_reason != OS_REASON_NULL);
+                       psignal_vfork_with_reason(p, p->task, imgp->ip_new_thread,
+                                       SIGKILL, signature_failure_reason);
+                       signature_failure_reason = OS_REASON_NULL;
                        error = 0;
                } else {
                        error = 0;
                } else {
-                       psignal(p, SIGKILL);
+                       assert(signature_failure_reason != OS_REASON_NULL);
+                       psignal_with_reason(p, SIGKILL, signature_failure_reason);
+                       signature_failure_reason = OS_REASON_NULL;
                }
        }
                }
        }
+
+       /* If we hit this, we likely would have leaked an exit reason */
+       assert(signature_failure_reason == OS_REASON_NULL);
        return error;
 }
 
        return error;
 }
 
mirror of XNU