+ }
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+ unsigned ngroups = 0;
+ gid_t groups[NGROUPS_MAX];
+
+ if (persona_get_groups(persona, &ngroups, groups,
+ px_persona->pspi_ngroups) != 0) {
+ error = EINVAL;
+ goto out;
+ }
+ if (ngroups != px_persona->pspi_ngroups) {
+ error = EINVAL;
+ goto out;
+ }
+ while (ngroups--) {
+ if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
+ error = EINVAL;
+ goto out;
+ }
+ }
+ if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
+ error = EINVAL;
+ goto out;
+ }
+ }
+ }
+
+out:
+ if (persona) {
+ persona_put(persona);
+ }
+
+ return error;
+}
+
+static int
+spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
+{
+ int ret;
+ kauth_cred_t cred;
+ struct persona *persona = NULL;
+ int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
+
+ if (!override) {
+ return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
+ }
+
+ /*
+ * we want to spawn into the given persona, but we want to override
+ * the kauth with a different UID/GID combo
+ */
+ persona = persona_lookup(px_persona->pspi_id);
+ if (!persona) {
+ return ESRCH;
+ }
+
+ cred = persona_get_cred(persona);
+ if (!cred) {
+ ret = EINVAL;
+ goto out;
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+ cred = kauth_cred_setresuid(cred,
+ px_persona->pspi_uid,
+ px_persona->pspi_uid,
+ px_persona->pspi_uid,
+ KAUTH_UID_NONE);
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+ cred = kauth_cred_setresgid(cred,
+ px_persona->pspi_gid,
+ px_persona->pspi_gid,
+ px_persona->pspi_gid);
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+ cred = kauth_cred_setgroups(cred,
+ px_persona->pspi_groups,
+ px_persona->pspi_ngroups,
+ px_persona->pspi_gmuid);
+ }
+
+ ret = persona_proc_adopt(p, persona, cred);
+
+out:
+ persona_put(persona);
+ return ret;
+}
+#endif
+
+#if __arm64__
+extern int legacy_footprint_entitlement_mode;
+static inline void
+proc_legacy_footprint_entitled(proc_t p, task_t task, const char *caller)
+{
+#pragma unused(p, caller)
+ boolean_t legacy_footprint_entitled;
+
+ switch (legacy_footprint_entitlement_mode) {
+ case LEGACY_FOOTPRINT_ENTITLEMENT_IGNORE:
+ /* the entitlement is ignored */
+ break;
+ case LEGACY_FOOTPRINT_ENTITLEMENT_IOS11_ACCT:
+ /* the entitlement grants iOS11 legacy accounting */
+ legacy_footprint_entitled = IOTaskHasEntitlement(task,
+ "com.apple.private.memory.legacy_footprint");
+ if (legacy_footprint_entitled) {
+ task_set_legacy_footprint(task);
+ }
+ break;
+ case LEGACY_FOOTPRINT_ENTITLEMENT_LIMIT_INCREASE:
+ /* the entitlement grants a footprint limit increase */
+ legacy_footprint_entitled = IOTaskHasEntitlement(task,
+ "com.apple.private.memory.legacy_footprint");
+ if (legacy_footprint_entitled) {
+ task_set_extra_footprint_limit(task);
+ }
+ break;
+ default:
+ break;
+ }
+}
+
+static inline void
+proc_ios13extended_footprint_entitled(proc_t p, task_t task, const char *caller)
+{
+#pragma unused(p, caller)
+ boolean_t ios13extended_footprint_entitled;
+
+ /* the entitlement grants a footprint limit increase */
+ ios13extended_footprint_entitled = IOTaskHasEntitlement(task,
+ "com.apple.developer.memory.ios13extended_footprint");
+ if (ios13extended_footprint_entitled) {
+ task_set_ios13extended_footprint_limit(task);
+ }
+}
+#endif /* __arm64__ */
+
+/*
+ * Apply a modification on the proc's kauth cred until it converges.
+ *
+ * `update` consumes its argument to return a new kauth cred.
+ */
+static void
+apply_kauth_cred_update(proc_t p,
+ kauth_cred_t (^update)(kauth_cred_t orig_cred))
+{
+ kauth_cred_t my_cred, my_new_cred;
+
+ my_cred = kauth_cred_proc_ref(p);
+ for (;;) {
+ my_new_cred = update(my_cred);
+ if (my_cred == my_new_cred) {
+ kauth_cred_unref(&my_new_cred);
+ break;
+ }
+
+ /* try update cred on proc */
+ proc_ucred_lock(p);
+
+ if (p->p_ucred == my_cred) {
+ /* base pointer didn't change, donate our ref */
+ p->p_ucred = my_new_cred;
+ PROC_UPDATE_CREDS_ONPROC(p);
+ proc_ucred_unlock(p);
+
+ /* drop p->p_ucred reference */
+ kauth_cred_unref(&my_cred);
+ break;
+ }
+
+ /* base pointer changed, retry */
+ my_cred = p->p_ucred;
+ kauth_cred_ref(my_cred);
+ proc_ucred_unlock(p);
+
+ kauth_cred_unref(&my_new_cred);
+ }
+}
+
+static int
+spawn_posix_cred_adopt(proc_t p,
+ struct _posix_spawn_posix_cred_info *px_pcred_info)
+{
+ int error = 0;
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GID) {
+ struct setgid_args args = {
+ .gid = px_pcred_info->pspci_gid,
+ };
+ error = setgid(p, &args, NULL);
+ if (error) {
+ return error;
+ }
+ }
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GROUPS) {
+ error = setgroups_internal(p,
+ px_pcred_info->pspci_ngroups,
+ px_pcred_info->pspci_groups,
+ px_pcred_info->pspci_gmuid);
+ if (error) {
+ return error;
+ }
+ }
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_UID) {
+ struct setuid_args args = {
+ .uid = px_pcred_info->pspci_uid,
+ };
+ error = setuid(p, &args, NULL);
+ if (error) {
+ return error;
+ }
+ }
+ return 0;
+}
+
+/*
+ * posix_spawn
+ *
+ * Parameters: uap->pid Pointer to pid return area
+ * uap->fname File name to exec
+ * uap->argp Argument list
+ * uap->envp Environment list
+ *
+ * Returns: 0 Success
+ * EINVAL Invalid argument
+ * ENOTSUP Not supported
+ * ENOEXEC Executable file format error
+ * exec_activate_image:EINVAL Invalid argument
+ * exec_activate_image:EACCES Permission denied
+ * exec_activate_image:EINTR Interrupted function
+ * exec_activate_image:ENOMEM Not enough space
+ * exec_activate_image:EFAULT Bad address
+ * exec_activate_image:ENAMETOOLONG Filename too long
+ * exec_activate_image:ENOEXEC Executable file format error
+ * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
+ * exec_activate_image:EAUTH Image decryption failed
+ * exec_activate_image:EBADEXEC The executable is corrupt/unknown
+ * exec_activate_image:???
+ * mac_execve_enter:???
+ *
+ * TODO: Expect to need __mac_posix_spawn() at some point...
+ * Handle posix_spawnattr_t
+ * Handle posix_spawn_file_actions_t
+ */
+int
+posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
+{
+ proc_t p = ap; /* quiet bogus GCC vfork() warning */
+ user_addr_t pid = uap->pid;
+ int ival[2]; /* dummy retval for setpgid() */
+ char *bufp = NULL;
+ struct image_params *imgp;
+ struct vnode_attr *vap;
+ struct vnode_attr *origvap;
+ struct uthread *uthread = 0; /* compiler complains if not set to 0*/
+ int error, sig;
+ int is_64 = IS_64BIT_PROCESS(p);
+ struct vfs_context context;
+ struct user__posix_spawn_args_desc px_args;
+ struct _posix_spawnattr px_sa;
+ _posix_spawn_file_actions_t px_sfap = NULL;
+ _posix_spawn_port_actions_t px_spap = NULL;
+ struct __kern_sigaction vec;
+ boolean_t spawn_no_exec = FALSE;
+ boolean_t proc_transit_set = TRUE;
+ boolean_t exec_done = FALSE;
+ struct exec_port_actions port_actions = { };
+ vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
+ task_t old_task = current_task();
+ task_t new_task = NULL;
+ boolean_t should_release_proc_ref = FALSE;
+ void *inherit = NULL;
+#if CONFIG_PERSONAS
+ struct _posix_spawn_persona_info *px_persona = NULL;
+#endif
+ struct _posix_spawn_posix_cred_info *px_pcred_info = NULL;
+
+ /*
+ * Allocate a big chunk for locals instead of using stack since these
+ * structures are pretty big.
+ */
+ MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
+ imgp = (struct image_params *) bufp;
+ if (bufp == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
+ origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
+
+ /* Initialize the common data in the image_params structure */
+ imgp->ip_user_fname = uap->path;
+ imgp->ip_user_argv = uap->argv;
+ imgp->ip_user_envv = uap->envp;
+ imgp->ip_vattr = vap;
+ imgp->ip_origvattr = origvap;
+ imgp->ip_vfs_context = &context;
+ imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE);
+ imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
+ imgp->ip_mac_return = 0;
+ imgp->ip_px_persona = NULL;
+ imgp->ip_px_pcred_info = NULL;
+ imgp->ip_cs_error = OS_REASON_NULL;
+ imgp->ip_simulator_binary = IMGPF_SB_DEFAULT;
+
+ if (uap->adesc != USER_ADDR_NULL) {
+ if (is_64) {
+ error = copyin(uap->adesc, &px_args, sizeof(px_args));
+ } else {
+ struct user32__posix_spawn_args_desc px_args32;
+
+ error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
+
+ /*
+ * Convert arguments descriptor from external 32 bit
+ * representation to internal 64 bit representation
+ */
+ px_args.attr_size = px_args32.attr_size;
+ px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
+ px_args.file_actions_size = px_args32.file_actions_size;
+ px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
+ px_args.port_actions_size = px_args32.port_actions_size;
+ px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
+ px_args.mac_extensions_size = px_args32.mac_extensions_size;
+ px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
+ px_args.coal_info_size = px_args32.coal_info_size;
+ px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
+ px_args.persona_info_size = px_args32.persona_info_size;
+ px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
+ px_args.posix_cred_info_size = px_args32.posix_cred_info_size;
+ px_args.posix_cred_info = CAST_USER_ADDR_T(px_args32.posix_cred_info);
+ }
+ if (error) {
+ goto bad;
+ }
+
+ if (px_args.attr_size != 0) {
+ /*
+ * We are not copying the port_actions pointer,
+ * because we already have it from px_args.
+ * This is a bit fragile: <rdar://problem/16427422>
+ */
+
+ if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset)) != 0) {
+ goto bad;
+ }
+
+ bzero((void *)((unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );
+
+ imgp->ip_px_sa = &px_sa;
+ }
+ if (px_args.file_actions_size != 0) {
+ /* Limit file_actions to allowed number of open files */
+ int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
+ size_t maxfa_size = PSF_ACTIONS_SIZE(maxfa);
+ if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
+ maxfa_size == 0 || px_args.file_actions_size > maxfa_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
+ if (px_sfap == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_sfa = px_sfap;
+
+ if ((error = copyin(px_args.file_actions, px_sfap,
+ px_args.file_actions_size)) != 0) {
+ goto bad;
+ }
+
+ /* Verify that the action count matches the struct size */
+ size_t psfsize = PSF_ACTIONS_SIZE(px_sfap->psfa_act_count);
+ if (psfsize == 0 || psfsize != px_args.file_actions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+ if (px_args.port_actions_size != 0) {
+ /* Limit port_actions to one page of data */
+ if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
+ px_args.port_actions_size > PAGE_SIZE) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ MALLOC(px_spap, _posix_spawn_port_actions_t,
+ px_args.port_actions_size, M_TEMP, M_WAITOK);
+ if (px_spap == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_spa = px_spap;
+
+ if ((error = copyin(px_args.port_actions, px_spap,
+ px_args.port_actions_size)) != 0) {
+ goto bad;
+ }
+
+ /* Verify that the action count matches the struct size */
+ size_t pasize = PS_PORT_ACTIONS_SIZE(px_spap->pspa_count);
+ if (pasize == 0 || pasize != px_args.port_actions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+#if CONFIG_PERSONAS
+ /* copy in the persona info */
+ if (px_args.persona_info_size != 0 && px_args.persona_info != 0) {
+ /* for now, we need the exact same struct in user space */
+ if (px_args.persona_info_size != sizeof(*px_persona)) {
+ error = ERANGE;
+ goto bad;
+ }
+
+ MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK | M_ZERO);
+ if (px_persona == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_persona = px_persona;
+
+ if ((error = copyin(px_args.persona_info, px_persona,
+ px_args.persona_info_size)) != 0) {
+ goto bad;
+ }
+ if ((error = spawn_validate_persona(px_persona)) != 0) {
+ goto bad;
+ }
+ }
+#endif
+ /* copy in the posix cred info */
+ if (px_args.posix_cred_info_size != 0 && px_args.posix_cred_info != 0) {
+ /* for now, we need the exact same struct in user space */
+ if (px_args.posix_cred_info_size != sizeof(*px_pcred_info)) {
+ error = ERANGE;
+ goto bad;
+ }
+
+ if (!kauth_cred_issuser(kauth_cred_get())) {
+ error = EPERM;
+ goto bad;
+ }
+
+ MALLOC(px_pcred_info, struct _posix_spawn_posix_cred_info *,
+ px_args.posix_cred_info_size, M_TEMP, M_WAITOK | M_ZERO);
+ if (px_pcred_info == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_pcred_info = px_pcred_info;
+
+ if ((error = copyin(px_args.posix_cred_info, px_pcred_info,
+ px_args.posix_cred_info_size)) != 0) {
+ goto bad;
+ }
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GROUPS) {
+ if (px_pcred_info->pspci_ngroups > NGROUPS_MAX) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+ }
+#if CONFIG_MACF
+ if (px_args.mac_extensions_size != 0) {
+ if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0) {
+ goto bad;
+ }
+ }
+#endif /* CONFIG_MACF */
+ }
+
+ /* set uthread to parent */
+ uthread = get_bsdthread_info(current_thread());
+
+ /*
+ * <rdar://6640530>; this does not result in a behaviour change
+ * relative to Leopard, so there should not be any existing code
+ * which depends on it.
+ */
+ if (uthread->uu_flag & UT_VFORK) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ if (imgp->ip_px_sa != NULL) {
+ struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+ if ((error = exec_validate_spawnattr_policy(psa->psa_apptype)) != 0) {
+ goto bad;
+ }
+ }
+
+ /*
+ * If we don't have the extension flag that turns "posix_spawn()"
+ * into "execve() with options", then we will be creating a new
+ * process which does not inherit memory from the parent process,
+ * which is one of the most expensive things about using fork()
+ * and execve().
+ */
+ if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)) {
+ /* Set the new task's coalition, if it is requested. */
+ coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
+#if CONFIG_COALITIONS
+ int i, ncoals;
+ kern_return_t kr = KERN_SUCCESS;
+ struct _posix_spawn_coalition_info coal_info;
+ int coal_role[COALITION_NUM_TYPES];
+
+ if (imgp->ip_px_sa == NULL || !px_args.coal_info) {
+ goto do_fork1;
+ }
+
+ memset(&coal_info, 0, sizeof(coal_info));
+
+ if (px_args.coal_info_size > sizeof(coal_info)) {
+ px_args.coal_info_size = sizeof(coal_info);
+ }
+ error = copyin(px_args.coal_info,
+ &coal_info, px_args.coal_info_size);
+ if (error != 0) {
+ goto bad;
+ }
+
+ ncoals = 0;
+ for (i = 0; i < COALITION_NUM_TYPES; i++) {
+ uint64_t cid = coal_info.psci_info[i].psci_id;
+ if (cid != 0) {
+ /*
+ * don't allow tasks which are not in a
+ * privileged coalition to spawn processes
+ * into coalitions other than their own
+ */
+ if (!task_is_in_privileged_coalition(p->task, i)) {
+ coal_dbg("ERROR: %d not in privilegd "
+ "coalition of type %d",
+ p->p_pid, i);
+ spawn_coalitions_release_all(coal);
+ error = EPERM;
+ goto bad;
+ }
+
+ coal_dbg("searching for coalition id:%llu", cid);
+ /*
+ * take a reference and activation on the
+ * coalition to guard against free-while-spawn
+ * races
+ */
+ coal[i] = coalition_find_and_activate_by_id(cid);
+ if (coal[i] == COALITION_NULL) {
+ coal_dbg("could not find coalition id:%llu "
+ "(perhaps it has been terminated or reaped)", cid);
+ /*
+ * release any other coalition's we
+ * may have a reference to
+ */
+ spawn_coalitions_release_all(coal);
+ error = ESRCH;
+ goto bad;
+ }
+ if (coalition_type(coal[i]) != i) {
+ coal_dbg("coalition with id:%lld is not of type:%d"
+ " (it's type:%d)", cid, i, coalition_type(coal[i]));
+ error = ESRCH;
+ goto bad;
+ }
+ coal_role[i] = coal_info.psci_info[i].psci_role;
+ ncoals++;
+ }
+ }
+ if (ncoals < COALITION_NUM_TYPES) {
+ /*
+ * If the user is attempting to spawn into a subset of
+ * the known coalition types, then make sure they have
+ * _at_least_ specified a resource coalition. If not,
+ * the following fork1() call will implicitly force an
+ * inheritance from 'p' and won't actually spawn the
+ * new task into the coalitions the user specified.
+ * (also the call to coalitions_set_roles will panic)
+ */
+ if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) {
+ spawn_coalitions_release_all(coal);
+ error = EINVAL;
+ goto bad;
+ }
+ }
+do_fork1:
+#endif /* CONFIG_COALITIONS */
+
+ /*
+ * note that this will implicitly inherit the
+ * caller's persona (if it exists)
+ */
+ error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
+ /* returns a thread and task reference */
+
+ if (error == 0) {
+ new_task = get_threadtask(imgp->ip_new_thread);
+ }
+#if CONFIG_COALITIONS
+ /* set the roles of this task within each given coalition */
+ if (error == 0) {
+ kr = coalitions_set_roles(coal, new_task, coal_role);
+ if (kr != KERN_SUCCESS) {
+ error = EINVAL;
+ }
+ if (kdebug_debugid_enabled(MACHDBG_CODE(DBG_MACH_COALITION,
+ MACH_COALITION_ADOPT))) {
+ for (i = 0; i < COALITION_NUM_TYPES; i++) {
+ if (coal[i] != COALITION_NULL) {
+ /*
+ * On 32-bit targets, uniqueid
+ * will get truncated to 32 bits
+ */
+ KDBG_RELEASE(MACHDBG_CODE(
+ DBG_MACH_COALITION,
+ MACH_COALITION_ADOPT),
+ coalition_id(coal[i]),
+ get_task_uniqueid(new_task));
+ }
+ }
+ }
+ }
+
+ /* drop our references and activations - fork1() now holds them */
+ spawn_coalitions_release_all(coal);
+#endif /* CONFIG_COALITIONS */
+ if (error != 0) {
+ goto bad;
+ }
+ imgp->ip_flags |= IMGPF_SPAWN; /* spawn w/o exec */
+ spawn_no_exec = TRUE; /* used in later tests */
+ } else {
+ /*
+ * For execve case, create a new task and thread
+ * which points to current_proc. The current_proc will point
+ * to the new task after image activation and proc ref drain.
+ *
+ * proc (current_proc) <----- old_task (current_task)
+ * ^ | ^
+ * | | |
+ * | ----------------------------------
+ * |
+ * --------- new_task (task marked as TF_EXEC_COPY)
+ *
+ * After image activation, the proc will point to the new task
+ * and would look like following.
+ *
+ * proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
+ * ^ |
+ * | |
+ * | ----------> new_task
+ * | |
+ * -----------------
+ *
+ * During exec any transition from new_task -> proc is fine, but don't allow
+ * transition from proc->task, since it will modify old_task.
+ */
+ imgp->ip_new_thread = fork_create_child(old_task,
+ NULL,
+ p,
+ FALSE,
+ p->p_flag & P_LP64,
+ task_get_64bit_data(old_task),
+ TRUE);
+ /* task and thread ref returned by fork_create_child */
+ if (imgp->ip_new_thread == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+
+ new_task = get_threadtask(imgp->ip_new_thread);
+ imgp->ip_flags |= IMGPF_EXEC;
+ }
+
+ if (spawn_no_exec) {
+ p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
+
+ /*
+ * We had to wait until this point before firing the
+ * proc:::create probe, otherwise p would not point to the
+ * child process.
+ */
+ DTRACE_PROC1(create, proc_t, p);
+ }
+ assert(p != NULL);
+
+ context.vc_thread = imgp->ip_new_thread;
+ context.vc_ucred = p->p_ucred; /* XXX must NOT be kauth_cred_get() */
+
+ /*
+ * Post fdcopy(), pre exec_handle_sugid() - this is where we want
+ * to handle the file_actions. Since vfork() also ends up setting
+ * us into the parent process group, and saved off the signal flags,
+ * this is also where we want to handle the spawn flags.
+ */
+
+ /* Has spawn file actions? */
+ if (imgp->ip_px_sfa != NULL) {
+ /*
+ * The POSIX_SPAWN_CLOEXEC_DEFAULT flag
+ * is handled in exec_handle_file_actions().
+ */
+#if CONFIG_AUDIT
+ /*
+ * The file actions auditing can overwrite the upath of
+ * AUE_POSIX_SPAWN audit record. Save the audit record.
+ */
+ struct kaudit_record *save_uu_ar = uthread->uu_ar;
+ uthread->uu_ar = NULL;
+#endif
+ error = exec_handle_file_actions(imgp,
+ imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0);
+#if CONFIG_AUDIT
+ /* Restore the AUE_POSIX_SPAWN audit record. */
+ uthread->uu_ar = save_uu_ar;
+#endif
+ if (error != 0) {
+ goto bad;
+ }
+ }
+
+ /* Has spawn port actions? */
+ if (imgp->ip_px_spa != NULL) {
+#if CONFIG_AUDIT
+ /*
+ * Do the same for the port actions as we did for the file
+ * actions. Save the AUE_POSIX_SPAWN audit record.
+ */
+ struct kaudit_record *save_uu_ar = uthread->uu_ar;
+ uthread->uu_ar = NULL;
+#endif
+ error = exec_handle_port_actions(imgp, &port_actions);
+#if CONFIG_AUDIT
+ /* Restore the AUE_POSIX_SPAWN audit record. */
+ uthread->uu_ar = save_uu_ar;
+#endif
+ if (error != 0) {
+ goto bad;
+ }
+ }
+
+ /* Has spawn attr? */
+ if (imgp->ip_px_sa != NULL) {
+ /*
+ * Reset UID/GID to parent's RUID/RGID; This works only
+ * because the operation occurs *after* the vfork() and
+ * before the call to exec_handle_sugid() by the image
+ * activator called from exec_activate_image(). POSIX
+ * requires that any setuid/setgid bits on the process
+ * image will take precedence over the spawn attributes
+ * (re)setting them.
+ *
+ * Modifications to p_ucred must be guarded using the
+ * proc's ucred lock. This prevents others from accessing
+ * a garbage credential.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
+ apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred){
+ return kauth_cred_setuidgid(my_cred,
+ kauth_cred_getruid(my_cred),
+ kauth_cred_getrgid(my_cred));
+ });
+ }
+
+ if (imgp->ip_px_pcred_info) {
+ if (!spawn_no_exec) {
+ error = ENOTSUP;
+ goto bad;
+ }
+
+ error = spawn_posix_cred_adopt(p, imgp->ip_px_pcred_info);
+ if (error != 0) {
+ goto bad;
+ }
+ }
+
+#if CONFIG_PERSONAS
+ if (imgp->ip_px_persona != NULL) {
+ if (!spawn_no_exec) {
+ error = ENOTSUP;
+ goto bad;
+ }
+
+ /*
+ * If we were asked to spawn a process into a new persona,
+ * do the credential switch now (which may override the UID/GID
+ * inherit done just above). It's important to do this switch
+ * before image activation both for reasons stated above, and
+ * to ensure that the new persona has access to the image/file
+ * being executed.
+ */
+ error = spawn_persona_adopt(p, imgp->ip_px_persona);
+ if (error != 0) {
+ goto bad;
+ }
+ }
+#endif /* CONFIG_PERSONAS */
+#if !SECURE_KERNEL
+ /*
+ * Disable ASLR for the spawned process.
+ *
+ * But only do so if we are not embedded + RELEASE.
+ * While embedded allows for a boot-arg (-disable_aslr)
+ * to deal with this (which itself is only honored on
+ * DEVELOPMENT or DEBUG builds of xnu), it is often
+ * useful or necessary to disable ASLR on a per-process
+ * basis for unit testing and debugging.
+ */
+ if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR) {
+ OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
+ }
+#endif /* !SECURE_KERNEL */
+
+ /* Randomize high bits of ASLR slide */
+ if (px_sa.psa_flags & _POSIX_SPAWN_HIGH_BITS_ASLR) {
+ imgp->ip_flags |= IMGPF_HIGH_BITS_ASLR;
+ }
+
+#if !SECURE_KERNEL
+ /*
+ * Forcibly disallow execution from data pages for the spawned process
+ * even if it would otherwise be permitted by the architecture default.
+ */
+ if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC) {
+ imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;
+ }
+#endif /* !SECURE_KERNEL */
+
+ if ((px_sa.psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) ==
+ POSIX_SPAWN_PROC_TYPE_DRIVER) {
+ imgp->ip_flags |= IMGPF_DRIVER;
+ }
+ }
+
+ /*
+ * Disable ASLR during image activation. This occurs either if the
+ * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
+ * P_DISABLE_ASLR was inherited from the parent process.
+ */
+ if (p->p_flag & P_DISABLE_ASLR) {
+ imgp->ip_flags |= IMGPF_DISABLE_ASLR;
+ }
+
+ /*
+ * Clear transition flag so we won't hang if exec_activate_image() causes
+ * an automount (and launchd does a proc sysctl to service it).
+ *
+ * <rdar://problem/6848672>, <rdar://problem/5959568>.
+ */
+ if (spawn_no_exec) {
+ proc_transend(p, 0);
+ proc_transit_set = 0;
+ }
+
+#if MAC_SPAWN /* XXX */
+ if (uap->mac_p != USER_ADDR_NULL) {
+ error = mac_execve_enter(uap->mac_p, imgp);
+ if (error) {
+ goto bad;
+ }
+ }
+#endif
+
+ /*
+ * Activate the image
+ */
+ error = exec_activate_image(imgp);
+#if defined(HAS_APPLE_PAC)
+ ml_task_set_disable_user_jop(new_task, imgp->ip_flags & IMGPF_NOJOP ? TRUE : FALSE);
+ ml_thread_set_disable_user_jop(imgp->ip_new_thread, imgp->ip_flags & IMGPF_NOJOP ? TRUE : FALSE);
+#endif
+
+ if (error == 0 && !spawn_no_exec) {
+ p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
+ /* proc ref returned */
+ should_release_proc_ref = TRUE;
+
+ /*
+ * Need to transfer pending watch port boosts to the new task while still making
+ * sure that the old task remains in the importance linkage. Create an importance
+ * linkage from old task to new task, then switch the task importance base
+ * of old task and new task. After the switch the port watch boost will be
+ * boosting the new task and new task will be donating importance to old task.
+ */
+ inherit = ipc_importance_exec_switch_task(old_task, new_task);
+ }
+
+ if (error == 0) {
+ /* process completed the exec */
+ exec_done = TRUE;
+ } else if (error == -1) {
+ /* Image not claimed by any activator? */
+ error = ENOEXEC;
+ }
+
+ if (!error && imgp->ip_px_sa != NULL) {
+ thread_t child_thread = imgp->ip_new_thread;
+ uthread_t child_uthread = get_bsdthread_info(child_thread);
+
+ /*
+ * Because of POSIX_SPAWN_SETEXEC, we need to handle this after image
+ * activation, else when image activation fails (before the point of no
+ * return) would leave the parent process in a modified state.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
+ struct setpgid_args spga;
+ spga.pid = p->p_pid;
+ spga.pgid = px_sa.psa_pgroup;
+ /*
+ * Effectively, call setpgid() system call; works
+ * because there are no pointer arguments.
+ */
+ if ((error = setpgid(p, &spga, ival)) != 0) {
+ goto bad;
+ }
+ }
+
+ if (px_sa.psa_flags & POSIX_SPAWN_SETSID) {
+ error = setsid_internal(p);
+ if (error != 0) {
+ goto bad;
+ }
+ }
+
+ /*
+ * If we have a spawn attr, and it contains signal related flags,
+ * the we need to process them in the "context" of the new child
+ * process, so we have to process it following image activation,
+ * prior to making the thread runnable in user space. This is
+ * necessitated by some signal information being per-thread rather
+ * than per-process, and we don't have the new allocation in hand
+ * until after the image is activated.
+ */
+
+ /*
+ * Mask a list of signals, instead of them being unmasked, if
+ * they were unmasked in the parent; note that some signals
+ * are not maskable.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK) {
+ child_uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
+ }
+ /*
+ * Default a list of signals instead of ignoring them, if
+ * they were ignored in the parent. Note that we pass
+ * spawn_no_exec to setsigvec() to indicate that we called
+ * fork1() and therefore do not need to call proc_signalstart()
+ * internally.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
+ vec.sa_handler = SIG_DFL;
+ vec.sa_tramp = 0;
+ vec.sa_mask = 0;
+ vec.sa_flags = 0;
+ for (sig = 1; sig < NSIG; sig++) {
+ if (px_sa.psa_sigdefault & (1 << (sig - 1))) {
+ error = setsigvec(p, child_thread, sig, &vec, spawn_no_exec);
+ }
+ }
+ }
+
+ /*
+ * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
+ * usage limit, which will generate a resource exceeded exception if any one thread exceeds the
+ * limit.
+ *
+ * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
+ */
+ if (px_sa.psa_cpumonitor_percent != 0) {
+ /*
+ * Always treat a CPU monitor activation coming from spawn as entitled. Requiring
+ * an entitlement to configure the monitor a certain way seems silly, since
+ * whomever is turning it on could just as easily choose not to do so.
+ */
+ error = proc_set_task_ruse_cpu(p->task,
+ TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
+ px_sa.psa_cpumonitor_percent,
+ px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
+ 0, TRUE);
+ }
+
+
+ if (px_pcred_info &&
+ (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_LOGIN)) {
+ /*
+ * setlogin() must happen after setsid()
+ */
+ setlogin_internal(p, px_pcred_info->pspci_login);
+ }
+ }
+
+bad:
+
+ if (error == 0) {
+ /* reset delay idle sleep status if set */
+#if !CONFIG_EMBEDDED
+ if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP) {
+ OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
+ }
+#endif /* !CONFIG_EMBEDDED */
+ /* upon successful spawn, re/set the proc control state */
+ if (imgp->ip_px_sa != NULL) {
+ switch (px_sa.psa_pcontrol) {
+ case POSIX_SPAWN_PCONTROL_THROTTLE:
+ p->p_pcaction = P_PCTHROTTLE;
+ break;
+ case POSIX_SPAWN_PCONTROL_SUSPEND:
+ p->p_pcaction = P_PCSUSP;
+ break;
+ case POSIX_SPAWN_PCONTROL_KILL:
+ p->p_pcaction = P_PCKILL;
+ break;
+ case POSIX_SPAWN_PCONTROL_NONE:
+ default:
+ p->p_pcaction = 0;
+ break;
+ }
+ ;
+ }
+ exec_resettextvp(p, imgp);
+
+#if CONFIG_MEMORYSTATUS
+ /* Set jetsam priority for DriverKit processes */
+ if (px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DRIVER) {
+ px_sa.psa_priority = JETSAM_PRIORITY_DRIVER_APPLE;
+ }
+
+ /* Has jetsam attributes? */
+ if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
+ /*
+ * With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no
+ * longer relevant, as background limits are described via the inactive limit slots.
+ *
+ * That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in,
+ * we attempt to mimic previous behavior by forcing the BG limit data into the
+ * inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode.
+ */
+
+ if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) {
+ memorystatus_update(p, px_sa.psa_priority, 0, FALSE, /* assertion priority */
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
+ TRUE,
+ -1, TRUE,
+ px_sa.psa_memlimit_inactive, FALSE);
+ } else {
+ memorystatus_update(p, px_sa.psa_priority, 0, FALSE, /* assertion priority */
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
+ TRUE,
+ px_sa.psa_memlimit_active,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL),
+ px_sa.psa_memlimit_inactive,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL));
+ }
+ }
+
+ /* Has jetsam relaunch behavior? */
+ if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_MASK)) {
+ /*
+ * Launchd has passed in data indicating the behavior of this process in response to jetsam.
+ * This data would be used by the jetsam subsystem to determine the position and protection
+ * offered to this process on dirty -> clean transitions.
+ */
+ int relaunch_flags = P_MEMSTAT_RELAUNCH_UNKNOWN;
+ switch (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_MASK) {
+ case POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_LOW:
+ relaunch_flags = P_MEMSTAT_RELAUNCH_LOW;
+ break;
+ case POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_MED:
+ relaunch_flags = P_MEMSTAT_RELAUNCH_MED;
+ break;
+ case POSIX_SPAWN_JETSAM_RELAUNCH_BEHAVIOR_HIGH:
+ relaunch_flags = P_MEMSTAT_RELAUNCH_HIGH;
+ break;
+ default:
+ break;
+ }
+ memorystatus_relaunch_flags_update(p, relaunch_flags);
+ }
+
+#endif /* CONFIG_MEMORYSTATUS */
+ if (imgp->ip_px_sa != NULL && px_sa.psa_thread_limit > 0) {
+ task_set_thread_limit(new_task, (uint16_t)px_sa.psa_thread_limit);
+ }
+ }
+
+ /*
+ * If we successfully called fork1(), we always need to do this;
+ * we identify this case by noting the IMGPF_SPAWN flag. This is
+ * because we come back from that call with signals blocked in the
+ * child, and we have to unblock them, but we want to wait until
+ * after we've performed any spawn actions. This has to happen
+ * before check_for_signature(), which uses psignal.
+ */
+ if (spawn_no_exec) {
+ if (proc_transit_set) {
+ proc_transend(p, 0);
+ }
+
+ /*
+ * Drop the signal lock on the child which was taken on our
+ * behalf by forkproc()/cloneproc() to prevent signals being
+ * received by the child in a partially constructed state.
+ */
+ proc_signalend(p, 0);
+
+ /* flag the 'fork' has occurred */
+ proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
+ }
projects / apple / xnu.git / blobdiff