/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2011 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* the terms and conditions for use and redistribution.
*/
-#include <cputypes.h>
-
/*-
* Copyright (c) 1982, 1986, 1991, 1993
* The Regents of the University of California. All rights reserved.
*
* from: @(#)kern_exec.c 8.1 (Berkeley) 6/10/93
*/
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
+ * support for mandatory and extensible security protections. This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
#include <machine/reg.h>
+#include <machine/cpu_capabilities.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/signal.h>
#include <sys/aio_kern.h>
#include <sys/sysproto.h>
+#if SYSV_SHM
#include <sys/shm_internal.h> /* shmexec() */
+#endif
#include <sys/ubc_internal.h> /* ubc_map() */
+#include <sys/spawn.h>
+#include <sys/spawn_internal.h>
+#include <sys/process_policy.h>
+#include <sys/codesign.h>
+#include <crypto/sha1.h>
-#include <bsm/audit_kernel.h>
+#include <libkern/libkern.h>
+
+#include <security/audit/audit.h>
+
+#include <ipc/ipc_types.h>
#include <mach/mach_types.h>
+#include <mach/port.h>
#include <mach/task.h>
+#include <mach/task_access.h>
#include <mach/thread_act.h>
#include <mach/vm_map.h>
#include <mach/mach_vm.h>
#include <mach/vm_param.h>
+#include <kern/sched_prim.h> /* thread_wakeup() */
+#include <kern/affinity.h>
+#include <kern/assert.h>
+#include <kern/task.h>
+#include <kern/coalition.h>
+
+#if CONFIG_MACF
+#include <security/mac.h>
+#include <security/mac_mach_internal.h>
+#endif
+
#include <vm/vm_map.h>
#include <vm/vm_kern.h>
-#include <vm/vm_pager.h>
+#include <vm/vm_protos.h>
#include <vm/vm_kern.h>
-#include <vm/task_working_set.h>
-#include <vm/vm_shared_memory_server.h>
+#include <vm/vm_fault.h>
+#include <vm/vm_pageout.h>
+
+#include <kdp/kdp_dyld.h>
+
+#include <machine/pal_routines.h>
+
+#include <pexpert/pexpert.h>
+
+#if CONFIG_MEMORYSTATUS
+#include <sys/kern_memorystatus.h>
+#endif
+
+#if CONFIG_DTRACE
+/* Do not include dtrace.h, it redefines kmem_[alloc/free] */
+extern void (*dtrace_fasttrap_exec_ptr)(proc_t);
+extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
+extern void (*dtrace_helpers_cleanup)(proc_t);
+extern void dtrace_lazy_dofs_destroy(proc_t);
+
+/*
+ * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
+ * we will store its value before actually calling it.
+ */
+static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL;
+
+#include <sys/dtrace_ptss.h>
+#endif
+
+/* support for child creation in exec after vfork */
+thread_t fork_create_child(task_t parent_task, coalition_t *parent_coalition, proc_t child_proc, int inherit_memory, int is64bit);
+void vfork_exit(proc_t p, int rv);
+extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
/*
* Mach things for which prototypes are unavailable from Mach headers
*/
void ipc_task_reset(
task_t task);
+void ipc_thread_reset(
+ thread_t thread);
+kern_return_t ipc_object_copyin(
+ ipc_space_t space,
+ mach_port_name_t name,
+ mach_msg_type_name_t msgt_name,
+ ipc_object_t *objectp);
+void ipc_port_release_send(ipc_port_t);
+
+#if DEVELOPMENT || DEBUG
+void task_importance_update_owner_info(task_t);
+#endif
extern struct savearea *get_user_regs(thread_t);
+__attribute__((noinline)) int __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid);
#include <kern/thread.h>
#include <kern/task.h>
#include <kern/ast.h>
#include <kern/mach_loader.h>
+#include <kern/mach_fat.h>
#include <mach-o/fat.h>
#include <mach-o/loader.h>
#include <machine/vmparam.h>
-#if KTRACE
-#include <sys/ktrace.h>
-#endif
#include <sys/imgact.h>
+#include <sys/sdt.h>
+
/*
- * SIZE_MAXPTR The maximum size of a user space pointer, in bytes
- * SIZE_IMG_STRSPACE The available string space, minus two pointers; we
- * define it interms of the maximum, since we don't
- * know the pointer size going in, until after we've
- * parsed the executable image.
+ * EAI_ITERLIMIT The maximum number of times to iterate an image
+ * activator in exec_activate_image() before treating
+ * it as malformed/corrupt.
*/
-#define SIZE_MAXPTR 8 /* 64 bits */
-#define SIZE_IMG_STRSPACE (NCARGS - 2 * SIZE_MAXPTR)
+#define EAI_ITERLIMIT 3
-int app_profile = 0;
+/*
+ * For #! interpreter parsing
+ */
+#define IS_WHITESPACE(ch) ((ch == ' ') || (ch == '\t'))
+#define IS_EOL(ch) ((ch == '#') || (ch == '\n'))
extern vm_map_t bsd_pageable_map;
-extern struct fileops vnops;
+extern const struct fileops vnops;
-#define ROUND_PTR(type, addr) \
- (type *)( ( (unsigned)(addr) + 16 - 1) \
- & ~(16 - 1) )
+#define USER_ADDR_ALIGN(addr, val) \
+ ( ( (user_addr_t)(addr) + (val) - 1) \
+ & ~((val) - 1) )
struct image_params; /* Forward */
+static int exec_activate_image(struct image_params *imgp);
static int exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp);
static int load_return_to_errno(load_return_t lrtn);
static int execargs_alloc(struct image_params *imgp);
static int execargs_free(struct image_params *imgp);
static int exec_check_permissions(struct image_params *imgp);
static int exec_extract_strings(struct image_params *imgp);
+static int exec_add_apple_strings(struct image_params *imgp);
static int exec_handle_sugid(struct image_params *imgp);
static int sugid_scripts = 0;
-SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW, &sugid_scripts, 0, "");
-static kern_return_t create_unix_stack(vm_map_t map, user_addr_t user_stack,
- int customstack, struct proc *p);
+SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
+static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p);
static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
-
-/* XXX forward; should be in headers, but can't be for one reason or another */
-extern void vfork_return(thread_t th_act,
- struct proc * p,
- struct proc *p2,
- register_t *retval);
+static void exec_resettextvp(proc_t, struct image_params *);
+static int check_for_signature(proc_t, struct image_params *);
+static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
+static errno_t exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports);
+static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
+ ipc_port_t * portwatch_ports, int portwatch_count);
/*
- * exec_add_string
+ * exec_add_user_string
*
* Add the requested string to the string space area.
*
* Parameters; struct image_params * image parameter block
* user_addr_t string to add to strings area
- * uio_seg segment where string is located
+ * int segment from which string comes
+ * boolean_t TRUE if string contributes to NCARGS
*
* Returns: 0 Success
* !0 Failure errno from copyinstr()
* Implicit returns:
* (imgp->ip_strendp) updated location of next add, if any
* (imgp->ip_strspace) updated byte count of space remaining
+ * (imgp->ip_argspace) updated byte count of space in NCARGS
*/
static int
-exec_add_string(struct image_params *imgp, user_addr_t str, /*uio_seg*/int seg)
+exec_add_user_string(struct image_params *imgp, user_addr_t str, int seg, boolean_t is_ncargs)
{
- int error = 0;
-
- do {
- size_t len = 0;
- if (imgp->ip_strspace <= 0) {
+ int error = 0;
+
+ do {
+ size_t len = 0;
+ int space;
+
+ if (is_ncargs)
+ space = imgp->ip_argspace; /* by definition smaller than ip_strspace */
+ else
+ space = imgp->ip_strspace;
+
+ if (space <= 0) {
error = E2BIG;
break;
}
- if (IS_UIO_SYS_SPACE(seg)) {
+
+ if (!UIO_SEG_IS_USER_SPACE(seg)) {
char *kstr = CAST_DOWN(char *,str); /* SAFE */
- error = copystr(kstr, imgp->ip_strendp, imgp->ip_strspace, &len);
+ error = copystr(kstr, imgp->ip_strendp, space, &len);
} else {
- error = copyinstr(str, imgp->ip_strendp, imgp->ip_strspace,
- &len);
+ error = copyinstr(str, imgp->ip_strendp, space, &len);
}
+
imgp->ip_strendp += len;
imgp->ip_strspace -= len;
+ if (is_ncargs)
+ imgp->ip_argspace -= len;
+
} while (error == ENAMETOOLONG);
-
+
return error;
}
+/*
+ * dyld is now passed the executable path as a getenv-like variable
+ * in the same fashion as the stack_guard and malloc_entropy keys.
+ */
+#define EXECUTABLE_KEY "executable_path="
+
/*
* exec_save_path
*
* To support new app package launching for Mac OS X, the dyld needs the
* first argument to execve() stored on the user stack.
*
- * Save the executable path name at the top of the strings area and set
+ * Save the executable path name at the bottom of the strings area and set
* the argument vector pointer to the location following that to indicate
* the start of the argument and environment tuples, setting the remaining
- * string space count to the size of the string area minus the path length
- * and a reserve for two pointers.
+ * string space count to the size of the string area minus the path length.
*
* Parameters; struct image_params * image parameter block
* char * path used to invoke program
- * uio_seg segment where path is located
+ * int segment from which path comes
*
* Returns: int 0 Success
- * !0 Failure: error number
+ * EFAULT Bad address
+ * copy[in]str:EFAULT Bad address
+ * copy[in]str:ENAMETOOLONG Filename too long
+ *
* Implicit returns:
* (imgp->ip_strings) saved path
* (imgp->ip_strspace) space remaining in ip_strings
- * (imgp->ip_argv) beginning of argument list
* (imgp->ip_strendp) start of remaining copy area
+ * (imgp->ip_argspace) space remaining of NCARGS
+ * (imgp->ip_applec) Initial applev[0]
*
* Note: We have to do this before the initial namei() since in the
* path contains symbolic links, namei() will overwrite the
* unacceptable for dyld.
*/
static int
-exec_save_path(struct image_params *imgp, user_addr_t path, /*uio_seg*/int seg)
+exec_save_path(struct image_params *imgp, user_addr_t path, int seg, const char **excpath)
{
int error;
- size_t len;
- char *kpath = CAST_DOWN(char *,path); /* SAFE */
+ size_t len;
+ char *kpath;
- imgp->ip_strendp = imgp->ip_strings;
- imgp->ip_strspace = SIZE_IMG_STRSPACE;
+ // imgp->ip_strings can come out of a cache, so we need to obliterate the
+ // old path.
+ memset(imgp->ip_strings, '\0', strlen(EXECUTABLE_KEY) + MAXPATHLEN);
len = MIN(MAXPATHLEN, imgp->ip_strspace);
- switch( seg) {
+ switch(seg) {
case UIO_USERSPACE32:
case UIO_USERSPACE64: /* Same for copyin()... */
- error = copyinstr(path, imgp->ip_strings, len, &len);
+ error = copyinstr(path, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
break;
- case UIO_SYSSPACE32:
- error = copystr(kpath, imgp->ip_strings, len, &len);
+ case UIO_SYSSPACE:
+ kpath = CAST_DOWN(char *,path); /* SAFE */
+ error = copystr(kpath, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
break;
default:
error = EFAULT;
}
if (!error) {
+ bcopy(EXECUTABLE_KEY, imgp->ip_strings, strlen(EXECUTABLE_KEY));
+ len += strlen(EXECUTABLE_KEY);
+
imgp->ip_strendp += len;
imgp->ip_strspace -= len;
- imgp->ip_argv = imgp->ip_strendp;
+
+ if (excpath) {
+ *excpath = imgp->ip_strings + strlen(EXECUTABLE_KEY);
+ }
}
return(error);
}
-#ifdef IMGPF_POWERPC
/*
- * exec_powerpc32_imgact
+ * exec_reset_save_path
*
- * Implicitly invoke the PowerPC handler for a byte-swapped image magic
- * number. This may happen either as a result of an attempt to invoke a
- * PowerPC image directly, or indirectly as the interpreter used in an
- * interpreter script.
- *
- * Parameters; struct image_params * image parameter block
+ * If we detect a shell script, we need to reset the string area
+ * state so that the interpreter can be saved onto the stack.
+
+ * Parameters; struct image_params * image parameter block
*
- * Returns: -1 not an PowerPC image (keep looking)
- * -3 Success: exec_archhandler_ppc: relookup
- * >0 Failure: exec_archhandler_ppc: error number
+ * Returns: int 0 Success
*
- * Note: This image activator does not handle the case of a direct
- * invocation of the exec_archhandler_ppc, since in that case, the
- * exec_archhandler_ppc itself is not a PowerPC binary; instead,
- * binary image activators must recognize the exec_archhandler_ppc;
- * This is managed in exec_check_permissions().
+ * Implicit returns:
+ * (imgp->ip_strings) saved path
+ * (imgp->ip_strspace) space remaining in ip_strings
+ * (imgp->ip_strendp) start of remaining copy area
+ * (imgp->ip_argspace) space remaining of NCARGS
*
- * Note: This image activator is limited to 32 bit powerpc images;
- * if support for 64 bit powerpc images is desired, it would
- * be more in line with this design to write a separate 64 bit
- * image activator.
*/
static int
-exec_powerpc32_imgact(struct image_params *imgp)
+exec_reset_save_path(struct image_params *imgp)
{
- struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
- int error;
- size_t len = 0;
-
- /*
- * Make sure it's a PowerPC binary. If we've already redirected
- * from an interpreted file once, don't do it again.
- */
- if (mach_header->magic != MH_CIGAM)
- return (-1);
-
- /* If there is no exec_archhandler_ppc, we can't run it */
- if (exec_archhandler_ppc.path[0] == 0)
- return (EBADARCH);
-
- /*
- * The PowerPC flag will be set by the exec_check_permissions()
- * call anyway; however, we set this flag here so that the relookup
- * in execve() does not follow symbolic links, as a side effect.
- */
- imgp->ip_flags |= IMGPF_POWERPC;
-
- /* impute an interpreter */
- error = copystr(exec_archhandler_ppc.path, imgp->ip_interp_name,
- IMG_SHSIZE, &len);
- if (error)
- return (error);
-
- /*
- * provide a replacement string for p->p_comm; we have to use an
- * an alternate buffer for this, rather than replacing it directly,
- * since the exec may fail and return to the parent. In that case,
- * we would have erroneously changed the parent p->p_comm instead.
- */
- strncpy(imgp->ip_p_comm, imgp->ip_ndp->ni_cnd.cn_nameptr, MAXCOMLEN);
- imgp->ip_p_comm[MAXCOMLEN] = '\0';
+ imgp->ip_strendp = imgp->ip_strings;
+ imgp->ip_argspace = NCARGS;
+ imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
- return (-3);
+ return (0);
}
-#endif /* IMGPF_POWERPC */
-
/*
* exec_shell_imgact
*
- * Image activator for interpreter scripts. If the image begins with the
- * characters "#!", then it is an interpreter script. Verify that we are
- * not already executing in PowerPC mode, and that the length of the script
- * line indicating the interpreter is not in excess of the maximum allowed
- * size. If this is the case, then break out the arguments, if any, which
- * are separated by white space, and copy them into the argument save area
- * as if they were provided on the command line before all other arguments.
- * The line ends when we encounter a comment character ('#') or newline.
+ * Image activator for interpreter scripts. If the image begins with
+ * the characters "#!", then it is an interpreter script. Verify the
+ * length of the script line indicating the interpreter is not in
+ * excess of the maximum allowed size. If this is the case, then
+ * break out the arguments, if any, which are separated by white
+ * space, and copy them into the argument save area as if they were
+ * provided on the command line before all other arguments. The line
+ * ends when we encounter a comment character ('#') or newline.
*
* Parameters; struct image_params * image parameter block
*
{
char *vdata = imgp->ip_vdata;
char *ihp;
- char *line_endp;
+ char *line_startp, *line_endp;
char *interp;
+ proc_t p;
+ struct fileproc *fp;
+ int fd;
+ int error;
/*
* Make sure it's a shell script. If we've already redirected
* from an interpreted file once, don't do it again.
- *
- * Note: We disallow PowerPC, since the expectation is that we
- * may run a PowerPC interpreter, but not an interpret a PowerPC
- * image. This is consistent with historical behaviour.
*/
if (vdata[0] != '#' ||
vdata[1] != '!' ||
return (-1);
}
-#ifdef IMGPF_POWERPC
- if ((imgp->ip_flags & IMGPF_POWERPC) != 0)
- return (EBADARCH);
-#endif /* IMGPF_POWERPC */
+ if (imgp->ip_origcputype != 0) {
+ /* Fat header previously matched, don't allow shell script inside */
+ return (-1);
+ }
imgp->ip_flags |= IMGPF_INTERPRET;
+ imgp->ip_interp_sugid_fd = -1;
+ imgp->ip_interp_buffer[0] = '\0';
- /* Check to see if SUGID scripts are permitted. If they aren't then
+ /* Check to see if SUGID scripts are permitted. If they aren't then
* clear the SUGID bits.
* imgp->ip_vattr is known to be valid.
- */
- if (sugid_scripts == 0) {
- imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
+ */
+ if (sugid_scripts == 0) {
+ imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
}
- /* Find the nominal end of the interpreter line */
- for( ihp = &vdata[2]; *ihp != '\n' && *ihp != '#'; ihp++) {
- if (ihp >= &vdata[IMG_SHSIZE])
+ /* Try to find the first non-whitespace character */
+ for( ihp = &vdata[2]; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
+ if (IS_EOL(*ihp)) {
+ /* Did not find interpreter, "#!\n" */
return (ENOEXEC);
+ } else if (IS_WHITESPACE(*ihp)) {
+ /* Whitespace, like "#! /bin/sh\n", keep going. */
+ } else {
+ /* Found start of interpreter */
+ break;
+ }
+ }
+
+ if (ihp == &vdata[IMG_SHSIZE]) {
+ /* All whitespace, like "#! " */
+ return (ENOEXEC);
}
- line_endp = ihp;
- ihp = &vdata[2];
- /* Skip over leading spaces - until the interpreter name */
- while ( ihp < line_endp && ((*ihp == ' ') || (*ihp == '\t')))
- ihp++;
+ line_startp = ihp;
- /*
- * Find the last non-whitespace character before the end of line or
- * the beginning of a comment; this is our new end of line.
- */
- for (;line_endp > ihp && ((*line_endp == ' ') || (*line_endp == '\t')); line_endp--)
- continue;
+ /* Try to find the end of the interpreter+args string */
+ for ( ; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
+ if (IS_EOL(*ihp)) {
+ /* Got it */
+ break;
+ } else {
+ /* Still part of interpreter or args */
+ }
+ }
- /* Empty? */
- if (line_endp == ihp)
+ if (ihp == &vdata[IMG_SHSIZE]) {
+ /* A long line, like "#! blah blah blah" without end */
return (ENOEXEC);
+ }
+
+ /* Backtrack until we find the last non-whitespace */
+ while (IS_EOL(*ihp) || IS_WHITESPACE(*ihp)) {
+ ihp--;
+ }
+
+ /* The character after the last non-whitespace is our logical end of line */
+ line_endp = ihp + 1;
+
+ /*
+ * Now we have pointers to the usable part of:
+ *
+ * "#! /usr/bin/int first second third \n"
+ * ^ line_startp ^ line_endp
+ */
/* copy the interpreter name */
- interp = imgp->ip_interp_name;
- while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t'))
- *interp++ = *ihp++;
+ interp = imgp->ip_interp_buffer;
+ for ( ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++)
+ *interp++ = *ihp;
*interp = '\0';
- exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_name),
- UIO_SYSSPACE32);
+ exec_reset_save_path(imgp);
+ exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer),
+ UIO_SYSSPACE, NULL);
- ihp = &vdata[2];
- while (ihp < line_endp) {
- /* Skip leading whitespace before each argument */
- while ((*ihp == ' ') || (*ihp == '\t'))
- ihp++;
+ /* Copy the entire interpreter + args for later processing into argv[] */
+ interp = imgp->ip_interp_buffer;
+ for ( ihp = line_startp; (ihp < line_endp); ihp++)
+ *interp++ = *ihp;
+ *interp = '\0';
- if (ihp >= line_endp)
- break;
+ /*
+ * If we have a SUID oder SGID script, create a file descriptor
+ * from the vnode and pass /dev/fd/%d instead of the actual
+ * path name so that the script does not get opened twice
+ */
+ if (imgp->ip_origvattr->va_mode & (VSUID | VSGID)) {
+ p = vfs_context_proc(imgp->ip_vfs_context);
+ error = falloc(p, &fp, &fd, imgp->ip_vfs_context);
+ if (error)
+ return(error);
- /* We have an argument; copy it */
- while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t')) {
- *imgp->ip_strendp++ = *ihp++;
- imgp->ip_strspace--;
- }
- *imgp->ip_strendp++ = 0;
- imgp->ip_strspace--;
- imgp->ip_argc++;
+ fp->f_fglob->fg_flag = FREAD;
+ fp->f_fglob->fg_ops = &vnops;
+ fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
+
+ proc_fdlock(p);
+ procfdtbl_releasefd(p, fd, NULL);
+ fp_drop(p, fd, fp, 1);
+ proc_fdunlock(p);
+ vnode_ref(imgp->ip_vp);
+
+ imgp->ip_interp_sugid_fd = fd;
}
return (-3);
* reloading the first page for the image with a first page from the
* offset location indicated by the fat header.
*
+ * Parameters; struct image_params * image parameter block
+ *
+ * Returns: -1 not a fat binary (keep looking)
+ * -2 Success: encapsulated binary: reread
+ * >0 Failure: error number
+ *
* Important: This image activator is byte order neutral.
*
- * Note: If we find an encapsulated binary, we make no assertions
+ * Note: A return value other than -1 indicates subsequent image
+ * activators should not be given the opportunity to attempt
+ * to activate the image.
+ *
+ * If we find an encapsulated binary, we make no assertions
* about its validity; instead, we leave that up to a rescan
* for an activator to claim it, and, if it is claimed by one,
* that activator is responsible for determining validity.
static int
exec_fat_imgact(struct image_params *imgp)
{
- struct proc *p = vfs_context_proc(imgp->ip_vfs_context);
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
kauth_cred_t cred = kauth_cred_proc_ref(p);
struct fat_header *fat_header = (struct fat_header *)imgp->ip_vdata;
+ struct _posix_spawnattr *psa = NULL;
struct fat_arch fat_arch;
int resid, error;
load_return_t lret;
+ if (imgp->ip_origcputype != 0) {
+ /* Fat header previously matched, don't allow another fat file inside */
+ return (-1);
+ }
+
/* Make sure it's a fat binary */
- if ((fat_header->magic != FAT_MAGIC) &&
- (fat_header->magic != FAT_CIGAM)) {
- error = -1;
+ if (OSSwapBigToHostInt32(fat_header->magic) != FAT_MAGIC) {
+ error = -1; /* not claimed */
+ goto bad;
+ }
+
+ /* imgp->ip_vdata has PAGE_SIZE, zerofilled if the file is smaller */
+ lret = fatfile_validate_fatarches((vm_offset_t)fat_header, PAGE_SIZE);
+ if (lret != LOAD_SUCCESS) {
+ error = load_return_to_errno(lret);
+ goto bad;
+ }
+
+ /* If posix_spawn binprefs exist, respect those prefs. */
+ psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+ if (psa != NULL && psa->psa_binprefs[0] != 0) {
+ uint32_t pr = 0;
+
+ /* Check each preference listed against all arches in header */
+ for (pr = 0; pr < NBINPREFS; pr++) {
+ cpu_type_t pref = psa->psa_binprefs[pr];
+ if (pref == 0) {
+ /* No suitable arch in the pref list */
+ error = EBADARCH;
+ goto bad;
+ }
+
+ if (pref == CPU_TYPE_ANY) {
+ /* Fall through to regular grading */
+ goto regular_grading;
+ }
+
+ lret = fatfile_getbestarch_for_cputype(pref,
+ (vm_offset_t)fat_header,
+ PAGE_SIZE,
+ &fat_arch);
+ if (lret == LOAD_SUCCESS) {
+ goto use_arch;
+ }
+ }
+
+ /* Requested binary preference was not honored */
+ error = EBADEXEC;
goto bad;
}
+regular_grading:
/* Look up our preferred architecture in the fat file. */
- lret = fatfile_getarch_affinity(imgp->ip_vp,
- (vm_offset_t)fat_header,
- &fat_arch,
- (p->p_flag & P_AFFINITY));
+ lret = fatfile_getbestarch((vm_offset_t)fat_header,
+ PAGE_SIZE,
+ &fat_arch);
if (lret != LOAD_SUCCESS) {
error = load_return_to_errno(lret);
goto bad;
}
- /* Read the Mach-O header out of it */
+use_arch:
+ /* Read the Mach-O header out of fat_arch */
error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata,
PAGE_SIZE, fat_arch.offset,
- UIO_SYSSPACE32, (IO_UNIT|IO_NODELOCKED),
+ UIO_SYSSPACE, (IO_UNIT|IO_NODELOCKED),
cred, &resid, p);
if (error) {
goto bad;
}
- /* Did we read a complete header? */
if (resid) {
- error = EBADEXEC;
- goto bad;
+ memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
}
/* Success. Indicate we have identified an encapsulated binary */
error = -2;
imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
imgp->ip_arch_size = (user_size_t)fat_arch.size;
+ imgp->ip_origcputype = fat_arch.cputype;
+ imgp->ip_origcpusubtype = fat_arch.cpusubtype;
bad:
kauth_cred_unref(&cred);
*
* Image activator for mach-o 1.0 binaries.
*
+ * Parameters; struct image_params * image parameter block
+ *
+ * Returns: -1 not a fat binary (keep looking)
+ * -2 Success: encapsulated binary: reread
+ * >0 Failure: error number
+ * EBADARCH Mach-o binary, but with an unrecognized
+ * architecture
+ * ENOMEM No memory for child process after -
+ * can only happen after vfork()
+ *
* Important: This image activator is NOT byte order neutral.
+ *
+ * Note: A return value other than -1 indicates subsequent image
+ * activators should not be given the opportunity to attempt
+ * to activate the image.
+ *
+ * TODO: More gracefully handle failures after vfork
*/
static int
exec_mach_imgact(struct image_params *imgp)
{
struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
- kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
- struct proc *p = vfs_context_proc(imgp->ip_vfs_context);
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
int error = 0;
- int vfexec = 0;
task_t task;
- task_t new_task;
+ task_t new_task = NULL; /* protected by vfexec */
thread_t thread;
struct uthread *uthread;
vm_map_t old_map = VM_MAP_NULL;
vm_map_t map;
- boolean_t clean_regions = FALSE;
load_return_t lret;
load_result_t load_result;
- shared_region_mapping_t shared_region, initial_region;
-#ifdef IMGPF_POWERPC
- int powerpcParent, powerpcImage;
-#endif /* IMGPF_POWERPC */
-
+ struct _posix_spawnattr *psa = NULL;
+ int spawn = (imgp->ip_flags & IMGPF_SPAWN);
+ int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
+ int p_name_len;
+
/*
* make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
* is a reserved field on the end, so for the most part, we can
- * treat them as if they were identical.
- */
+ * treat them as if they were identical. Reverse-endian Mach-O
+ * binaries are recognized but not compatible.
+ */
+ if ((mach_header->magic == MH_CIGAM) ||
+ (mach_header->magic == MH_CIGAM_64)) {
+ error = EBADARCH;
+ goto bad;
+ }
+
if ((mach_header->magic != MH_MAGIC) &&
(mach_header->magic != MH_MAGIC_64)) {
- error = -1;
+ error = -1;
+ goto bad;
+ }
+
+ if (mach_header->filetype != MH_EXECUTE) {
+ error = -1;
goto bad;
}
+ if (imgp->ip_origcputype != 0) {
+ /* Fat header previously had an idea about this thin file */
+ if (imgp->ip_origcputype != mach_header->cputype ||
+ imgp->ip_origcpusubtype != mach_header->cpusubtype) {
+ error = EBADARCH;
+ goto bad;
+ }
+ } else {
+ imgp->ip_origcputype = mach_header->cputype;
+ imgp->ip_origcpusubtype = mach_header->cpusubtype;
+ }
+
task = current_task();
thread = current_thread();
uthread = get_bsdthread_info(thread);
- if (uthread->uu_flag & UT_VFORK)
- vfexec = 1; /* Mark in exec */
-
if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64)
imgp->ip_flags |= IMGPF_IS_64BIT;
- if (!grade_binary(mach_header->cputype, mach_header->cpusubtype)) {
+ /* If posix_spawn binprefs exist, respect those prefs. */
+ psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+ if (psa != NULL && psa->psa_binprefs[0] != 0) {
+ int pr = 0;
+ for (pr = 0; pr < NBINPREFS; pr++) {
+ cpu_type_t pref = psa->psa_binprefs[pr];
+ if (pref == 0) {
+ /* No suitable arch in the pref list */
+ error = EBADARCH;
+ goto bad;
+ }
+
+ if (pref == CPU_TYPE_ANY) {
+ /* Jump to regular grading */
+ goto grade;
+ }
+
+ if (pref == imgp->ip_origcputype) {
+ /* We have a match! */
+ goto grade;
+ }
+ }
error = EBADARCH;
goto bad;
}
-
- /*
- * Copy in arguments/environment from the old process, if the
- * vector is non-NULL (i.e. exec is not being called from
- * load_init_program(), as a special case, at system startup).
- */
- if (imgp->ip_user_argv != 0LL) {
- error = exec_extract_strings(imgp);
- if (error)
- goto bad;
+grade:
+ if (!grade_binary(imgp->ip_origcputype, imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
+ error = EBADARCH;
+ goto bad;
}
+ /* Copy in arguments/environment from the old process */
+ error = exec_extract_strings(imgp);
+ if (error)
+ goto bad;
+
+ error = exec_add_apple_strings(imgp);
+ if (error)
+ goto bad;
+
+ AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc,
+ imgp->ip_endargv - imgp->ip_startargv);
+ AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
+ imgp->ip_endenvv - imgp->ip_endargv);
+
/*
- * Hack for binary compatability; put three NULs on the end of the
- * string area, and round it up to the next word boundary. This
- * ensures padding with NULs to the boundary.
+ * We are being called to activate an image subsequent to a vfork()
+ * operation; in this case, we know that our task, thread, and
+ * uthread are actually those of our parent, and our proc, which we
+ * obtained indirectly from the image_params vfs_context_t, is the
+ * new child process.
*/
- imgp->ip_strendp[0] = 0;
- imgp->ip_strendp[1] = 0;
- imgp->ip_strendp[2] = 0;
- imgp->ip_strendp += (((imgp->ip_strendp - imgp->ip_strings) + NBPW-1) & ~(NBPW-1));
+ if (vfexec || spawn) {
+ if (vfexec) {
+ imgp->ip_new_thread = fork_create_child(task, NULL, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT));
+ if (imgp->ip_new_thread == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ }
-#ifdef IMGPF_POWERPC
- /*
- * XXX
- *
- * Should be factored out; this is here because we might be getting
- * invoked this way as the result of a shell script, and the check
- * in exec_check_permissions() is not interior to the jump back up
- * to the "encapsulated_binary:" label in execve().
- */
- if (imgp->ip_vattr->va_fsid == exec_archhandler_ppc.fsid &&
- imgp->ip_vattr->va_fileid == (uint64_t)((u_long)exec_archhandler_ppc.fileid)) {
- imgp->ip_flags |= IMGPF_POWERPC;
- }
-#endif /* IMGPF_POWERPC */
-
- if (vfexec) {
- kern_return_t result;
-
- result = task_create_internal(task, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT), &new_task);
- if (result != KERN_SUCCESS)
- printf("execve: task_create failed. Code: 0x%x\n", result);
- p->task = new_task;
- set_bsdtask_info(new_task, p);
- if (p->p_nice != 0)
- resetpriority(p);
- map = get_task_map(new_task);
-
- if (imgp->ip_flags & IMGPF_IS_64BIT)
- vm_map_set_64bit(map);
- else
- vm_map_set_32bit(map);
-
- result = thread_create(new_task, &imgp->ip_vfork_thread);
- if (result != KERN_SUCCESS)
- printf("execve: thread_create failed. Code: 0x%x\n", result);
- /* reset local idea of task, thread, uthread */
- task = new_task;
- thread = imgp->ip_vfork_thread;
+ /* reset local idea of thread, uthread, task */
+ thread = imgp->ip_new_thread;
uthread = get_bsdthread_info(thread);
+ task = new_task = get_threadtask(thread);
+ map = get_task_map(task);
} else {
map = VM_MAP_NULL;
}
* We set these flags here; this is OK, since if we fail after
* this point, we have already destroyed the parent process anyway.
*/
+ task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, 0);
if (imgp->ip_flags & IMGPF_IS_64BIT) {
task_set_64bit(task, TRUE);
- p->p_flag |= P_LP64;
+ OSBitOrAtomic(P_LP64, &p->p_flag);
} else {
task_set_64bit(task, FALSE);
- p->p_flag &= ~P_LP64;
+ OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
}
/*
* Load the Mach-O file.
- */
-/* LP64 - remove following "if" statement after osfmk/vm/task_working_set.c */
-if((imgp->ip_flags & IMGPF_IS_64BIT) == 0)
- if(imgp->ip_tws_cache_name) {
- tws_handle_startup_file(task, kauth_cred_getuid(cred),
- imgp->ip_tws_cache_name, imgp->ip_vp, &clean_regions);
- }
-
- vm_get_shared_region(task, &initial_region);
-
-#ifdef IMGPF_POWERPC
- /*
- * If we are transitioning to/from powerpc, then we need to do extra
- * work here.
- */
- powerpcParent = (p->p_flag & P_TRANSLATED) ? 1 : 0;
- powerpcImage = (imgp->ip_flags & IMGPF_POWERPC) ? 1 : 0;
-
- if (powerpcParent ^ powerpcImage) {
- cpu_type_t cpu = (powerpcImage ? CPU_TYPE_POWERPC : cpu_type());
- struct vnode *rootDir = p->p_fd->fd_rdir;
-
- shared_region = lookup_default_shared_region((int)rootDir, cpu);
- if (shared_region == NULL) {
- shared_region_mapping_t old_region;
- shared_region_mapping_t new_region;
- vm_get_shared_region(current_task(), &old_region);
- /* grrrr... this sets current_task(), not task
- * -- they're different (usually)
- */
- shared_file_boot_time_init((int)rootDir,cpu);
- if ( current_task() != task ) {
- vm_get_shared_region(current_task(),&new_region);
- vm_set_shared_region(task,new_region);
- vm_set_shared_region(current_task(),old_region);
- }
- } else {
- vm_set_shared_region(task, shared_region);
- }
- shared_region_mapping_dealloc(initial_region);
- } else
-#endif /* IMGPF_POWERPC */
-
- {
- struct shared_region_task_mappings map_info;
- shared_region_mapping_t next;
-
- shared_region_mapping_info(initial_region,
- &map_info.text_region,
- &map_info.text_size,
- &map_info.data_region,
- &map_info.data_size,
- &map_info.region_mappings,
- &map_info.client_base,
- &map_info.alternate_base,
- &map_info.alternate_next,
- &map_info.fs_base,
- &map_info.system,
- &map_info.flags,
- &next);
- if (map_info.flags & SHARED_REGION_STANDALONE) {
- /*
- * We were using a private shared region.
- * Try and get back to a system-wide shared region
- * with matching "fs_base" (for chroot) and "system"
- * (for CPU type).
- */
- shared_region = lookup_default_shared_region(
- map_info.fs_base,
- map_info.system);
- if (shared_region == NULL) {
- /*
- * No system-wide default regions, stick to
- * our private region...
- */
- } else {
- SHARED_REGION_TRACE(
- SHARED_REGION_TRACE_INFO,
- ("shared_region: %p [%d(%s)] "
- "exec(\"%s\"): "
- "moving from private %p[%x,%x,%x] "
- "to default %p\n",
- current_thread(),
- p->p_pid, p->p_comm,
- (imgp->ip_p_comm[0] ?
- imgp->ip_p_comm :
- imgp->ip_ndp->ni_cnd.cn_nameptr),
- initial_region,
- map_info.fs_base,
- map_info.system,
- map_info.flags,
- shared_region));
- vm_set_shared_region(task, shared_region);
- shared_region_mapping_dealloc(initial_region);
- }
- }
- }
-
- /*
+ *
* NOTE: An error after this point indicates we have potentially
- * destroyed or overwrote some process state while attempting an
+ * destroyed or overwritten some process state while attempting an
* execve() following a vfork(), which is an unrecoverable condition.
+ * We send the new process an immediate SIGKILL to avoid it executing
+ * any instructions in the mutated address space. For true spawns,
+ * this is not the case, and "too late" is still not too late to
+ * return an error code to the parent process.
*/
- /*
- * We reset the task to 64-bit (or not) here. It may have picked up
- * a new map, and we need that to reflect its true 64-bit nature.
- */
-
- task_set_64bit(task,
- ((imgp->ip_flags & IMGPF_IS_64BIT) == IMGPF_IS_64BIT));
-
/*
* Actually load the image file we previously decided to load.
*/
- lret = load_machfile(imgp, mach_header, thread, map, clean_regions, &load_result);
+ lret = load_machfile(imgp, mach_header, thread, map, &load_result);
if (lret != LOAD_SUCCESS) {
error = load_return_to_errno(lret);
goto badtoolate;
}
- /* load_machfile() maps the vnode */
- (void)ubc_map(imgp->ip_vp, PROT_EXEC);
+ proc_lock(p);
+ p->p_cputype = imgp->ip_origcputype;
+ p->p_cpusubtype = imgp->ip_origcpusubtype;
+ proc_unlock(p);
+
+ vm_map_set_user_wire_limit(get_task_map(task), p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
+
+ /*
+ * Set code-signing flags if this binary is signed, or if parent has
+ * requested them on exec.
+ */
+ if (load_result.csflags & CS_VALID) {
+ imgp->ip_csflags |= load_result.csflags &
+ (CS_VALID|
+ CS_HARD|CS_KILL|CS_RESTRICT|CS_ENFORCEMENT|CS_REQUIRE_LV|CS_DYLD_PLATFORM|
+ CS_EXEC_SET_HARD|CS_EXEC_SET_KILL|CS_EXEC_SET_ENFORCEMENT);
+ } else {
+ imgp->ip_csflags &= ~CS_VALID;
+ }
+
+ if (p->p_csflags & CS_EXEC_SET_HARD)
+ imgp->ip_csflags |= CS_HARD;
+ if (p->p_csflags & CS_EXEC_SET_KILL)
+ imgp->ip_csflags |= CS_KILL;
+ if (p->p_csflags & CS_EXEC_SET_ENFORCEMENT)
+ imgp->ip_csflags |= CS_ENFORCEMENT;
+ if (p->p_csflags & CS_EXEC_SET_INSTALLER)
+ imgp->ip_csflags |= CS_INSTALLER;
+
+
+ /*
+ * Set up the system reserved areas in the new address space.
+ */
+ vm_map_exec(get_task_map(task),
+ task,
+ (void *) p->p_fd->fd_rdir,
+ cpu_type());
+
+ /*
+ * Close file descriptors which specify close-on-exec.
+ */
+ fdexec(p, psa != NULL ? psa->psa_flags : 0);
/*
* deal with set[ug]id.
*/
error = exec_handle_sugid(imgp);
+ if (error) {
+ goto badtoolate;
+ }
- KNOTE(&p->p_klist, NOTE_EXEC);
+ /*
+ * deal with voucher on exec-calling thread.
+ */
+ if (imgp->ip_new_thread == NULL)
+ thread_set_mach_voucher(current_thread(), IPC_VOUCHER_NULL);
- if (!vfexec && (p->p_flag & P_TRACED))
+ /* Make sure we won't interrupt ourself signalling a partial process */
+ if (!vfexec && !spawn && (p->p_lflag & P_LTRACED))
psignal(p, SIGTRAP);
- if (error) {
- goto badtoolate;
- }
- vnode_put(imgp->ip_vp);
- imgp->ip_vp = NULL;
-
if (load_result.unixproc &&
create_unix_stack(get_task_map(task),
- load_result.user_stack, load_result.customstack, p)) {
+ &load_result,
+ p) != KERN_SUCCESS) {
error = load_return_to_errno(LOAD_NOSPACE);
goto badtoolate;
}
- if (vfexec) {
+ if (vfexec || spawn) {
old_map = vm_map_switch(get_task_map(task));
}
ap = p->user_stack;
error = exec_copyout_strings(imgp, &ap);
if (error) {
- if (vfexec)
+ if (vfexec || spawn)
vm_map_switch(old_map);
goto badtoolate;
}
if (load_result.dynlinker) {
uint64_t ap;
+ int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
/* Adjust the stack */
- if (imgp->ip_flags & IMGPF_IS_64BIT) {
- ap = thread_adjuserstack(thread, -8);
- error = copyoutptr(load_result.mach_header, ap, 8);
- } else {
- ap = thread_adjuserstack(thread, -4);
- error = suword(ap, load_result.mach_header);
- }
+ ap = thread_adjuserstack(thread, -new_ptr_size);
+ error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
+
if (error) {
- if (vfexec)
+ if (vfexec || spawn)
vm_map_switch(old_map);
goto badtoolate;
}
+ task_set_dyld_info(task, load_result.all_image_info_addr,
+ load_result.all_image_info_size);
}
- if (vfexec) {
+ /* Avoid immediate VM faults back into kernel */
+ exec_prefault_data(p, imgp, &load_result);
+
+ if (vfexec || spawn) {
vm_map_switch(old_map);
}
/* Set the entry point */
*/
execsigs(p, thread);
- /*
- * Close file descriptors
- * which specify close-on-exec.
- */
- fdexec(p);
-
/*
* need to cancel async IO requests that can be cancelled and wait for those
* already active. MAY BLOCK!
*/
_aio_exec( p );
+#if SYSV_SHM
/* FIXME: Till vmspace inherit is fixed: */
if (!vfexec && p->vm_shm)
shmexec(p);
+#endif
+#if SYSV_SEM
/* Clean up the semaphores */
semexit(p);
+#endif
/*
* Remember file name for accounting.
*/
p->p_acflag &= ~AFORK;
- /* If the translated name isn't NULL, then we want to use
- * that translated name as the name we show as the "real" name.
- * Otherwise, use the name passed into exec.
+
+ /*
+ * Set p->p_comm and p->p_name to the name passed to exec
*/
- if (0 != imgp->ip_p_comm[0]) {
- bcopy((caddr_t)imgp->ip_p_comm, (caddr_t)p->p_comm,
- sizeof(p->p_comm));
- } else {
- if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
- imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
- bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
- (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
- p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
- }
+ p_name_len = sizeof(p->p_name) - 1;
+ if(imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len)
+ imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
+ bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
+ (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
+ p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+
+ if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
+ imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
+ bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
+ (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
+ p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+
+ pal_dbg_set_task_name( p->task );
+
+#if DEVELOPMENT || DEBUG
+ /*
+ * Update the pid an proc name for importance base if any
+ */
+ task_importance_update_owner_info(p->task);
+#endif
- if (kdebug_enable) {
- long dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4;
-
- /*
- * Collect the pathname for tracing
- */
- kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
-
- if (vfexec)
- {
- KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
- p->p_pid ,0,0,0, (unsigned int)thread);
- KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
- dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (unsigned int)thread);
- }
- else
- {
- KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
- p->p_pid ,0,0,0,0);
- KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
- dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
- }
- }
-
-#ifdef IMGPF_POWERPC
- /*
- * Mark the process as powerpc or not. If powerpc, set the affinity
- * flag, which will be used for grading binaries in future exec's
- * from the process.
- */
- if (((imgp->ip_flags & IMGPF_POWERPC) != 0))
- p->p_flag |= P_TRANSLATED;
- else
-#endif /* IMGPF_POWERPC */
- p->p_flag &= ~P_TRANSLATED;
- p->p_flag &= ~P_AFFINITY;
+ memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
+// <rdar://6598155> dtrace code cleanup needed
+#if CONFIG_DTRACE
/*
- * mark as execed, wakeup the process that vforked (if any) and tell
- * it that it now has it's own resources back
+ * Invalidate any predicate evaluation already cached for this thread by DTrace.
+ * That's because we've just stored to p_comm and DTrace refers to that when it
+ * evaluates the "execname" special variable. uid and gid may have changed as well.
*/
- p->p_flag |= P_EXEC;
- if (p->p_pptr && (p->p_flag & P_PPWAIT)) {
- p->p_flag &= ~P_PPWAIT;
- wakeup((caddr_t)p->p_pptr);
- }
+ dtrace_set_thread_predcache(current_thread(), 0);
- if (vfexec && (p->p_flag & P_TRACED)) {
- psignal_vfork(p, new_task, thread, SIGTRAP);
+ /*
+ * Free any outstanding lazy dof entries. It is imperative we
+ * always call dtrace_lazy_dofs_destroy, rather than null check
+ * and call if !NULL. If we NULL test, during lazy dof faulting
+ * we can race with the faulting code and proceed from here to
+ * beyond the helpers cleanup. The lazy dof faulting will then
+ * install new helpers which no longer belong to this process!
+ */
+ dtrace_lazy_dofs_destroy(p);
+
+
+ /*
+ * Clean up any DTrace helpers for the process.
+ */
+ if (p->p_dtrace_helpers != NULL && dtrace_helpers_cleanup) {
+ (*dtrace_helpers_cleanup)(p);
+ }
+
+ /*
+ * Cleanup the DTrace provider associated with this process.
+ */
+ proc_lock(p);
+ if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) {
+ (*dtrace_fasttrap_exec_ptr)(p);
+ }
+ proc_unlock(p);
+#endif
+
+ if (kdebug_enable) {
+ long dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4;
+
+ /*
+ * Collect the pathname for tracing
+ */
+ kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
+
+ if (vfexec || spawn) {
+ KERNEL_DEBUG_CONSTANT1(TRACE_DATA_EXEC | DBG_FUNC_NONE,
+ p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread));
+ KERNEL_DEBUG_CONSTANT1(TRACE_STRING_EXEC | DBG_FUNC_NONE,
+ dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread));
+ } else {
+ KERNEL_DEBUG_CONSTANT(TRACE_DATA_EXEC | DBG_FUNC_NONE,
+ p->p_pid ,0,0,0,0);
+ KERNEL_DEBUG_CONSTANT(TRACE_STRING_EXEC | DBG_FUNC_NONE,
+ dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
+ }
+ }
+
+ /*
+ * If posix_spawned with the START_SUSPENDED flag, stop the
+ * process before it runs.
+ */
+ if (imgp->ip_px_sa != NULL) {
+ psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+ if (psa->psa_flags & POSIX_SPAWN_START_SUSPENDED) {
+ proc_lock(p);
+ p->p_stat = SSTOP;
+ proc_unlock(p);
+ (void) task_suspend_internal(p->task);
+ }
+ }
+
+ /*
+ * mark as execed, wakeup the process that vforked (if any) and tell
+ * it that it now has its own resources back
+ */
+ OSBitOrAtomic(P_EXEC, &p->p_flag);
+ proc_resetregister(p);
+ if (p->p_pptr && (p->p_lflag & P_LPPWAIT)) {
+ proc_lock(p);
+ p->p_lflag &= ~P_LPPWAIT;
+ proc_unlock(p);
+ wakeup((caddr_t)p->p_pptr);
+ }
+
+ /*
+ * Pay for our earlier safety; deliver the delayed signals from
+ * the incomplete vfexec process now that it's complete.
+ */
+ if (vfexec && (p->p_lflag & P_LTRACED)) {
+ psignal_vfork(p, new_task, thread, SIGTRAP);
}
+ goto done;
+
badtoolate:
- if (vfexec) {
+ /* Don't allow child process to execute any instructions */
+ if (!spawn) {
+ if (vfexec) {
+ psignal_vfork(p, new_task, thread, SIGKILL);
+ } else {
+ psignal(p, SIGKILL);
+ }
+
+ /* We can't stop this system call at this point, so just pretend we succeeded */
+ error = 0;
+ }
+
+done:
+ if (!spawn) {
+ /* notify only if it has not failed due to FP Key error */
+ if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)
+ proc_knote(p, NOTE_EXEC);
+ }
+
+ /* Drop extra references for cases where we don't expect the caller to clean up */
+ if (vfexec || (spawn && error == 0)) {
task_deallocate(new_task);
thread_deallocate(thread);
- if (error)
- error = 0;
}
bad:
} execsw[] = {
{ exec_mach_imgact, "Mach-o Binary" },
{ exec_fat_imgact, "Fat Binary" },
-#ifdef IMGPF_POWERPC
- { exec_powerpc32_imgact, "PowerPC binary" },
-#endif /* IMGPF_POWERPC */
{ exec_shell_imgact, "Interpreter Script" },
{ NULL, NULL}
};
/*
- * TODO: Dynamic linker header address on stack is copied via suword()
+ * exec_activate_image
+ *
+ * Description: Iterate through the available image activators, and activate
+ * the image associated with the imgp structure. We start with
+ * the
+ *
+ * Parameters: struct image_params * Image parameter block
+ *
+ * Returns: 0 Success
+ * EBADEXEC The executable is corrupt/unknown
+ * execargs_alloc:EINVAL Invalid argument
+ * execargs_alloc:EACCES Permission denied
+ * execargs_alloc:EINTR Interrupted function
+ * execargs_alloc:ENOMEM Not enough space
+ * exec_save_path:EFAULT Bad address
+ * exec_save_path:ENAMETOOLONG Filename too long
+ * exec_check_permissions:EACCES Permission denied
+ * exec_check_permissions:ENOEXEC Executable file format error
+ * exec_check_permissions:ETXTBSY Text file busy [misuse of error code]
+ * exec_check_permissions:???
+ * namei:???
+ * vn_rdwr:??? [anything vn_rdwr can return]
+ * <ex_imgact>:??? [anything an imgact can return]
*/
-/* ARGSUSED */
-int
-execve(struct proc *p, struct execve_args *uap, register_t *retval)
+static int
+exec_activate_image(struct image_params *imgp)
{
- kauth_cred_t cred = kauth_cred_proc_ref(p);
- struct image_params image_params, *imgp;
- struct vnode_attr va;
- struct vnode_attr origva;
- struct nameidata nd;
- struct uthread *uthread;
- int i;
- int resid, error;
- task_t task;
- int numthreads;
- int vfexec=0;
+ struct nameidata *ndp = NULL;
+ const char *excpath;
+ int error;
+ int resid;
int once = 1; /* save SGUID-ness for interpreted files */
- char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */
- int is_64 = IS_64BIT_PROCESS(p);
- int seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
- struct vfs_context context;
-
- context.vc_proc = p;
- context.vc_ucred = cred; /* XXX must NOT be kauth_cred_get() */
-
-
- imgp = &image_params;
-
- /* Initialize the common data in the image_params structure */
- bzero(imgp, sizeof(*imgp));
- imgp->ip_user_fname = uap->fname;
- imgp->ip_user_argv = uap->argp;
- imgp->ip_user_envv = uap->envp;
- imgp->ip_vattr = &va;
- imgp->ip_origvattr = &origva;
- imgp->ip_vfs_context = &context;
- imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
- imgp->ip_tws_cache_name = NULL;
- imgp->ip_p_comm = alt_p_comm; /* for PowerPC */
-
- /*
- * XXXAUDIT: Currently, we only audit the pathname of the binary.
- * There may also be poor interaction with dyld.
- */
-
- task = current_task();
- uthread = get_bsdthread_info(current_thread());
-
- if (uthread->uu_flag & UT_VFORK) {
- vfexec = 1; /* Mark in exec */
- } else {
- if (task != kernel_task) {
- numthreads = get_task_numacts(task);
- if (numthreads <= 0 ) {
- kauth_cred_unref(&cred);
- return(EINVAL);
- }
- if (numthreads > 1) {
- kauth_cred_unref(&cred);
- return(ENOTSUP);
- }
- }
- }
+ int i;
+ int itercount = 0;
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
error = execargs_alloc(imgp);
+ if (error)
+ goto bad_notrans;
+
+ error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath);
if (error) {
- kauth_cred_unref(&cred);
- return(error);
- }
- /*
- * XXXAUDIT: Note: the double copyin introduces an audit
- * race. To correct this race, we must use a single
- * copyin(), e.g. by passing a flag to namei to indicate an
- * external path buffer is being used.
- */
- error = exec_save_path(imgp, uap->fname, seg);
- if (error) {
- execargs_free(imgp);
- kauth_cred_unref(&cred);
- return(error);
+ goto bad_notrans;
}
- /*
- * No app profiles under chroot
- */
- if((p->p_fd->fd_rdir == NULLVP) && (app_profile != 0)) {
+ /* Use excpath, which contains the copyin-ed exec path */
+ DTRACE_PROC1(exec, uintptr_t, excpath);
- /* grab the name of the file out of its path */
- /* we will need this for lookup within the */
- /* name file */
- /* Scan backwards for the first '/' or start of string */
- imgp->ip_tws_cache_name = imgp->ip_strendp;
- while (imgp->ip_tws_cache_name[0] != '/') {
- if(imgp->ip_tws_cache_name == imgp->ip_strings) {
- imgp->ip_tws_cache_name--;
- break;
- }
- imgp->ip_tws_cache_name--;
- }
- imgp->ip_tws_cache_name++;
+ MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
+ if (ndp == NULL) {
+ error = ENOMEM;
+ goto bad_notrans;
}
- NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
- seg, uap->fname, imgp->ip_vfs_context);
+
+ NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
+ UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
again:
- error = namei(&nd);
+ error = namei(ndp);
if (error)
- goto bad;
- imgp->ip_ndp = &nd; /* successful namei(); call nameidone() later */
- imgp->ip_vp = nd.ni_vp; /* if set, need to vnode_put() at some point */
+ goto bad_notrans;
+ imgp->ip_ndp = ndp; /* successful namei(); call nameidone() later */
+ imgp->ip_vp = ndp->ni_vp; /* if set, need to vnode_put() at some point */
+
+ /*
+ * Before we start the transition from binary A to binary B, make
+ * sure another thread hasn't started exiting the process. We grab
+ * the proc lock to check p_lflag initially, and the transition
+ * mechanism ensures that the value doesn't change after we release
+ * the lock.
+ */
+ proc_lock(p);
+ if (p->p_lflag & P_LEXIT) {
+ proc_unlock(p);
+ goto bad_notrans;
+ }
+ error = proc_transstart(p, 1, 0);
+ proc_unlock(p);
+ if (error)
+ goto bad_notrans;
error = exec_check_permissions(imgp);
if (error)
/* Copy; avoid invocation of an interpreter overwriting the original */
if (once) {
once = 0;
- origva = va;
+ *imgp->ip_origvattr = *imgp->ip_vattr;
}
error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE, 0,
- UIO_SYSSPACE32, IO_NODELOCKED, cred, &resid, p);
+ UIO_SYSSPACE, IO_NODELOCKED,
+ vfs_context_ucred(imgp->ip_vfs_context),
+ &resid, vfs_context_proc(imgp->ip_vfs_context));
if (error)
goto bad;
-
+
+ if (resid) {
+ memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
+ }
+
encapsulated_binary:
+ /* Limit the number of iterations we will attempt on each binary */
+ if (++itercount > EAI_ITERLIMIT) {
+ error = EBADEXEC;
+ goto bad;
+ }
error = -1;
for(i = 0; error == -1 && execsw[i].ex_imgact != NULL; i++) {
switch (error) {
/* case -1: not claimed: continue */
- case -2: /* Encapsulated binary */
+ case -2: /* Encapsulated binary, imgp->ip_XXX set for next iteration */
goto encapsulated_binary;
case -3: /* Interpreter */
- vnode_put(imgp->ip_vp);
- imgp->ip_vp = NULL; /* already put */
- nd.ni_cnd.cn_nameiop = LOOKUP;
- nd.ni_cnd.cn_flags = (nd.ni_cnd.cn_flags & HASBUF) |
- (FOLLOW | LOCKLEAF);
+#if CONFIG_MACF
+ /*
+ * Copy the script label for later use. Note that
+ * the label can be different when the script is
+ * actually read by the interpreter.
+ */
+ if (imgp->ip_scriptlabelp)
+ mac_vnode_label_free(imgp->ip_scriptlabelp);
+ imgp->ip_scriptlabelp = mac_vnode_label_alloc();
+ if (imgp->ip_scriptlabelp == NULL) {
+ error = ENOMEM;
+ break;
+ }
+ mac_vnode_label_copy(imgp->ip_vp->v_label,
+ imgp->ip_scriptlabelp);
-#ifdef IMGPF_POWERPC
/*
- * PowerPC does not follow symlinks because the
- * code which sets exec_archhandler_ppc.fsid and
- * exec_archhandler_ppc.fileid doesn't follow them.
+ * Take a ref of the script vnode for later use.
*/
- if (imgp->ip_flags & IMGPF_POWERPC)
- nd.ni_cnd.cn_flags &= ~FOLLOW;
-#endif /* IMGPF_POWERPC */
+ if (imgp->ip_scriptvp)
+ vnode_put(imgp->ip_scriptvp);
+ if (vnode_getwithref(imgp->ip_vp) == 0)
+ imgp->ip_scriptvp = imgp->ip_vp;
+#endif
+
+ nameidone(ndp);
- nd.ni_segflg = UIO_SYSSPACE32;
- nd.ni_dirp = CAST_USER_ADDR_T(imgp->ip_interp_name);
+ vnode_put(imgp->ip_vp);
+ imgp->ip_vp = NULL; /* already put */
+ imgp->ip_ndp = NULL; /* already nameidone */
+
+ /* Use excpath, which exec_shell_imgact reset to the interpreter */
+ NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF,
+ UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
+
+ proc_transend(p, 0);
goto again;
default:
break;
}
}
-
- /* call out to allow 3rd party notification of exec.
+
+ /*
+ * Call out to allow 3rd party notification of exec.
* Ignore result of kauth_authorize_fileop call.
*/
if (error == 0 && kauth_authorize_fileop_has_listeners()) {
- kauth_authorize_fileop(vfs_context_ucred(&context), KAUTH_FILEOP_EXEC,
- (uintptr_t)nd.ni_vp, 0);
+ kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
+ KAUTH_FILEOP_EXEC,
+ (uintptr_t)ndp->ni_vp, 0);
}
-
- /* Image not claimed by any activator? */
- if (error == -1)
- error = ENOEXEC;
bad:
- kauth_cred_unref(&cred);
+ proc_transend(p, 0);
- if (imgp->ip_ndp)
- nameidone(imgp->ip_ndp);
- if (imgp->ip_vp)
- vnode_put(imgp->ip_vp);
+bad_notrans:
if (imgp->ip_strings)
execargs_free(imgp);
- if (!error && vfexec) {
- vfork_return(current_thread(), p->p_pptr, p, retval);
- (void)thread_resume(imgp->ip_vfork_thread);
- return(0);
- }
- return(error);
+ if (imgp->ip_ndp)
+ nameidone(imgp->ip_ndp);
+ if (ndp)
+ FREE(ndp, M_TEMP);
+
+ return (error);
}
-static int
-copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
+/*
+ * exec_handle_spawnattr_policy
+ *
+ * Description: Decode and apply the posix_spawn apptype, qos clamp, and watchport ports to the task.
+ *
+ * Parameters: proc_t p process to apply attributes to
+ * int psa_apptype posix spawn attribute apptype
+ *
+ * Returns: 0 Success
+ */
+static errno_t
+exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
+ ipc_port_t * portwatch_ports, int portwatch_count)
{
- int error;
+ int apptype = TASK_APPTYPE_NONE;
+ int qos_clamp = THREAD_QOS_UNSPECIFIED;
+ int role = TASK_UNSPECIFIED;
- if (ptr_size == 4) {
- /* 64 bit value containing 32 bit address */
- unsigned int i;
+ if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != 0) {
+ int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK;
- error = copyin(froma, &i, 4);
- *toptr = CAST_USER_ADDR_T(i); /* SAFE */
- } else {
- error = copyin(froma, toptr, 8);
+ switch(proctype) {
+ case POSIX_SPAWN_PROC_TYPE_DAEMON_INTERACTIVE:
+ apptype = TASK_APPTYPE_DAEMON_INTERACTIVE;
+ break;
+ case POSIX_SPAWN_PROC_TYPE_DAEMON_STANDARD:
+ apptype = TASK_APPTYPE_DAEMON_STANDARD;
+ break;
+ case POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE:
+ apptype = TASK_APPTYPE_DAEMON_ADAPTIVE;
+ break;
+ case POSIX_SPAWN_PROC_TYPE_DAEMON_BACKGROUND:
+ apptype = TASK_APPTYPE_DAEMON_BACKGROUND;
+ break;
+ case POSIX_SPAWN_PROC_TYPE_APP_DEFAULT:
+ apptype = TASK_APPTYPE_APP_DEFAULT;
+ break;
+ case POSIX_SPAWN_PROC_TYPE_APP_TAL:
+ apptype = TASK_APPTYPE_APP_TAL;
+ break;
+ default:
+ apptype = TASK_APPTYPE_NONE;
+ /* TODO: Should an invalid value here fail the spawn? */
+ break;
+ }
}
- return (error);
-}
+ if (psa_qos_clamp != POSIX_SPAWN_PROC_CLAMP_NONE) {
+ switch (psa_qos_clamp) {
+ case POSIX_SPAWN_PROC_CLAMP_UTILITY:
+ qos_clamp = THREAD_QOS_UTILITY;
+ break;
+ case POSIX_SPAWN_PROC_CLAMP_BACKGROUND:
+ qos_clamp = THREAD_QOS_BACKGROUND;
+ break;
+ case POSIX_SPAWN_PROC_CLAMP_MAINTENANCE:
+ qos_clamp = THREAD_QOS_MAINTENANCE;
+ break;
+ default:
+ qos_clamp = THREAD_QOS_UNSPECIFIED;
+ /* TODO: Should an invalid value here fail the spawn? */
+ break;
+ }
+ }
-static int
-copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
-{
- int error;
-
- if (ptr_size == 4) {
- /* 64 bit value containing 32 bit address */
- unsigned int i = CAST_DOWN(unsigned int,ua); /* SAFE */
+ if (psa_darwin_role != PRIO_DARWIN_ROLE_DEFAULT) {
+ proc_darwin_role_to_task_role(psa_darwin_role, &role);
+ }
- error = copyout(&i, ptr, 4);
- } else {
- error = copyout(&ua, ptr, 8);
+ if (apptype != TASK_APPTYPE_NONE ||
+ qos_clamp != THREAD_QOS_UNSPECIFIED ||
+ role != TASK_UNSPECIFIED) {
+ proc_set_task_spawnpolicy(p->task, apptype, qos_clamp, role,
+ portwatch_ports, portwatch_count);
}
- return (error);
+
+ return (0);
}
/*
- * exec_copyout_strings
+ * exec_handle_port_actions
*
- * Copy out the strings segment to user space. The strings segment is put
- * on a preinitialized stack frame.
+ * Description: Go through the _posix_port_actions_t contents,
+ * calling task_set_special_port, task_set_exception_ports
+ * and/or audit_session_spawnjoin for the current task.
*
- * Parameters: struct image_params * the image parameter block
- * int * a pointer to the stack offset variable
+ * Parameters: struct image_params * Image parameter block
+ * short psa_flags posix spawn attribute flags
*
* Returns: 0 Success
- * !0 Faiure: errno
- *
- * Implicit returns:
- * (*stackp) The stack offset, modified
- *
- * Note: The strings segment layout is backward, from the beginning
- * of the top of the stack to consume the minimal amount of
- * space possible; the returned stack pointer points to the
- * end of the area consumed (stacks grow upward).
- *
- * argc is an int; arg[i] are pointers; env[i] are pointers;
- * exec_path is a pointer; the 0's are (void *)NULL's
+ * EINVAL Failure
+ * ENOTSUP Illegal posix_spawn attr flag was set
+ */
+static errno_t
+exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports)
+{
+ _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
+ _ps_port_action_t *act = NULL;
+ task_t task = p->task;
+ ipc_port_t port = NULL;
+ errno_t ret = 0;
+ int i;
+
+ *portwatch_present = FALSE;
+
+ for (i = 0; i < pacts->pspa_count; i++) {
+ act = &pacts->pspa_actions[i];
+
+ if (ipc_object_copyin(get_task_ipcspace(current_task()),
+ act->new_port, MACH_MSG_TYPE_COPY_SEND,
+ (ipc_object_t *) &port) != KERN_SUCCESS) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ switch (act->port_type) {
+ case PSPA_SPECIAL:
+ /* Only allowed when not under vfork */
+ if (!(psa_flags & POSIX_SPAWN_SETEXEC))
+ ret = ENOTSUP;
+ else if (task_set_special_port(task,
+ act->which, port) != KERN_SUCCESS)
+ ret = EINVAL;
+ break;
+
+ case PSPA_EXCEPTION:
+ /* Only allowed when not under vfork */
+ if (!(psa_flags & POSIX_SPAWN_SETEXEC))
+ ret = ENOTSUP;
+ else if (task_set_exception_ports(task,
+ act->mask, port, act->behavior,
+ act->flavor) != KERN_SUCCESS)
+ ret = EINVAL;
+ break;
+#if CONFIG_AUDIT
+ case PSPA_AU_SESSION:
+ ret = audit_session_spawnjoin(p, port);
+ break;
+#endif
+ case PSPA_IMP_WATCHPORTS:
+ if (portwatch_ports != NULL) {
+ *portwatch_present = TRUE;
+ /* hold on to this till end of spawn */
+ portwatch_ports[i] = port;
+ ret = 0;
+ } else
+ ipc_port_release_send(port);
+ break;
+ default:
+ ret = EINVAL;
+ break;
+ }
+
+ /* action failed, so release port resources */
+
+ if (ret) {
+ ipc_port_release_send(port);
+ break;
+ }
+ }
+
+done:
+ if (0 != ret)
+ DTRACE_PROC1(spawn__port__failure, mach_port_name_t, act->new_port);
+ return (ret);
+}
+
+/*
+ * exec_handle_file_actions
*
- * The stack frame layout is:
+ * Description: Go through the _posix_file_actions_t contents applying the
+ * open, close, and dup2 operations to the open file table for
+ * the current process.
*
- * +-------------+
- * sp-> | argc |
- * +-------------+
- * | arg[0] |
- * +-------------+
- * :
- * :
- * +-------------+
- * | arg[argc-1] |
- * +-------------+
- * | 0 |
- * +-------------+
- * | env[0] |
- * +-------------+
- * :
- * :
- * +-------------+
- * | env[n] |
- * +-------------+
- * | 0 |
- * +-------------+
- * | exec_path | In MacOS X PR2 Beaker2E the path passed to exec() is
- * +-------------+ passed on the stack just after the trailing 0 of the
- * | 0 | the envp[] array as a pointer to a string.
- * +-------------+
- * | PATH AREA |
- * +-------------+
- * | STRING AREA |
- * :
- * :
- * | | <- p->user_stack
- * +-------------+
+ * Parameters: struct image_params * Image parameter block
*
- * Although technically a part of the STRING AREA, we treat the PATH AREA as
- * a separate entity. This allows us to align the beginning of the PATH AREA
- * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
- * which preceed it on the stack are properly aligned.
+ * Returns: 0 Success
+ * ???
*
- * TODO: argc copied with suword(), which takes a 64 bit address
+ * Note: Actions are applied in the order specified, with the credential
+ * of the parent process. This is done to permit the parent
+ * process to utilize POSIX_SPAWN_RESETIDS to drop privilege in
+ * the child following operations the child may in fact not be
+ * normally permitted to perform.
*/
static int
-exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
+exec_handle_file_actions(struct image_params *imgp, short psa_flags)
{
- struct proc *p = vfs_context_proc(imgp->ip_vfs_context);
- int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
- char *argv = imgp->ip_argv; /* modifiable copy of argv */
- user_addr_t string_area; /* *argv[], *env[] */
- user_addr_t path_area; /* package launch path */
- user_addr_t ptr_area; /* argv[], env[], exec_path */
- user_addr_t stack;
- int stringc = imgp->ip_argc + imgp->ip_envc;
- int len;
- int error;
- int strspace;
-
- stack = *stackp;
+ int error = 0;
+ int action;
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
+ _posix_spawn_file_actions_t px_sfap = imgp->ip_px_sfa;
+ int ival[2]; /* dummy retval for system calls) */
- unsigned patharea_len = imgp->ip_argv - imgp->ip_strings;
- int envc_add = 0;
-
-#ifdef IMGPF_POWERPC
- /*
- * oah750 expects /usr/lib/dyld\0 as the start of the program name.
- * It also expects to have a certain environment variable set to 0.
- * 50 bytes for each to ensure we have enough space without having
- * to count every byte.
- */
- char *progname, *envvar;
- char progname_str[] = "/usr/lib/dyld";
- char envvar_str[] = "OAH750_CFG_FU_STACK_SIZE=0";
-
- if (imgp->ip_flags & IMGPF_POWERPC) {
- progname = progname_str;
- envvar = envvar_str;
- patharea_len += strlen(progname) + strlen(envvar) + 2;
- envc_add = 1;
- }
-#endif /* IMGPF_POWERPC */
- /*
- * Set up pointers to the beginning of the string area, the beginning
- * of the path area, and the beginning of the pointer area (actually,
- * the location of argc, an int, which may be smaller than a pointer,
- * but we use ptr_size worth of space for it, for alignment).
- */
- string_area = stack - (((imgp->ip_strendp - imgp->ip_strings) + ptr_size-1) & ~(ptr_size-1)) - ptr_size;
- path_area = string_area - ((patharea_len + ptr_size-1) & ~(ptr_size-1));
- ptr_area = path_area - ((imgp->ip_argc + imgp->ip_envc + 4 + envc_add) * ptr_size) - ptr_size /*argc*/;
+ for (action = 0; action < px_sfap->psfa_act_count; action++) {
+ _psfa_action_t *psfa = &px_sfap->psfa_act_acts[ action];
- /* Return the initial stack address: the location of argc */
- *stackp = ptr_area;
+ switch(psfa->psfaa_type) {
+ case PSFA_OPEN: {
+ /*
+ * Open is different, in that it requires the use of
+ * a path argument, which is normally copied in from
+ * user space; because of this, we have to support an
+ * open from kernel space that passes an address space
+ * context of UIO_SYSSPACE, and casts the address
+ * argument to a user_addr_t.
+ */
+ char *bufp = NULL;
+ struct vnode_attr *vap;
+ struct nameidata *ndp;
+ int mode = psfa->psfaa_openargs.psfao_mode;
+ struct dup2_args dup2a;
+ struct close_nocancel_args ca;
+ int origfd;
+
+ MALLOC(bufp, char *, sizeof(*vap) + sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
+ if (bufp == NULL) {
+ error = ENOMEM;
+ break;
+ }
- /*
- * Record the size of the arguments area so that sysctl_procargs()
- * can return the argument area without having to parse the arguments.
- */
- p->p_argc = imgp->ip_argc;
- p->p_argslen = (int)(stack - path_area);
+ vap = (struct vnode_attr *) bufp;
+ ndp = (struct nameidata *) (bufp + sizeof(*vap));
+ VATTR_INIT(vap);
+ /* Mask off all but regular access permissions */
+ mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
+ VATTR_SET(vap, va_mode, mode & ACCESSPERMS);
- /*
- * Support for new app package launching for Mac OS X allocates
- * the "path" at the begining of the imgp->ip_strings buffer.
- * copy it just before the string area.
- */
- len = 0;
-#ifdef IMGPF_POWERPC
- if (imgp->ip_flags & IMGPF_POWERPC) {
- error = copyoutstr(progname, path_area,
- patharea_len,
- (size_t *)&len);
- if (error)
- goto bad;
- error = copyoutstr(imgp->ip_strings, path_area + strlen(progname) + 1,
- patharea_len,
- (size_t *)&len);
- } else
-#endif /* IMGPF_POWERPC */
- error = copyoutstr(imgp->ip_strings, path_area,
- patharea_len,
- (size_t *)&len);
- if (error)
- goto bad;
+ NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
+ CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
+ imgp->ip_vfs_context);
+ error = open1(imgp->ip_vfs_context,
+ ndp,
+ psfa->psfaa_openargs.psfao_oflag,
+ vap,
+ fileproc_alloc_init, NULL,
+ ival);
- /* Save a NULL pointer below it */
- (void)copyoutptr(0LL, path_area - ptr_size, ptr_size);
+ FREE(bufp, M_TEMP);
- /* Save the pointer to "path" just below it */
- (void)copyoutptr(path_area, path_area - 2*ptr_size, ptr_size);
+ /*
+ * If there's an error, or we get the right fd by
+ * accident, then drop out here. This is easier than
+ * reworking all the open code to preallocate fd
+ * slots, and internally taking one as an argument.
+ */
+ if (error || ival[0] == psfa->psfaa_filedes)
+ break;
+
+ origfd = ival[0];
+ /*
+ * If we didn't fall out from an error, we ended up
+ * with the wrong fd; so now we've got to try to dup2
+ * it to the right one.
+ */
+ dup2a.from = origfd;
+ dup2a.to = psfa->psfaa_filedes;
+
+ /*
+ * The dup2() system call implementation sets
+ * ival to newfd in the success case, but we
+ * can ignore that, since if we didn't get the
+ * fd we wanted, the error will stop us.
+ */
+ error = dup2(p, &dup2a, ival);
+ if (error)
+ break;
+
+ /*
+ * Finally, close the original fd.
+ */
+ ca.fd = origfd;
+
+ error = close_nocancel(p, &ca, ival);
+ }
+ break;
+
+ case PSFA_DUP2: {
+ struct dup2_args dup2a;
+
+ dup2a.from = psfa->psfaa_filedes;
+ dup2a.to = psfa->psfaa_openargs.psfao_oflag;
+
+ /*
+ * The dup2() system call implementation sets
+ * ival to newfd in the success case, but we
+ * can ignore that, since if we didn't get the
+ * fd we wanted, the error will stop us.
+ */
+ error = dup2(p, &dup2a, ival);
+ }
+ break;
+
+ case PSFA_CLOSE: {
+ struct close_nocancel_args ca;
+
+ ca.fd = psfa->psfaa_filedes;
+
+ error = close_nocancel(p, &ca, ival);
+ }
+ break;
+
+ case PSFA_INHERIT: {
+ struct fcntl_nocancel_args fcntla;
+
+ /*
+ * Check to see if the descriptor exists, and
+ * ensure it's -not- marked as close-on-exec.
+ *
+ * Attempting to "inherit" a guarded fd will
+ * result in a error.
+ */
+ fcntla.fd = psfa->psfaa_filedes;
+ fcntla.cmd = F_GETFD;
+ if ((error = fcntl_nocancel(p, &fcntla, ival)) != 0)
+ break;
+
+ if ((ival[0] & FD_CLOEXEC) == FD_CLOEXEC) {
+ fcntla.fd = psfa->psfaa_filedes;
+ fcntla.cmd = F_SETFD;
+ fcntla.arg = ival[0] & ~FD_CLOEXEC;
+ error = fcntl_nocancel(p, &fcntla, ival);
+ }
+
+ }
+ break;
+
+ default:
+ error = EINVAL;
+ break;
+ }
+
+ /* All file actions failures are considered fatal, per POSIX */
+
+ if (error) {
+ if (PSFA_OPEN == psfa->psfaa_type) {
+ DTRACE_PROC1(spawn__open__failure, uintptr_t,
+ psfa->psfaa_openargs.psfao_path);
+ } else {
+ DTRACE_PROC1(spawn__fd__failure, int, psfa->psfaa_filedes);
+ }
+ break;
+ }
+ }
+
+ if (error != 0 || (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == 0)
+ return (error);
+
+ /*
+ * If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during
+ * this spawn only) as if "close on exec" is the default
+ * disposition of all pre-existing file descriptors. In this case,
+ * the list of file descriptors mentioned in the file actions
+ * are the only ones that can be inherited, so mark them now.
+ *
+ * The actual closing part comes later, in fdexec().
+ */
+ proc_fdlock(p);
+ for (action = 0; action < px_sfap->psfa_act_count; action++) {
+ _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
+ int fd = psfa->psfaa_filedes;
+
+ switch (psfa->psfaa_type) {
+ case PSFA_DUP2:
+ fd = psfa->psfaa_openargs.psfao_oflag;
+ /*FALLTHROUGH*/
+ case PSFA_OPEN:
+ case PSFA_INHERIT:
+ *fdflags(p, fd) |= UF_INHERIT;
+ break;
+
+ case PSFA_CLOSE:
+ break;
+ }
+ }
+ proc_fdunlock(p);
+
+ return (0);
+}
+
+#if CONFIG_MACF
+/*
+ * exec_spawnattr_getmacpolicyinfo
+ */
+void *
+exec_spawnattr_getmacpolicyinfo(const void *macextensions, const char *policyname, size_t *lenp)
+{
+ const struct _posix_spawn_mac_policy_extensions *psmx = macextensions;
+ int i;
+
+ if (psmx == NULL)
+ return NULL;
+
+ for (i = 0; i < psmx->psmx_count; i++) {
+ const _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
+ if (strncmp(extension->policyname, policyname, sizeof(extension->policyname)) == 0) {
+ if (lenp != NULL)
+ *lenp = extension->datalen;
+ return extension->datap;
+ }
+ }
+
+ if (lenp != NULL)
+ *lenp = 0;
+ return NULL;
+}
+
+static int
+spawn_copyin_macpolicyinfo(const struct user__posix_spawn_args_desc *px_args, _posix_spawn_mac_policy_extensions_t *psmxp)
+{
+ _posix_spawn_mac_policy_extensions_t psmx = NULL;
+ int error = 0;
+ int copycnt = 0;
+ int i = 0;
+
+ *psmxp = NULL;
+
+ if (px_args->mac_extensions_size < PS_MAC_EXTENSIONS_SIZE(1) ||
+ px_args->mac_extensions_size > PAGE_SIZE) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ MALLOC(psmx, _posix_spawn_mac_policy_extensions_t, px_args->mac_extensions_size, M_TEMP, M_WAITOK);
+ if ((error = copyin(px_args->mac_extensions, psmx, px_args->mac_extensions_size)) != 0)
+ goto bad;
+
+ if (PS_MAC_EXTENSIONS_SIZE(psmx->psmx_count) > px_args->mac_extensions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ for (i = 0; i < psmx->psmx_count; i++) {
+ _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
+ if (extension->datalen == 0 || extension->datalen > PAGE_SIZE) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+
+ for (copycnt = 0; copycnt < psmx->psmx_count; copycnt++) {
+ _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt];
+ void *data = NULL;
+
+ MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK);
+ if ((error = copyin(extension->data, data, extension->datalen)) != 0) {
+ FREE(data, M_TEMP);
+ goto bad;
+ }
+ extension->datap = data;
+ }
+
+ *psmxp = psmx;
+ return 0;
+
+bad:
+ if (psmx != NULL) {
+ for (i = 0; i < copycnt; i++)
+ FREE(psmx->psmx_extensions[i].datap, M_TEMP);
+ FREE(psmx, M_TEMP);
+ }
+ return error;
+}
+
+static void
+spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx)
+{
+ int i;
+
+ if (psmx == NULL)
+ return;
+ for (i = 0; i < psmx->psmx_count; i++)
+ FREE(psmx->psmx_extensions[i].datap, M_TEMP);
+ FREE(psmx, M_TEMP);
+}
+#endif /* CONFIG_MACF */
+
+#if CONFIG_COALITIONS
+static inline void spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES])
+{
+ for (int c = 0; c < COALITION_NUM_TYPES; c++) {
+ if (coal[c]) {
+ coalition_remove_active(coal[c]);
+ coalition_release(coal[c]);
+ }
+ }
+}
+#endif
+
+void
+proc_set_return_wait(proc_t p)
+{
+ proc_lock(p);
+ p->p_lflag |= P_LRETURNWAIT;
+ proc_unlock(p);
+}
+
+void
+proc_clear_return_wait(proc_t p, thread_t child_thread)
+{
+ proc_lock(p);
+
+ p->p_lflag &= ~P_LRETURNWAIT;
+ if (p->p_lflag & P_LRETURNWAITER) {
+ wakeup(&p->p_lflag);
+ }
+
+ proc_unlock(p);
+
+ (void)thread_resume(child_thread);
+}
+
+void
+proc_wait_to_return()
+{
+ proc_t p;
+
+ p = current_proc();
+ proc_lock(p);
+
+ if (p->p_lflag & P_LRETURNWAIT) {
+ p->p_lflag |= P_LRETURNWAITER;
+ do {
+ msleep(&p->p_lflag, &p->p_mlock, 0,
+ "thread_check_setup_complete", NULL);
+ } while (p->p_lflag & P_LRETURNWAIT);
+ p->p_lflag &= ~P_LRETURNWAITER;
+ }
+
+ proc_unlock(p);
+ thread_bootstrap_return();
+}
+
+/*
+ * posix_spawn
+ *
+ * Parameters: uap->pid Pointer to pid return area
+ * uap->fname File name to exec
+ * uap->argp Argument list
+ * uap->envp Environment list
+ *
+ * Returns: 0 Success
+ * EINVAL Invalid argument
+ * ENOTSUP Not supported
+ * ENOEXEC Executable file format error
+ * exec_activate_image:EINVAL Invalid argument
+ * exec_activate_image:EACCES Permission denied
+ * exec_activate_image:EINTR Interrupted function
+ * exec_activate_image:ENOMEM Not enough space
+ * exec_activate_image:EFAULT Bad address
+ * exec_activate_image:ENAMETOOLONG Filename too long
+ * exec_activate_image:ENOEXEC Executable file format error
+ * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
+ * exec_activate_image:EBADEXEC The executable is corrupt/unknown
+ * exec_activate_image:???
+ * mac_execve_enter:???
+ *
+ * TODO: Expect to need __mac_posix_spawn() at some point...
+ * Handle posix_spawnattr_t
+ * Handle posix_spawn_file_actions_t
+ */
+int
+posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
+{
+ proc_t p = ap; /* quiet bogus GCC vfork() warning */
+ user_addr_t pid = uap->pid;
+ int ival[2]; /* dummy retval for setpgid() */
+ char *bufp = NULL;
+ struct image_params *imgp;
+ struct vnode_attr *vap;
+ struct vnode_attr *origvap;
+ struct uthread *uthread = 0; /* compiler complains if not set to 0*/
+ int error, sig;
+ int is_64 = IS_64BIT_PROCESS(p);
+ struct vfs_context context;
+ struct user__posix_spawn_args_desc px_args;
+ struct _posix_spawnattr px_sa;
+ _posix_spawn_file_actions_t px_sfap = NULL;
+ _posix_spawn_port_actions_t px_spap = NULL;
+ struct __kern_sigaction vec;
+ boolean_t spawn_no_exec = FALSE;
+ boolean_t proc_transit_set = TRUE;
+ boolean_t exec_done = FALSE;
+ int portwatch_count = 0;
+ ipc_port_t * portwatch_ports = NULL;
+ vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
+
+ /*
+ * Allocate a big chunk for locals instead of using stack since these
+ * structures are pretty big.
+ */
+ MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
+ imgp = (struct image_params *) bufp;
+ if (bufp == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
+ origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
+
+ /* Initialize the common data in the image_params structure */
+ imgp->ip_user_fname = uap->path;
+ imgp->ip_user_argv = uap->argv;
+ imgp->ip_user_envv = uap->envp;
+ imgp->ip_vattr = vap;
+ imgp->ip_origvattr = origvap;
+ imgp->ip_vfs_context = &context;
+ imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
+ imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
+ imgp->ip_mac_return = 0;
+ imgp->ip_reserved = NULL;
+
+ if (uap->adesc != USER_ADDR_NULL) {
+ if(is_64) {
+ error = copyin(uap->adesc, &px_args, sizeof(px_args));
+ } else {
+ struct user32__posix_spawn_args_desc px_args32;
+
+ error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
+
+ /*
+ * Convert arguments descriptor from external 32 bit
+ * representation to internal 64 bit representation
+ */
+ px_args.attr_size = px_args32.attr_size;
+ px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
+ px_args.file_actions_size = px_args32.file_actions_size;
+ px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
+ px_args.port_actions_size = px_args32.port_actions_size;
+ px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
+ px_args.mac_extensions_size = px_args32.mac_extensions_size;
+ px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
+ px_args.coal_info_size = px_args32.coal_info_size;
+ px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
+ px_args.reserved = 0;
+ px_args.reserved_size = 0;
+ }
+ if (error)
+ goto bad;
+
+ if (px_args.attr_size != 0) {
+ /*
+ * We are not copying the port_actions pointer,
+ * because we already have it from px_args.
+ * This is a bit fragile: <rdar://problem/16427422>
+ */
+
+ if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset) != 0))
+ goto bad;
+
+ bzero( (void *)( (unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );
+
+ imgp->ip_px_sa = &px_sa;
+ }
+ if (px_args.file_actions_size != 0) {
+ /* Limit file_actions to allowed number of open files */
+ int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
+ if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
+ px_args.file_actions_size > PSF_ACTIONS_SIZE(maxfa)) {
+ error = EINVAL;
+ goto bad;
+ }
+ MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
+ if (px_sfap == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_sfa = px_sfap;
+
+ if ((error = copyin(px_args.file_actions, px_sfap,
+ px_args.file_actions_size)) != 0)
+ goto bad;
+
+ /* Verify that the action count matches the struct size */
+ if (PSF_ACTIONS_SIZE(px_sfap->psfa_act_count) != px_args.file_actions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+ if (px_args.port_actions_size != 0) {
+ /* Limit port_actions to one page of data */
+ if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
+ px_args.port_actions_size > PAGE_SIZE) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ MALLOC(px_spap, _posix_spawn_port_actions_t,
+ px_args.port_actions_size, M_TEMP, M_WAITOK);
+ if (px_spap == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_spa = px_spap;
+
+ if ((error = copyin(px_args.port_actions, px_spap,
+ px_args.port_actions_size)) != 0)
+ goto bad;
+
+ /* Verify that the action count matches the struct size */
+ if (PS_PORT_ACTIONS_SIZE(px_spap->pspa_count) != px_args.port_actions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+
+#if CONFIG_MACF
+ if (px_args.mac_extensions_size != 0) {
+ if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0)
+ goto bad;
+ }
+#endif /* CONFIG_MACF */
+ }
+
+ /* set uthread to parent */
+ uthread = get_bsdthread_info(current_thread());
+
+ /*
+ * <rdar://6640530>; this does not result in a behaviour change
+ * relative to Leopard, so there should not be any existing code
+ * which depends on it.
+ */
+ if (uthread->uu_flag & UT_VFORK) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ /*
+ * If we don't have the extension flag that turns "posix_spawn()"
+ * into "execve() with options", then we will be creating a new
+ * process which does not inherit memory from the parent process,
+ * which is one of the most expensive things about using fork()
+ * and execve().
+ */
+ if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){
+
+ /* Set the new task's coalition, if it is requested. */
+ coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
+#if CONFIG_COALITIONS
+ int i, ncoals;
+ kern_return_t kr = KERN_SUCCESS;
+ struct _posix_spawn_coalition_info coal_info;
+ int coal_role[COALITION_NUM_TYPES];
+
+ if (imgp->ip_px_sa == NULL || !px_args.coal_info)
+ goto do_fork1;
+
+ memset(&coal_info, 0, sizeof(coal_info));
+
+ if (px_args.coal_info_size > sizeof(coal_info))
+ px_args.coal_info_size = sizeof(coal_info);
+ error = copyin(px_args.coal_info,
+ &coal_info, px_args.coal_info_size);
+ if (error != 0)
+ goto bad;
+
+ ncoals = 0;
+ for (i = 0; i < COALITION_NUM_TYPES; i++) {
+ uint64_t cid = coal_info.psci_info[i].psci_id;
+ if (cid != 0) {
+ /*
+ * don't allow tasks which are not in a
+ * privileged coalition to spawn processes
+ * into coalitions other than their own
+ */
+ if (!task_is_in_privileged_coalition(p->task, i)) {
+ coal_dbg("ERROR: %d not in privilegd "
+ "coalition of type %d",
+ p->p_pid, i);
+ spawn_coalitions_release_all(coal);
+ error = EPERM;
+ goto bad;
+ }
+
+ coal_dbg("searching for coalition id:%llu", cid);
+ /*
+ * take a reference and activation on the
+ * coalition to guard against free-while-spawn
+ * races
+ */
+ coal[i] = coalition_find_and_activate_by_id(cid);
+ if (coal[i] == COALITION_NULL) {
+ coal_dbg("could not find coalition id:%llu "
+ "(perhaps it has been terminated or reaped)", cid);
+ /*
+ * release any other coalition's we
+ * may have a reference to
+ */
+ spawn_coalitions_release_all(coal);
+ error = ESRCH;
+ goto bad;
+ }
+ if (coalition_type(coal[i]) != i) {
+ coal_dbg("coalition with id:%lld is not of type:%d"
+ " (it's type:%d)", cid, i, coalition_type(coal[i]));
+ error = ESRCH;
+ goto bad;
+ }
+ coal_role[i] = coal_info.psci_info[i].psci_role;
+ ncoals++;
+ }
+ }
+ if (ncoals < COALITION_NUM_TYPES) {
+ /*
+ * If the user is attempting to spawn into a subset of
+ * the known coalition types, then make sure they have
+ * _at_least_ specified a resource coalition. If not,
+ * the following fork1() call will implicitly force an
+ * inheritance from 'p' and won't actually spawn the
+ * new task into the coalitions the user specified.
+ * (also the call to coalitions_set_roles will panic)
+ */
+ if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) {
+ spawn_coalitions_release_all(coal);
+ error = EINVAL;
+ goto bad;
+ }
+ }
+do_fork1:
+#endif /* CONFIG_COALITIONS */
+
+ error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
+
+#if CONFIG_COALITIONS
+ /* set the roles of this task within each given coalition */
+ if (error == 0) {
+ kr = coalitions_set_roles(coal, get_threadtask(imgp->ip_new_thread), coal_role);
+ if (kr != KERN_SUCCESS)
+ error = EINVAL;
+ }
+
+ /* drop our references and activations - fork1() now holds them */
+ spawn_coalitions_release_all(coal);
+#endif /* CONFIG_COALITIONS */
+ if (error != 0) {
+ goto bad;
+ }
+ imgp->ip_flags |= IMGPF_SPAWN; /* spawn w/o exec */
+ spawn_no_exec = TRUE; /* used in later tests */
+
+ }
+
+ if (spawn_no_exec) {
+ p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
+
+ /*
+ * We had to wait until this point before firing the
+ * proc:::create probe, otherwise p would not point to the
+ * child process.
+ */
+ DTRACE_PROC1(create, proc_t, p);
+ }
+ assert(p != NULL);
+
+ /* By default, the thread everyone plays with is the parent */
+ context.vc_thread = current_thread();
+ context.vc_ucred = p->p_ucred; /* XXX must NOT be kauth_cred_get() */
+
+ /*
+ * However, if we're not in the setexec case, redirect the context
+ * to the newly created process instead
+ */
+ if (spawn_no_exec)
+ context.vc_thread = imgp->ip_new_thread;
+
+ /*
+ * Post fdcopy(), pre exec_handle_sugid() - this is where we want
+ * to handle the file_actions. Since vfork() also ends up setting
+ * us into the parent process group, and saved off the signal flags,
+ * this is also where we want to handle the spawn flags.
+ */
+
+ /* Has spawn file actions? */
+ if (imgp->ip_px_sfa != NULL) {
+ /*
+ * The POSIX_SPAWN_CLOEXEC_DEFAULT flag
+ * is handled in exec_handle_file_actions().
+ */
+ if ((error = exec_handle_file_actions(imgp,
+ imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0)) != 0)
+ goto bad;
+ }
+
+ /* Has spawn port actions? */
+ if (imgp->ip_px_spa != NULL) {
+ boolean_t is_adaptive = FALSE;
+ boolean_t portwatch_present = FALSE;
+
+ /* Will this process become adaptive? The apptype isn't ready yet, so we can't look there. */
+ if (imgp->ip_px_sa != NULL && px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE)
+ is_adaptive = TRUE;
+
+ /*
+ * portwatch only:
+ * Allocate a place to store the ports we want to bind to the new task
+ * We can't bind them until after the apptype is set.
+ */
+ if (px_spap->pspa_count != 0 && is_adaptive) {
+ portwatch_count = px_spap->pspa_count;
+ MALLOC(portwatch_ports, ipc_port_t *, (sizeof(ipc_port_t) * portwatch_count), M_TEMP, M_WAITOK | M_ZERO);
+ } else {
+ portwatch_ports = NULL;
+ }
+
+ if ((error = exec_handle_port_actions(imgp,
+ imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0, &portwatch_present, portwatch_ports)) != 0)
+ goto bad;
+
+ if (portwatch_present == FALSE && portwatch_ports != NULL) {
+ FREE(portwatch_ports, M_TEMP);
+ portwatch_ports = NULL;
+ portwatch_count = 0;
+ }
+ }
+
+ /* Has spawn attr? */
+ if (imgp->ip_px_sa != NULL) {
+ /*
+ * Set the process group ID of the child process; this has
+ * to happen before the image activation.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
+ struct setpgid_args spga;
+ spga.pid = p->p_pid;
+ spga.pgid = px_sa.psa_pgroup;
+ /*
+ * Effectively, call setpgid() system call; works
+ * because there are no pointer arguments.
+ */
+ if((error = setpgid(p, &spga, ival)) != 0)
+ goto bad;
+ }
+
+ /*
+ * Reset UID/GID to parent's RUID/RGID; This works only
+ * because the operation occurs *after* the vfork() and
+ * before the call to exec_handle_sugid() by the image
+ * activator called from exec_activate_image(). POSIX
+ * requires that any setuid/setgid bits on the process
+ * image will take precedence over the spawn attributes
+ * (re)setting them.
+ *
+ * The use of p_ucred is safe, since we are acting on the
+ * new process, and it has no threads other than the one
+ * we are creating for it.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
+ kauth_cred_t my_cred = p->p_ucred;
+ kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
+ if (my_new_cred != my_cred) {
+ p->p_ucred = my_new_cred;
+ /* update cred on proc */
+ PROC_UPDATE_CREDS_ONPROC(p);
+ }
+ }
+
+#if !SECURE_KERNEL
+ /*
+ * Disable ASLR for the spawned process.
+ *
+ * But only do so if we are not embedded + RELEASE.
+ * While embedded allows for a boot-arg (-disable_aslr)
+ * to deal with this (which itself is only honored on
+ * DEVELOPMENT or DEBUG builds of xnu), it is often
+ * useful or necessary to disable ASLR on a per-process
+ * basis for unit testing and debugging.
+ */
+ if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR)
+ OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
+#endif /* !SECURE_KERNEL */
+
+ /*
+ * Forcibly disallow execution from data pages for the spawned process
+ * even if it would otherwise be permitted by the architecture default.
+ */
+ if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC)
+ imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;
+ }
+
+ /*
+ * Disable ASLR during image activation. This occurs either if the
+ * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
+ * P_DISABLE_ASLR was inherited from the parent process.
+ */
+ if (p->p_flag & P_DISABLE_ASLR)
+ imgp->ip_flags |= IMGPF_DISABLE_ASLR;
+
+ /*
+ * Clear transition flag so we won't hang if exec_activate_image() causes
+ * an automount (and launchd does a proc sysctl to service it).
+ *
+ * <rdar://problem/6848672>, <rdar://problem/5959568>.
+ */
+ if (spawn_no_exec) {
+ proc_transend(p, 0);
+ proc_transit_set = 0;
+ }
+
+#if MAC_SPAWN /* XXX */
+ if (uap->mac_p != USER_ADDR_NULL) {
+ error = mac_execve_enter(uap->mac_p, imgp);
+ if (error)
+ goto bad;
+ }
+#endif
+
+ /*
+ * Activate the image
+ */
+ error = exec_activate_image(imgp);
+
+ if (error == 0) {
+ /* process completed the exec */
+ exec_done = TRUE;
+ } else if (error == -1) {
+ /* Image not claimed by any activator? */
+ error = ENOEXEC;
+ }
+
+ /*
+ * If we have a spawn attr, and it contains signal related flags,
+ * the we need to process them in the "context" of the new child
+ * process, so we have to process it following image activation,
+ * prior to making the thread runnable in user space. This is
+ * necessitated by some signal information being per-thread rather
+ * than per-process, and we don't have the new allocation in hand
+ * until after the image is activated.
+ */
+ if (!error && imgp->ip_px_sa != NULL) {
+ thread_t child_thread = current_thread();
+ uthread_t child_uthread = uthread;
+
+ /*
+ * If we created a new child thread, then the thread and
+ * uthread are different than the current ones; otherwise,
+ * we leave them, since we are in the exec case instead.
+ */
+ if (spawn_no_exec) {
+ child_thread = imgp->ip_new_thread;
+ child_uthread = get_bsdthread_info(child_thread);
+ }
+
+ /*
+ * Mask a list of signals, instead of them being unmasked, if
+ * they were unmasked in the parent; note that some signals
+ * are not maskable.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK)
+ child_uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
+ /*
+ * Default a list of signals instead of ignoring them, if
+ * they were ignored in the parent. Note that we pass
+ * spawn_no_exec to setsigvec() to indicate that we called
+ * fork1() and therefore do not need to call proc_signalstart()
+ * internally.
+ */
+ if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
+ vec.sa_handler = SIG_DFL;
+ vec.sa_tramp = 0;
+ vec.sa_mask = 0;
+ vec.sa_flags = 0;
+ for (sig = 0; sig < NSIG; sig++)
+ if (px_sa.psa_sigdefault & (1 << sig)) {
+ error = setsigvec(p, child_thread, sig + 1, &vec, spawn_no_exec);
+ }
+ }
+
+ /*
+ * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
+ * usage limit, which will generate a resource exceeded exception if any one thread exceeds the
+ * limit.
+ *
+ * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
+ */
+ if (px_sa.psa_cpumonitor_percent != 0) {
+ /*
+ * Always treat a CPU monitor activation coming from spawn as entitled. Requiring
+ * an entitlement to configure the monitor a certain way seems silly, since
+ * whomever is turning it on could just as easily choose not to do so.
+ */
+ error = proc_set_task_ruse_cpu(p->task,
+ TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
+ px_sa.psa_cpumonitor_percent,
+ px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
+ 0, TRUE);
+ }
+ }
+
+bad:
+
+ if (error == 0) {
+ /* reset delay idle sleep status if set */
+ if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP)
+ OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
+ /* upon successful spawn, re/set the proc control state */
+ if (imgp->ip_px_sa != NULL) {
+ switch (px_sa.psa_pcontrol) {
+ case POSIX_SPAWN_PCONTROL_THROTTLE:
+ p->p_pcaction = P_PCTHROTTLE;
+ break;
+ case POSIX_SPAWN_PCONTROL_SUSPEND:
+ p->p_pcaction = P_PCSUSP;
+ break;
+ case POSIX_SPAWN_PCONTROL_KILL:
+ p->p_pcaction = P_PCKILL;
+ break;
+ case POSIX_SPAWN_PCONTROL_NONE:
+ default:
+ p->p_pcaction = 0;
+ break;
+ };
+ }
+ exec_resettextvp(p, imgp);
+
+#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
+ /* Has jetsam attributes? */
+ if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
+ /*
+ * With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no
+ * longer relevant, as background limits are described via the inactive limit slots.
+ * At the kernel layer, the flag is ignored.
+ *
+ * That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in,
+ * we attempt to mimic previous behavior by forcing the BG limit data into the
+ * inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode.
+ * The kernel layer will flag this mapping.
+ */
+ if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) {
+ memorystatus_update(p, px_sa.psa_priority, 0,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
+ TRUE,
+ -1, TRUE,
+ px_sa.psa_memlimit_inactive, FALSE,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND));
+ } else {
+ memorystatus_update(p, px_sa.psa_priority, 0,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
+ TRUE,
+ px_sa.psa_memlimit_active,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL),
+ px_sa.psa_memlimit_inactive,
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL),
+ (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND));
+ }
+
+ }
+#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM*/
+ }
+
+ /*
+ * If we successfully called fork1(), we always need to do this;
+ * we identify this case by noting the IMGPF_SPAWN flag. This is
+ * because we come back from that call with signals blocked in the
+ * child, and we have to unblock them, but we want to wait until
+ * after we've performed any spawn actions. This has to happen
+ * before check_for_signature(), which uses psignal.
+ */
+ if (spawn_no_exec) {
+ if (proc_transit_set)
+ proc_transend(p, 0);
+
+ /*
+ * Drop the signal lock on the child which was taken on our
+ * behalf by forkproc()/cloneproc() to prevent signals being
+ * received by the child in a partially constructed state.
+ */
+ proc_signalend(p, 0);
+
+ /* flag the 'fork' has occurred */
+ proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
+ /* then flag exec has occurred */
+ /* notify only if it has not failed due to FP Key error */
+ if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)
+ proc_knote(p, NOTE_EXEC);
+ } else if (error == 0) {
+ /* reset the importance attribute from our previous life */
+ task_importance_reset(p->task);
+
+ /* reset atm context from task */
+ task_atm_reset(p->task);
+ }
+
+ /*
+ * Apply the spawnattr policy, apptype (which primes the task for importance donation),
+ * and bind any portwatch ports to the new task.
+ * This must be done after the exec so that the child's thread is ready,
+ * and after the in transit state has been released, because priority is
+ * dropped here so we need to be prepared for a potentially long preemption interval
+ *
+ * TODO: Consider splitting this up into separate phases
+ */
+ if (error == 0 && imgp->ip_px_sa != NULL) {
+ struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+
+ exec_handle_spawnattr_policy(p, psa->psa_apptype, psa->psa_qos_clamp, psa->psa_darwin_role,
+ portwatch_ports, portwatch_count);
+ }
+
+ /* Apply the main thread qos */
+ if (error == 0) {
+ thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread();
+
+ task_set_main_thread_qos(p->task, main_thread);
+ }
+
+ /*
+ * Release any ports we kept around for binding to the new task
+ * We need to release the rights even if the posix_spawn has failed.
+ */
+ if (portwatch_ports != NULL) {
+ for (int i = 0; i < portwatch_count; i++) {
+ ipc_port_t port = NULL;
+ if ((port = portwatch_ports[i]) != NULL) {
+ ipc_port_release_send(port);
+ }
+ }
+ FREE(portwatch_ports, M_TEMP);
+ portwatch_ports = NULL;
+ portwatch_count = 0;
+ }
+
+ /*
+ * We have to delay operations which might throw a signal until after
+ * the signals have been unblocked; however, we want that to happen
+ * after exec_resettextvp() so that the textvp is correct when they
+ * fire.
+ */
+ if (error == 0) {
+ error = check_for_signature(p, imgp);
+
+ /*
+ * Pay for our earlier safety; deliver the delayed signals from
+ * the incomplete spawn process now that it's complete.
+ */
+ if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
+ psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
+ }
+ }
+
+
+ if (imgp != NULL) {
+ if (imgp->ip_vp)
+ vnode_put(imgp->ip_vp);
+ if (imgp->ip_scriptvp)
+ vnode_put(imgp->ip_scriptvp);
+ if (imgp->ip_strings)
+ execargs_free(imgp);
+ if (imgp->ip_px_sfa != NULL)
+ FREE(imgp->ip_px_sfa, M_TEMP);
+ if (imgp->ip_px_spa != NULL)
+ FREE(imgp->ip_px_spa, M_TEMP);
+#if CONFIG_MACF
+ if (imgp->ip_px_smpx != NULL)
+ spawn_free_macpolicyinfo(imgp->ip_px_smpx);
+ if (imgp->ip_execlabelp)
+ mac_cred_label_free(imgp->ip_execlabelp);
+ if (imgp->ip_scriptlabelp)
+ mac_vnode_label_free(imgp->ip_scriptlabelp);
+#endif
+ }
+
+#if CONFIG_DTRACE
+ if (spawn_no_exec) {
+ /*
+ * In the original DTrace reference implementation,
+ * posix_spawn() was a libc routine that just
+ * did vfork(2) then exec(2). Thus the proc::: probes
+ * are very fork/exec oriented. The details of this
+ * in-kernel implementation of posix_spawn() is different
+ * (while producing the same process-observable effects)
+ * particularly w.r.t. errors, and which thread/process
+ * is constructing what on behalf of whom.
+ */
+ if (error) {
+ DTRACE_PROC1(spawn__failure, int, error);
+ } else {
+ DTRACE_PROC(spawn__success);
+ /*
+ * Some DTrace scripts, e.g. newproc.d in
+ * /usr/bin, rely on the the 'exec-success'
+ * probe being fired in the child after the
+ * new process image has been constructed
+ * in order to determine the associated pid.
+ *
+ * So, even though the parent built the image
+ * here, for compatibility, mark the new thread
+ * so 'exec-success' fires on it as it leaves
+ * the kernel.
+ */
+ dtrace_thread_didexec(imgp->ip_new_thread);
+ }
+ } else {
+ if (error) {
+ DTRACE_PROC1(exec__failure, int, error);
+ } else {
+ DTRACE_PROC(exec__success);
+ }
+ }
+
+ if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL)
+ (*dtrace_proc_waitfor_hook)(p);
+#endif
+
+ /* Return to both the parent and the child? */
+ if (imgp != NULL && spawn_no_exec) {
+ /*
+ * If the parent wants the pid, copy it out
+ */
+ if (pid != USER_ADDR_NULL)
+ (void)suword(pid, p->p_pid);
+ retval[0] = error;
+
+ /*
+ * If we had an error, perform an internal reap ; this is
+ * entirely safe, as we have a real process backing us.
+ */
+ if (error) {
+ proc_list_lock();
+ p->p_listflag |= P_LIST_DEADPARENT;
+ proc_list_unlock();
+ proc_lock(p);
+ /* make sure no one else has killed it off... */
+ if (p->p_stat != SZOMB && p->exit_thread == NULL) {
+ p->exit_thread = current_thread();
+ proc_unlock(p);
+ exit1(p, 1, (int *)NULL);
+ proc_clear_return_wait(p, imgp->ip_new_thread);
+ if (exec_done == FALSE) {
+ task_deallocate(get_threadtask(imgp->ip_new_thread));
+ thread_deallocate(imgp->ip_new_thread);
+ }
+ } else {
+ /* someone is doing it for us; just skip it */
+ proc_unlock(p);
+ proc_clear_return_wait(p, imgp->ip_new_thread);
+ }
+ } else {
+
+ /*
+ * Return to the child
+ *
+ * Note: the image activator earlier dropped the
+ * task/thread references to the newly spawned
+ * process; this is OK, since we still have suspended
+ * queue references on them, so we should be fine
+ * with the delayed resume of the thread here.
+ */
+ proc_clear_return_wait(p, imgp->ip_new_thread);
+ }
+ }
+ if (bufp != NULL) {
+ FREE(bufp, M_TEMP);
+ }
+
+ return(error);
+}
+
+
+/*
+ * execve
+ *
+ * Parameters: uap->fname File name to exec
+ * uap->argp Argument list
+ * uap->envp Environment list
+ *
+ * Returns: 0 Success
+ * __mac_execve:EINVAL Invalid argument
+ * __mac_execve:ENOTSUP Invalid argument
+ * __mac_execve:EACCES Permission denied
+ * __mac_execve:EINTR Interrupted function
+ * __mac_execve:ENOMEM Not enough space
+ * __mac_execve:EFAULT Bad address
+ * __mac_execve:ENAMETOOLONG Filename too long
+ * __mac_execve:ENOEXEC Executable file format error
+ * __mac_execve:ETXTBSY Text file busy [misuse of error code]
+ * __mac_execve:???
+ *
+ * TODO: Dynamic linker header address on stack is copied via suword()
+ */
+/* ARGSUSED */
+int
+execve(proc_t p, struct execve_args *uap, int32_t *retval)
+{
+ struct __mac_execve_args muap;
+ int err;
+
+ memoryshot(VM_EXECVE, DBG_FUNC_NONE);
+
+ muap.fname = uap->fname;
+ muap.argp = uap->argp;
+ muap.envp = uap->envp;
+ muap.mac_p = USER_ADDR_NULL;
+ err = __mac_execve(p, &muap, retval);
+
+ return(err);
+}
+
+/*
+ * __mac_execve
+ *
+ * Parameters: uap->fname File name to exec
+ * uap->argp Argument list
+ * uap->envp Environment list
+ * uap->mac_p MAC label supplied by caller
+ *
+ * Returns: 0 Success
+ * EINVAL Invalid argument
+ * ENOTSUP Not supported
+ * ENOEXEC Executable file format error
+ * exec_activate_image:EINVAL Invalid argument
+ * exec_activate_image:EACCES Permission denied
+ * exec_activate_image:EINTR Interrupted function
+ * exec_activate_image:ENOMEM Not enough space
+ * exec_activate_image:EFAULT Bad address
+ * exec_activate_image:ENAMETOOLONG Filename too long
+ * exec_activate_image:ENOEXEC Executable file format error
+ * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
+ * exec_activate_image:EBADEXEC The executable is corrupt/unknown
+ * exec_activate_image:???
+ * mac_execve_enter:???
+ *
+ * TODO: Dynamic linker header address on stack is copied via suword()
+ */
+int
+__mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
+{
+ char *bufp = NULL;
+ struct image_params *imgp;
+ struct vnode_attr *vap;
+ struct vnode_attr *origvap;
+ int error;
+ int is_64 = IS_64BIT_PROCESS(p);
+ struct vfs_context context;
+ struct uthread *uthread;
+
+ context.vc_thread = current_thread();
+ context.vc_ucred = kauth_cred_proc_ref(p); /* XXX must NOT be kauth_cred_get() */
+
+ /* Allocate a big chunk for locals instead of using stack since these
+ * structures a pretty big.
+ */
+ MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
+ imgp = (struct image_params *) bufp;
+ if (bufp == NULL) {
+ error = ENOMEM;
+ goto exit_with_error;
+ }
+ vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
+ origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
+
+ /* Initialize the common data in the image_params structure */
+ imgp->ip_user_fname = uap->fname;
+ imgp->ip_user_argv = uap->argp;
+ imgp->ip_user_envv = uap->envp;
+ imgp->ip_vattr = vap;
+ imgp->ip_origvattr = origvap;
+ imgp->ip_vfs_context = &context;
+ imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
+ imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
+ imgp->ip_mac_return = 0;
+
+ uthread = get_bsdthread_info(current_thread());
+ if (uthread->uu_flag & UT_VFORK) {
+ imgp->ip_flags |= IMGPF_VFORK_EXEC;
+ }
+
+#if CONFIG_MACF
+ if (uap->mac_p != USER_ADDR_NULL) {
+ error = mac_execve_enter(uap->mac_p, imgp);
+ if (error) {
+ kauth_cred_unref(&context.vc_ucred);
+ goto exit_with_error;
+ }
+ }
+#endif
+
+ error = exec_activate_image(imgp);
+
+ kauth_cred_unref(&context.vc_ucred);
+
+ /* Image not claimed by any activator? */
+ if (error == -1)
+ error = ENOEXEC;
+
+ if (error == 0) {
+ exec_resettextvp(p, imgp);
+ error = check_for_signature(p, imgp);
+ }
+ if (imgp->ip_vp != NULLVP)
+ vnode_put(imgp->ip_vp);
+ if (imgp->ip_scriptvp != NULLVP)
+ vnode_put(imgp->ip_scriptvp);
+ if (imgp->ip_strings)
+ execargs_free(imgp);
+#if CONFIG_MACF
+ if (imgp->ip_execlabelp)
+ mac_cred_label_free(imgp->ip_execlabelp);
+ if (imgp->ip_scriptlabelp)
+ mac_vnode_label_free(imgp->ip_scriptlabelp);
+#endif
+ if (!error) {
+ /* Sever any extant thread affinity */
+ thread_affinity_exec(current_thread());
+
+ thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread();
+
+ task_set_main_thread_qos(p->task, main_thread);
+
+ /* reset task importance */
+ task_importance_reset(p->task);
+
+ /* reset atm context from task */
+ task_atm_reset(p->task);
+
+ DTRACE_PROC(exec__success);
+
+#if CONFIG_DTRACE
+ if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL)
+ (*dtrace_proc_waitfor_hook)(p);
+#endif
+
+ if (imgp->ip_flags & IMGPF_VFORK_EXEC) {
+ vfork_return(p, retval, p->p_pid);
+ proc_clear_return_wait(p, imgp->ip_new_thread);
+ }
+ } else {
+ DTRACE_PROC1(exec__failure, int, error);
+ }
+
+exit_with_error:
+ if (bufp != NULL) {
+ FREE(bufp, M_TEMP);
+ }
+
+ return(error);
+}
+
+
+/*
+ * copyinptr
+ *
+ * Description: Copy a pointer in from user space to a user_addr_t in kernel
+ * space, based on 32/64 bitness of the user space
+ *
+ * Parameters: froma User space address
+ * toptr Address of kernel space user_addr_t
+ * ptr_size 4/8, based on 'froma' address space
+ *
+ * Returns: 0 Success
+ * EFAULT Bad 'froma'
+ *
+ * Implicit returns:
+ * *ptr_size Modified
+ */
+static int
+copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
+{
+ int error;
+
+ if (ptr_size == 4) {
+ /* 64 bit value containing 32 bit address */
+ unsigned int i;
+
+ error = copyin(froma, &i, 4);
+ *toptr = CAST_USER_ADDR_T(i); /* SAFE */
+ } else {
+ error = copyin(froma, toptr, 8);
+ }
+ return (error);
+}
+
+
+/*
+ * copyoutptr
+ *
+ * Description: Copy a pointer out from a user_addr_t in kernel space to
+ * user space, based on 32/64 bitness of the user space
+ *
+ * Parameters: ua User space address to copy to
+ * ptr Address of kernel space user_addr_t
+ * ptr_size 4/8, based on 'ua' address space
+ *
+ * Returns: 0 Success
+ * EFAULT Bad 'ua'
+ *
+ */
+static int
+copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
+{
+ int error;
+
+ if (ptr_size == 4) {
+ /* 64 bit value containing 32 bit address */
+ unsigned int i = CAST_DOWN_EXPLICIT(unsigned int,ua); /* SAFE */
+
+ error = copyout(&i, ptr, 4);
+ } else {
+ error = copyout(&ua, ptr, 8);
+ }
+ return (error);
+}
+
+
+/*
+ * exec_copyout_strings
+ *
+ * Copy out the strings segment to user space. The strings segment is put
+ * on a preinitialized stack frame.
+ *
+ * Parameters: struct image_params * the image parameter block
+ * int * a pointer to the stack offset variable
+ *
+ * Returns: 0 Success
+ * !0 Faiure: errno
+ *
+ * Implicit returns:
+ * (*stackp) The stack offset, modified
+ *
+ * Note: The strings segment layout is backward, from the beginning
+ * of the top of the stack to consume the minimal amount of
+ * space possible; the returned stack pointer points to the
+ * end of the area consumed (stacks grow downward).
+ *
+ * argc is an int; arg[i] are pointers; env[i] are pointers;
+ * the 0's are (void *)NULL's
+ *
+ * The stack frame layout is:
+ *
+ * +-------------+ <- p->user_stack
+ * | 16b |
+ * +-------------+
+ * | STRING AREA |
+ * | : |
+ * | : |
+ * | : |
+ * +- -- -- -- --+
+ * | PATH AREA |
+ * +-------------+
+ * | 0 |
+ * +-------------+
+ * | applev[n] |
+ * +-------------+
+ * :
+ * :
+ * +-------------+
+ * | applev[1] |
+ * +-------------+
+ * | exec_path / |
+ * | applev[0] |
+ * +-------------+
+ * | 0 |
+ * +-------------+
+ * | env[n] |
+ * +-------------+
+ * :
+ * :
+ * +-------------+
+ * | env[0] |
+ * +-------------+
+ * | 0 |
+ * +-------------+
+ * | arg[argc-1] |
+ * +-------------+
+ * :
+ * :
+ * +-------------+
+ * | arg[0] |
+ * +-------------+
+ * | argc |
+ * sp-> +-------------+
+ *
+ * Although technically a part of the STRING AREA, we treat the PATH AREA as
+ * a separate entity. This allows us to align the beginning of the PATH AREA
+ * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
+ * which preceed it on the stack are properly aligned.
+ */
+
+static int
+exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
+{
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
+ int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
+ int ptr_area_size;
+ void *ptr_buffer_start, *ptr_buffer;
+ int string_size;
+
+ user_addr_t string_area; /* *argv[], *env[] */
+ user_addr_t ptr_area; /* argv[], env[], applev[] */
+ user_addr_t argc_area; /* argc */
+ user_addr_t stack;
+ int error;
+
+ unsigned i;
+ struct copyout_desc {
+ char *start_string;
+ int count;
+#if CONFIG_DTRACE
+ user_addr_t *dtrace_cookie;
+#endif
+ boolean_t null_term;
+ } descriptors[] = {
+ {
+ .start_string = imgp->ip_startargv,
+ .count = imgp->ip_argc,
+#if CONFIG_DTRACE
+ .dtrace_cookie = &p->p_dtrace_argv,
+#endif
+ .null_term = TRUE
+ },
+ {
+ .start_string = imgp->ip_endargv,
+ .count = imgp->ip_envc,
+#if CONFIG_DTRACE
+ .dtrace_cookie = &p->p_dtrace_envp,
+#endif
+ .null_term = TRUE
+ },
+ {
+ .start_string = imgp->ip_strings,
+ .count = 1,
+#if CONFIG_DTRACE
+ .dtrace_cookie = NULL,
+#endif
+ .null_term = FALSE
+ },
+ {
+ .start_string = imgp->ip_endenvv,
+ .count = imgp->ip_applec - 1, /* exec_path handled above */
+#if CONFIG_DTRACE
+ .dtrace_cookie = NULL,
+#endif
+ .null_term = TRUE
+ }
+ };
+
+ stack = *stackp;
/*
- * ptr_size for 2 NULL one each ofter arg[argc -1] and env[n]
- * ptr_size for argc
- * skip over saved path, ptr_size for pointer to path,
- * and ptr_size for the NULL after pointer to path.
+ * All previous contributors to the string area
+ * should have aligned their sub-area
*/
+ if (imgp->ip_strspace % ptr_size != 0) {
+ error = EINVAL;
+ goto bad;
+ }
- /* argc (int32, stored in a ptr_size area) */
- (void)suword(ptr_area, imgp->ip_argc);
- ptr_area += sizeof(int);
- /* pad to ptr_size, if 64 bit image, to ensure user stack alignment */
- if (imgp->ip_flags & IMGPF_IS_64BIT) {
- (void)suword(ptr_area, 0); /* int, not long: ignored */
- ptr_area += sizeof(int);
- }
-
-
- /*
- * We use (string_area - path_area) here rather than the more
- * intuitive (imgp->ip_argv - imgp->ip_strings) because we are
- * interested in the length of the PATH_AREA in user space,
- * rather than the actual length of the execution path, since
- * it includes alignment padding of the PATH_AREA + STRING_AREA
- * to a ptr_size boundary.
- */
- strspace = SIZE_IMG_STRSPACE - (string_area - path_area);
- for (;;) {
- if (stringc == imgp->ip_envc) {
- /* argv[n] = NULL */
- (void)copyoutptr(0LL, ptr_area, ptr_size);
- ptr_area += ptr_size;
-#ifdef IMGPF_POWERPC
- if (envc_add) {
- (void)copyoutptr(string_area, ptr_area, ptr_size);
-
- do {
- if (strspace <= 0) {
- error = E2BIG;
- break;
- }
- error = copyoutstr(envvar, string_area,
- (unsigned)strspace,
- (size_t *)&len);
- string_area += len;
- envvar += len;
- strspace -= len;
- } while (error == ENAMETOOLONG);
- if (error == EFAULT || error == E2BIG)
- break;
- ptr_area += ptr_size;
- }
-#endif /* IMGPF_POWERPC */
+ /* Grow the stack down for the strings we've been building up */
+ string_size = imgp->ip_strendp - imgp->ip_strings;
+ stack -= string_size;
+ string_area = stack;
+
+ /*
+ * Need room for one pointer for each string, plus
+ * one for the NULLs terminating the argv, envv, and apple areas.
+ */
+ ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + 3) *
+ ptr_size;
+ stack -= ptr_area_size;
+ ptr_area = stack;
+
+ /* We'll construct all the pointer arrays in our string buffer,
+ * which we already know is aligned properly, and ip_argspace
+ * was used to verify we have enough space.
+ */
+ ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp;
+
+ /*
+ * Need room for pointer-aligned argc slot.
+ */
+ stack -= ptr_size;
+ argc_area = stack;
+
+ /*
+ * Record the size of the arguments area so that sysctl_procargs()
+ * can return the argument area without having to parse the arguments.
+ */
+ proc_lock(p);
+ p->p_argc = imgp->ip_argc;
+ p->p_argslen = (int)(*stackp - string_area);
+ proc_unlock(p);
+
+ /* Return the initial stack address: the location of argc */
+ *stackp = stack;
+
+ /*
+ * Copy out the entire strings area.
+ */
+ error = copyout(imgp->ip_strings, string_area,
+ string_size);
+ if (error)
+ goto bad;
+
+ for (i = 0; i < sizeof(descriptors)/sizeof(descriptors[0]); i++) {
+ char *cur_string = descriptors[i].start_string;
+ int j;
+
+#if CONFIG_DTRACE
+ if (descriptors[i].dtrace_cookie) {
+ proc_lock(p);
+ *descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience */
+ proc_unlock(p);
}
- if (--stringc < 0)
- break;
+#endif /* CONFIG_DTRACE */
- /* pointer: argv[n]/env[n] */
- (void)copyoutptr(string_area, ptr_area, ptr_size);
+ /*
+ * For each segment (argv, envv, applev), copy as many pointers as requested
+ * to our pointer buffer.
+ */
+ for (j = 0; j < descriptors[i].count; j++) {
+ user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings);
+
+ /* Copy out the pointer to the current string. Alignment has been verified */
+ if (ptr_size == 8) {
+ *(uint64_t *)ptr_buffer = (uint64_t)cur_address;
+ } else {
+ *(uint32_t *)ptr_buffer = (uint32_t)cur_address;
+ }
+
+ ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
+ cur_string += strlen(cur_string) + 1; /* Only a NUL between strings in the same area */
+ }
- /* string : argv[n][]/env[n][] */
- do {
- if (strspace <= 0) {
- error = E2BIG;
- break;
+ if (descriptors[i].null_term) {
+ if (ptr_size == 8) {
+ *(uint64_t *)ptr_buffer = 0ULL;
+ } else {
+ *(uint32_t *)ptr_buffer = 0;
}
- error = copyoutstr(argv, string_area,
- (unsigned)strspace,
- (size_t *)&len);
- string_area += len;
- argv += len;
- strspace -= len;
- } while (error == ENAMETOOLONG);
- if (error == EFAULT || error == E2BIG)
- break; /* bad stack - user's problem */
- ptr_area += ptr_size;
- }
- /* env[n] = NULL */
- (void)copyoutptr(0LL, ptr_area, ptr_size);
+
+ ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
+ }
+ }
+
+ /*
+ * Copy out all our pointer arrays in bulk.
+ */
+ error = copyout(ptr_buffer_start, ptr_area,
+ ptr_area_size);
+ if (error)
+ goto bad;
+
+ /* argc (int32, stored in a ptr_size area) */
+ error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size);
+ if (error)
+ goto bad;
bad:
return(error);
* Copy arguments and environment from user space into work area; we may
* have already copied some early arguments into the work area, and if
* so, any arguments opied in are appended to those already there.
+ * This function is the primary manipulator of ip_argspace, since
+ * these are the arguments the client of execve(2) knows about. After
+ * each argv[]/envv[] string is copied, we charge the string length
+ * and argv[]/envv[] pointer slot to ip_argspace, so that we can
+ * full preflight the arg list size.
*
* Parameters: struct image_params * the image parameter block
*
* Implicit returns;
* (imgp->ip_argc) Count of arguments, updated
* (imgp->ip_envc) Count of environment strings, updated
+ * (imgp->ip_argspace) Count of remaining of NCARGS
+ * (imgp->ip_interp_buffer) Interpreter and args (mutated in place)
*
*
- * Notes: The argument and environment vectors are user space pointers
+ * Note: The argument and environment vectors are user space pointers
* to arrays of user space pointers.
*/
static int
exec_extract_strings(struct image_params *imgp)
{
int error = 0;
- struct proc *p = vfs_context_proc(imgp->ip_vfs_context);
- int seg = (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32);
int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT) ? 8 : 4;
+ int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
user_addr_t argv = imgp->ip_user_argv;
user_addr_t envv = imgp->ip_user_envv;
- /* Now, get rest of arguments */
+ /*
+ * Adjust space reserved for the path name by however much padding it
+ * needs. Doing this here since we didn't know if this would be a 32-
+ * or 64-bit process back in exec_save_path.
+ */
+ while (imgp->ip_strspace % new_ptr_size != 0) {
+ *imgp->ip_strendp++ = '\0';
+ imgp->ip_strspace--;
+ /* imgp->ip_argspace--; not counted towards exec args total */
+ }
/*
- * If we are running an interpreter, replace the av[0] that was
- * passed to execve() with the fully qualified path name that was
- * passed to execve() for interpreters which do not use the PATH
- * to locate their script arguments.
+ * From now on, we start attributing string space to ip_argspace
*/
- if((imgp->ip_flags & IMGPF_INTERPRET) != 0 && argv != 0LL) {
+ imgp->ip_startargv = imgp->ip_strendp;
+ imgp->ip_argc = 0;
+
+ if((imgp->ip_flags & IMGPF_INTERPRET) != 0) {
user_addr_t arg;
+ char *argstart, *ch;
+
+ /* First, the arguments in the "#!" string are tokenized and extracted. */
+ argstart = imgp->ip_interp_buffer;
+ while (argstart) {
+ ch = argstart;
+ while (*ch && !IS_WHITESPACE(*ch)) {
+ ch++;
+ }
- error = copyinptr(argv, &arg, ptr_size);
- if (error)
- goto bad;
- if (arg != 0LL && arg != (user_addr_t)-1) {
- argv += ptr_size;
- error = exec_add_string(imgp, imgp->ip_user_fname, seg);
+ if (*ch == '\0') {
+ /* last argument, no need to NUL-terminate */
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
+ argstart = NULL;
+ } else {
+ /* NUL-terminate */
+ *ch = '\0';
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
+
+ /*
+ * Find the next string. We know spaces at the end of the string have already
+ * been stripped.
+ */
+ argstart = ch + 1;
+ while (IS_WHITESPACE(*argstart)) {
+ argstart++;
+ }
+ }
+
+ /* Error-check, regardless of whether this is the last interpreter arg or not */
if (error)
goto bad;
+ if (imgp->ip_argspace < new_ptr_size) {
+ error = E2BIG;
+ goto bad;
+ }
+ imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
imgp->ip_argc++;
}
+
+ if (argv != 0LL) {
+ /*
+ * If we are running an interpreter, replace the av[0] that was
+ * passed to execve() with the path name that was
+ * passed to execve() for interpreters which do not use the PATH
+ * to locate their script arguments.
+ */
+ error = copyinptr(argv, &arg, ptr_size);
+ if (error)
+ goto bad;
+ if (arg != 0LL) {
+ argv += ptr_size; /* consume without using */
+ }
+ }
+
+ if (imgp->ip_interp_sugid_fd != -1) {
+ char temp[19]; /* "/dev/fd/" + 10 digits + NUL */
+ snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd);
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE);
+ } else {
+ error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE);
+ }
+
+ if (error)
+ goto bad;
+ if (imgp->ip_argspace < new_ptr_size) {
+ error = E2BIG;
+ goto bad;
+ }
+ imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
+ imgp->ip_argc++;
}
while (argv != 0LL) {
if (error)
goto bad;
- argv += ptr_size;
if (arg == 0LL) {
break;
- } else if (arg == (user_addr_t)-1) {
- /* Um... why would it be -1? */
- error = EFAULT;
- goto bad;
}
+
+ argv += ptr_size;
+
/*
* av[n...] = arg[n]
*/
- error = exec_add_string(imgp, arg, seg);
+ error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE);
if (error)
goto bad;
+ if (imgp->ip_argspace < new_ptr_size) {
+ error = E2BIG;
+ goto bad;
+ }
+ imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
imgp->ip_argc++;
}
+ /* Save space for argv[] NULL terminator */
+ if (imgp->ip_argspace < new_ptr_size) {
+ error = E2BIG;
+ goto bad;
+ }
+ imgp->ip_argspace -= new_ptr_size;
+
+ /* Note where the args ends and env begins. */
+ imgp->ip_endargv = imgp->ip_strendp;
+ imgp->ip_envc = 0;
+
/* Now, get the environment */
while (envv != 0LL) {
user_addr_t env;
- error = copyinptr(envv, &env, ptr_size);
- if (error)
- goto bad;
+ error = copyinptr(envv, &env, ptr_size);
+ if (error)
+ goto bad;
+
+ envv += ptr_size;
+ if (env == 0LL) {
+ break;
+ }
+ /*
+ * av[n...] = env[n]
+ */
+ error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE);
+ if (error)
+ goto bad;
+ if (imgp->ip_argspace < new_ptr_size) {
+ error = E2BIG;
+ goto bad;
+ }
+ imgp->ip_argspace -= new_ptr_size; /* to hold envv[] entry */
+ imgp->ip_envc++;
+ }
+
+ /* Save space for envv[] NULL terminator */
+ if (imgp->ip_argspace < new_ptr_size) {
+ error = E2BIG;
+ goto bad;
+ }
+ imgp->ip_argspace -= new_ptr_size;
+
+ /* Align the tail of the combined argv+envv area */
+ while (imgp->ip_strspace % new_ptr_size != 0) {
+ if (imgp->ip_argspace < 1) {
+ error = E2BIG;
+ goto bad;
+ }
+ *imgp->ip_strendp++ = '\0';
+ imgp->ip_strspace--;
+ imgp->ip_argspace--;
+ }
+
+ /* Note where the envv ends and applev begins. */
+ imgp->ip_endenvv = imgp->ip_strendp;
+
+ /*
+ * From now on, we are no longer charging argument
+ * space to ip_argspace.
+ */
+
+bad:
+ return error;
+}
+
+static char *
+random_hex_str(char *str, int len, boolean_t embedNUL)
+{
+ uint64_t low, high, value;
+ int idx;
+ char digit;
+
+ /* A 64-bit value will only take 16 characters, plus '0x' and NULL. */
+ if (len > 19)
+ len = 19;
+
+ /* We need enough room for at least 1 digit */
+ if (len < 4)
+ return (NULL);
+
+ low = random();
+ high = random();
+ value = high << 32 | low;
+
+ if (embedNUL) {
+ /*
+ * Zero a byte to protect against C string vulnerabilities
+ * e.g. for userland __stack_chk_guard.
+ */
+ value &= ~(0xffull << 8);
+ }
+
+ str[0] = '0';
+ str[1] = 'x';
+ for (idx = 2; idx < len - 1; idx++) {
+ digit = value & 0xf;
+ value = value >> 4;
+ if (digit < 10)
+ str[idx] = '0' + digit;
+ else
+ str[idx] = 'a' + (digit - 10);
+ }
+ str[idx] = '\0';
+ return (str);
+}
+
+/*
+ * Libc has an 8-element array set up for stack guard values. It only fills
+ * in one of those entries, and both gcc and llvm seem to use only a single
+ * 8-byte guard. Until somebody needs more than an 8-byte guard value, don't
+ * do the work to construct them.
+ */
+#define GUARD_VALUES 1
+#define GUARD_KEY "stack_guard="
+
+/*
+ * System malloc needs some entropy when it is initialized.
+ */
+#define ENTROPY_VALUES 2
+#define ENTROPY_KEY "malloc_entropy="
+
+/*
+ * System malloc engages nanozone for UIAPP.
+ */
+#define NANO_ENGAGE_KEY "MallocNanoZone=1"
+
+#define PFZ_KEY "pfz="
+extern user32_addr_t commpage_text32_location;
+extern user64_addr_t commpage_text64_location;
+/*
+ * Build up the contents of the apple[] string vector
+ */
+static int
+exec_add_apple_strings(struct image_params *imgp)
+{
+ int i, error;
+ int new_ptr_size=4;
+ char guard[19];
+ char guard_vec[strlen(GUARD_KEY) + 19 * GUARD_VALUES + 1];
+
+ char entropy[19];
+ char entropy_vec[strlen(ENTROPY_KEY) + 19 * ENTROPY_VALUES + 1];
+
+ char pfz_string[strlen(PFZ_KEY) + 16 + 4 +1];
+
+ if( imgp->ip_flags & IMGPF_IS_64BIT) {
+ new_ptr_size = 8;
+ snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%llx",commpage_text64_location);
+ } else {
+ snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%x",commpage_text32_location);
+ }
+
+ /* exec_save_path stored the first string */
+ imgp->ip_applec = 1;
+
+ /* adding the pfz string */
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string),UIO_SYSSPACE,FALSE);
+ if(error)
+ goto bad;
+ imgp->ip_applec++;
+
+ /* adding the NANO_ENGAGE_KEY key */
+ if (imgp->ip_px_sa) {
+ int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
+
+ if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
+ char uiapp_string[strlen(NANO_ENGAGE_KEY) + 1];
+
+ snprintf(uiapp_string, sizeof(uiapp_string), NANO_ENGAGE_KEY);
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(uiapp_string),UIO_SYSSPACE,FALSE);
+ if (error)
+ goto bad;
+ imgp->ip_applec++;
+ }
+ }
+
+ /*
+ * Supply libc with a collection of random values to use when
+ * implementing -fstack-protector.
+ *
+ * (The first random string always contains an embedded NUL so that
+ * __stack_chk_guard also protects against C string vulnerabilities)
+ */
+ (void)strlcpy(guard_vec, GUARD_KEY, sizeof (guard_vec));
+ for (i = 0; i < GUARD_VALUES; i++) {
+ random_hex_str(guard, sizeof (guard), i == 0);
+ if (i)
+ (void)strlcat(guard_vec, ",", sizeof (guard_vec));
+ (void)strlcat(guard_vec, guard, sizeof (guard_vec));
+ }
+
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(guard_vec), UIO_SYSSPACE, FALSE);
+ if (error)
+ goto bad;
+ imgp->ip_applec++;
+
+ /*
+ * Supply libc with entropy for system malloc.
+ */
+ (void)strlcpy(entropy_vec, ENTROPY_KEY, sizeof(entropy_vec));
+ for (i = 0; i < ENTROPY_VALUES; i++) {
+ random_hex_str(entropy, sizeof (entropy), FALSE);
+ if (i)
+ (void)strlcat(entropy_vec, ",", sizeof (entropy_vec));
+ (void)strlcat(entropy_vec, entropy, sizeof (entropy_vec));
+ }
+
+ error = exec_add_user_string(imgp, CAST_USER_ADDR_T(entropy_vec), UIO_SYSSPACE, FALSE);
+ if (error)
+ goto bad;
+ imgp->ip_applec++;
- envv += ptr_size;
- if (env == 0LL) {
- break;
- } else if (env == (user_addr_t)-1) {
- error = EFAULT;
- goto bad;
- }
- /*
- * av[n...] = env[n]
- */
- error = exec_add_string(imgp, env, seg);
- if (error)
- goto bad;
- imgp->ip_envc++;
+ /* Align the tail of the combined applev area */
+ while (imgp->ip_strspace % new_ptr_size != 0) {
+ *imgp->ip_strendp++ = '\0';
+ imgp->ip_strspace--;
}
+
bad:
return error;
}
-
#define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur)
+/*
+ * exec_check_permissions
+ *
+ * Description: Verify that the file that is being attempted to be executed
+ * is in fact allowed to be executed based on it POSIX file
+ * permissions and other access control criteria
+ *
+ * Parameters: struct image_params * the image parameter block
+ *
+ * Returns: 0 Success
+ * EACCES Permission denied
+ * ENOEXEC Executable file format error
+ * ETXTBSY Text file busy [misuse of error code]
+ * vnode_getattr:???
+ * vnode_authorize:???
+ */
static int
exec_check_permissions(struct image_params *imgp)
{
struct vnode *vp = imgp->ip_vp;
struct vnode_attr *vap = imgp->ip_vattr;
- struct proc *p = vfs_context_proc(imgp->ip_vfs_context);
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
int error;
kauth_action_t action;
* will always succeed, and we don't want to happen unless the
* file really is executable.
*/
- if ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
+ if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0))
return (EACCES);
/* Disallow zero length files */
imgp->ip_arch_size = vap->va_data_size;
/* Disable setuid-ness for traced programs or if MNT_NOSUID */
- if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED))
+ if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED))
vap->va_mode &= ~(VSUID | VSGID);
+ /*
+ * Disable _POSIX_SPAWN_ALLOW_DATA_EXEC and _POSIX_SPAWN_DISABLE_ASLR
+ * flags for setuid/setgid binaries.
+ */
+ if (vap->va_mode & (VSUID | VSGID))
+ imgp->ip_flags &= ~(IMGPF_ALLOW_DATA_EXEC | IMGPF_DISABLE_ASLR);
+
+#if CONFIG_MACF
+ error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
+ if (error)
+ return (error);
+#endif
+
/* Check for execute permission */
action = KAUTH_VNODE_EXECUTE;
/* Traced images must also be readable */
- if (p->p_flag & P_TRACED)
+ if (p->p_lflag & P_LTRACED)
action |= KAUTH_VNODE_READ_DATA;
if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != 0)
return (error);
+#if 0
/* Don't let it run if anyone had it open for writing */
- if (vp->v_writecount)
+ vnode_lock(vp);
+ if (vp->v_writecount) {
+ panic("going to return ETXTBSY %x", vp);
+ vnode_unlock(vp);
return (ETXTBSY);
+ }
+ vnode_unlock(vp);
+#endif
+
+
+ /* XXX May want to indicate to underlying FS that vnode is open */
+
+ return (error);
+}
+
+
+/*
+ * exec_handle_sugid
+ *
+ * Initially clear the P_SUGID in the process flags; if an SUGID process is
+ * exec'ing a non-SUGID image, then this is the point of no return.
+ *
+ * If the image being activated is SUGID, then replace the credential with a
+ * copy, disable tracing (unless the tracing process is root), reset the
+ * mach task port to revoke it, set the P_SUGID bit,
+ *
+ * If the saved user and group ID will be changing, then make sure it happens
+ * to a new credential, rather than a shared one.
+ *
+ * Set the security token (this is probably obsolete, given that the token
+ * should not technically be separate from the credential itself).
+ *
+ * Parameters: struct image_params * the image parameter block
+ *
+ * Returns: void No failure indication
+ *
+ * Implicit returns:
+ * <process credential> Potentially modified/replaced
+ * <task port> Potentially revoked
+ * <process flags> P_SUGID bit potentially modified
+ * <security token> Potentially modified
+ */
+static int
+exec_handle_sugid(struct image_params *imgp)
+{
+ kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
+ proc_t p = vfs_context_proc(imgp->ip_vfs_context);
+ int i;
+ int leave_sugid_clear = 0;
+ int mac_reset_ipc = 0;
+ int error = 0;
+#if CONFIG_MACF
+ int mac_transition, disjoint_cred = 0;
+ int label_update_return = 0;
+
+ /*
+ * Determine whether a call to update the MAC label will result in the
+ * credential changing.
+ *
+ * Note: MAC policies which do not actually end up modifying
+ * the label subsequently are strongly encouraged to
+ * return 0 for this check, since a non-zero answer will
+ * slow down the exec fast path for normal binaries.
+ */
+ mac_transition = mac_cred_check_label_update_execve(
+ imgp->ip_vfs_context,
+ imgp->ip_vp,
+ imgp->ip_arch_offset,
+ imgp->ip_scriptvp,
+ imgp->ip_scriptlabelp,
+ imgp->ip_execlabelp,
+ p,
+ imgp->ip_px_smpx);
+#endif
+
+ OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
+
+ /*
+ * Order of the following is important; group checks must go last,
+ * as we use the success of the 'ismember' check combined with the
+ * failure of the explicit match to indicate that we will be setting
+ * the egid of the process even though the new process did not
+ * require VSUID/VSGID bits in order for it to set the new group as
+ * its egid.
+ *
+ * Note: Technically, by this we are implying a call to
+ * setegid() in the new process, rather than implying
+ * it used its VSGID bit to set the effective group,
+ * even though there is no code in that process to make
+ * such a call.
+ */
+ if (((imgp->ip_origvattr->va_mode & VSUID) != 0 &&
+ kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
+ ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
+ ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
+ (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) {
+
+#if CONFIG_MACF
+/* label for MAC transition and neither VSUID nor VSGID */
+handle_mac_transition:
+#endif
+
+ /*
+ * Replace the credential with a copy of itself if euid or
+ * egid change.
+ *
+ * Note: setuid binaries will automatically opt out of
+ * group resolver participation as a side effect
+ * of this operation. This is an intentional
+ * part of the security model, which requires a
+ * participating credential be established by
+ * escalating privilege, setting up all other
+ * aspects of the credential including whether
+ * or not to participate in external group
+ * membership resolution, then dropping their
+ * effective privilege to that of the desired
+ * final credential state.
+ */
+ if (imgp->ip_origvattr->va_mode & VSUID) {
+ p->p_ucred = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
+ /* update cred on proc */
+ PROC_UPDATE_CREDS_ONPROC(p);
+ }
+ if (imgp->ip_origvattr->va_mode & VSGID) {
+ p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
+ /* update cred on proc */
+ PROC_UPDATE_CREDS_ONPROC(p);
+ }
+
+#if CONFIG_MACF
+ /*
+ * If a policy has indicated that it will transition the label,
+ * before making the call into the MAC policies, get a new
+ * duplicate credential, so they can modify it without
+ * modifying any others sharing it.
+ */
+ if (mac_transition) {
+ kauth_proc_label_update_execve(p,
+ imgp->ip_vfs_context,
+ imgp->ip_vp,
+ imgp->ip_arch_offset,
+ imgp->ip_scriptvp,
+ imgp->ip_scriptlabelp,
+ imgp->ip_execlabelp,
+ &imgp->ip_csflags,
+ imgp->ip_px_smpx,
+ &disjoint_cred, /* will be non zero if disjoint */
+ &label_update_return);
+
+ if (disjoint_cred) {
+ /*
+ * If updating the MAC label resulted in a
+ * disjoint credential, flag that we need to
+ * set the P_SUGID bit. This protects
+ * against debuggers being attached by an
+ * insufficiently privileged process onto the
+ * result of a transition to a more privileged
+ * credential.
+ */
+ leave_sugid_clear = 0;
+ }
+
+ imgp->ip_mac_return = label_update_return;
+ }
+
+ mac_reset_ipc = mac_proc_check_inherit_ipc_ports(p, p->p_textvp, p->p_textoff, imgp->ip_vp, imgp->ip_arch_offset, imgp->ip_scriptvp);
+
+#endif /* CONFIG_MACF */
+
+ /*
+ * If 'leave_sugid_clear' is non-zero, then we passed the
+ * VSUID and MACF checks, and successfully determined that
+ * the previous cred was a member of the VSGID group, but
+ * that it was not the default at the time of the execve,
+ * and that the post-labelling credential was not disjoint.
+ * So we don't set the P_SUGID or reset mach ports and fds
+ * on the basis of simply running this code.
+ */
+ if (mac_reset_ipc || !leave_sugid_clear) {
+ /*
+ * Have mach reset the task and thread ports.
+ * We don't want anyone who had the ports before
+ * a setuid exec to be able to access/control the
+ * task/thread after.
+ */
+ ipc_task_reset(p->task);
+ ipc_thread_reset((imgp->ip_new_thread != NULL) ?
+ imgp->ip_new_thread : current_thread());
+ }
+
+ if (!leave_sugid_clear) {
+ /*
+ * Flag the process as setuid.
+ */
+ OSBitOrAtomic(P_SUGID, &p->p_flag);
+
+ /*
+ * Radar 2261856; setuid security hole fix
+ * XXX For setuid processes, attempt to ensure that
+ * stdin, stdout, and stderr are already allocated.
+ * We do not want userland to accidentally allocate
+ * descriptors in this range which has implied meaning
+ * to libc.
+ */
+ for (i = 0; i < 3; i++) {
+
+ if (p->p_fd->fd_ofiles[i] != NULL)
+ continue;
+
+ /*
+ * Do the kernel equivalent of
+ *
+ * if i == 0
+ * (void) open("/dev/null", O_RDONLY);
+ * else
+ * (void) open("/dev/null", O_WRONLY);
+ */
-#ifdef IMGPF_POWERPC
+ struct fileproc *fp;
+ int indx;
+ int flag;
+ struct nameidata *ndp = NULL;
+
+ if (i == 0)
+ flag = FREAD;
+ else
+ flag = FWRITE;
+
+ if ((error = falloc(p,
+ &fp, &indx, imgp->ip_vfs_context)) != 0)
+ continue;
+
+ MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
+ if (ndp == NULL) {
+ error = ENOMEM;
+ break;
+ }
+
+ NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE,
+ CAST_USER_ADDR_T("/dev/null"),
+ imgp->ip_vfs_context);
+
+ if ((error = vn_open(ndp, flag, 0)) != 0) {
+ fp_free(p, indx, fp);
+ break;
+ }
+
+ struct fileglob *fg = fp->f_fglob;
+
+ fg->fg_flag = flag;
+ fg->fg_ops = &vnops;
+ fg->fg_data = ndp->ni_vp;
+
+ vnode_put(ndp->ni_vp);
+
+ proc_fdlock(p);
+ procfdtbl_releasefd(p, indx, NULL);
+ fp_drop(p, indx, fp, 1);
+ proc_fdunlock(p);
+
+ FREE(ndp, M_TEMP);
+ }
+ }
+ }
+#if CONFIG_MACF
+ else {
+ /*
+ * We are here because we were told that the MAC label will
+ * be transitioned, and the binary is not VSUID or VSGID; to
+ * deal with this case, we could either duplicate a lot of
+ * code, or we can indicate we want to default the P_SUGID
+ * bit clear and jump back up.
+ */
+ if (mac_transition) {
+ leave_sugid_clear = 1;
+ goto handle_mac_transition;
+ }
+ }
+
+#endif /* CONFIG_MACF */
+
+ /*
+ * Implement the semantic where the effective user and group become
+ * the saved user and group in exec'ed programs.
+ */
+ p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred), kauth_cred_getgid(p->p_ucred));
+ /* update cred on proc */
+ PROC_UPDATE_CREDS_ONPROC(p);
+
+ /* Update the process' identity version and set the security token */
+ p->p_idversion++;
+ set_security_token(p);
+
+ return(error);
+}
+
+
+/*
+ * create_unix_stack
+ *
+ * Description: Set the user stack address for the process to the provided
+ * address. If a custom stack was not set as a result of the
+ * load process (i.e. as specified by the image file for the
+ * executable), then allocate the stack in the provided map and
+ * set up appropriate guard pages for enforcing administrative
+ * limits on stack growth, if they end up being needed.
+ *
+ * Parameters: p Process to set stack on
+ * load_result Information from mach-o load commands
+ * map Address map in which to allocate the new stack
+ *
+ * Returns: KERN_SUCCESS Stack successfully created
+ * !KERN_SUCCESS Mach failure code
+ */
+static kern_return_t
+create_unix_stack(vm_map_t map, load_result_t* load_result,
+ proc_t p)
+{
+ mach_vm_size_t size, prot_size;
+ mach_vm_offset_t addr, prot_addr;
+ kern_return_t kr;
+
+ mach_vm_address_t user_stack = load_result->user_stack;
+
+ proc_lock(p);
+ p->user_stack = user_stack;
+ proc_unlock(p);
+
+ if (!load_result->prog_allocated_stack) {
+ /*
+ * Allocate enough space for the maximum stack size we
+ * will ever authorize and an extra page to act as
+ * a guard page for stack overflows. For default stacks,
+ * vm_initial_limit_stack takes care of the extra guard page.
+ * Otherwise we must allocate it ourselves.
+ */
+
+ size = mach_vm_round_page(load_result->user_stack_size);
+ if (load_result->prog_stack_size)
+ size += PAGE_SIZE;
+ addr = mach_vm_trunc_page(load_result->user_stack - size);
+ kr = mach_vm_allocate(map, &addr, size,
+ VM_MAKE_TAG(VM_MEMORY_STACK) |
+ VM_FLAGS_FIXED);
+ if (kr != KERN_SUCCESS) {
+ /* If can't allocate at default location, try anywhere */
+ addr = 0;
+ kr = mach_vm_allocate(map, &addr, size,
+ VM_MAKE_TAG(VM_MEMORY_STACK) |
+ VM_FLAGS_ANYWHERE);
+ if (kr != KERN_SUCCESS)
+ return kr;
+
+ user_stack = addr + size;
+ load_result->user_stack = user_stack;
+
+ proc_lock(p);
+ p->user_stack = user_stack;
+ proc_unlock(p);
+ }
+
+ /*
+ * And prevent access to what's above the current stack
+ * size limit for this process.
+ */
+ prot_addr = addr;
+ if (load_result->prog_stack_size)
+ prot_size = PAGE_SIZE;
+ else
+ prot_size = mach_vm_trunc_page(size - unix_stack_size(p));
+ kr = mach_vm_protect(map,
+ prot_addr,
+ prot_size,
+ FALSE,
+ VM_PROT_NONE);
+ if (kr != KERN_SUCCESS) {
+ (void) mach_vm_deallocate(map, addr, size);
+ return kr;
+ }
+ }
+
+ return KERN_SUCCESS;
+}
+
+#include <sys/reboot.h>
+
+/*
+ * load_init_program_at_path
+ *
+ * Description: Load the "init" program; in most cases, this will be "launchd"
+ *
+ * Parameters: p Process to call execve() to create
+ * the "init" program
+ * scratch_addr Page in p, scratch space
+ * path NULL terminated path
+ *
+ * Returns: KERN_SUCCESS Success
+ * !KERN_SUCCESS See execve/mac_execve for error codes
+ *
+ * Notes: The process that is passed in is the first manufactured
+ * process on the system, and gets here via bsd_ast() firing
+ * for the first time. This is done to ensure that bsd_init()
+ * has run to completion.
+ *
+ * The address map of the first manufactured process is 32 bit.
+ * WHEN this becomes 64b, this code will fail; it needs to be
+ * made 64b capable.
+ */
+static int
+load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
+{
+ uint32_t argv[3];
+ uint32_t argc = 0;
+ int retval[2];
+ struct execve_args init_exec_args;
+
+ /*
+ * Validate inputs and pre-conditions
+ */
+ assert(p);
+ assert(scratch_addr);
+ assert(path);
+
+ if (IS_64BIT_PROCESS(p)) {
+ panic("Init against 64b primordial proc not implemented");
+ }
+
+ /*
+ * Copy out program name.
+ */
+ size_t path_length = strlen(path) + 1;
+ (void) copyout(path, scratch_addr, path_length);
+
+ argv[argc++] = (uint32_t)scratch_addr;
+ scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, 16);
+
+ /*
+ * Put out first (and only) argument, similarly.
+ * Assumes everything fits in a page as allocated above.
+ */
+ if (boothowto & RB_SINGLE) {
+ const char *init_args = "-s";
+ size_t init_args_length = strlen(init_args)+1;
+
+ copyout(init_args, scratch_addr, init_args_length);
+
+ argv[argc++] = (uint32_t)scratch_addr;
+ scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, 16);
+ }
+
+ /*
+ * Null-end the argument list
+ */
+ argv[argc] = 0;
+
/*
- * If the file we are about to attempt to load is the exec_handler_ppc,
- * which is determined by matching the vattr fields against previously
- * cached values, then we set the PowerPC environment flag.
+ * Copy out the argument list.
*/
- if (vap->va_fsid == exec_archhandler_ppc.fsid &&
- vap->va_fileid == (uint64_t)((u_long)exec_archhandler_ppc.fileid)) {
- imgp->ip_flags |= IMGPF_POWERPC;
+ (void) copyout(argv, scratch_addr, sizeof(argv));
+
+ /*
+ * Set up argument block for fake call to execve.
+ */
+ init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
+ init_exec_args.argp = scratch_addr;
+ init_exec_args.envp = USER_ADDR_NULL;
+
+ /*
+ * So that init task is set with uid,gid 0 token
+ */
+ set_security_token(p);
+
+ return execve(p, &init_exec_args, retval);
+}
+
+static const char * init_programs[] = {
+#if DEBUG
+ "/usr/local/sbin/launchd.debug",
+#endif
+#if DEVELOPMENT || DEBUG
+ /* Remove DEBUG conditional when <rdar://problem/17931977> is fixed */
+ "/usr/local/sbin/launchd.development",
+#endif
+ "/sbin/launchd",
+};
+
+/*
+ * load_init_program
+ *
+ * Description: Load the "init" program; in most cases, this will be "launchd"
+ *
+ * Parameters: p Process to call execve() to create
+ * the "init" program
+ *
+ * Returns: (void)
+ *
+ * Notes: The process that is passed in is the first manufactured
+ * process on the system, and gets here via bsd_ast() firing
+ * for the first time. This is done to ensure that bsd_init()
+ * has run to completion.
+ *
+ * In DEBUG & DEVELOPMENT builds, the launchdsuffix boot-arg
+ * may be used to select a specific launchd executable. As with
+ * the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
+ * will force /sbin/launchd to be selected.
+ *
+ * The DEBUG kernel will continue to check for a .development
+ * version until <rdar://problem/17931977> is fixed.
+ *
+ * Search order by build:
+ *
+ * DEBUG DEVELOPMENT RELEASE PATH
+ * ----------------------------------------------------------------------------------
+ * 1 1 NA /usr/local/sbin/launchd.$LAUNCHDSUFFIX
+ * 2 NA NA /usr/local/sbin/launchd.debug
+ * 3 2 NA /usr/local/sbin/launchd.development
+ * 4 3 1 /sbin/launchd
+ */
+void
+load_init_program(proc_t p)
+{
+ uint32_t i;
+ int error;
+ vm_offset_t scratch_addr = VM_MIN_ADDRESS;
+
+ (void) vm_allocate(current_map(), &scratch_addr, PAGE_SIZE, VM_FLAGS_ANYWHERE);
+#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
+ (void) memorystatus_init_at_boot_snapshot();
+#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM */
+
+#if DEBUG || DEVELOPMENT
+ /* Check for boot-arg suffix first */
+ char launchd_suffix[64];
+ if (PE_parse_boot_argn("launchdsuffix", launchd_suffix, sizeof(launchd_suffix))) {
+ char launchd_path[128];
+ boolean_t is_release_suffix = ((launchd_suffix[0] == 0) ||
+ (strcmp(launchd_suffix, "release") == 0));
+
+ if (is_release_suffix) {
+ error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), "/sbin/launchd");
+ if (!error)
+ return;
+
+ panic("Process 1 exec of launchd.release failed, errno %d", error);
+ } else {
+ strlcpy(launchd_path, "/usr/local/sbin/launchd.", sizeof(launchd_path));
+ strlcat(launchd_path, launchd_suffix, sizeof(launchd_path));
+
+ /* All the error data is lost in the loop below, don't
+ * attempt to save it. */
+ if (!load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), launchd_path)) {
+ return;
+ }
+ }
}
-#endif /* IMGPF_POWERPC */
+#endif
- /* XXX May want to indicate to underlying FS that vnode is open */
+ error = ENOENT;
+ for (i = 0; i < sizeof(init_programs)/sizeof(init_programs[0]); i++) {
+ error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), init_programs[i]);
+ if (!error)
+ return;
+ }
- return (error);
+ panic("Process 1 exec of %s failed, errno %d", ((i == 0) ? "<null>" : init_programs[i-1]), error);
}
/*
- * exec_handle_sugid
+ * load_return_to_errno
*
- * Initially clear the P_SUGID in the process flags; if an SUGID process is
- * exec'ing a non-SUGID image, then this is the point of no return.
+ * Description: Convert a load_return_t (Mach error) to an errno (BSD error)
*
- * If the image being activated is SUGI, then replace the credential with a
- * copy, disable tracing (unless the tracing process is root), reset the
- * mach task port to revoke it, set the P_SUGID bit,
+ * Parameters: lrtn Mach error number
*
- * If the saved user and group ID will be changing, then make sure it happens
- * to a new credential, rather than a shared one.
+ * Returns: (int) BSD error number
+ * 0 Success
+ * EBADARCH Bad architecture
+ * EBADMACHO Bad Mach object file
+ * ESHLIBVERS Bad shared library version
+ * ENOMEM Out of memory/resource shortage
+ * EACCES Access denied
+ * ENOENT Entry not found (usually "file does
+ * does not exist")
+ * EIO An I/O error occurred
+ * EBADEXEC The executable is corrupt/unknown
+ */
+static int
+load_return_to_errno(load_return_t lrtn)
+{
+ switch (lrtn) {
+ case LOAD_SUCCESS:
+ return 0;
+ case LOAD_BADARCH:
+ return EBADARCH;
+ case LOAD_BADMACHO:
+ return EBADMACHO;
+ case LOAD_SHLIB:
+ return ESHLIBVERS;
+ case LOAD_NOSPACE:
+ case LOAD_RESOURCE:
+ return ENOMEM;
+ case LOAD_PROTECT:
+ return EACCES;
+ case LOAD_ENOENT:
+ return ENOENT;
+ case LOAD_IOERROR:
+ return EIO;
+ case LOAD_FAILURE:
+ case LOAD_DECRYPTFAIL:
+ default:
+ return EBADEXEC;
+ }
+}
+
+#include <mach/mach_types.h>
+#include <mach/vm_prot.h>
+#include <mach/semaphore.h>
+#include <mach/sync_policy.h>
+#include <kern/clock.h>
+#include <mach/kern_return.h>
+
+/*
+ * execargs_alloc
*
- * Set the security token (this is probably obsolete, given that the token
- * should not technically be separate from the credential itself).
+ * Description: Allocate the block of memory used by the execve arguments.
+ * At the same time, we allocate a page so that we can read in
+ * the first page of the image.
*
* Parameters: struct image_params * the image parameter block
*
- * Returns: void No failure indication
+ * Returns: 0 Success
+ * EINVAL Invalid argument
+ * EACCES Permission denied
+ * EINTR Interrupted function
+ * ENOMEM Not enough space
*
- * Implicit returns:
- * <process credential> Potentially modified/replaced
- * <task port> Potentially revoked
- * <process flags> P_SUGID bit potentially modified
- * <security token> Potentially modified
+ * Notes: This is a temporary allocation into the kernel address space
+ * to enable us to copy arguments in from user space. This is
+ * necessitated by not mapping the process calling execve() into
+ * the kernel address space during the execve() system call.
+ *
+ * We assemble the argument and environment, etc., into this
+ * region before copying it as a single block into the child
+ * process address space (at the top or bottom of the stack,
+ * depending on which way the stack grows; see the function
+ * exec_copyout_strings() for details).
+ *
+ * This ends up with a second (possibly unnecessary) copy compared
+ * with assembing the data directly into the child address space,
+ * instead, but since we cannot be guaranteed that the parent has
+ * not modified its environment, we can't really know that it's
+ * really a block there as well.
*/
-static int
-exec_handle_sugid(struct image_params *imgp)
-{
- kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
- struct proc *p = vfs_context_proc(imgp->ip_vfs_context);
- int i;
- int error = 0;
- static struct vnode *dev_null = NULLVP;
- p->p_flag &= ~P_SUGID;
- if (((imgp->ip_origvattr->va_mode & VSUID) != 0 &&
- kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
- ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
- cred->cr_gid != imgp->ip_origvattr->va_gid)) {
-#if KTRACE
- /*
- * If process is being ktraced, turn off - unless
- * root set it.
- */
- if (p->p_tracep && !(p->p_traceflag & KTRFAC_ROOT)) {
- struct vnode *tvp = p->p_tracep;
- p->p_tracep = NULL;
- p->p_traceflag = 0;
- vnode_rele(tvp);
- }
-#endif
- /*
- * Replace the credential with a copy of itself if euid or egid change.
- */
- if (imgp->ip_origvattr->va_mode & VSUID) {
- p->p_ucred = kauth_cred_seteuid(p->p_ucred, imgp->ip_origvattr->va_uid);
- }
- if (imgp->ip_origvattr->va_mode & VSGID) {
- p->p_ucred = kauth_cred_setegid(p->p_ucred, imgp->ip_origvattr->va_gid);
- }
+static int execargs_waiters = 0;
+lck_mtx_t *execargs_cache_lock;
- /*
- * Have mach reset the task port. We don't want
- * anyone who had the task port before a setuid
- * exec to be able to access/control the task
- * after.
- */
- if (current_task() == p->task)
- ipc_task_reset(p->task);
+static void
+execargs_lock_lock(void) {
+ lck_mtx_lock_spin(execargs_cache_lock);
+}
+
+static void
+execargs_lock_unlock(void) {
+ lck_mtx_unlock(execargs_cache_lock);
+}
+
+static wait_result_t
+execargs_lock_sleep(void) {
+ return(lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_INTERRUPTIBLE));
+}
- p->p_flag |= P_SUGID;
+static kern_return_t
+execargs_purgeable_allocate(char **execarg_address) {
+ kern_return_t kr = vm_allocate(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE);
+ assert(kr == KERN_SUCCESS);
+ return kr;
+}
- /* Cache the vnode for /dev/null the first time around */
- if (dev_null == NULLVP) {
- struct nameidata nd1;
+static kern_return_t
+execargs_purgeable_reference(void *execarg_address) {
+ int state = VM_PURGABLE_NONVOLATILE;
+ kern_return_t kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
- NDINIT(&nd1, LOOKUP, FOLLOW, UIO_SYSSPACE32,
- CAST_USER_ADDR_T("/dev/null"),
- imgp->ip_vfs_context);
+ assert(kr == KERN_SUCCESS);
+ return kr;
+}
- if ((error = vn_open(&nd1, FREAD, 0)) == 0) {
- dev_null = nd1.ni_vp;
- /*
- * vn_open returns with both a use_count
- * and an io_count on the found vnode
- * drop the io_count, but keep the use_count
- */
- vnode_put(nd1.ni_vp);
- }
- }
+static kern_return_t
+execargs_purgeable_volatilize(void *execarg_address) {
+ int state = VM_PURGABLE_VOLATILE | VM_PURGABLE_ORDERING_OBSOLETE;
+ kern_return_t kr;
+ kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
- /* Radar 2261856; setuid security hole fix */
- /* Patch from OpenBSD: A. Ramesh */
- /*
- * XXX For setuid processes, attempt to ensure that
- * stdin, stdout, and stderr are already allocated.
- * We do not want userland to accidentally allocate
- * descriptors in this range which has implied meaning
- * to libc.
- */
- if (dev_null != NULLVP) {
- for (i = 0; i < 3; i++) {
- struct fileproc *fp;
- int indx;
+ assert(kr == KERN_SUCCESS);
- if (p->p_fd->fd_ofiles[i] != NULL)
- continue;
+ return kr;
+}
- if ((error = falloc(p, &fp, &indx)) != 0)
- continue;
+static void
+execargs_wakeup_waiters(void) {
+ thread_wakeup(&execargs_free_count);
+}
- if ((error = vnode_ref_ext(dev_null, FREAD)) != 0) {
- fp_free(p, indx, fp);
- break;
- }
+static int
+execargs_alloc(struct image_params *imgp)
+{
+ kern_return_t kret;
+ wait_result_t res;
+ int i, cache_index = -1;
- fp->f_fglob->fg_flag = FREAD;
- fp->f_fglob->fg_type = DTYPE_VNODE;
- fp->f_fglob->fg_ops = &vnops;
- fp->f_fglob->fg_data = (caddr_t)dev_null;
-
- proc_fdlock(p);
- *fdflags(p, indx) &= ~UF_RESERVED;
- fp_drop(p, indx, fp, 1);
- proc_fdunlock(p);
- }
- /*
- * for now we need to drop the reference immediately
- * since we don't have any mechanism in place to
- * release it before starting to unmount "/dev"
- * during a reboot/shutdown
- */
- vnode_rele(dev_null);
- dev_null = NULLVP;
+ execargs_lock_lock();
+
+ while (execargs_free_count == 0) {
+ execargs_waiters++;
+ res = execargs_lock_sleep();
+ execargs_waiters--;
+ if (res != THREAD_AWAKENED) {
+ execargs_lock_unlock();
+ return (EINTR);
}
}
- /*
- * Implement the semantic where the effective user and group become
- * the saved user and group in exec'ed programs.
- */
- p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred), p->p_ucred->cr_gid);
-
- /* XXX Obsolete; security token should not be separate from cred */
- set_security_token(p);
+ execargs_free_count--;
- return(error);
-}
+ for (i = 0; i < execargs_cache_size; i++) {
+ vm_offset_t element = execargs_cache[i];
+ if (element) {
+ cache_index = i;
+ imgp->ip_strings = (char *)(execargs_cache[i]);
+ execargs_cache[i] = 0;
+ break;
+ }
+ }
-static kern_return_t
-create_unix_stack(vm_map_t map, user_addr_t user_stack, int customstack,
- struct proc *p)
-{
- mach_vm_size_t size;
- mach_vm_offset_t addr;
+ assert(execargs_free_count >= 0);
- p->user_stack = user_stack;
- if (!customstack) {
- size = mach_vm_round_page(unix_stack_size(p));
- addr = mach_vm_trunc_page(user_stack - size);
- return (mach_vm_allocate(map, &addr, size,
- VM_MAKE_TAG(VM_MEMORY_STACK) |
- VM_FLAGS_FIXED));
- } else
- return(KERN_SUCCESS);
-}
+ execargs_lock_unlock();
+
+ if (cache_index == -1) {
+ kret = execargs_purgeable_allocate(&imgp->ip_strings);
+ }
+ else
+ kret = execargs_purgeable_reference(imgp->ip_strings);
-#include <sys/reboot.h>
+ assert(kret == KERN_SUCCESS);
+ if (kret != KERN_SUCCESS) {
+ return (ENOMEM);
+ }
-static char init_program_name[128] = "/sbin/launchd";
-static const char * other_init = "/sbin/mach_init";
+ /* last page used to read in file headers */
+ imgp->ip_vdata = imgp->ip_strings + ( NCARGS + PAGE_SIZE );
+ imgp->ip_strendp = imgp->ip_strings;
+ imgp->ip_argspace = NCARGS;
+ imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
-char init_args[128] = "";
+ return (0);
+}
-struct execve_args init_exec_args;
-int init_attempts = 0;
+/*
+ * execargs_free
+ *
+ * Description: Free the block of memory used by the execve arguments and the
+ * first page of the executable by a previous call to the function
+ * execargs_alloc().
+ *
+ * Parameters: struct image_params * the image parameter block
+ *
+ * Returns: 0 Success
+ * EINVAL Invalid argument
+ * EINTR Oeration interrupted
+ */
+static int
+execargs_free(struct image_params *imgp)
+{
+ kern_return_t kret;
+ int i;
+ boolean_t needs_wakeup = FALSE;
+
+ kret = execargs_purgeable_volatilize(imgp->ip_strings);
+ execargs_lock_lock();
+ execargs_free_count++;
-void
-load_init_program(struct proc *p)
-{
- vm_offset_t init_addr;
- char *argv[3];
- int error;
- register_t retval[2];
+ for (i = 0; i < execargs_cache_size; i++) {
+ vm_offset_t element = execargs_cache[i];
+ if (element == 0) {
+ execargs_cache[i] = (vm_offset_t) imgp->ip_strings;
+ imgp->ip_strings = NULL;
+ break;
+ }
+ }
- error = 0;
+ assert(imgp->ip_strings == NULL);
- /* init_args are copied in string form directly from bootstrap */
+ if (execargs_waiters > 0)
+ needs_wakeup = TRUE;
- do {
- if (boothowto & RB_INITNAME) {
- printf("init program? ");
-#if FIXME /* [ */
- gets(init_program_name, init_program_name);
-#endif /* FIXME ] */
- }
+ execargs_lock_unlock();
- if (error && ((boothowto & RB_INITNAME) == 0) &&
- (init_attempts == 1)) {
- printf("Load of %s, errno %d, trying %s\n",
- init_program_name, error, other_init);
- error = 0;
- bcopy(other_init, init_program_name,
- sizeof(other_init));
- }
+ if (needs_wakeup == TRUE)
+ execargs_wakeup_waiters();
- init_attempts++;
+ return ((kret == KERN_SUCCESS ? 0 : EINVAL));
+}
- if (error) {
- printf("Load of %s failed, errno %d\n",
- init_program_name, error);
- error = 0;
- boothowto |= RB_INITNAME;
- continue;
- }
+static void
+exec_resettextvp(proc_t p, struct image_params *imgp)
+{
+ vnode_t vp;
+ off_t offset;
+ vnode_t tvp = p->p_textvp;
+ int ret;
+
+ vp = imgp->ip_vp;
+ offset = imgp->ip_arch_offset;
+
+ if (vp == NULLVP)
+ panic("exec_resettextvp: expected valid vp");
+
+ ret = vnode_ref(vp);
+ proc_lock(p);
+ if (ret == 0) {
+ p->p_textvp = vp;
+ p->p_textoff = offset;
+ } else {
+ p->p_textvp = NULLVP; /* this is paranoia */
+ p->p_textoff = 0;
+ }
+ proc_unlock(p);
- /*
- * Copy out program name.
- */
+ if ( tvp != NULLVP) {
+ if (vnode_getwithref(tvp) == 0) {
+ vnode_rele(tvp);
+ vnode_put(tvp);
+ }
+ }
- init_addr = VM_MIN_ADDRESS;
- (void) vm_allocate(current_map(), &init_addr,
- PAGE_SIZE, VM_FLAGS_ANYWHERE);
- if (init_addr == 0)
- init_addr++;
+}
- (void) copyout((caddr_t) init_program_name,
- CAST_USER_ADDR_T(init_addr),
- (unsigned) sizeof(init_program_name)+1);
+/*
+ * If the process is not signed or if it contains entitlements, we
+ * need to communicate through the task_access_port to taskgated.
+ *
+ * taskgated will provide a detached code signature if present, and
+ * will enforce any restrictions on entitlements.
+ */
- argv[0] = (char *) init_addr;
- init_addr += sizeof(init_program_name);
- init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
+static boolean_t
+taskgated_required(proc_t p, boolean_t *require_success)
+{
+ size_t length;
+ void *blob;
+ int error;
- /*
- * Put out first (and only) argument, similarly.
- * Assumes everything fits in a page as allocated
- * above.
- */
+ if (cs_debug > 2)
+ csvnode_print_debug(p->p_textvp);
- (void) copyout((caddr_t) init_args,
- CAST_USER_ADDR_T(init_addr),
- (unsigned) sizeof(init_args));
+ const int can_skip_taskgated = csproc_get_platform_binary(p) && !csproc_get_platform_path(p);
+ if (can_skip_taskgated) {
+ if (cs_debug) printf("taskgated not required for: %s\n", p->p_name);
+ *require_success = FALSE;
+ return FALSE;
+ }
- argv[1] = (char *) init_addr;
- init_addr += sizeof(init_args);
- init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
+ if ((p->p_csflags & CS_VALID) == 0) {
+ *require_success = FALSE;
+ return TRUE;
+ }
+ error = cs_entitlements_blob_get(p, &blob, &length);
+ if (error == 0 && blob != NULL) {
/*
- * Null-end the argument list
+ * fatal on the desktop when entitlements are present,
+ * unless we started in single-user mode
*/
-
- argv[2] = (char *) 0;
-
+ if ((boothowto & RB_SINGLE) == 0)
+ *require_success = TRUE;
/*
- * Copy out the argument list.
+ * Allow initproc to run without causing taskgated to launch
*/
-
- (void) copyout((caddr_t) argv,
- CAST_USER_ADDR_T(init_addr),
- (unsigned) sizeof(argv));
+ if (p == initproc) {
+ *require_success = FALSE;
+ return FALSE;
+ }
- /*
- * Set up argument block for fake call to execve.
- */
+ if (cs_debug) printf("taskgated required for: %s\n", p->p_name);
- init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
- init_exec_args.argp = CAST_USER_ADDR_T((char **)init_addr);
- init_exec_args.envp = CAST_USER_ADDR_T(0);
-
- /* So that mach_init task
- * is set with uid,gid 0 token
- */
- set_security_token(p);
+ return TRUE;
+ }
- error = execve(p,&init_exec_args,retval);
- } while (error);
+ *require_success = FALSE;
+ return FALSE;
}
/*
- * Convert a load_return_t to an errno.
+ * __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__
+ *
+ * Description: Waits for the userspace daemon to respond to the request
+ * we made. Function declared non inline to be visible in
+ * stackshots and spindumps as well as debugging.
*/
-static int
-load_return_to_errno(load_return_t lrtn)
+__attribute__((noinline)) int
+__EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid)
{
- switch (lrtn) {
- case LOAD_SUCCESS:
- return 0;
- case LOAD_BADARCH:
- return EBADARCH;
- case LOAD_BADMACHO:
- return EBADMACHO;
- case LOAD_SHLIB:
- return ESHLIBVERS;
- case LOAD_NOSPACE:
- case LOAD_RESOURCE:
- return ENOMEM;
- case LOAD_PROTECT:
- return EACCES;
- case LOAD_ENOENT:
- return ENOENT;
- case LOAD_IOERROR:
- return EIO;
- case LOAD_FAILURE:
- default:
- return EBADEXEC;
- }
+ return find_code_signature(task_access_port, new_pid);
}
-#include <mach/mach_types.h>
-#include <mach/vm_prot.h>
-#include <mach/semaphore.h>
-#include <mach/sync_policy.h>
-#include <kern/clock.h>
-#include <mach/kern_return.h>
-
-extern semaphore_t execve_semaphore;
-
-/*
- * The block of memory used by the execve arguments. At the same time,
- * we allocate a page so that we can read in the first page of the image.
- */
static int
-execargs_alloc(struct image_params *imgp)
+check_for_signature(proc_t p, struct image_params *imgp)
{
- kern_return_t kret;
+ mach_port_t port = NULL;
+ kern_return_t kr = KERN_FAILURE;
+ int error = EACCES;
+ boolean_t unexpected_failure = FALSE;
+ unsigned char hash[SHA1_RESULTLEN];
+ boolean_t require_success = FALSE;
+ int spawn = (imgp->ip_flags & IMGPF_SPAWN);
+ int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
- kret = semaphore_wait(execve_semaphore);
- if (kret != KERN_SUCCESS)
- switch (kret) {
- default:
- return (EINVAL);
- case KERN_INVALID_ADDRESS:
- case KERN_PROTECTION_FAILURE:
- return (EACCES);
- case KERN_ABORTED:
- case KERN_OPERATION_TIMED_OUT:
- return (EINTR);
+ /*
+ * Override inherited code signing flags with the
+ * ones for the process that is being successfully
+ * loaded
+ */
+ proc_lock(p);
+ p->p_csflags = imgp->ip_csflags;
+ proc_unlock(p);
+
+ /* Set the switch_protect flag on the map */
+ if(p->p_csflags & (CS_HARD|CS_KILL)) {
+ vm_map_switch_protect(get_task_map(p->task), TRUE);
+ }
+
+ /*
+ * image activation may be failed due to policy
+ * which is unexpected but security framework does not
+ * approve of exec, kill and return immediately.
+ */
+ if (imgp->ip_mac_return != 0) {
+ error = imgp->ip_mac_return;
+ unexpected_failure = TRUE;
+ goto done;
+ }
+
+ /* check if callout to taskgated is needed */
+ if (!taskgated_required(p, &require_success)) {
+ error = 0;
+ goto done;
+ }
+
+ kr = task_get_task_access_port(p->task, &port);
+ if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
+ error = 0;
+ if (require_success)
+ error = EACCES;
+ goto done;
+ }
+
+ /*
+ * taskgated returns KERN_SUCCESS if it has completed its work
+ * and the exec should continue, KERN_FAILURE if the exec should
+ * fail, or it may error out with different error code in an
+ * event of mig failure (e.g. process was signalled during the
+ * rpc call, taskgated died, mig server died etc.).
+ */
+
+ kr = __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(port, p->p_pid);
+ switch (kr) {
+ case KERN_SUCCESS:
+ error = 0;
+ break;
+ case KERN_FAILURE:
+ error = EACCES;
+ goto done;
+ default:
+ error = EACCES;
+ unexpected_failure = TRUE;
+ goto done;
+ }
+
+ /* Only do this if exec_resettextvp() did not fail */
+ if (p->p_textvp != NULLVP) {
+ /*
+ * If there's a new code directory, mark this process
+ * as signed.
+ */
+ if (0 == ubc_cs_getcdhash(p->p_textvp, p->p_textoff, hash)) {
+ proc_lock(p);
+ p->p_csflags |= CS_VALID;
+ proc_unlock(p);
}
+ }
- kret = kmem_alloc_pageable(bsd_pageable_map, (vm_offset_t *)&imgp->ip_strings, NCARGS + PAGE_SIZE);
- imgp->ip_vdata = imgp->ip_strings + NCARGS;
- if (kret != KERN_SUCCESS) {
- semaphore_signal(execve_semaphore);
- return (ENOMEM);
+done:
+ if (0 != error) {
+ if (!unexpected_failure)
+ p->p_csflags |= CS_KILLED;
+ /* make very sure execution fails */
+ if (vfexec || spawn) {
+ psignal_vfork(p, p->task, imgp->ip_new_thread, SIGKILL);
+ error = 0;
+ } else {
+ psignal(p, SIGKILL);
+ }
}
- return (0);
+ return error;
}
-static int
-execargs_free(struct image_params *imgp)
+/*
+ * Typically as soon as we start executing this process, the
+ * first instruction will trigger a VM fault to bring the text
+ * pages (as executable) into the address space, followed soon
+ * thereafter by dyld data structures (for dynamic executable).
+ * To optimize this, as well as improve support for hardware
+ * debuggers that can only access resident pages present
+ * in the process' page tables, we prefault some pages if
+ * possible. Errors are non-fatal.
+ */
+static void exec_prefault_data(proc_t p __unused, struct image_params *imgp, load_result_t *load_result)
{
- kern_return_t kret;
+ int ret;
+ size_t expected_all_image_infos_size;
- kmem_free(bsd_pageable_map, (vm_offset_t)imgp->ip_strings, NCARGS + PAGE_SIZE);
- imgp->ip_strings = NULL;
-
- kret = semaphore_signal(execve_semaphore);
- switch (kret) {
- case KERN_INVALID_ADDRESS:
- case KERN_PROTECTION_FAILURE:
- return (EINVAL);
- case KERN_ABORTED:
- case KERN_OPERATION_TIMED_OUT:
- return (EINTR);
- case KERN_SUCCESS:
- return(0);
- default:
- return (EINVAL);
+ /*
+ * Prefault executable or dyld entry point.
+ */
+ vm_fault(current_map(),
+ vm_map_trunc_page(load_result->entry_point,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ | VM_PROT_EXECUTE,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+
+ if (imgp->ip_flags & IMGPF_IS_64BIT) {
+ expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos);
+ } else {
+ expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos);
+ }
+
+ /* Decode dyld anchor structure from <mach-o/dyld_images.h> */
+ if (load_result->dynlinker &&
+ load_result->all_image_info_addr &&
+ load_result->all_image_info_size >= expected_all_image_infos_size) {
+ union {
+ struct user64_dyld_all_image_infos infos64;
+ struct user32_dyld_all_image_infos infos32;
+ } all_image_infos;
+
+ /*
+ * Pre-fault to avoid copyin() going through the trap handler
+ * and recovery path.
+ */
+ vm_fault(current_map(),
+ vm_map_trunc_page(load_result->all_image_info_addr,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ | VM_PROT_WRITE,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+ if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) {
+ /* all_image_infos straddles a page */
+ vm_fault(current_map(),
+ vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - 1,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ | VM_PROT_WRITE,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+ }
+
+ ret = copyin(load_result->all_image_info_addr,
+ &all_image_infos,
+ expected_all_image_infos_size);
+ if (ret == 0 && all_image_infos.infos32.version >= 9) {
+
+ user_addr_t notification_address;
+ user_addr_t dyld_image_address;
+ user_addr_t dyld_version_address;
+ user_addr_t dyld_all_image_infos_address;
+ user_addr_t dyld_slide_amount;
+
+ if (imgp->ip_flags & IMGPF_IS_64BIT) {
+ notification_address = all_image_infos.infos64.notification;
+ dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress;
+ dyld_version_address = all_image_infos.infos64.dyldVersion;
+ dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress;
+ } else {
+ notification_address = all_image_infos.infos32.notification;
+ dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress;
+ dyld_version_address = all_image_infos.infos32.dyldVersion;
+ dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress;
+ }
+
+ /*
+ * dyld statically sets up the all_image_infos in its Mach-O
+ * binary at static link time, with pointers relative to its default
+ * load address. Since ASLR might slide dyld before its first
+ * instruction is executed, "dyld_slide_amount" tells us how far
+ * dyld was loaded compared to its default expected load address.
+ * All other pointers into dyld's image should be adjusted by this
+ * amount. At some point later, dyld will fix up pointers to take
+ * into account the slide, at which point the all_image_infos_address
+ * field in the structure will match the runtime load address, and
+ * "dyld_slide_amount" will be 0, if we were to consult it again.
+ */
+
+ dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address;
+
+#if 0
+ kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
+ (uint64_t)load_result->all_image_info_addr,
+ all_image_infos.infos32.version,
+ (uint64_t)notification_address,
+ (uint64_t)dyld_image_address,
+ (uint64_t)dyld_version_address,
+ (uint64_t)dyld_all_image_infos_address);
+#endif
+
+ vm_fault(current_map(),
+ vm_map_trunc_page(notification_address + dyld_slide_amount,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ | VM_PROT_EXECUTE,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+ vm_fault(current_map(),
+ vm_map_trunc_page(dyld_image_address + dyld_slide_amount,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ | VM_PROT_EXECUTE,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+ vm_fault(current_map(),
+ vm_map_trunc_page(dyld_version_address + dyld_slide_amount,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+ vm_fault(current_map(),
+ vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount,
+ vm_map_page_mask(current_map())),
+ VM_PROT_READ | VM_PROT_WRITE,
+ FALSE,
+ THREAD_UNINT, NULL, 0);
+ }
}
}
projects / apple / xnu.git / blobdiff