+ for (copycnt = 0; copycnt < psmx->psmx_count; copycnt++) {
+ _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt];
+ void *data = NULL;
+
+ MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK);
+ if ((error = copyin(extension->data, data, extension->datalen)) != 0) {
+ FREE(data, M_TEMP);
+ goto bad;
+ }
+ extension->datap = data;
+ }
+
+ *psmxp = psmx;
+ return 0;
+
+bad:
+ if (psmx != NULL) {
+ for (i = 0; i < copycnt; i++) {
+ FREE(psmx->psmx_extensions[i].datap, M_TEMP);
+ }
+ FREE(psmx, M_TEMP);
+ }
+ return error;
+}
+
+static void
+spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx)
+{
+ int i;
+
+ if (psmx == NULL) {
+ return;
+ }
+ for (i = 0; i < psmx->psmx_count; i++) {
+ FREE(psmx->psmx_extensions[i].datap, M_TEMP);
+ }
+ FREE(psmx, M_TEMP);
+}
+#endif /* CONFIG_MACF */
+
+#if CONFIG_COALITIONS
+static inline void
+spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES])
+{
+ for (int c = 0; c < COALITION_NUM_TYPES; c++) {
+ if (coal[c]) {
+ coalition_remove_active(coal[c]);
+ coalition_release(coal[c]);
+ }
+ }
+}
+#endif
+
+#if CONFIG_PERSONAS
+static int
+spawn_validate_persona(struct _posix_spawn_persona_info *px_persona)
+{
+ int error = 0;
+ struct persona *persona = NULL;
+ int verify = px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_VERIFY;
+
+ if (!IOTaskHasEntitlement(current_task(), PERSONA_MGMT_ENTITLEMENT)) {
+ return EPERM;
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+ if (px_persona->pspi_ngroups > NGROUPS_MAX) {
+ return EINVAL;
+ }
+ }
+
+ persona = persona_lookup(px_persona->pspi_id);
+ if (!persona) {
+ error = ESRCH;
+ goto out;
+ }
+
+ if (verify) {
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+ if (px_persona->pspi_uid != persona_get_uid(persona)) {
+ error = EINVAL;
+ goto out;
+ }
+ }
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+ if (px_persona->pspi_gid != persona_get_gid(persona)) {
+ error = EINVAL;
+ goto out;
+ }
+ }
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+ unsigned ngroups = 0;
+ gid_t groups[NGROUPS_MAX];
+
+ if (persona_get_groups(persona, &ngroups, groups,
+ px_persona->pspi_ngroups) != 0) {
+ error = EINVAL;
+ goto out;
+ }
+ if (ngroups != px_persona->pspi_ngroups) {
+ error = EINVAL;
+ goto out;
+ }
+ while (ngroups--) {
+ if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
+ error = EINVAL;
+ goto out;
+ }
+ }
+ if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
+ error = EINVAL;
+ goto out;
+ }
+ }
+ }
+
+out:
+ if (persona) {
+ persona_put(persona);
+ }
+
+ return error;
+}
+
+static int
+spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
+{
+ int ret;
+ kauth_cred_t cred;
+ struct persona *persona = NULL;
+ int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
+
+ if (!override) {
+ return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
+ }
+
+ /*
+ * we want to spawn into the given persona, but we want to override
+ * the kauth with a different UID/GID combo
+ */
+ persona = persona_lookup(px_persona->pspi_id);
+ if (!persona) {
+ return ESRCH;
+ }
+
+ cred = persona_get_cred(persona);
+ if (!cred) {
+ ret = EINVAL;
+ goto out;
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+ cred = kauth_cred_setresuid(cred,
+ px_persona->pspi_uid,
+ px_persona->pspi_uid,
+ px_persona->pspi_uid,
+ KAUTH_UID_NONE);
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+ cred = kauth_cred_setresgid(cred,
+ px_persona->pspi_gid,
+ px_persona->pspi_gid,
+ px_persona->pspi_gid);
+ }
+
+ if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+ cred = kauth_cred_setgroups(cred,
+ px_persona->pspi_groups,
+ px_persona->pspi_ngroups,
+ px_persona->pspi_gmuid);
+ }
+
+ ret = persona_proc_adopt(p, persona, cred);
+
+out:
+ persona_put(persona);
+ return ret;
+}
+#endif
+
+#if __arm64__
+extern int legacy_footprint_entitlement_mode;
+static inline void
+proc_legacy_footprint_entitled(proc_t p, task_t task, const char *caller)
+{
+#pragma unused(p, caller)
+ boolean_t legacy_footprint_entitled;
+
+ switch (legacy_footprint_entitlement_mode) {
+ case LEGACY_FOOTPRINT_ENTITLEMENT_IGNORE:
+ /* the entitlement is ignored */
+ break;
+ case LEGACY_FOOTPRINT_ENTITLEMENT_IOS11_ACCT:
+ /* the entitlement grants iOS11 legacy accounting */
+ legacy_footprint_entitled = IOTaskHasEntitlement(task,
+ "com.apple.private.memory.legacy_footprint");
+ if (legacy_footprint_entitled) {
+ task_set_legacy_footprint(task);
+ }
+ break;
+ case LEGACY_FOOTPRINT_ENTITLEMENT_LIMIT_INCREASE:
+ /* the entitlement grants a footprint limit increase */
+ legacy_footprint_entitled = IOTaskHasEntitlement(task,
+ "com.apple.private.memory.legacy_footprint");
+ if (legacy_footprint_entitled) {
+ task_set_extra_footprint_limit(task);
+ }
+ break;
+ default:
+ break;
+ }
+}
+
+static inline void
+proc_ios13extended_footprint_entitled(proc_t p, task_t task, const char *caller)
+{
+#pragma unused(p, caller)
+ boolean_t ios13extended_footprint_entitled;
+
+ /* the entitlement grants a footprint limit increase */
+ ios13extended_footprint_entitled = IOTaskHasEntitlement(task,
+ "com.apple.developer.memory.ios13extended_footprint");
+ if (ios13extended_footprint_entitled) {
+ task_set_ios13extended_footprint_limit(task);
+ }
+}
+#endif /* __arm64__ */
+
+/*
+ * Apply a modification on the proc's kauth cred until it converges.
+ *
+ * `update` consumes its argument to return a new kauth cred.
+ */
+static void
+apply_kauth_cred_update(proc_t p,
+ kauth_cred_t (^update)(kauth_cred_t orig_cred))
+{
+ kauth_cred_t my_cred, my_new_cred;
+
+ my_cred = kauth_cred_proc_ref(p);
+ for (;;) {
+ my_new_cred = update(my_cred);
+ if (my_cred == my_new_cred) {
+ kauth_cred_unref(&my_new_cred);
+ break;
+ }
+
+ /* try update cred on proc */
+ proc_ucred_lock(p);
+
+ if (p->p_ucred == my_cred) {
+ /* base pointer didn't change, donate our ref */
+ p->p_ucred = my_new_cred;
+ PROC_UPDATE_CREDS_ONPROC(p);
+ proc_ucred_unlock(p);
+
+ /* drop p->p_ucred reference */
+ kauth_cred_unref(&my_cred);
+ break;
+ }
+
+ /* base pointer changed, retry */
+ my_cred = p->p_ucred;
+ kauth_cred_ref(my_cred);
+ proc_ucred_unlock(p);
+
+ kauth_cred_unref(&my_new_cred);
+ }
+}
+
+static int
+spawn_posix_cred_adopt(proc_t p,
+ struct _posix_spawn_posix_cred_info *px_pcred_info)
+{
+ int error = 0;
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GID) {
+ struct setgid_args args = {
+ .gid = px_pcred_info->pspci_gid,
+ };
+ error = setgid(p, &args, NULL);
+ if (error) {
+ return error;
+ }
+ }
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GROUPS) {
+ error = setgroups_internal(p,
+ px_pcred_info->pspci_ngroups,
+ px_pcred_info->pspci_groups,
+ px_pcred_info->pspci_gmuid);
+ if (error) {
+ return error;
+ }
+ }
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_UID) {
+ struct setuid_args args = {
+ .uid = px_pcred_info->pspci_uid,
+ };
+ error = setuid(p, &args, NULL);
+ if (error) {
+ return error;
+ }
+ }
+ return 0;
+}
+
+/*
+ * posix_spawn
+ *
+ * Parameters: uap->pid Pointer to pid return area
+ * uap->fname File name to exec
+ * uap->argp Argument list
+ * uap->envp Environment list
+ *
+ * Returns: 0 Success
+ * EINVAL Invalid argument
+ * ENOTSUP Not supported
+ * ENOEXEC Executable file format error
+ * exec_activate_image:EINVAL Invalid argument
+ * exec_activate_image:EACCES Permission denied
+ * exec_activate_image:EINTR Interrupted function
+ * exec_activate_image:ENOMEM Not enough space
+ * exec_activate_image:EFAULT Bad address
+ * exec_activate_image:ENAMETOOLONG Filename too long
+ * exec_activate_image:ENOEXEC Executable file format error
+ * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
+ * exec_activate_image:EAUTH Image decryption failed
+ * exec_activate_image:EBADEXEC The executable is corrupt/unknown
+ * exec_activate_image:???
+ * mac_execve_enter:???
+ *
+ * TODO: Expect to need __mac_posix_spawn() at some point...
+ * Handle posix_spawnattr_t
+ * Handle posix_spawn_file_actions_t
+ */
+int
+posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
+{
+ proc_t p = ap; /* quiet bogus GCC vfork() warning */
+ user_addr_t pid = uap->pid;
+ int ival[2]; /* dummy retval for setpgid() */
+ char *bufp = NULL;
+ struct image_params *imgp;
+ struct vnode_attr *vap;
+ struct vnode_attr *origvap;
+ struct uthread *uthread = 0; /* compiler complains if not set to 0*/
+ int error, sig;
+ int is_64 = IS_64BIT_PROCESS(p);
+ struct vfs_context context;
+ struct user__posix_spawn_args_desc px_args;
+ struct _posix_spawnattr px_sa;
+ _posix_spawn_file_actions_t px_sfap = NULL;
+ _posix_spawn_port_actions_t px_spap = NULL;
+ struct __kern_sigaction vec;
+ boolean_t spawn_no_exec = FALSE;
+ boolean_t proc_transit_set = TRUE;
+ boolean_t exec_done = FALSE;
+ struct exec_port_actions port_actions = { };
+ vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
+ task_t old_task = current_task();
+ task_t new_task = NULL;
+ boolean_t should_release_proc_ref = FALSE;
+ void *inherit = NULL;
+#if CONFIG_PERSONAS
+ struct _posix_spawn_persona_info *px_persona = NULL;
+#endif
+ struct _posix_spawn_posix_cred_info *px_pcred_info = NULL;
+
+ /*
+ * Allocate a big chunk for locals instead of using stack since these
+ * structures are pretty big.
+ */
+ MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
+ imgp = (struct image_params *) bufp;
+ if (bufp == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ vap = (struct vnode_attr *) (bufp + sizeof(*imgp));
+ origvap = (struct vnode_attr *) (bufp + sizeof(*imgp) + sizeof(*vap));
+
+ /* Initialize the common data in the image_params structure */
+ imgp->ip_user_fname = uap->path;
+ imgp->ip_user_argv = uap->argv;
+ imgp->ip_user_envv = uap->envp;
+ imgp->ip_vattr = vap;
+ imgp->ip_origvattr = origvap;
+ imgp->ip_vfs_context = &context;
+ imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE);
+ imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
+ imgp->ip_mac_return = 0;
+ imgp->ip_px_persona = NULL;
+ imgp->ip_px_pcred_info = NULL;
+ imgp->ip_cs_error = OS_REASON_NULL;
+ imgp->ip_simulator_binary = IMGPF_SB_DEFAULT;
+
+ if (uap->adesc != USER_ADDR_NULL) {
+ if (is_64) {
+ error = copyin(uap->adesc, &px_args, sizeof(px_args));
+ } else {
+ struct user32__posix_spawn_args_desc px_args32;
+
+ error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
+
+ /*
+ * Convert arguments descriptor from external 32 bit
+ * representation to internal 64 bit representation
+ */
+ px_args.attr_size = px_args32.attr_size;
+ px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
+ px_args.file_actions_size = px_args32.file_actions_size;
+ px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
+ px_args.port_actions_size = px_args32.port_actions_size;
+ px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
+ px_args.mac_extensions_size = px_args32.mac_extensions_size;
+ px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
+ px_args.coal_info_size = px_args32.coal_info_size;
+ px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
+ px_args.persona_info_size = px_args32.persona_info_size;
+ px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
+ px_args.posix_cred_info_size = px_args32.posix_cred_info_size;
+ px_args.posix_cred_info = CAST_USER_ADDR_T(px_args32.posix_cred_info);
+ }
+ if (error) {
+ goto bad;
+ }
+
+ if (px_args.attr_size != 0) {
+ /*
+ * We are not copying the port_actions pointer,
+ * because we already have it from px_args.
+ * This is a bit fragile: <rdar://problem/16427422>
+ */
+
+ if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset)) != 0) {
+ goto bad;
+ }
+
+ bzero((void *)((unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );
+
+ imgp->ip_px_sa = &px_sa;
+ }
+ if (px_args.file_actions_size != 0) {
+ /* Limit file_actions to allowed number of open files */
+ int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
+ size_t maxfa_size = PSF_ACTIONS_SIZE(maxfa);
+ if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
+ maxfa_size == 0 || px_args.file_actions_size > maxfa_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
+ if (px_sfap == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_sfa = px_sfap;
+
+ if ((error = copyin(px_args.file_actions, px_sfap,
+ px_args.file_actions_size)) != 0) {
+ goto bad;
+ }
+
+ /* Verify that the action count matches the struct size */
+ size_t psfsize = PSF_ACTIONS_SIZE(px_sfap->psfa_act_count);
+ if (psfsize == 0 || psfsize != px_args.file_actions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+ if (px_args.port_actions_size != 0) {
+ /* Limit port_actions to one page of data */
+ if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
+ px_args.port_actions_size > PAGE_SIZE) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ MALLOC(px_spap, _posix_spawn_port_actions_t,
+ px_args.port_actions_size, M_TEMP, M_WAITOK);
+ if (px_spap == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_spa = px_spap;
+
+ if ((error = copyin(px_args.port_actions, px_spap,
+ px_args.port_actions_size)) != 0) {
+ goto bad;
+ }
+
+ /* Verify that the action count matches the struct size */
+ size_t pasize = PS_PORT_ACTIONS_SIZE(px_spap->pspa_count);
+ if (pasize == 0 || pasize != px_args.port_actions_size) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+#if CONFIG_PERSONAS
+ /* copy in the persona info */
+ if (px_args.persona_info_size != 0 && px_args.persona_info != 0) {
+ /* for now, we need the exact same struct in user space */
+ if (px_args.persona_info_size != sizeof(*px_persona)) {
+ error = ERANGE;
+ goto bad;
+ }
+
+ MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK | M_ZERO);
+ if (px_persona == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_persona = px_persona;
+
+ if ((error = copyin(px_args.persona_info, px_persona,
+ px_args.persona_info_size)) != 0) {
+ goto bad;
+ }
+ if ((error = spawn_validate_persona(px_persona)) != 0) {
+ goto bad;
+ }
+ }
+#endif
+ /* copy in the posix cred info */
+ if (px_args.posix_cred_info_size != 0 && px_args.posix_cred_info != 0) {
+ /* for now, we need the exact same struct in user space */
+ if (px_args.posix_cred_info_size != sizeof(*px_pcred_info)) {
+ error = ERANGE;
+ goto bad;
+ }
+
+ if (!kauth_cred_issuser(kauth_cred_get())) {
+ error = EPERM;
+ goto bad;
+ }
+
+ MALLOC(px_pcred_info, struct _posix_spawn_posix_cred_info *,
+ px_args.posix_cred_info_size, M_TEMP, M_WAITOK | M_ZERO);
+ if (px_pcred_info == NULL) {
+ error = ENOMEM;
+ goto bad;
+ }
+ imgp->ip_px_pcred_info = px_pcred_info;
+
+ if ((error = copyin(px_args.posix_cred_info, px_pcred_info,
+ px_args.posix_cred_info_size)) != 0) {
+ goto bad;
+ }
+
+ if (px_pcred_info->pspci_flags & POSIX_SPAWN_POSIX_CRED_GROUPS) {
+ if (px_pcred_info->pspci_ngroups > NGROUPS_MAX) {
+ error = EINVAL;
+ goto bad;
+ }
+ }
+ }
+#if CONFIG_MACF
+ if (px_args.mac_extensions_size != 0) {
+ if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0) {
+ goto bad;
+ }
+ }
+#endif /* CONFIG_MACF */
+ }
+
+ /* set uthread to parent */
+ uthread = get_bsdthread_info(current_thread());
+
+ /*
+ * <rdar://6640530>; this does not result in a behaviour change
+ * relative to Leopard, so there should not be any existing code
+ * which depends on it.
+ */
+ if (uthread->uu_flag & UT_VFORK) {
+ error = EINVAL;
+ goto bad;
+ }
+
+ if (imgp->ip_px_sa != NULL) {
+ struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+ if ((error = exec_validate_spawnattr_policy(psa->psa_apptype)) != 0) {
+ goto bad;
+ }
+ }
+
+ /*
+ * If we don't have the extension flag that turns "posix_spawn()"
+ * into "execve() with options", then we will be creating a new
+ * process which does not inherit memory from the parent process,
+ * which is one of the most expensive things about using fork()
+ * and execve().
+ */
+ if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)) {
+ /* Set the new task's coalition, if it is requested. */
+ coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
+#if CONFIG_COALITIONS
+ int i, ncoals;
+ kern_return_t kr = KERN_SUCCESS;
+ struct _posix_spawn_coalition_info coal_info;
+ int coal_role[COALITION_NUM_TYPES];
+
+ if (imgp->ip_px_sa == NULL || !px_args.coal_info) {
+ goto do_fork1;
+ }
+
+ memset(&coal_info, 0, sizeof(coal_info));
+
+ if (px_args.coal_info_size > sizeof(coal_info)) {
+ px_args.coal_info_size = sizeof(coal_info);
+ }
+ error = copyin(px_args.coal_info,
+ &coal_info, px_args.coal_info_size);
+ if (error != 0) {
+ goto bad;
+ }
+
+ ncoals = 0;
+ for (i = 0; i < COALITION_NUM_TYPES; i++) {
+ uint64_t cid = coal_info.psci_info[i].psci_id;
+ if (cid != 0) {
+ /*
+ * don't allow tasks which are not in a
+ * privileged coalition to spawn processes
+ * into coalitions other than their own
+ */
+ if (!task_is_in_privileged_coalition(p->task, i)) {
+ coal_dbg("ERROR: %d not in privilegd "
+ "coalition of type %d",
+ p->p_pid, i);
+ spawn_coalitions_release_all(coal);
+ error = EPERM;
+ goto bad;
+ }
+
+ coal_dbg("searching for coalition id:%llu", cid);
+ /*
+ * take a reference and activation on the
+ * coalition to guard against free-while-spawn
+ * races
+ */
+ coal[i] = coalition_find_and_activate_by_id(cid);
+ if (coal[i] == COALITION_NULL) {
+ coal_dbg("could not find coalition id:%llu "
+ "(perhaps it has been terminated or reaped)", cid);
+ /*
+ * release any other coalition's we
+ * may have a reference to
+ */
+ spawn_coalitions_release_all(coal);
+ error = ESRCH;
+ goto bad;
+ }
+ if (coalition_type(coal[i]) != i) {
+ coal_dbg("coalition with id:%lld is not of type:%d"
+ " (it's type:%d)", cid, i, coalition_type(coal[i]));
+ error = ESRCH;
+ goto bad;
+ }
+ coal_role[i] = coal_info.psci_info[i].psci_role;
+ ncoals++;
+ }
+ }
+ if (ncoals < COALITION_NUM_TYPES) {
+ /*
+ * If the user is attempting to spawn into a subset of
+ * the known coalition types, then make sure they have
+ * _at_least_ specified a resource coalition. If not,
+ * the following fork1() call will implicitly force an
+ * inheritance from 'p' and won't actually spawn the
+ * new task into the coalitions the user specified.
+ * (also the call to coalitions_set_roles will panic)
projects / apple / xnu.git / blobdiff