]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/kern/kern_exec.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-3248.50.21.tar.gz
[apple/xnu.git] / bsd / kern / kern_exec.c
diff --git a/bsd/kern/kern_exec.c b/bsd/kern/kern_exec.c
index 4f17498f4e8d6aa2ea178893ecc119ae8029235b..20b1f0317a610aa49e332cbc21555defa5903312 100644 (file)
--- a/bsd/kern/kern_exec.c
+++ b/bsd/kern/kern_exec.c
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2000-2007 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2011 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -33,8 +33,6 @@
  * the terms and conditions for use and redistribution.
  */
  
  * the terms and conditions for use and redistribution.
  */
  
-#include <cputypes.h>
-
 /*-
  * Copyright (c) 1982, 1986, 1991, 1993
  *     The Regents of the University of California.  All rights reserved.
 /*-
  * Copyright (c) 1982, 1986, 1991, 1993
  *     The Regents of the University of California.  All rights reserved.
@@ -81,6 +79,7 @@
  * Version 2.0.
  */
 #include <machine/reg.h>
  * Version 2.0.
  */
 #include <machine/reg.h>
+#include <machine/cpu_capabilities.h>
 
 #include <sys/param.h>
 #include <sys/systm.h>
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -103,15 +102,19 @@
 #include <sys/signal.h>
 #include <sys/aio_kern.h>
 #include <sys/sysproto.h>
 #include <sys/signal.h>
 #include <sys/aio_kern.h>
 #include <sys/sysproto.h>
+#include <sys/persona.h>
 #if SYSV_SHM
 #include <sys/shm_internal.h>          /* shmexec() */
 #endif
 #include <sys/ubc_internal.h>          /* ubc_map() */
 #include <sys/spawn.h>
 #include <sys/spawn_internal.h>
 #if SYSV_SHM
 #include <sys/shm_internal.h>          /* shmexec() */
 #endif
 #include <sys/ubc_internal.h>          /* ubc_map() */
 #include <sys/spawn.h>
 #include <sys/spawn_internal.h>
+#include <sys/process_policy.h>
 #include <sys/codesign.h>
 #include <crypto/sha1.h>
 
 #include <sys/codesign.h>
 #include <crypto/sha1.h>
 
+#include <libkern/libkern.h>
+
 #include <security/audit/audit.h>
 
 #include <ipc/ipc_types.h>
 #include <security/audit/audit.h>
 
 #include <ipc/ipc_types.h>
@@ -128,6 +131,9 @@
 #include <kern/sched_prim.h> /* thread_wakeup() */
 #include <kern/affinity.h>
 #include <kern/assert.h>
 #include <kern/sched_prim.h> /* thread_wakeup() */
 #include <kern/affinity.h>
 #include <kern/assert.h>
+#include <kern/task.h>
+#include <kern/coalition.h>
+#include <kern/kalloc.h>
 
 #if CONFIG_MACF
 #include <security/mac.h>
 
 #if CONFIG_MACF
 #include <security/mac.h>
@@ -138,23 +144,39 @@
 #include <vm/vm_kern.h>
 #include <vm/vm_protos.h>
 #include <vm/vm_kern.h>
 #include <vm/vm_kern.h>
 #include <vm/vm_protos.h>
 #include <vm/vm_kern.h>
+#include <vm/vm_fault.h>
+#include <vm/vm_pageout.h>
+
+#include <kdp/kdp_dyld.h>
 
 
+#include <machine/pal_routines.h>
+
+#include <pexpert/pexpert.h>
+
+#if CONFIG_MEMORYSTATUS
+#include <sys/kern_memorystatus.h>
+#endif
 
 #if CONFIG_DTRACE
 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
 extern void (*dtrace_fasttrap_exec_ptr)(proc_t);
 
 #if CONFIG_DTRACE
 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
 extern void (*dtrace_fasttrap_exec_ptr)(proc_t);
+extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
 extern void (*dtrace_helpers_cleanup)(proc_t);
 extern void dtrace_lazy_dofs_destroy(proc_t);
 
 extern void (*dtrace_helpers_cleanup)(proc_t);
 extern void dtrace_lazy_dofs_destroy(proc_t);
 
+/*
+ * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
+ * we will store its value before actually calling it.
+ */
+static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL;
+
 #include <sys/dtrace_ptss.h>
 #endif
 
 /* support for child creation in exec after vfork */
 #include <sys/dtrace_ptss.h>
 #endif
 
 /* support for child creation in exec after vfork */
-thread_t fork_create_child(task_t parent_task, proc_t child_proc, int inherit_memory, int is64bit);
+thread_t fork_create_child(task_t parent_task, coalition_t *parent_coalition, proc_t child_proc, int inherit_memory, int is64bit);
 void vfork_exit(proc_t p, int rv);
 void vfork_exit(proc_t p, int rv);
-int setsigvec(proc_t, thread_t, int, struct __kern_sigaction *, boolean_t in_sigstart);
-void workqueue_exit(struct proc *);
-
+extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
 
 /*
  * Mach things for which prototypes are unavailable from Mach headers
 
 /*
  * Mach things for which prototypes are unavailable from Mach headers
@@ -170,8 +192,14 @@ kern_return_t ipc_object_copyin(
        ipc_object_t            *objectp);
 void ipc_port_release_send(ipc_port_t);
 
        ipc_object_t            *objectp);
 void ipc_port_release_send(ipc_port_t);
 
+#if DEVELOPMENT || DEBUG
+void task_importance_update_owner_info(task_t);
+#endif
+
 extern struct savearea *get_user_regs(thread_t);
 extern struct savearea *get_user_regs(thread_t);
+extern kern_return_t machine_thread_neon_state_initialize(thread_t thread);
 
 
+__attribute__((noinline)) int __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid);
 
 #include <kern/thread.h>
 #include <kern/task.h>
 
 #include <kern/thread.h>
 #include <kern/task.h>
@@ -186,29 +214,25 @@ extern struct savearea *get_user_regs(thread_t);
 #include <sys/sdt.h>
 
 
 #include <sys/sdt.h>
 
 
-/*
- * SIZE_MAXPTR         The maximum size of a user space pointer, in bytes
- * SIZE_IMG_STRSPACE   The available string space, minus two pointers; we
- *                     define it interms of the maximum, since we don't
- *                     know the pointer size going in, until after we've
- *                     parsed the executable image.
- */
-#define        SIZE_MAXPTR             8                               /* 64 bits */
-#define        SIZE_IMG_STRSPACE       (NCARGS - 2 * SIZE_MAXPTR)
-
 /*
  * EAI_ITERLIMIT       The maximum number of times to iterate an image
  *                     activator in exec_activate_image() before treating
  *                     it as malformed/corrupt.
  */
 /*
  * EAI_ITERLIMIT       The maximum number of times to iterate an image
  *                     activator in exec_activate_image() before treating
  *                     it as malformed/corrupt.
  */
-#define EAI_ITERLIMIT          10
+#define EAI_ITERLIMIT          3
+
+/*
+ * For #! interpreter parsing
+ */
+#define IS_WHITESPACE(ch) ((ch == ' ') || (ch == '\t'))
+#define IS_EOL(ch) ((ch == '#') || (ch == '\n'))
 
 extern vm_map_t bsd_pageable_map;
 
 extern vm_map_t bsd_pageable_map;
-extern struct fileops vnops;
+extern const struct fileops vnops;
 
 
-#define        ROUND_PTR(type, addr)   \
-       (type *)( ( (uintptr_t)(addr) + 16 - 1) \
-                 & ~(16 - 1) )
+#define        USER_ADDR_ALIGN(addr, val) \
+       ( ( (user_addr_t)(addr) + (val) - 1) \
+               & ~((val) - 1) )
 
 struct image_params;   /* Forward */
 static int exec_activate_image(struct image_params *imgp);
 
 struct image_params;   /* Forward */
 static int exec_activate_image(struct image_params *imgp);
@@ -218,26 +242,28 @@ static int execargs_alloc(struct image_params *imgp);
 static int execargs_free(struct image_params *imgp);
 static int exec_check_permissions(struct image_params *imgp);
 static int exec_extract_strings(struct image_params *imgp);
 static int execargs_free(struct image_params *imgp);
 static int exec_check_permissions(struct image_params *imgp);
 static int exec_extract_strings(struct image_params *imgp);
+static int exec_add_apple_strings(struct image_params *imgp);
 static int exec_handle_sugid(struct image_params *imgp);
 static int sugid_scripts = 0;
 static int exec_handle_sugid(struct image_params *imgp);
 static int sugid_scripts = 0;
-SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW, &sugid_scripts, 0, "");
-static kern_return_t create_unix_stack(vm_map_t map, user_addr_t user_stack,
-                                       int customstack, proc_t p);
+SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, "");
+static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p);
 static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
 static void exec_resettextvp(proc_t, struct image_params *);
 static int check_for_signature(proc_t, struct image_params *);
 static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
 static void exec_resettextvp(proc_t, struct image_params *);
 static int check_for_signature(proc_t, struct image_params *);
-
-/* We don't want this one exported */
-__private_extern__
-int  open1(vfs_context_t, struct nameidata *, int, struct vnode_attr *, int32_t *);
+static void exec_prefault_data(proc_t, struct image_params *, load_result_t *);
+static errno_t exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports);
+static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
+                             ipc_port_t * portwatch_ports, int portwatch_count);
 
 /*
 
 /*
- * exec_add_string
+ * exec_add_user_string
  *
  * Add the requested string to the string space area.
  *
  * Parameters; struct image_params *           image parameter block
  *             user_addr_t                     string to add to strings area
  *
  * Add the requested string to the string space area.
  *
  * Parameters; struct image_params *           image parameter block
  *             user_addr_t                     string to add to strings area
+ *             int                             segment from which string comes
+ *             boolean_t                       TRUE if string contributes to NCARGS
  *
  * Returns:    0                       Success
  *             !0                      Failure errno from copyinstr()
  *
  * Returns:    0                       Success
  *             !0                      Failure errno from copyinstr()
@@ -245,43 +271,60 @@ int  open1(vfs_context_t, struct nameidata *, int, struct vnode_attr *, int32_t
  * Implicit returns:
  *             (imgp->ip_strendp)      updated location of next add, if any
  *             (imgp->ip_strspace)     updated byte count of space remaining
  * Implicit returns:
  *             (imgp->ip_strendp)      updated location of next add, if any
  *             (imgp->ip_strspace)     updated byte count of space remaining
+ *             (imgp->ip_argspace) updated byte count of space in NCARGS
  */
 static int
  */
 static int
-exec_add_string(struct image_params *imgp, user_addr_t str)
+exec_add_user_string(struct image_params *imgp, user_addr_t str, int seg, boolean_t is_ncargs)
 {
 {
-        int error = 0;
-
-        do {
-                size_t len = 0;
-               if (imgp->ip_strspace <= 0) {
+       int error = 0;
+       
+       do {
+               size_t len = 0;
+               int space;
+               
+               if (is_ncargs)
+                       space = imgp->ip_argspace; /* by definition smaller than ip_strspace */
+               else
+                       space = imgp->ip_strspace;
+               
+               if (space <= 0) {
                        error = E2BIG;
                        break;
                }
                        error = E2BIG;
                        break;
                }
-               if (!UIO_SEG_IS_USER_SPACE(imgp->ip_seg)) {
+               
+               if (!UIO_SEG_IS_USER_SPACE(seg)) {
                        char *kstr = CAST_DOWN(char *,str);     /* SAFE */
                        char *kstr = CAST_DOWN(char *,str);     /* SAFE */
-                       error = copystr(kstr, imgp->ip_strendp, imgp->ip_strspace, &len);
+                       error = copystr(kstr, imgp->ip_strendp, space, &len);
                } else  {
                } else  {
-                       error = copyinstr(str, imgp->ip_strendp, imgp->ip_strspace,
-                           &len);
+                       error = copyinstr(str, imgp->ip_strendp, space, &len);
                }
                }
+
                imgp->ip_strendp += len;
                imgp->ip_strspace -= len;
                imgp->ip_strendp += len;
                imgp->ip_strspace -= len;
+               if (is_ncargs)
+                       imgp->ip_argspace -= len;
+               
        } while (error == ENAMETOOLONG);
        } while (error == ENAMETOOLONG);
-
+       
        return error;
 }
 
        return error;
 }
 
+/*
+ * dyld is now passed the executable path as a getenv-like variable
+ * in the same fashion as the stack_guard and malloc_entropy keys.
+ */
+#define        EXECUTABLE_KEY "executable_path="
+
 /*
  * exec_save_path
  *
  * To support new app package launching for Mac OS X, the dyld needs the
  * first argument to execve() stored on the user stack.
  *
 /*
  * exec_save_path
  *
  * To support new app package launching for Mac OS X, the dyld needs the
  * first argument to execve() stored on the user stack.
  *
- * Save the executable path name at the top of the strings area and set
+ * Save the executable path name at the bottom of the strings area and set
  * the argument vector pointer to the location following that to indicate
  * the start of the argument and environment tuples, setting the remaining
  * the argument vector pointer to the location following that to indicate
  * the start of the argument and environment tuples, setting the remaining
- * string space count to the size of the string area minus the path length
- * and a reserve for two pointers.
+ * string space count to the size of the string area minus the path length.
  *
  * Parameters; struct image_params *           image parameter block
  *             char *                          path used to invoke program
  *
  * Parameters; struct image_params *           image parameter block
  *             char *                          path used to invoke program
@@ -295,8 +338,9 @@ exec_add_string(struct image_params *imgp, user_addr_t str)
  * Implicit returns:
  *             (imgp->ip_strings)              saved path
  *             (imgp->ip_strspace)             space remaining in ip_strings
  * Implicit returns:
  *             (imgp->ip_strings)              saved path
  *             (imgp->ip_strspace)             space remaining in ip_strings
- *             (imgp->ip_argv)                 beginning of argument list
  *             (imgp->ip_strendp)              start of remaining copy area
  *             (imgp->ip_strendp)              start of remaining copy area
+ *             (imgp->ip_argspace)             space remaining of NCARGS
+ *             (imgp->ip_applec)               Initial applev[0]
  *
  * Note:       We have to do this before the initial namei() since in the
  *             path contains symbolic links, namei() will overwrite the
  *
  * Note:       We have to do this before the initial namei() since in the
  *             path contains symbolic links, namei() will overwrite the
@@ -306,24 +350,26 @@ exec_add_string(struct image_params *imgp, user_addr_t str)
  *             unacceptable for dyld.
  */
 static int
  *             unacceptable for dyld.
  */
 static int
-exec_save_path(struct image_params *imgp, user_addr_t path, int seg)
+exec_save_path(struct image_params *imgp, user_addr_t path, int seg, const char **excpath)
 {
        int error;
 {
        int error;
-       size_t  len;
-       char *kpath = CAST_DOWN(char *,path);   /* SAFE */
+       size_t len;
+       char *kpath;
 
 
-       imgp->ip_strendp = imgp->ip_strings;
-       imgp->ip_strspace = SIZE_IMG_STRSPACE;
+       // imgp->ip_strings can come out of a cache, so we need to obliterate the
+       // old path.
+       memset(imgp->ip_strings, '\0', strlen(EXECUTABLE_KEY) + MAXPATHLEN);
 
        len = MIN(MAXPATHLEN, imgp->ip_strspace);
 
        switch(seg) {
        case UIO_USERSPACE32:
        case UIO_USERSPACE64:   /* Same for copyin()... */
 
        len = MIN(MAXPATHLEN, imgp->ip_strspace);
 
        switch(seg) {
        case UIO_USERSPACE32:
        case UIO_USERSPACE64:   /* Same for copyin()... */
-               error = copyinstr(path, imgp->ip_strings, len, &len);
+               error = copyinstr(path, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
                break;
        case UIO_SYSSPACE:
                break;
        case UIO_SYSSPACE:
-               error = copystr(kpath, imgp->ip_strings, len, &len);
+               kpath = CAST_DOWN(char *,path); /* SAFE */
+               error = copystr(kpath, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
                break;
        default:
                error = EFAULT;
                break;
        default:
                error = EFAULT;
@@ -331,111 +377,58 @@ exec_save_path(struct image_params *imgp, user_addr_t path, int seg)
        }
 
        if (!error) {
        }
 
        if (!error) {
+               bcopy(EXECUTABLE_KEY, imgp->ip_strings, strlen(EXECUTABLE_KEY));
+               len += strlen(EXECUTABLE_KEY);
+
                imgp->ip_strendp += len;
                imgp->ip_strspace -= len;
                imgp->ip_strendp += len;
                imgp->ip_strspace -= len;
-               imgp->ip_argv = imgp->ip_strendp;
+
+               if (excpath) {
+                       *excpath = imgp->ip_strings + strlen(EXECUTABLE_KEY);
+               }
        }
 
        return(error);
 }
 
        }
 
        return(error);
 }
 
-#ifdef IMGPF_POWERPC
 /*
 /*
- * exec_powerpc32_imgact
+ * exec_reset_save_path
  *
  *
- * Implicitly invoke the PowerPC handler for a byte-swapped image magic
- * number.  This may happen either as a result of an attempt to invoke a
- * PowerPC image directly, or indirectly as the interpreter used in an
- * interpreter script.
- *
- * Parameters; struct image_params *   image parameter block
+ * If we detect a shell script, we need to reset the string area
+ * state so that the interpreter can be saved onto the stack.
+
+ * Parameters; struct image_params *           image parameter block
  *
  *
- * Returns:    -1              not an PowerPC image (keep looking)
- *             -3              Success: exec_archhandler_ppc: relookup
- *             >0              Failure: exec_archhandler_ppc: error number
+ * Returns:    int                     0       Success
  *
  *
- * Note:       This image activator does not handle the case of a direct
- *             invocation of the exec_archhandler_ppc, since in that case, the
- *             exec_archhandler_ppc itself is not a PowerPC binary; instead,
- *             binary image activators must recognize the exec_archhandler_ppc;
- *             This is managed in exec_check_permissions().
+ * Implicit returns:
+ *             (imgp->ip_strings)              saved path
+ *             (imgp->ip_strspace)             space remaining in ip_strings
+ *             (imgp->ip_strendp)              start of remaining copy area
+ *             (imgp->ip_argspace)             space remaining of NCARGS
  *
  *
- * Note:       This image activator is limited to 32 bit powerpc images;
- *             if support for 64 bit powerpc images is desired, it would
- *             be more in line with this design to write a separate 64 bit
- *             image activator.
  */
 static int
  */
 static int
-exec_powerpc32_imgact(struct image_params *imgp)
+exec_reset_save_path(struct image_params *imgp)
 {
 {
-       struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
-       int error;
-       size_t len = 0;
-
-       /*
-        * Make sure it's a PowerPC binary.  If we've already redirected
-        * from an interpreted file once, don't do it again.
-        */
-       if (mach_header->magic != MH_CIGAM) {
-               /*
-                * If it's a cross-architecture 64 bit binary, then claim
-                * it, but refuse to run it.
-                */
-               if (mach_header->magic == MH_CIGAM_64)
-                       return (EBADARCH);
-               return (-1);
-       }
-
-       /* If there is no exec_archhandler_ppc, we can't run it */
-       if (exec_archhandler_ppc.path[0] == 0)
-               return (EBADARCH);
-
-       /* Remember the type of the original file for later grading */
-       if (!imgp->ip_origcputype) {
-               imgp->ip_origcputype = 
-                       OSSwapBigToHostInt32(mach_header->cputype);
-               imgp->ip_origcpusubtype = 
-                       OSSwapBigToHostInt32(mach_header->cpusubtype);
-       }
-
-       /*
-        * The PowerPC flag will be set by the exec_check_permissions()
-        * call anyway; however, we set this flag here so that the relookup
-        * in execve() does not follow symbolic links, as a side effect.
-        */
-       imgp->ip_flags |= IMGPF_POWERPC;
-
-       /* impute an interpreter */
-       error = copystr(exec_archhandler_ppc.path, imgp->ip_interp_name,
-                       IMG_SHSIZE, &len);
-       if (error)
-               return (error);
-
-       /*
-        * provide a replacement string for p->p_comm; we have to use an
-        * alternate buffer for this, rather than replacing it directly,
-        * since the exec may fail and return to the parent.  In that case,
-        * we would have erroneously changed the parent p->p_comm instead.
-        */
-       strlcpy(imgp->ip_p_comm, imgp->ip_ndp->ni_cnd.cn_nameptr, MAXCOMLEN+1);
-                                               /* +1 to allow MAXCOMLEN characters to be copied */
+       imgp->ip_strendp = imgp->ip_strings;
+       imgp->ip_argspace = NCARGS;
+       imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
 
 
-       return (-3);
+       return (0);
 }
 }
-#endif /* IMGPF_POWERPC */
-
 
 /*
  * exec_shell_imgact
  *
 
 /*
  * exec_shell_imgact
  *
- * Image activator for interpreter scripts.  If the image begins with the
- * characters "#!", then it is an interpreter script.  Verify that we are
- * not already executing in PowerPC mode, and that the length of the script
- * line indicating the interpreter is not in excess of the maximum allowed
- * size.  If this is the case, then break out the arguments, if any, which
- * are separated by white space, and copy them into the argument save area
- * as if they were provided on the command line before all other arguments.
- * The line ends when we encounter a comment character ('#') or newline.
+ * Image activator for interpreter scripts.  If the image begins with
+ * the characters "#!", then it is an interpreter script.  Verify the
+ * length of the script line indicating the interpreter is not in
+ * excess of the maximum allowed size.  If this is the case, then
+ * break out the arguments, if any, which are separated by white
+ * space, and copy them into the argument save area as if they were
+ * provided on the command line before all other arguments.  The line
+ * ends when we encounter a comment character ('#') or newline.
  *
  * Parameters; struct image_params *   image parameter block
  *
  *
  * Parameters; struct image_params *   image parameter block
  *
@@ -451,22 +444,16 @@ exec_shell_imgact(struct image_params *imgp)
 {
        char *vdata = imgp->ip_vdata;
        char *ihp;
 {
        char *vdata = imgp->ip_vdata;
        char *ihp;
-       char *line_endp;
+       char *line_startp, *line_endp;
        char *interp;
        char *interp;
-       char temp[16];
        proc_t p;
        struct fileproc *fp;
        int fd;
        int error;
        proc_t p;
        struct fileproc *fp;
        int fd;
        int error;
-       size_t len;
 
        /*
         * Make sure it's a shell script.  If we've already redirected
         * from an interpreted file once, don't do it again.
 
        /*
         * Make sure it's a shell script.  If we've already redirected
         * from an interpreted file once, don't do it again.
-        *
-        * Note: We disallow PowerPC, since the expectation is that we
-        * may run a PowerPC interpreter, but not an interpret a PowerPC 
-        * image.  This is consistent with historical behaviour.
         */
        if (vdata[0] != '#' ||
            vdata[1] != '!' ||
         */
        if (vdata[0] != '#' ||
            vdata[1] != '!' ||
@@ -474,71 +461,88 @@ exec_shell_imgact(struct image_params *imgp)
                return (-1);
        }
 
                return (-1);
        }
 
-#ifdef IMGPF_POWERPC
-       if ((imgp->ip_flags & IMGPF_POWERPC) != 0)
-                 return (EBADARCH);
-#endif /* IMGPF_POWERPC */
+       if (imgp->ip_origcputype != 0) {
+               /* Fat header previously matched, don't allow shell script inside */
+               return (-1);
+       }
 
        imgp->ip_flags |= IMGPF_INTERPRET;
 
        imgp->ip_flags |= IMGPF_INTERPRET;
+       imgp->ip_interp_sugid_fd = -1;
+       imgp->ip_interp_buffer[0] = '\0';
 
 
-        /* Check to see if SUGID scripts are permitted.  If they aren't then
+       /* Check to see if SUGID scripts are permitted.  If they aren't then
         * clear the SUGID bits.
         * imgp->ip_vattr is known to be valid.
         * clear the SUGID bits.
         * imgp->ip_vattr is known to be valid.
-         */
-        if (sugid_scripts == 0) {
-          imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
+        */
+       if (sugid_scripts == 0) {
+               imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
        }
 
        }
 
-       /* Find the nominal end of the interpreter line */
-       for( ihp = &vdata[2]; *ihp != '\n' && *ihp != '#'; ihp++) {
-               if (ihp >= &vdata[IMG_SHSIZE])
+       /* Try to find the first non-whitespace character */
+       for( ihp = &vdata[2]; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
+               if (IS_EOL(*ihp)) {
+                       /* Did not find interpreter, "#!\n" */
                        return (ENOEXEC);
                        return (ENOEXEC);
+               } else if (IS_WHITESPACE(*ihp)) {
+                       /* Whitespace, like "#!    /bin/sh\n", keep going. */
+               } else {
+                       /* Found start of interpreter */
+                       break;
+               }
        }
 
        }
 
-       line_endp = ihp;
-       ihp = &vdata[2];
-       /* Skip over leading spaces - until the interpreter name */
-       while ( ihp < line_endp && ((*ihp == ' ') || (*ihp == '\t')))
-               ihp++;
+       if (ihp == &vdata[IMG_SHSIZE]) {
+               /* All whitespace, like "#!           " */
+               return (ENOEXEC);
+       }
 
 
-       /*
-        * Find the last non-whitespace character before the end of line or
-        * the beginning of a comment; this is our new end of line.
-        */
-       for (;line_endp > ihp && ((*line_endp == ' ') || (*line_endp == '\t')); line_endp--)
-               continue;
+       line_startp = ihp;
+
+       /* Try to find the end of the interpreter+args string */
+       for ( ; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
+               if (IS_EOL(*ihp)) {
+                       /* Got it */
+                       break;
+               } else {
+                       /* Still part of interpreter or args */
+               }
+       }
 
 
-       /* Empty? */
-       if (line_endp == ihp)
+       if (ihp == &vdata[IMG_SHSIZE]) {
+               /* A long line, like "#! blah blah blah" without end */
                return (ENOEXEC);
                return (ENOEXEC);
+       }
 
 
-       /* copy the interpreter name */
-       interp = imgp->ip_interp_name;
-       while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t'))
-               *interp++ = *ihp++;
-       *interp = '\0';
+       /* Backtrack until we find the last non-whitespace */
+       while (IS_EOL(*ihp) || IS_WHITESPACE(*ihp)) {
+               ihp--;
+       }
 
 
-       exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_name),
-                                                       UIO_SYSSPACE);
+       /* The character after the last non-whitespace is our logical end of line */
+       line_endp = ihp + 1;
+
+       /*
+        * Now we have pointers to the usable part of:
+        *
+        * "#!  /usr/bin/int first    second   third    \n"
+        *      ^ line_startp                       ^ line_endp
+        */
 
 
-       ihp = &vdata[2];
-       while (ihp < line_endp) {
-               /* Skip leading whitespace before each argument */
-               while ((*ihp == ' ') || (*ihp == '\t'))
-                       ihp++;
+       /* copy the interpreter name */
+       interp = imgp->ip_interp_buffer;
+       for ( ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++)
+               *interp++ = *ihp;
+       *interp = '\0';
 
 
-               if (ihp >= line_endp)
-                       break;
+       exec_reset_save_path(imgp);
+       exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer),
+                                                       UIO_SYSSPACE, NULL);
 
 
-               /* We have an argument; copy it */
-               while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t')) {  
-                       *imgp->ip_strendp++ = *ihp++;
-                       imgp->ip_strspace--;
-               }
-               *imgp->ip_strendp++ = 0;
-               imgp->ip_strspace--;
-               imgp->ip_argc++;
-       }
+       /* Copy the entire interpreter + args for later processing into argv[] */
+       interp = imgp->ip_interp_buffer;
+       for ( ihp = line_startp; (ihp < line_endp); ihp++)
+               *interp++ = *ihp;
+       *interp = '\0';
 
        /*
         * If we have a SUID oder SGID script, create a file descriptor
 
        /*
         * If we have a SUID oder SGID script, create a file descriptor
@@ -552,7 +556,6 @@ exec_shell_imgact(struct image_params *imgp)
                        return(error);
 
                fp->f_fglob->fg_flag = FREAD;
                        return(error);
 
                fp->f_fglob->fg_flag = FREAD;
-               fp->f_fglob->fg_type = DTYPE_VNODE;
                fp->f_fglob->fg_ops = &vnops;
                fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
                
                fp->f_fglob->fg_ops = &vnops;
                fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
                
@@ -562,10 +565,7 @@ exec_shell_imgact(struct image_params *imgp)
                proc_fdunlock(p);
                vnode_ref(imgp->ip_vp);
 
                proc_fdunlock(p);
                vnode_ref(imgp->ip_vp);
 
-               snprintf(temp, sizeof(temp), "/dev/fd/%d", fd);
-               error = copyoutstr(temp, imgp->ip_user_fname, sizeof(temp), &len);
-               if (error)
-                       return(error);
+               imgp->ip_interp_sugid_fd = fd;
        }
 
        return (-3);
        }
 
        return (-3);
@@ -610,20 +610,29 @@ exec_fat_imgact(struct image_params *imgp)
        int resid, error;
        load_return_t lret;
 
        int resid, error;
        load_return_t lret;
 
+       if (imgp->ip_origcputype != 0) {
+               /* Fat header previously matched, don't allow another fat file inside */
+               return (-1);
+       }
+
        /* Make sure it's a fat binary */
        /* Make sure it's a fat binary */
-       if ((fat_header->magic != FAT_MAGIC) &&
-            (fat_header->magic != FAT_CIGAM)) {
-               error = -1;
+       if (OSSwapBigToHostInt32(fat_header->magic) != FAT_MAGIC) {
+               error = -1; /* not claimed */
+               goto bad;
+       }
+
+       /* imgp->ip_vdata has PAGE_SIZE, zerofilled if the file is smaller */
+       lret = fatfile_validate_fatarches((vm_offset_t)fat_header, PAGE_SIZE);
+       if (lret != LOAD_SUCCESS) {
+               error = load_return_to_errno(lret);
                goto bad;
        }
 
        /* If posix_spawn binprefs exist, respect those prefs. */
        psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
        if (psa != NULL && psa->psa_binprefs[0] != 0) {
                goto bad;
        }
 
        /* If posix_spawn binprefs exist, respect those prefs. */
        psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
        if (psa != NULL && psa->psa_binprefs[0] != 0) {
-               struct fat_arch *arches = (struct fat_arch *) (fat_header + 1);
-               int nfat_arch = 0, pr = 0, f = 0;
+               uint32_t pr = 0;
 
 
-               nfat_arch = OSSwapBigToHostInt32(fat_header->nfat_arch);
                /* Check each preference listed against all arches in header */
                for (pr = 0; pr < NBINPREFS; pr++) {
                        cpu_type_t pref = psa->psa_binprefs[pr];
                /* Check each preference listed against all arches in header */
                for (pr = 0; pr < NBINPREFS; pr++) {
                        cpu_type_t pref = psa->psa_binprefs[pr];
@@ -635,36 +644,28 @@ exec_fat_imgact(struct image_params *imgp)
 
                        if (pref == CPU_TYPE_ANY) {
                                /* Fall through to regular grading */
 
                        if (pref == CPU_TYPE_ANY) {
                                /* Fall through to regular grading */
-                               break;
+                               goto regular_grading;
                        }
 
                        }
 
-                       for (f = 0; f < nfat_arch; f++) {
-                               cpu_type_t archtype = OSSwapBigToHostInt32(
-                                               arches[f].cputype);
-                               cpu_type_t archsubtype = OSSwapBigToHostInt32(
-                                               arches[f].cpusubtype) & ~CPU_SUBTYPE_MASK;
-                               if (pref == archtype &&
-                                       grade_binary(archtype, archsubtype)) {
-                                       /* We have a winner! */
-                                       fat_arch.cputype = archtype; 
-                                       fat_arch.cpusubtype = archsubtype; 
-                                       fat_arch.offset = OSSwapBigToHostInt32(
-                                                       arches[f].offset);
-                                       fat_arch.size = OSSwapBigToHostInt32(
-                                                       arches[f].size);
-                                       fat_arch.align = OSSwapBigToHostInt32(
-                                                       arches[f].align);
-                                       goto use_arch;
-                               }
+                       lret = fatfile_getbestarch_for_cputype(pref,
+                                                       (vm_offset_t)fat_header,
+                                                       PAGE_SIZE,
+                                                       &fat_arch);
+                       if (lret == LOAD_SUCCESS) {
+                               goto use_arch;
                        }
                }
                        }
                }
+
+               /* Requested binary preference was not honored */
+               error = EBADEXEC;
+               goto bad;
        }
 
        }
 
+regular_grading:
        /* Look up our preferred architecture in the fat file. */
        /* Look up our preferred architecture in the fat file. */
-       lret = fatfile_getarch_affinity(imgp->ip_vp,
-                                       (vm_offset_t)fat_header,
-                                       &fat_arch,
-                                       (p->p_flag & P_AFFINITY));
+       lret = fatfile_getbestarch((vm_offset_t)fat_header,
+                               PAGE_SIZE,
+                               &fat_arch);
        if (lret != LOAD_SUCCESS) {
                error = load_return_to_errno(lret);
                goto bad;
        if (lret != LOAD_SUCCESS) {
                error = load_return_to_errno(lret);
                goto bad;
@@ -680,22 +681,56 @@ use_arch:
                goto bad;
        }
 
                goto bad;
        }
 
-       /* Did we read a complete header? */
        if (resid) {
        if (resid) {
-               error = EBADEXEC;
-               goto bad;
+               memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
        }
 
        /* Success.  Indicate we have identified an encapsulated binary */
        error = -2;
        imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
        imgp->ip_arch_size = (user_size_t)fat_arch.size;
        }
 
        /* Success.  Indicate we have identified an encapsulated binary */
        error = -2;
        imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
        imgp->ip_arch_size = (user_size_t)fat_arch.size;
+       imgp->ip_origcputype = fat_arch.cputype;
+       imgp->ip_origcpusubtype = fat_arch.cpusubtype;
 
 bad:
        kauth_cred_unref(&cred);
        return (error);
 }
 
 
 bad:
        kauth_cred_unref(&cred);
        return (error);
 }
 
+static int
+activate_thread_state(thread_t thread, load_result_t *result)
+{
+       int ret;
+
+       ret = thread_state_initialize(thread);
+       if (ret != KERN_SUCCESS) {
+               return ret;
+       }
+
+
+       if (result->threadstate) {
+               uint32_t *ts = result->threadstate;
+               uint32_t total_size = result->threadstate_sz;
+
+               while (total_size > 0) {
+                       uint32_t flavor = *ts++;
+                       uint32_t size = *ts++;
+
+                       ret = thread_setstatus(thread, flavor, (thread_state_t)ts, size);
+                       if (ret) {
+                               return ret;
+                       }
+                       ts += size;
+                       total_size -= (size + 2) * sizeof(uint32_t);
+               }
+       }
+
+       thread_setentrypoint(thread, result->entry_point);
+
+       return KERN_SUCCESS;
+}
+
+
 /*
  * exec_mach_imgact
  *
 /*
  * exec_mach_imgact
  *
@@ -725,7 +760,6 @@ exec_mach_imgact(struct image_params *imgp)
        struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
        proc_t                  p = vfs_context_proc(imgp->ip_vfs_context);
        int                     error = 0;
        struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
        proc_t                  p = vfs_context_proc(imgp->ip_vfs_context);
        int                     error = 0;
-       int                     vfexec = 0;
        task_t                  task;
        task_t                  new_task = NULL; /* protected by vfexec */
        thread_t                thread;
        task_t                  task;
        task_t                  new_task = NULL; /* protected by vfexec */
        thread_t                thread;
@@ -735,27 +769,41 @@ exec_mach_imgact(struct image_params *imgp)
        load_return_t           lret;
        load_result_t           load_result;
        struct _posix_spawnattr *psa = NULL;
        load_return_t           lret;
        load_result_t           load_result;
        struct _posix_spawnattr *psa = NULL;
-       int spawn = (imgp->ip_flags & IMGPF_SPAWN);
+       int                     spawn = (imgp->ip_flags & IMGPF_SPAWN);
+       int                     vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
+       int                     p_name_len;
 
        /*
         * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
         * is a reserved field on the end, so for the most part, we can
 
        /*
         * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
         * is a reserved field on the end, so for the most part, we can
-        * treat them as if they were identical.
-        */
+        * treat them as if they were identical. Reverse-endian Mach-O
+        * binaries are recognized but not compatible.
+        */
+       if ((mach_header->magic == MH_CIGAM) ||
+           (mach_header->magic == MH_CIGAM_64)) {
+               error = EBADARCH;
+               goto bad;
+       }
+
        if ((mach_header->magic != MH_MAGIC) &&
            (mach_header->magic != MH_MAGIC_64)) {
                error = -1;
                goto bad;
        }
 
        if ((mach_header->magic != MH_MAGIC) &&
            (mach_header->magic != MH_MAGIC_64)) {
                error = -1;
                goto bad;
        }
 
-       switch (mach_header->filetype) {
-       case MH_DYLIB:
-       case MH_BUNDLE:
+       if (mach_header->filetype != MH_EXECUTE) {
                error = -1;
                goto bad;
        }
 
                error = -1;
                goto bad;
        }
 
-       if (!imgp->ip_origcputype) {
+       if (imgp->ip_origcputype != 0) {
+               /* Fat header previously had an idea about this thin file */
+               if (imgp->ip_origcputype != mach_header->cputype ||
+                       imgp->ip_origcpusubtype != mach_header->cpusubtype) {
+                       error = EBADARCH;
+                       goto bad;
+               }
+       } else {
                imgp->ip_origcputype = mach_header->cputype;
                imgp->ip_origcpusubtype = mach_header->cpusubtype;
        }
                imgp->ip_origcputype = mach_header->cputype;
                imgp->ip_origcpusubtype = mach_header->cpusubtype;
        }
@@ -764,15 +812,6 @@ exec_mach_imgact(struct image_params *imgp)
        thread = current_thread();
        uthread = get_bsdthread_info(thread);
 
        thread = current_thread();
        uthread = get_bsdthread_info(thread);
 
-       /*
-        * Save off the vfexec state up front; we have to do this, because
-        * we need to know if we were in this state initally subsequent to
-        * creating the backing task, thread, and uthread for the child
-        * process (from the vfs_context_t from in img_parms).
-        */
-       if (uthread->uu_flag & UT_VFORK)
-               vfexec = 1;      /* Mark in exec */
-
        if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64)
                imgp->ip_flags |= IMGPF_IS_64BIT;
 
        if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64)
                imgp->ip_flags |= IMGPF_IS_64BIT;
 
@@ -802,8 +841,7 @@ exec_mach_imgact(struct image_params *imgp)
                goto bad;
        }
 grade:
                goto bad;
        }
 grade:
-       if (!grade_binary(imgp->ip_origcputype & ~CPU_SUBTYPE_LIB64, 
-                               imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
+       if (!grade_binary(imgp->ip_origcputype, imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
                error = EBADARCH;
                goto bad;
        }
                error = EBADARCH;
                goto bad;
        }
@@ -813,46 +851,25 @@ grade:
        if (error)
                goto bad;
 
        if (error)
                goto bad;
 
-       AUDIT_ARG(argv, imgp->ip_argv, imgp->ip_argc, 
-           imgp->ip_strendargvp - imgp->ip_argv);
-       AUDIT_ARG(envv, imgp->ip_strendargvp, imgp->ip_envc,
-           imgp->ip_strendp - imgp->ip_strendargvp);
-
-       /*
-        * Hack for binary compatability; put three NULs on the end of the
-        * string area, and round it up to the next word boundary.  This
-        * ensures padding with NULs to the boundary.
-        */
-       imgp->ip_strendp[0] = 0;
-       imgp->ip_strendp[1] = 0;
-       imgp->ip_strendp[2] = 0;
-       imgp->ip_strendp += (((imgp->ip_strendp - imgp->ip_strings) + NBPW-1) & ~(NBPW-1));
+       error = exec_add_apple_strings(imgp);
+       if (error)
+               goto bad;
 
 
-#ifdef IMGPF_POWERPC
-       /*
-        * XXX
-        *
-        * Should be factored out; this is here because we might be getting
-        * invoked this way as the result of a shell script, and the check
-        * in exec_check_permissions() is not interior to the jump back up
-        * to the "encapsulated_binary:" label in exec_activate_image().
-        */
-       if (imgp->ip_vattr->va_fsid == exec_archhandler_ppc.fsid &&
-               imgp->ip_vattr->va_fileid == (uint64_t)((u_long)exec_archhandler_ppc.fileid)) {
-               imgp->ip_flags |= IMGPF_POWERPC;
-       }
-#endif /* IMGPF_POWERPC */
+       AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc, 
+           imgp->ip_endargv - imgp->ip_startargv);
+       AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
+           imgp->ip_endenvv - imgp->ip_endargv);
 
        /*
         * We are being called to activate an image subsequent to a vfork()
         * operation; in this case, we know that our task, thread, and
 
        /*
         * We are being called to activate an image subsequent to a vfork()
         * operation; in this case, we know that our task, thread, and
-        * uthread are actualy those of our parent, and our proc, which we
+        * uthread are actually those of our parent, and our proc, which we
         * obtained indirectly from the image_params vfs_context_t, is the
         * new child process.
         */
        if (vfexec || spawn) {
                if (vfexec) {
         * obtained indirectly from the image_params vfs_context_t, is the
         * new child process.
         */
        if (vfexec || spawn) {
                if (vfexec) {
-                       imgp->ip_new_thread = fork_create_child(task, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT));
+                       imgp->ip_new_thread = fork_create_child(task, NULL, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT));
                        if (imgp->ip_new_thread == NULL) {
                                error = ENOMEM;
                                goto bad;
                        if (imgp->ip_new_thread == NULL) {
                                error = ENOMEM;
                                goto bad;
@@ -885,30 +902,40 @@ grade:
         *      Load the Mach-O file.
         *
         * NOTE: An error after this point  indicates we have potentially
         *      Load the Mach-O file.
         *
         * NOTE: An error after this point  indicates we have potentially
-        * destroyed or overwrote some process state while attempting an
+        * destroyed or overwritten some process state while attempting an
         * execve() following a vfork(), which is an unrecoverable condition.
         * execve() following a vfork(), which is an unrecoverable condition.
+        * We send the new process an immediate SIGKILL to avoid it executing
+        * any instructions in the mutated address space. For true spawns,
+        * this is not the case, and "too late" is still not too late to
+        * return an error code to the parent process.
         */
 
        /*
         * Actually load the image file we previously decided to load.
         */
         */
 
        /*
         * Actually load the image file we previously decided to load.
         */
-       lret = load_machfile(imgp, mach_header, thread, map, &load_result);
+       lret = load_machfile(imgp, mach_header, thread, &map, &load_result);
 
        if (lret != LOAD_SUCCESS) {
                error = load_return_to_errno(lret);
                goto badtoolate;
        }
 
 
        if (lret != LOAD_SUCCESS) {
                error = load_return_to_errno(lret);
                goto badtoolate;
        }
 
-       vm_map_set_user_wire_limit(get_task_map(task), p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
+       proc_lock(p);
+       p->p_cputype = imgp->ip_origcputype;
+       p->p_cpusubtype = imgp->ip_origcpusubtype;
+       proc_unlock(p);
+
+       vm_map_set_user_wire_limit(map, p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
 
        /* 
         * Set code-signing flags if this binary is signed, or if parent has
         * requested them on exec.
         */
        if (load_result.csflags & CS_VALID) {
 
        /* 
         * Set code-signing flags if this binary is signed, or if parent has
         * requested them on exec.
         */
        if (load_result.csflags & CS_VALID) {
-               imgp->ip_csflags |= load_result.csflags &
+               imgp->ip_csflags |= load_result.csflags & 
                        (CS_VALID|
                        (CS_VALID|
-                        CS_HARD|CS_KILL|CS_EXEC_SET_HARD|CS_EXEC_SET_KILL);
+                        CS_HARD|CS_KILL|CS_RESTRICT|CS_ENFORCEMENT|CS_REQUIRE_LV|CS_DYLD_PLATFORM|
+                        CS_EXEC_SET_HARD|CS_EXEC_SET_KILL|CS_EXEC_SET_ENFORCEMENT);
        } else {
                imgp->ip_csflags &= ~CS_VALID;
        }
        } else {
                imgp->ip_csflags &= ~CS_VALID;
        }
@@ -917,56 +944,67 @@ grade:
                imgp->ip_csflags |= CS_HARD;
        if (p->p_csflags & CS_EXEC_SET_KILL)
                imgp->ip_csflags |= CS_KILL;
                imgp->ip_csflags |= CS_HARD;
        if (p->p_csflags & CS_EXEC_SET_KILL)
                imgp->ip_csflags |= CS_KILL;
-
+       if (p->p_csflags & CS_EXEC_SET_ENFORCEMENT)
+               imgp->ip_csflags |= CS_ENFORCEMENT;
+       if (p->p_csflags & CS_EXEC_SET_INSTALLER)
+               imgp->ip_csflags |= CS_INSTALLER;
 
        /*
         * Set up the system reserved areas in the new address space.
         */
 
        /*
         * Set up the system reserved areas in the new address space.
         */
-       vm_map_exec(get_task_map(task),
-                   task,
-                   (void *) p->p_fd->fd_rdir,
-#ifdef IMGPF_POWERPC
-                   imgp->ip_flags & IMGPF_POWERPC ?
-                   CPU_TYPE_POWERPC :
-#endif
-                   cpu_type());
-       
+       vm_map_exec(map, task, (void *)p->p_fd->fd_rdir, cpu_type());
+
        /*
        /*
-        * Close file descriptors
-        * which specify close-on-exec.
+        * Close file descriptors which specify close-on-exec.
         */
         */
-       fdexec(p);
+       fdexec(p, psa != NULL ? psa->psa_flags : 0);
 
        /*
         * deal with set[ug]id.
         */
        error = exec_handle_sugid(imgp);
 
        /*
         * deal with set[ug]id.
         */
        error = exec_handle_sugid(imgp);
+       if (error) {
+               if (spawn || !vfexec) {
+                       vm_map_deallocate(map);
+               }
+               goto badtoolate;
+       }
+
+       /*
+        * Commit to new map.
+        *
+        * Swap the new map for the old, which consumes our new map reference but
+        * each leaves us responsible for the old_map reference.  That lets us get
+        * off the pmap associated with it, and then we can release it.
+        */
+       if (!vfexec) {
+               old_map = swap_task_map(task, thread, map, !spawn);
+               vm_map_deallocate(old_map);
+       }
+
+       lret = activate_thread_state(thread, &load_result);
+       if (lret != KERN_SUCCESS) {
+               goto badtoolate;
+       }
+
+       /*
+        * deal with voucher on exec-calling thread.
+        */
+       if (imgp->ip_new_thread == NULL)
+               thread_set_mach_voucher(current_thread(), IPC_VOUCHER_NULL);
 
        /* Make sure we won't interrupt ourself signalling a partial process */
        if (!vfexec && !spawn && (p->p_lflag & P_LTRACED))
                psignal(p, SIGTRAP);
 
 
        /* Make sure we won't interrupt ourself signalling a partial process */
        if (!vfexec && !spawn && (p->p_lflag & P_LTRACED))
                psignal(p, SIGTRAP);
 
-       if (error) {
-               goto badtoolate;
-       }
-       
        if (load_result.unixproc &&
                create_unix_stack(get_task_map(task),
        if (load_result.unixproc &&
                create_unix_stack(get_task_map(task),
-                                 load_result.user_stack,
-                                 load_result.customstack,
+                                 &load_result,
                                  p) != KERN_SUCCESS) {
                error = load_return_to_errno(LOAD_NOSPACE);
                goto badtoolate;
        }
 
                                  p) != KERN_SUCCESS) {
                error = load_return_to_errno(LOAD_NOSPACE);
                goto badtoolate;
        }
 
-       /*  
-        * There is no  continuing workq context during 
-        * vfork exec. So no need to reset then. Otherwise
-        * clear the workqueue context.
-        */
-       if (vfexec == 0 && spawn == 0) {
-               (void)workqueue_exit(p);
-       }
        if (vfexec || spawn) {
                old_map = vm_map_switch(get_task_map(task));
        }
        if (vfexec || spawn) {
                old_map = vm_map_switch(get_task_map(task));
        }
@@ -988,32 +1026,30 @@ grade:
                /* Set the stack */
                thread_setuserstack(thread, ap);
        }
                /* Set the stack */
                thread_setuserstack(thread, ap);
        }
-       
+
        if (load_result.dynlinker) {
                uint64_t        ap;
        if (load_result.dynlinker) {
                uint64_t        ap;
+               int                     new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
 
                /* Adjust the stack */
 
                /* Adjust the stack */
-               if (imgp->ip_flags & IMGPF_IS_64BIT) {
-                       ap = thread_adjuserstack(thread, -8);
-                       error = copyoutptr(load_result.mach_header, ap, 8);
-               } else {
-                       ap = thread_adjuserstack(thread, -4);
-                       error = suword(ap, load_result.mach_header);
-               }
+               ap = thread_adjuserstack(thread, -new_ptr_size);
+               error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
+
                if (error) {
                if (error) {
-                       if (vfexec || spawn)
-                               vm_map_switch(old_map);
+                       if (vfexec || spawn)
+                               vm_map_switch(old_map);
                        goto badtoolate;
                }
                task_set_dyld_info(task, load_result.all_image_info_addr,
                    load_result.all_image_info_size);
        }
 
                        goto badtoolate;
                }
                task_set_dyld_info(task, load_result.all_image_info_addr,
                    load_result.all_image_info_size);
        }
 
+       /* Avoid immediate VM faults back into kernel */
+       exec_prefault_data(p, imgp, &load_result);
+
        if (vfexec || spawn) {
                vm_map_switch(old_map);
        }
        if (vfexec || spawn) {
                vm_map_switch(old_map);
        }
-       /* Set the entry point */
-       thread_setentrypoint(thread, load_result.entry_point);
 
        /* Stop profiling */
        stopprofclock(p);
 
        /* Stop profiling */
        stopprofclock(p);
@@ -1043,20 +1079,31 @@ grade:
         * Remember file name for accounting.
         */
        p->p_acflag &= ~AFORK;
         * Remember file name for accounting.
         */
        p->p_acflag &= ~AFORK;
-       /* If the translated name isn't NULL, then we want to use
-        * that translated name as the name we show as the "real" name.
-        * Otherwise, use the name passed into exec.
+
+       /*
+        * Set p->p_comm and p->p_name to the name passed to exec
         */
         */
-       if (0 != imgp->ip_p_comm[0]) {
-               bcopy((caddr_t)imgp->ip_p_comm, (caddr_t)p->p_comm,
-                       sizeof(p->p_comm));
-       } else {
-               if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
-                       imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
-               bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
-                       (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
-               p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
-       }
+       p_name_len = sizeof(p->p_name) - 1;
+       if(imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len)
+               imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
+       bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
+               (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
+       p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+
+       if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
+               imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
+       bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
+               (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
+       p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
+
+       pal_dbg_set_task_name( p->task );
+
+#if DEVELOPMENT || DEBUG
+       /* 
+        * Update the pid an proc name for importance base if any
+        */
+       task_importance_update_owner_info(p->task);
+#endif
 
        memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
 
 
        memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid));
 
@@ -1092,8 +1139,8 @@ grade:
         */
        proc_lock(p);
        if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) {
         */
        proc_lock(p);
        if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) {
-               (*dtrace_fasttrap_exec_ptr)(p);
-       }
+               (*dtrace_fasttrap_exec_ptr)(p);
+       }
        proc_unlock(p);
 #endif
 
        proc_unlock(p);
 #endif
 
@@ -1106,31 +1153,18 @@ grade:
                kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
 
                if (vfexec || spawn) {
                kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
 
                if (vfexec || spawn) {
-                       KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
+                       KERNEL_DEBUG_CONSTANT1(TRACE_DATA_EXEC | DBG_FUNC_NONE,
                                        p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread));
                                        p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread));
-                       KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
+                       KERNEL_DEBUG_CONSTANT1(TRACE_STRING_EXEC | DBG_FUNC_NONE,
                                        dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread));
                } else {
                                        dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread));
                } else {
-                       KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
+                       KERNEL_DEBUG_CONSTANT(TRACE_DATA_EXEC | DBG_FUNC_NONE,
                                        p->p_pid ,0,0,0,0);
                                        p->p_pid ,0,0,0,0);
-                       KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
+                       KERNEL_DEBUG_CONSTANT(TRACE_STRING_EXEC | DBG_FUNC_NONE,
                                        dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
                }
        }
 
                                        dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
                }
        }
 
-#ifdef IMGPF_POWERPC
-       /*
-        * Mark the process as powerpc or not.  If powerpc, set the affinity
-        * flag, which will be used for grading binaries in future exec's
-        * from the process.
-        */
-       if (((imgp->ip_flags & IMGPF_POWERPC) != 0))
-               OSBitOrAtomic(P_TRANSLATED, &p->p_flag);
-       else
-#endif /* IMGPF_POWERPC */
-               OSBitAndAtomic(~((uint32_t)P_TRANSLATED), &p->p_flag);
-       OSBitAndAtomic(~((uint32_t)P_AFFINITY), &p->p_flag);
-
        /*
         * If posix_spawned with the START_SUSPENDED flag, stop the
         * process before it runs.
        /*
         * If posix_spawned with the START_SUSPENDED flag, stop the
         * process before it runs.
@@ -1141,7 +1175,7 @@ grade:
                        proc_lock(p);
                        p->p_stat = SSTOP;
                        proc_unlock(p);
                        proc_lock(p);
                        p->p_stat = SSTOP;
                        proc_unlock(p);
-                       (void) task_suspend(p->task);
+                       (void) task_suspend_internal(p->task);
                }
        }
 
                }
        }
 
@@ -1166,15 +1200,37 @@ grade:
                psignal_vfork(p, new_task, thread, SIGTRAP);
        }
 
                psignal_vfork(p, new_task, thread, SIGTRAP);
        }
 
+       goto done;
+
 badtoolate:
 badtoolate:
-if (!spawn)
-       proc_knote(p, NOTE_EXEC);
+       /* Don't allow child process to execute any instructions */
+       if (!spawn) {
+               if (vfexec) {
+                       psignal_vfork(p, new_task, thread, SIGKILL);
+               } else {
+                       psignal(p, SIGKILL);
+               }
 
 
-       if (vfexec || spawn) {
+               /* We can't stop this system call at this point, so just pretend we succeeded */
+               error = 0;
+       }
+       
+done:
+       if (!spawn) {
+               /* notify only if it has not failed due to FP Key error */
+               if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)
+                       proc_knote(p, NOTE_EXEC);
+       }
+
+       /* Drop extra references for cases where we don't expect the caller to clean up */
+       if (vfexec || (spawn && error == 0)) {
                task_deallocate(new_task);
                thread_deallocate(thread);
                task_deallocate(new_task);
                thread_deallocate(thread);
-               if (error)
-                       error = 0;
+       }
+
+       if (load_result.threadstate) {
+               kfree(load_result.threadstate, load_result.threadstate_sz);
+               load_result.threadstate = NULL;
        }
 
 bad:
        }
 
 bad:
@@ -1197,9 +1253,6 @@ struct execsw {
 } execsw[] = {
        { exec_mach_imgact,             "Mach-o Binary" },
        { exec_fat_imgact,              "Fat Binary" },
 } execsw[] = {
        { exec_mach_imgact,             "Mach-o Binary" },
        { exec_fat_imgact,              "Fat Binary" },
-#ifdef IMGPF_POWERPC
-       { exec_powerpc32_imgact,        "PowerPC binary" },
-#endif /* IMGPF_POWERPC */
        { exec_shell_imgact,            "Interpreter Script" },
        { NULL, NULL}
 };
        { exec_shell_imgact,            "Interpreter Script" },
        { NULL, NULL}
 };
@@ -1229,46 +1282,63 @@ struct execsw {
  *     namei:???
  *     vn_rdwr:???                     [anything vn_rdwr can return]
  *     <ex_imgact>:???                 [anything an imgact can return]
  *     namei:???
  *     vn_rdwr:???                     [anything vn_rdwr can return]
  *     <ex_imgact>:???                 [anything an imgact can return]
+ *     EDEADLK                         Process is being terminated
  */
 static int
 exec_activate_image(struct image_params *imgp)
 {
  */
 static int
 exec_activate_image(struct image_params *imgp)
 {
-       struct nameidata nd;
+       struct nameidata *ndp = NULL;
+       const char *excpath;
        int error;
        int resid;
        int once = 1;   /* save SGUID-ness for interpreted files */
        int i;
        int error;
        int resid;
        int once = 1;   /* save SGUID-ness for interpreted files */
        int i;
-       int iterlimit = EAI_ITERLIMIT;
+       int itercount = 0;
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
 
        error = execargs_alloc(imgp);
        if (error)
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
 
        error = execargs_alloc(imgp);
        if (error)
-               goto bad;
+               goto bad_notrans;
        
        
-       /*
-        * XXXAUDIT: Note: the double copyin introduces an audit
-        * race.  To correct this race, we must use a single
-        * copyin(), e.g. by passing a flag to namei to indicate an
-        * external path buffer is being used.
-        */
-       error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg);
+       error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath);
        if (error) {
                goto bad_notrans;
        }
 
        if (error) {
                goto bad_notrans;
        }
 
-       DTRACE_PROC1(exec, uintptr_t, imgp->ip_strings);
+       /* Use excpath, which contains the copyin-ed exec path */
+       DTRACE_PROC1(exec, uintptr_t, excpath);
+
+       MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
+       if (ndp == NULL) {
+               error = ENOMEM;
+               goto bad_notrans;
+       }
 
 
-       NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
-               imgp->ip_seg, imgp->ip_user_fname, imgp->ip_vfs_context);
+       NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
+                  UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
 
 again:
 
 again:
-       error = namei(&nd);
+       error = namei(ndp);
        if (error)
                goto bad_notrans;
        if (error)
                goto bad_notrans;
-       imgp->ip_ndp = &nd;     /* successful namei(); call nameidone() later */
-       imgp->ip_vp = nd.ni_vp; /* if set, need to vnode_put() at some point */
+       imgp->ip_ndp = ndp;     /* successful namei(); call nameidone() later */
+       imgp->ip_vp = ndp->ni_vp;       /* if set, need to vnode_put() at some point */
 
 
-       error = proc_transstart(p, 0);
+       /*
+        * Before we start the transition from binary A to binary B, make
+        * sure another thread hasn't started exiting the process.  We grab
+        * the proc lock to check p_lflag initially, and the transition
+        * mechanism ensures that the value doesn't change after we release
+        * the lock.
+        */
+       proc_lock(p);
+       if (p->p_lflag & P_LEXIT) {
+               error = EDEADLK;
+               proc_unlock(p);
+               goto bad_notrans;
+       }
+       error = proc_transstart(p, 1, 0);
+       proc_unlock(p);
        if (error)
                goto bad_notrans;
 
        if (error)
                goto bad_notrans;
 
@@ -1288,10 +1358,14 @@ again:
                        &resid, vfs_context_proc(imgp->ip_vfs_context));
        if (error)
                goto bad;
                        &resid, vfs_context_proc(imgp->ip_vfs_context));
        if (error)
                goto bad;
-               
+
+       if (resid) {
+               memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid);
+       }
+
 encapsulated_binary:
        /* Limit the number of iterations we will attempt on each binary */
 encapsulated_binary:
        /* Limit the number of iterations we will attempt on each binary */
-       if (--iterlimit == 0) {
+       if (++itercount > EAI_ITERLIMIT) {
                error = EBADEXEC;
                goto bad;
        }
                error = EBADEXEC;
                goto bad;
        }
@@ -1302,7 +1376,7 @@ encapsulated_binary:
 
                switch (error) {
                /* case -1: not claimed: continue */
 
                switch (error) {
                /* case -1: not claimed: continue */
-               case -2:                /* Encapsulated binary */
+               case -2:                /* Encapsulated binary, imgp->ip_XXX set for next iteration */
                        goto encapsulated_binary;
 
                case -3:                /* Interpreter */
                        goto encapsulated_binary;
 
                case -3:                /* Interpreter */
@@ -1321,22 +1395,25 @@ encapsulated_binary:
                        }
                        mac_vnode_label_copy(imgp->ip_vp->v_label,
                                             imgp->ip_scriptlabelp);
                        }
                        mac_vnode_label_copy(imgp->ip_vp->v_label,
                                             imgp->ip_scriptlabelp);
+
+                       /*
+                        * Take a ref of the script vnode for later use.
+                        */
+                       if (imgp->ip_scriptvp)
+                               vnode_put(imgp->ip_scriptvp);
+                       if (vnode_getwithref(imgp->ip_vp) == 0)
+                               imgp->ip_scriptvp = imgp->ip_vp;
 #endif
 #endif
+
+                       nameidone(ndp);
+
                        vnode_put(imgp->ip_vp);
                        imgp->ip_vp = NULL;     /* already put */
                        vnode_put(imgp->ip_vp);
                        imgp->ip_vp = NULL;     /* already put */
-                
-                       NDINIT(&nd, LOOKUP, (nd.ni_cnd.cn_flags & HASBUF) | (FOLLOW | LOCKLEAF),
-                               UIO_SYSSPACE, CAST_USER_ADDR_T(imgp->ip_interp_name), imgp->ip_vfs_context);
+                       imgp->ip_ndp = NULL; /* already nameidone */
 
 
-#ifdef IMGPF_POWERPC
-                       /*
-                        * PowerPC does not follow symlinks because the
-                        * code which sets exec_archhandler_ppc.fsid and
-                        * exec_archhandler_ppc.fileid doesn't follow them.
-                        */
-                       if (imgp->ip_flags & IMGPF_POWERPC)
-                               nd.ni_cnd.cn_flags &= ~FOLLOW;
-#endif /* IMGPF_POWERPC */
+                       /* Use excpath, which exec_shell_imgact reset to the interpreter */
+                       NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF,
+                                  UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
 
                        proc_transend(p, 0);
                        goto again;
 
                        proc_transend(p, 0);
                        goto again;
@@ -1353,21 +1430,115 @@ encapsulated_binary:
        if (error == 0 && kauth_authorize_fileop_has_listeners()) {
                kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
                                        KAUTH_FILEOP_EXEC,
        if (error == 0 && kauth_authorize_fileop_has_listeners()) {
                kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
                                        KAUTH_FILEOP_EXEC,
-                                       (uintptr_t)nd.ni_vp, 0);
+                                       (uintptr_t)ndp->ni_vp, 0);
        }
 
        }
 
-bad:
-       proc_transend(p, 0);
-
-bad_notrans:
+       if (error == 0) {
+               /*
+                * Reset atm context from task
+                */
+               task_atm_reset(p->task);
+
+               /*
+                * Reset old bank context from task
+                */
+               task_bank_reset(p->task);
+       }
+bad:
+       proc_transend(p, 0);
+
+bad_notrans:
        if (imgp->ip_strings)
                execargs_free(imgp);
        if (imgp->ip_ndp)
                nameidone(imgp->ip_ndp);
        if (imgp->ip_strings)
                execargs_free(imgp);
        if (imgp->ip_ndp)
                nameidone(imgp->ip_ndp);
+       if (ndp)
+               FREE(ndp, M_TEMP);
 
        return (error);
 }
 
 
        return (error);
 }
 
+
+/*
+ * exec_handle_spawnattr_policy
+ *
+ * Description: Decode and apply the posix_spawn apptype, qos clamp, and watchport ports to the task.
+ *
+ * Parameters:  proc_t p                process to apply attributes to
+ *              int psa_apptype         posix spawn attribute apptype
+ *
+ * Returns:     0                       Success
+ */
+static errno_t
+exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
+                             ipc_port_t * portwatch_ports, int portwatch_count)
+{
+       int apptype     = TASK_APPTYPE_NONE;
+       int qos_clamp   = THREAD_QOS_UNSPECIFIED;
+       int role        = TASK_UNSPECIFIED;
+
+       if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != 0) {
+               int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK;
+
+               switch(proctype) {
+                       case POSIX_SPAWN_PROC_TYPE_DAEMON_INTERACTIVE:
+                               apptype = TASK_APPTYPE_DAEMON_INTERACTIVE;
+                               break;
+                       case POSIX_SPAWN_PROC_TYPE_DAEMON_STANDARD:
+                               apptype = TASK_APPTYPE_DAEMON_STANDARD;
+                               break;
+                       case POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE:
+                               apptype = TASK_APPTYPE_DAEMON_ADAPTIVE;
+                               break;
+                       case POSIX_SPAWN_PROC_TYPE_DAEMON_BACKGROUND:
+                               apptype = TASK_APPTYPE_DAEMON_BACKGROUND;
+                               break;
+                       case POSIX_SPAWN_PROC_TYPE_APP_DEFAULT:
+                               apptype = TASK_APPTYPE_APP_DEFAULT;
+                               break;
+                       case POSIX_SPAWN_PROC_TYPE_APP_TAL:
+                               apptype = TASK_APPTYPE_APP_TAL;
+                               break;
+                       default:
+                               apptype = TASK_APPTYPE_NONE;
+                               /* TODO: Should an invalid value here fail the spawn? */
+                               break;
+               }
+       }
+
+       if (psa_qos_clamp != POSIX_SPAWN_PROC_CLAMP_NONE) {
+               switch (psa_qos_clamp) {
+                       case POSIX_SPAWN_PROC_CLAMP_UTILITY:
+                               qos_clamp = THREAD_QOS_UTILITY;
+                               break;
+                       case POSIX_SPAWN_PROC_CLAMP_BACKGROUND:
+                               qos_clamp = THREAD_QOS_BACKGROUND;
+                               break;
+                       case POSIX_SPAWN_PROC_CLAMP_MAINTENANCE:
+                               qos_clamp = THREAD_QOS_MAINTENANCE;
+                               break;
+                       default:
+                               qos_clamp = THREAD_QOS_UNSPECIFIED;
+                               /* TODO: Should an invalid value here fail the spawn? */
+                               break;
+               }
+       }
+
+       if (psa_darwin_role != PRIO_DARWIN_ROLE_DEFAULT) {
+               proc_darwin_role_to_task_role(psa_darwin_role, &role);
+       }
+
+       if (apptype   != TASK_APPTYPE_NONE      ||
+           qos_clamp != THREAD_QOS_UNSPECIFIED ||
+           role      != TASK_UNSPECIFIED) {
+               proc_set_task_spawnpolicy(p->task, apptype, qos_clamp, role,
+                                         portwatch_ports, portwatch_count);
+       }
+
+       return (0);
+}
+
+
 /*
  * exec_handle_port_actions
  *
 /*
  * exec_handle_port_actions
  *
@@ -1379,67 +1550,82 @@ bad_notrans:
  *             short psa_flags         posix spawn attribute flags
  *
  * Returns:    0                       Success
  *             short psa_flags         posix spawn attribute flags
  *
  * Returns:    0                       Success
- *             KERN_FAILURE            Failure
+ *             EINVAL                  Failure
  *             ENOTSUP                 Illegal posix_spawn attr flag was set
  */
  *             ENOTSUP                 Illegal posix_spawn attr flag was set
  */
-static int
-exec_handle_port_actions(struct image_params *imgp, short psa_flags)
+static errno_t
+exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports)
 {
        _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
        _ps_port_action_t *act = NULL;
        task_t task = p->task;
        ipc_port_t port = NULL;
 {
        _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
        _ps_port_action_t *act = NULL;
        task_t task = p->task;
        ipc_port_t port = NULL;
-       kern_return_t ret = KERN_SUCCESS;
+       errno_t ret = 0;
        int i;
 
        int i;
 
+       *portwatch_present = FALSE;
+
        for (i = 0; i < pacts->pspa_count; i++) {
                act = &pacts->pspa_actions[i];
 
        for (i = 0; i < pacts->pspa_count; i++) {
                act = &pacts->pspa_actions[i];
 
-               ret = ipc_object_copyin(get_task_ipcspace(current_task()),
-                               CAST_MACH_PORT_TO_NAME(act->new_port),
-                               MACH_MSG_TYPE_COPY_SEND,
-                               (ipc_object_t *) &port);
-
-               if (ret)                        
-                       return ret;
+               if (ipc_object_copyin(get_task_ipcspace(current_task()),
+                   act->new_port, MACH_MSG_TYPE_COPY_SEND,
+                   (ipc_object_t *) &port) != KERN_SUCCESS) {
+                       ret = EINVAL;
+                       goto done;
+               }
 
                switch (act->port_type) {
 
                switch (act->port_type) {
-                       case PSPA_SPECIAL:
-                               /* Only allowed when not under vfork */
-                               if (!(psa_flags & POSIX_SPAWN_SETEXEC))
-                                       return ENOTSUP;
-                               ret = task_set_special_port(task, 
-                                               act->which, 
-                                               port);
-                               break;
-                       case PSPA_EXCEPTION:
-                               /* Only allowed when not under vfork */
-                               if (!(psa_flags & POSIX_SPAWN_SETEXEC))
-                                       return ENOTSUP;
-                               ret = task_set_exception_ports(task, 
-                                               act->mask,
-                                               port
-                                               act->behavior, 
-                                               act->flavor);
-                               break;
+               case PSPA_SPECIAL:
+                       /* Only allowed when not under vfork */
+                       if (!(psa_flags & POSIX_SPAWN_SETEXEC))
+                               ret = ENOTSUP;
+                       else if (task_set_special_port(task,
+                       act->which, port) != KERN_SUCCESS)
+                               ret = EINVAL;
+                       break;
+
+               case PSPA_EXCEPTION:
+                       /* Only allowed when not under vfork */
+                       if (!(psa_flags & POSIX_SPAWN_SETEXEC))
+                               ret = ENOTSUP;
+                       else if (task_set_exception_ports(task, 
+                       act->mask, port, act->behavior
+                       act->flavor) != KERN_SUCCESS)
+                               ret = EINVAL;
+                       break;
 #if CONFIG_AUDIT
 #if CONFIG_AUDIT
-                       case PSPA_AU_SESSION:
-                               ret = audit_session_spawnjoin(p, 
-                                               port);
-                               break;
+               case PSPA_AU_SESSION:
+                       ret = audit_session_spawnjoin(p, port);
+                       break;
 #endif
 #endif
-                       default:
-                               ret = KERN_FAILURE;
+               case PSPA_IMP_WATCHPORTS:
+                       if (portwatch_ports != NULL) {
+                               *portwatch_present = TRUE;
+                               /* hold on to this till end of spawn */
+                               portwatch_ports[i] = port;
+                               ret = 0;
+                       } else
+                               ipc_port_release_send(port);
+                       break;
+               default:
+                       ret = EINVAL;
+                       break;
                }
                }
+
                /* action failed, so release port resources */
                /* action failed, so release port resources */
+
                if (ret) { 
                        ipc_port_release_send(port);
                if (ret) { 
                        ipc_port_release_send(port);
-                       return ret;
+                       break;
                }
        }
 
                }
        }
 
-       return ret;
+done:
+       if (0 != ret)
+               DTRACE_PROC1(spawn__port__failure, mach_port_name_t, act->new_port);
+       return (ret);
 }
 
 /*
 }
 
 /*
@@ -1461,7 +1647,7 @@ exec_handle_port_actions(struct image_params *imgp, short psa_flags)
  *             normally permitted to perform.
  */
 static int
  *             normally permitted to perform.
  */
 static int
-exec_handle_file_actions(struct image_params *imgp)
+exec_handle_file_actions(struct image_params *imgp, short psa_flags)
 {
        int error = 0;
        int action;
 {
        int error = 0;
        int action;
@@ -1479,35 +1665,48 @@ exec_handle_file_actions(struct image_params *imgp)
                         * a path argument, which is normally copied in from
                         * user space; because of this, we have to support an
                         * open from kernel space that passes an address space
                         * a path argument, which is normally copied in from
                         * user space; because of this, we have to support an
                         * open from kernel space that passes an address space
-                        * context oof UIO_SYSSPACE, and casts the address
+                        * context of UIO_SYSSPACE, and casts the address
                         * argument to a user_addr_t.
                         */
                         * argument to a user_addr_t.
                         */
-                       struct vnode_attr va;
-                       struct nameidata nd;
+                       char *bufp = NULL;
+                       struct vnode_attr *vap;
+                       struct nameidata *ndp;
                        int mode = psfa->psfaa_openargs.psfao_mode;
                        struct dup2_args dup2a;
                        struct close_nocancel_args ca;
                        int origfd;
 
                        int mode = psfa->psfaa_openargs.psfao_mode;
                        struct dup2_args dup2a;
                        struct close_nocancel_args ca;
                        int origfd;
 
-                       VATTR_INIT(&va);
+                       MALLOC(bufp, char *, sizeof(*vap) + sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
+                       if (bufp == NULL) {
+                               error = ENOMEM;
+                               break;
+                       }
+
+                       vap = (struct vnode_attr *) bufp;
+                       ndp = (struct nameidata *) (bufp + sizeof(*vap));
+
+                       VATTR_INIT(vap);
                        /* Mask off all but regular access permissions */
                        mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
                        /* Mask off all but regular access permissions */
                        mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
-                       VATTR_SET(&va, va_mode, mode & ACCESSPERMS);
+                       VATTR_SET(vap, va_mode, mode & ACCESSPERMS);
 
 
-                       NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
+                       NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
                               CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
                               imgp->ip_vfs_context);
 
                        error = open1(imgp->ip_vfs_context, 
                               CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
                               imgp->ip_vfs_context);
 
                        error = open1(imgp->ip_vfs_context, 
-                                       &nd,
+                                       ndp,
                                        psfa->psfaa_openargs.psfao_oflag,
                                        psfa->psfaa_openargs.psfao_oflag,
-                                       &va,
+                                       vap,
+                                       fileproc_alloc_init, NULL,
                                        ival);
 
                                        ival);
 
+                       FREE(bufp, M_TEMP);
+
                        /*
                         * If there's an error, or we get the right fd by
                        /*
                         * If there's an error, or we get the right fd by
-                        * accident, then drop out here.  This is easier that
-                        * rearchitecting all the open code to preallocate fd
+                        * accident, then drop out here.  This is easier than
+                        * reworking all the open code to preallocate fd
                         * slots, and internally taking one as an argument.
                         */
                        if (error || ival[0] == psfa->psfaa_filedes)
                         * slots, and internally taking one as an argument.
                         */
                        if (error || ival[0] == psfa->psfaa_filedes)
@@ -1566,18 +1765,356 @@ exec_handle_file_actions(struct image_params *imgp)
                        }
                        break;
 
                        }
                        break;
 
+               case PSFA_INHERIT: {
+                       struct fcntl_nocancel_args fcntla;
+
+                       /*
+                        * Check to see if the descriptor exists, and
+                        * ensure it's -not- marked as close-on-exec.
+                        *
+                        * Attempting to "inherit" a guarded fd will
+                        * result in a error.
+                        */
+                       fcntla.fd = psfa->psfaa_filedes;
+                       fcntla.cmd = F_GETFD;
+                       if ((error = fcntl_nocancel(p, &fcntla, ival)) != 0)
+                               break;
+
+                       if ((ival[0] & FD_CLOEXEC) == FD_CLOEXEC) {
+                               fcntla.fd = psfa->psfaa_filedes;
+                               fcntla.cmd = F_SETFD;
+                               fcntla.arg = ival[0] & ~FD_CLOEXEC;
+                               error = fcntl_nocancel(p, &fcntla, ival);
+                       }
+
+                       }
+                       break;
+
                default:
                        error = EINVAL;
                        break;
                }
                default:
                        error = EINVAL;
                        break;
                }
+
                /* All file actions failures are considered fatal, per POSIX */
                /* All file actions failures are considered fatal, per POSIX */
-               if (error)
+
+               if (error) {
+                       if (PSFA_OPEN == psfa->psfaa_type) {
+                               DTRACE_PROC1(spawn__open__failure, uintptr_t,
+                                   psfa->psfaa_openargs.psfao_path);
+                       } else {
+                               DTRACE_PROC1(spawn__fd__failure, int, psfa->psfaa_filedes);
+                       }
                        break;
                        break;
+               }
        }
 
        }
 
-       return (error);
+       if (error != 0 || (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == 0)
+               return (error);
+
+       /*
+        * If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during
+        * this spawn only) as if "close on exec" is the default
+        * disposition of all pre-existing file descriptors.  In this case,
+        * the list of file descriptors mentioned in the file actions
+        * are the only ones that can be inherited, so mark them now.
+        *
+        * The actual closing part comes later, in fdexec().
+        */
+       proc_fdlock(p);
+       for (action = 0; action < px_sfap->psfa_act_count; action++) {
+               _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
+               int fd = psfa->psfaa_filedes;
+
+               switch (psfa->psfaa_type) {
+               case PSFA_DUP2:
+                       fd = psfa->psfaa_openargs.psfao_oflag;
+                       /*FALLTHROUGH*/
+               case PSFA_OPEN:
+               case PSFA_INHERIT:
+                       *fdflags(p, fd) |= UF_INHERIT;
+                       break;
+
+               case PSFA_CLOSE:
+                       break;
+               }
+       }
+       proc_fdunlock(p);
+
+       return (0);
+}
+
+#if CONFIG_MACF
+/*
+ * exec_spawnattr_getmacpolicyinfo
+ */
+void *
+exec_spawnattr_getmacpolicyinfo(const void *macextensions, const char *policyname, size_t *lenp)
+{
+       const struct _posix_spawn_mac_policy_extensions *psmx = macextensions;
+       int i;
+
+       if (psmx == NULL)
+               return NULL;
+
+       for (i = 0; i < psmx->psmx_count; i++) {
+               const _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
+               if (strncmp(extension->policyname, policyname, sizeof(extension->policyname)) == 0) {
+                       if (lenp != NULL)
+                               *lenp = extension->datalen;
+                       return extension->datap;
+               }
+       }
+
+       if (lenp != NULL)
+               *lenp = 0;
+       return NULL;
+}
+
+static int
+spawn_copyin_macpolicyinfo(const struct user__posix_spawn_args_desc *px_args, _posix_spawn_mac_policy_extensions_t *psmxp)
+{
+       _posix_spawn_mac_policy_extensions_t psmx = NULL;
+       int error = 0;
+       int copycnt = 0;
+       int i = 0;
+
+       *psmxp = NULL;
+
+       if (px_args->mac_extensions_size < PS_MAC_EXTENSIONS_SIZE(1) ||
+           px_args->mac_extensions_size > PAGE_SIZE) {
+               error = EINVAL;
+               goto bad;
+       }
+
+       MALLOC(psmx, _posix_spawn_mac_policy_extensions_t, px_args->mac_extensions_size, M_TEMP, M_WAITOK);
+       if ((error = copyin(px_args->mac_extensions, psmx, px_args->mac_extensions_size)) != 0)
+               goto bad;
+
+       if (PS_MAC_EXTENSIONS_SIZE(psmx->psmx_count) > px_args->mac_extensions_size) {
+               error = EINVAL;
+               goto bad;
+       }
+
+       for (i = 0; i < psmx->psmx_count; i++) {
+               _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
+               if (extension->datalen == 0 || extension->datalen > PAGE_SIZE) {
+                       error = EINVAL;
+                       goto bad;
+               }
+       }
+
+       for (copycnt = 0; copycnt < psmx->psmx_count; copycnt++) {
+               _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt];
+               void *data = NULL;
+
+               MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK);
+               if ((error = copyin(extension->data, data, extension->datalen)) != 0) {
+                       FREE(data, M_TEMP);
+                       goto bad;
+               }
+               extension->datap = data;
+       }
+
+       *psmxp = psmx;
+       return 0;
+
+bad:
+       if (psmx != NULL) {
+               for (i = 0; i < copycnt; i++)
+                       FREE(psmx->psmx_extensions[i].datap, M_TEMP);
+               FREE(psmx, M_TEMP);
+       }
+       return error;
+}
+
+static void
+spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx)
+{
+       int i;
+
+       if (psmx == NULL)
+               return;
+       for (i = 0; i < psmx->psmx_count; i++)
+               FREE(psmx->psmx_extensions[i].datap, M_TEMP);
+       FREE(psmx, M_TEMP);
+}
+#endif /* CONFIG_MACF */
+
+#if CONFIG_COALITIONS
+static inline void spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES])
+{
+       for (int c = 0; c < COALITION_NUM_TYPES; c++) {
+               if (coal[c]) {
+                       coalition_remove_active(coal[c]);
+                       coalition_release(coal[c]);
+               }
+       }
+}
+#endif
+
+#if CONFIG_PERSONAS
+static int spawn_validate_persona(struct _posix_spawn_persona_info *px_persona)
+{
+       int error = 0;
+       struct persona *persona = NULL;
+       int verify = px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_VERIFY;
+
+       /*
+        * TODO: rdar://problem/19981151
+        * Add entitlement check!
+        */
+       if (!kauth_cred_issuser(kauth_cred_get()))
+               return EPERM;
+
+       persona = persona_lookup(px_persona->pspi_id);
+       if (!persona) {
+               error = ESRCH;
+               goto out;
+       }
+
+       if (verify) {
+               if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+                       if (px_persona->pspi_uid != persona_get_uid(persona)) {
+                               error = EINVAL;
+                               goto out;
+                       }
+               }
+               if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+                       if (px_persona->pspi_gid != persona_get_gid(persona)) {
+                               error = EINVAL;
+                               goto out;
+                       }
+               }
+               if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+                       int ngroups = 0;
+                       gid_t groups[NGROUPS_MAX];
+
+                       if (persona_get_groups(persona, &ngroups, groups,
+                                              px_persona->pspi_ngroups) != 0) {
+                               error = EINVAL;
+                               goto out;
+                       }
+                       if (ngroups != (int)px_persona->pspi_ngroups) {
+                               error = EINVAL;
+                               goto out;
+                       }
+                       while (ngroups--) {
+                               if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
+                                       error = EINVAL;
+                                       goto out;
+                               }
+                       }
+                       if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
+                               error = EINVAL;
+                               goto out;
+                       }
+               }
+       }
+
+out:
+       if (persona)
+               persona_put(persona);
+
+       return error;
 }
 
 }
 
+static int spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
+{
+       int ret;
+       kauth_cred_t cred;
+       struct persona *persona = NULL;
+       int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
+
+       if (!override)
+               return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
+
+       /*
+        * we want to spawn into the given persona, but we want to override
+        * the kauth with a different UID/GID combo
+        */
+       persona = persona_lookup(px_persona->pspi_id);
+       if (!persona)
+               return ESRCH;
+
+       cred = persona_get_cred(persona);
+       if (!cred) {
+               ret = EINVAL;
+               goto out;
+       }
+
+       if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
+               cred = kauth_cred_setresuid(cred,
+                                           px_persona->pspi_uid,
+                                           px_persona->pspi_uid,
+                                           px_persona->pspi_uid,
+                                           KAUTH_UID_NONE);
+       }
+
+       if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
+               cred = kauth_cred_setresgid(cred,
+                                           px_persona->pspi_gid,
+                                           px_persona->pspi_gid,
+                                           px_persona->pspi_gid);
+       }
+
+       if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
+               cred = kauth_cred_setgroups(cred,
+                                           px_persona->pspi_groups,
+                                           px_persona->pspi_ngroups,
+                                           px_persona->pspi_gmuid);
+       }
+
+       ret = persona_proc_adopt(p, persona, cred);
+
+out:
+       persona_put(persona);
+       return ret;
+}
+#endif
+
+void
+proc_set_return_wait(proc_t p)
+{
+       proc_lock(p);
+       p->p_lflag |= P_LRETURNWAIT;
+       proc_unlock(p);
+}
+
+void
+proc_clear_return_wait(proc_t p, thread_t child_thread)
+{
+       proc_lock(p);
+
+       p->p_lflag &= ~P_LRETURNWAIT;
+       if (p->p_lflag & P_LRETURNWAITER) {
+               wakeup(&p->p_lflag);
+       }
+
+       proc_unlock(p);
+
+       (void)thread_resume(child_thread);
+}
+
+void
+proc_wait_to_return()
+{
+       proc_t  p;
+
+       p = current_proc();
+       proc_lock(p);
+
+       if (p->p_lflag & P_LRETURNWAIT) {
+               p->p_lflag |= P_LRETURNWAITER;
+               do {
+                       msleep(&p->p_lflag, &p->p_mlock, 0,
+                               "thread_check_setup_complete", NULL);
+               } while (p->p_lflag & P_LRETURNWAIT);
+               p->p_lflag &= ~P_LRETURNWAITER;
+       }
+
+       proc_unlock(p);
+       thread_bootstrap_return();
+}
 
 /*
  * posix_spawn
 
 /*
  * posix_spawn
@@ -1619,7 +2156,6 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        struct vnode_attr *origvap;
        struct uthread  *uthread = 0;   /* compiler complains if not set to 0*/
        int error, sig;
        struct vnode_attr *origvap;
        struct uthread  *uthread = 0;   /* compiler complains if not set to 0*/
        int error, sig;
-       char alt_p_comm[sizeof(p->p_comm)] = {0};       /* for PowerPC */
        int is_64 = IS_64BIT_PROCESS(p);
        struct vfs_context context;
        struct user__posix_spawn_args_desc px_args;
        int is_64 = IS_64BIT_PROCESS(p);
        struct vfs_context context;
        struct user__posix_spawn_args_desc px_args;
@@ -1628,10 +2164,18 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        _posix_spawn_port_actions_t px_spap = NULL;
        struct __kern_sigaction vec;
        boolean_t spawn_no_exec = FALSE;
        _posix_spawn_port_actions_t px_spap = NULL;
        struct __kern_sigaction vec;
        boolean_t spawn_no_exec = FALSE;
+       boolean_t proc_transit_set = TRUE;
+       boolean_t exec_done = FALSE;
+       int portwatch_count = 0;
+       ipc_port_t * portwatch_ports = NULL;
+       vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports); 
+#if CONFIG_PERSONAS
+       struct _posix_spawn_persona_info *px_persona = NULL;
+#endif
 
        /*
         * Allocate a big chunk for locals instead of using stack since these  
 
        /*
         * Allocate a big chunk for locals instead of using stack since these  
-        * structures a pretty big.
+        * structures are pretty big.
         */
        MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
        imgp = (struct image_params *) bufp;
         */
        MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO);
        imgp = (struct image_params *) bufp;
@@ -1650,8 +2194,9 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        imgp->ip_origvattr = origvap;
        imgp->ip_vfs_context = &context;
        imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
        imgp->ip_origvattr = origvap;
        imgp->ip_vfs_context = &context;
        imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
-       imgp->ip_p_comm = alt_p_comm;           /* for PowerPC */
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
+       imgp->ip_mac_return = 0;
+       imgp->ip_px_persona = NULL;
 
        if (uap->adesc != USER_ADDR_NULL) {
                if(is_64) {
 
        if (uap->adesc != USER_ADDR_NULL) {
                if(is_64) {
@@ -1671,17 +2216,27 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                        px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
                        px_args.port_actions_size = px_args32.port_actions_size;
                        px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
                        px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
                        px_args.port_actions_size = px_args32.port_actions_size;
                        px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
+                       px_args.mac_extensions_size = px_args32.mac_extensions_size;
+                       px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
+                       px_args.coal_info_size = px_args32.coal_info_size;
+                       px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
+                       px_args.persona_info_size = px_args32.persona_info_size;
+                       px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
                }
                if (error)
                        goto bad;
 
                if (px_args.attr_size != 0) {
                        /* 
                }
                if (error)
                        goto bad;
 
                if (px_args.attr_size != 0) {
                        /* 
-                        * This could lose some of the port_actions pointer, 
-                        * but we already have it from px_args. 
+                        * We are not copying the port_actions pointer, 
+                        * because we already have it from px_args. 
+                        * This is a bit fragile: <rdar://problem/16427422>
                         */
                         */
-                       if ((error = copyin(px_args.attrp, &px_sa, sizeof(px_sa))) != 0)
+
+                       if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset) != 0)) 
                        goto bad;
                        goto bad;
+               
+                       bzero( (void *)( (unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );        
 
                        imgp->ip_px_sa = &px_sa;
                }
 
                        imgp->ip_px_sa = &px_sa;
                }
@@ -1703,6 +2258,12 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                        if ((error = copyin(px_args.file_actions, px_sfap, 
                                                        px_args.file_actions_size)) != 0)
                                goto bad;
                        if ((error = copyin(px_args.file_actions, px_sfap, 
                                                        px_args.file_actions_size)) != 0)
                                goto bad;
+
+                       /* Verify that the action count matches the struct size */
+                       if (PSF_ACTIONS_SIZE(px_sfap->psfa_act_count) != px_args.file_actions_size) {
+                               error = EINVAL;
+                               goto bad;
+                       }
                }
                if (px_args.port_actions_size != 0) {
                        /* Limit port_actions to one page of data */
                }
                if (px_args.port_actions_size != 0) {
                        /* Limit port_actions to one page of data */
@@ -1723,7 +2284,42 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                        if ((error = copyin(px_args.port_actions, px_spap, 
                                                        px_args.port_actions_size)) != 0)
                                goto bad;
                        if ((error = copyin(px_args.port_actions, px_spap, 
                                                        px_args.port_actions_size)) != 0)
                                goto bad;
+
+                       /* Verify that the action count matches the struct size */
+                       if (PS_PORT_ACTIONS_SIZE(px_spap->pspa_count) != px_args.port_actions_size) {
+                               error = EINVAL;
+                               goto bad;
+                       }
+               }
+#if CONFIG_PERSONAS
+               /* copy in the persona info */
+               if (px_args.persona_info_size != 0 && px_args.persona_info != 0) {
+                       /* for now, we need the exact same struct in user space */
+                       if (px_args.persona_info_size != sizeof(*px_persona)) {
+                               error = ERANGE;
+                               goto bad;
+                       }
+
+                       MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK|M_ZERO);
+                       if (px_persona == NULL) {
+                               error = ENOMEM;
+                               goto bad;
+                       }
+                       imgp->ip_px_persona = px_persona;
+
+                       if ((error = copyin(px_args.persona_info, px_persona,
+                                           px_args.persona_info_size)) != 0)
+                               goto bad;
+                       if ((error = spawn_validate_persona(px_persona)) != 0)
+                               goto bad;
+               }
+#endif
+#if CONFIG_MACF
+               if (px_args.mac_extensions_size != 0) {
+                       if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0)
+                               goto bad;
                }
                }
+#endif /* CONFIG_MACF */
        }
 
        /* set uthread to parent */
        }
 
        /* set uthread to parent */
@@ -1740,22 +2336,159 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        }
 
        /*
        }
 
        /*
-        * If we don't have the extention flag that turns "posix_spawn()"
+        * If we don't have the extension flag that turns "posix_spawn()"
         * into "execve() with options", then we will be creating a new
         * process which does not inherit memory from the parent process,
         * which is one of the most expensive things about using fork()
         * and execve().
         */
        if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){
         * into "execve() with options", then we will be creating a new
         * process which does not inherit memory from the parent process,
         * which is one of the most expensive things about using fork()
         * and execve().
         */
        if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){
-               if ((error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN)) != 0)
+
+               /* Set the new task's coalition, if it is requested.  */
+               coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
+#if CONFIG_COALITIONS
+               int i, ncoals;
+               kern_return_t kr = KERN_SUCCESS;
+               struct _posix_spawn_coalition_info coal_info;
+               int coal_role[COALITION_NUM_TYPES];
+
+               if (imgp->ip_px_sa == NULL || !px_args.coal_info)
+                       goto do_fork1;
+
+               memset(&coal_info, 0, sizeof(coal_info));
+
+               if (px_args.coal_info_size > sizeof(coal_info))
+                       px_args.coal_info_size = sizeof(coal_info);
+               error = copyin(px_args.coal_info,
+                              &coal_info, px_args.coal_info_size);
+               if (error != 0)
+                       goto bad;
+
+               ncoals = 0;
+               for (i = 0; i < COALITION_NUM_TYPES; i++) {
+                       uint64_t cid = coal_info.psci_info[i].psci_id;
+                       if (cid != 0) {
+                               /*
+                                * don't allow tasks which are not in a
+                                * privileged coalition to spawn processes
+                                * into coalitions other than their own
+                                */
+                               if (!task_is_in_privileged_coalition(p->task, i)) {
+                                       coal_dbg("ERROR: %d not in privilegd "
+                                                "coalition of type %d",
+                                                p->p_pid, i);
+                                       spawn_coalitions_release_all(coal);
+                                       error = EPERM;
+                                       goto bad;
+                               }
+
+                               coal_dbg("searching for coalition id:%llu", cid);
+                               /*
+                                * take a reference and activation on the
+                                * coalition to guard against free-while-spawn
+                                * races
+                                */
+                               coal[i] = coalition_find_and_activate_by_id(cid);
+                               if (coal[i] == COALITION_NULL) {
+                                       coal_dbg("could not find coalition id:%llu "
+                                                "(perhaps it has been terminated or reaped)", cid);
+                                       /*
+                                        * release any other coalition's we
+                                        * may have a reference to
+                                        */
+                                       spawn_coalitions_release_all(coal);
+                                       error = ESRCH;
+                                       goto bad;
+                               }
+                               if (coalition_type(coal[i]) != i) {
+                                       coal_dbg("coalition with id:%lld is not of type:%d"
+                                                " (it's type:%d)", cid, i, coalition_type(coal[i]));
+                                       error = ESRCH;
+                                       goto bad;
+                               }
+                               coal_role[i] = coal_info.psci_info[i].psci_role;
+                               ncoals++;
+                       }
+               }
+               if (ncoals < COALITION_NUM_TYPES) {
+                       /*
+                        * If the user is attempting to spawn into a subset of
+                        * the known coalition types, then make sure they have
+                        * _at_least_ specified a resource coalition. If not,
+                        * the following fork1() call will implicitly force an
+                        * inheritance from 'p' and won't actually spawn the
+                        * new task into the coalitions the user specified.
+                        * (also the call to coalitions_set_roles will panic)
+                        */
+                       if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) {
+                               spawn_coalitions_release_all(coal);
+                               error = EINVAL;
+                               goto bad;
+                       }
+               }
+do_fork1:
+#endif /* CONFIG_COALITIONS */
+
+               /*
+                * note that this will implicitly inherit the
+                * caller's persona (if it exists)
+                */
+               error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
+
+#if CONFIG_COALITIONS
+               /* set the roles of this task within each given coalition */
+               if (error == 0) {
+                       kr = coalitions_set_roles(coal, get_threadtask(imgp->ip_new_thread), coal_role);
+                       if (kr != KERN_SUCCESS)
+                               error = EINVAL;
+               }
+
+               /* drop our references and activations - fork1() now holds them */
+               spawn_coalitions_release_all(coal);
+#endif /* CONFIG_COALITIONS */
+               if (error != 0) {
                        goto bad;
                        goto bad;
+               }
                imgp->ip_flags |= IMGPF_SPAWN;  /* spawn w/o exec */
                spawn_no_exec = TRUE;           /* used in later tests */
                imgp->ip_flags |= IMGPF_SPAWN;  /* spawn w/o exec */
                spawn_no_exec = TRUE;           /* used in later tests */
+
+#if CONFIG_PERSONAS
+               /*
+                * If the parent isn't in a persona (launchd), and
+                * hasn't specified a new persona for the process,
+                * then we'll put the process into the system persona
+                *
+                * TODO: this will have to be re-worked because as of
+                *       now, without any launchd adoption, the resulting
+                *       xpcproxy process will not have sufficient
+                *       privileges to setuid/gid.
+                */
+#if 0
+               if (!proc_has_persona(p) && imgp->ip_px_persona == NULL) {
+                       MALLOC(px_persona, struct _posix_spawn_persona_info *,
+                              sizeof(*px_persona), M_TEMP, M_WAITOK|M_ZERO);
+                       if (px_persona == NULL) {
+                               error = ENOMEM;
+                               goto bad;
+                       }
+                       px_persona->pspi_id = persona_get_id(g_system_persona);
+                       imgp->ip_px_persona = px_persona;
+               }
+#endif /* 0 */
+#endif /* CONFIG_PERSONAS */
        }
 
        }
 
-       if (spawn_no_exec)
+       if (spawn_no_exec) {
                p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
                p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
-
+               
+               /*
+                * We had to wait until this point before firing the
+                * proc:::create probe, otherwise p would not point to the
+                * child process.
+                */
+               DTRACE_PROC1(create, proc_t, p);
+       }
+       assert(p != NULL);
 
        /* By default, the thread everyone plays with is the parent */
        context.vc_thread = current_thread();
 
        /* By default, the thread everyone plays with is the parent */
        context.vc_thread = current_thread();
@@ -1768,27 +2501,54 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
        if (spawn_no_exec)
                context.vc_thread = imgp->ip_new_thread;
 
        if (spawn_no_exec)
                context.vc_thread = imgp->ip_new_thread;
 
-
        /*
         * Post fdcopy(), pre exec_handle_sugid() - this is where we want
         * to handle the file_actions.  Since vfork() also ends up setting
         * us into the parent process group, and saved off the signal flags,
         * this is also where we want to handle the spawn flags.
         */
        /*
         * Post fdcopy(), pre exec_handle_sugid() - this is where we want
         * to handle the file_actions.  Since vfork() also ends up setting
         * us into the parent process group, and saved off the signal flags,
         * this is also where we want to handle the spawn flags.
         */
+
        /* Has spawn file actions? */
        /* Has spawn file actions? */
-       if (imgp->ip_px_sfa != NULL &&
-           (error = exec_handle_file_actions(imgp)) != 0) {
-               goto bad;
+       if (imgp->ip_px_sfa != NULL) {
+               /*
+                * The POSIX_SPAWN_CLOEXEC_DEFAULT flag
+                * is handled in exec_handle_file_actions().
+                */
+               if ((error = exec_handle_file_actions(imgp,
+                   imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0)) != 0)
+                       goto bad;
        }
 
        /* Has spawn port actions? */
        }
 
        /* Has spawn port actions? */
-       if (imgp->ip_px_spa != NULL) { 
-               /* 
-                * The check for the POSIX_SPAWN_SETEXEC flag is done in 
-                * exec_handle_port_actions().
+       if (imgp->ip_px_spa != NULL) {
+               boolean_t is_adaptive = FALSE;
+               boolean_t portwatch_present = FALSE;
+
+               /* Will this process become adaptive? The apptype isn't ready yet, so we can't look there. */
+               if (imgp->ip_px_sa != NULL && px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE)
+                       is_adaptive = TRUE;
+
+               /*
+                * portwatch only:
+                * Allocate a place to store the ports we want to bind to the new task
+                * We can't bind them until after the apptype is set.
                 */
                 */
-               if((error = exec_handle_port_actions(imgp, px_sa.psa_flags)) != 0) 
+               if (px_spap->pspa_count != 0 && is_adaptive) {
+                       portwatch_count = px_spap->pspa_count;
+                       MALLOC(portwatch_ports, ipc_port_t *, (sizeof(ipc_port_t) * portwatch_count), M_TEMP, M_WAITOK | M_ZERO);
+               } else {
+                       portwatch_ports = NULL;
+               }
+
+               if ((error = exec_handle_port_actions(imgp,
+                   imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0, &portwatch_present, portwatch_ports)) != 0) 
                        goto bad;
                        goto bad;
+
+               if (portwatch_present == FALSE && portwatch_ports != NULL) {
+                       FREE(portwatch_ports, M_TEMP);
+                       portwatch_ports = NULL;
+                       portwatch_count = 0;
+               }
        }
 
        /* Has spawn attr? */
        }
 
        /* Has spawn attr? */
@@ -1824,12 +2584,60 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                 */
                if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
                        kauth_cred_t my_cred = p->p_ucred;
                 */
                if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
                        kauth_cred_t my_cred = p->p_ucred;
-                       kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, my_cred->cr_ruid, my_cred->cr_rgid);
-                       if (my_new_cred != my_cred)
+                       kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
+                       if (my_new_cred != my_cred) {
                                p->p_ucred = my_new_cred;
                                p->p_ucred = my_new_cred;
+                               /* update cred on proc */
+                               PROC_UPDATE_CREDS_ONPROC(p);
+                       }
+               }
+
+#if CONFIG_PERSONAS
+               if (spawn_no_exec && imgp->ip_px_persona != NULL) {
+                       /*
+                        * If we were asked to spawn a process into a new persona,
+                        * do the credential switch now (which may override the UID/GID
+                        * inherit done just above). It's important to do this switch
+                        * before image activation both for reasons stated above, and
+                        * to ensure that the new persona has access to the image/file
+                        * being executed.
+                        */
+                       error = spawn_persona_adopt(p, imgp->ip_px_persona);
+                       if (error != 0)
+                               goto bad;
                }
                }
+#endif /* CONFIG_PERSONAS */
+#if !SECURE_KERNEL
+               /*
+                * Disable ASLR for the spawned process.
+                *
+                * But only do so if we are not embedded + RELEASE.
+                * While embedded allows for a boot-arg (-disable_aslr)
+                * to deal with this (which itself is only honored on
+                * DEVELOPMENT or DEBUG builds of xnu), it is often
+                * useful or necessary to disable ASLR on a per-process
+                * basis for unit testing and debugging.
+                */
+               if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR)
+                       OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
+#endif /* !SECURE_KERNEL */
+
+               /*
+                * Forcibly disallow execution from data pages for the spawned process
+                * even if it would otherwise be permitted by the architecture default.
+                */
+               if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC)
+                       imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;
        }
 
        }
 
+       /*
+        * Disable ASLR during image activation.  This occurs either if the
+        * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
+        * P_DISABLE_ASLR was inherited from the parent process.
+        */
+       if (p->p_flag & P_DISABLE_ASLR)
+               imgp->ip_flags |= IMGPF_DISABLE_ASLR;
+
        /* 
         * Clear transition flag so we won't hang if exec_activate_image() causes
         * an automount (and launchd does a proc sysctl to service it).
        /* 
         * Clear transition flag so we won't hang if exec_activate_image() causes
         * an automount (and launchd does a proc sysctl to service it).
@@ -1838,6 +2646,7 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
         */
        if (spawn_no_exec) {
                proc_transend(p, 0);
         */
        if (spawn_no_exec) {
                proc_transend(p, 0);
+               proc_transit_set = 0;
        }
 
 #if MAC_SPAWN  /* XXX */
        }
 
 #if MAC_SPAWN  /* XXX */
@@ -1852,10 +2661,14 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
         * Activate the image
         */
        error = exec_activate_image(imgp);
         * Activate the image
         */
        error = exec_activate_image(imgp);
-
-       /* Image not claimed by any activator? */
-       if (error == -1)
+       
+       if (error == 0) {
+               /* process completed the exec */
+               exec_done = TRUE;
+       } else if (error == -1) {
+               /* Image not claimed by any activator? */
                error = ENOEXEC;
                error = ENOEXEC;
+       }
 
        /*
         * If we have a spawn attr, and it contains signal related flags,
 
        /*
         * If we have a spawn attr, and it contains signal related flags,
@@ -1904,10 +2717,34 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
                                        error = setsigvec(p, child_thread, sig + 1, &vec, spawn_no_exec);
                        }
                }
                                        error = setsigvec(p, child_thread, sig + 1, &vec, spawn_no_exec);
                        }
                }
+
+               /*
+                * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
+                * usage limit, which will generate a resource exceeded exception if any one thread exceeds the
+                * limit.
+                *
+                * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
+                */
+               if (px_sa.psa_cpumonitor_percent != 0) {
+                       /*
+                        * Always treat a CPU monitor activation coming from spawn as entitled. Requiring
+                        * an entitlement to configure the monitor a certain way seems silly, since
+                        * whomever is turning it on could just as easily choose not to do so.
+                        */
+                       error = proc_set_task_ruse_cpu(p->task,
+                                       TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
+                                       px_sa.psa_cpumonitor_percent,
+                                       px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
+                                       0, TRUE);
+               }
        }
 
 bad:
        }
 
 bad:
+
        if (error == 0) {
        if (error == 0) {
+               /* reset delay idle sleep status if set */
+               if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP)
+                       OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
                /* upon  successful spawn, re/set the proc control state */
                if (imgp->ip_px_sa != NULL) {
                        switch (px_sa.psa_pcontrol) {
                /* upon  successful spawn, re/set the proc control state */
                if (imgp->ip_px_sa != NULL) {
                        switch (px_sa.psa_pcontrol) {
@@ -1927,6 +2764,40 @@ bad:
                        };
                }
                exec_resettextvp(p, imgp);
                        };
                }
                exec_resettextvp(p, imgp);
+               
+#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
+               /* Has jetsam attributes? */
+               if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
+                       /*
+                        * With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no
+                        * longer relevant, as background limits are described via the inactive limit slots.
+                        * At the kernel layer, the flag is ignored.
+                        *
+                        * That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in,
+                        * we attempt to mimic previous behavior by forcing the BG limit data into the
+                        * inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode.
+                        * The kernel layer will flag this mapping.
+                        */
+                       if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) {
+                               memorystatus_update(p, px_sa.psa_priority, 0,
+                                           (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
+                                           TRUE,
+                                           -1, TRUE,
+                                           px_sa.psa_memlimit_inactive, FALSE,
+                                           (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND));
+                       } else {
+                               memorystatus_update(p, px_sa.psa_priority, 0,
+                                           (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
+                                           TRUE,
+                                           px_sa.psa_memlimit_active,
+                                           (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL),
+                                           px_sa.psa_memlimit_inactive,
+                                           (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL),
+                                           (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND));
+                       }
+
+               }
+#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM*/
        }
 
        /*
        }
 
        /*
@@ -1938,6 +2809,9 @@ bad:
         * before check_for_signature(), which uses psignal.
         */
        if (spawn_no_exec) {
         * before check_for_signature(), which uses psignal.
         */
        if (spawn_no_exec) {
+               if (proc_transit_set)
+                       proc_transend(p, 0);
+
                /*
                 * Drop the signal lock on the child which was taken on our
                 * behalf by forkproc()/cloneproc() to prevent signals being
                /*
                 * Drop the signal lock on the child which was taken on our
                 * behalf by forkproc()/cloneproc() to prevent signals being
@@ -1945,11 +2819,70 @@ bad:
                 */
                proc_signalend(p, 0);
 
                 */
                proc_signalend(p, 0);
 
-               /* flag the 'fork' has occurred */
-               proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
-               /* then flag exec has occurred */
-               proc_knote(p, NOTE_EXEC);
-               DTRACE_PROC1(create, proc_t, p);
+               /* flag the 'fork' has occurred */
+               proc_knote(p->p_pptr, NOTE_FORK | p->p_pid);
+               /* then flag exec has occurred */
+               /* notify only if it has not failed due to FP Key error */
+               if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0)
+                       proc_knote(p, NOTE_EXEC);
+       } else if (error == 0) {
+               /* reset the importance attribute from our previous life */
+               task_importance_reset(p->task);
+       }
+
+       if (error == 0) {
+               /*
+                * We need to initialize the bank context behind the protection of
+                * the proc_trans lock to prevent a race with exit. We can't do this during
+                * exec_activate_image because task_bank_init checks entitlements that
+                * aren't loaded until subsequent calls (including exec_resettextvp).
+                */
+               error = proc_transstart(p, 0, 0);
+
+               if (error == 0) {
+                       task_bank_init(p->task);
+                       proc_transend(p, 0);
+               }
+       }
+
+
+       /*
+        * Apply the spawnattr policy, apptype (which primes the task for importance donation),
+        * and bind any portwatch ports to the new task.
+        * This must be done after the exec so that the child's thread is ready,
+        * and after the in transit state has been released, because priority is
+        * dropped here so we need to be prepared for a potentially long preemption interval
+        *
+        * TODO: Consider splitting this up into separate phases
+        */
+       if (error == 0 && imgp->ip_px_sa != NULL) {
+               struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
+
+               exec_handle_spawnattr_policy(p, psa->psa_apptype, psa->psa_qos_clamp, psa->psa_darwin_role,
+                                             portwatch_ports, portwatch_count);
+       }
+
+       /* Apply the main thread qos */
+       if (error == 0) {
+               thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread();
+
+               task_set_main_thread_qos(p->task, main_thread);
+       }
+
+       /*
+        * Release any ports we kept around for binding to the new task
+        * We need to release the rights even if the posix_spawn has failed.
+        */
+       if (portwatch_ports != NULL) {
+               for (int i = 0; i < portwatch_count; i++) {
+                       ipc_port_t port = NULL;
+                       if ((port = portwatch_ports[i]) != NULL) {
+                               ipc_port_release_send(port);
+                       }
+               }
+               FREE(portwatch_ports, M_TEMP);
+               portwatch_ports = NULL;
+               portwatch_count = 0;
        }
 
        /*
        }
 
        /*
@@ -1974,14 +2907,21 @@ bad:
        if (imgp != NULL) {
                if (imgp->ip_vp)
                        vnode_put(imgp->ip_vp);
        if (imgp != NULL) {
                if (imgp->ip_vp)
                        vnode_put(imgp->ip_vp);
+               if (imgp->ip_scriptvp)
+                       vnode_put(imgp->ip_scriptvp);
                if (imgp->ip_strings)
                        execargs_free(imgp);
                if (imgp->ip_px_sfa != NULL)
                        FREE(imgp->ip_px_sfa, M_TEMP);
                if (imgp->ip_px_spa != NULL)
                        FREE(imgp->ip_px_spa, M_TEMP);
                if (imgp->ip_strings)
                        execargs_free(imgp);
                if (imgp->ip_px_sfa != NULL)
                        FREE(imgp->ip_px_sfa, M_TEMP);
                if (imgp->ip_px_spa != NULL)
                        FREE(imgp->ip_px_spa, M_TEMP);
-               
+#if CONFIG_PERSONAS
+               if (imgp->ip_px_persona != NULL)
+                       FREE(imgp->ip_px_persona, M_TEMP);
+#endif
 #if CONFIG_MACF
 #if CONFIG_MACF
+               if (imgp->ip_px_smpx != NULL)
+                       spawn_free_macpolicyinfo(imgp->ip_px_smpx);
                if (imgp->ip_execlabelp)
                        mac_cred_label_free(imgp->ip_execlabelp);
                if (imgp->ip_scriptlabelp)
                if (imgp->ip_execlabelp)
                        mac_cred_label_free(imgp->ip_execlabelp);
                if (imgp->ip_scriptlabelp)
@@ -1989,34 +2929,48 @@ bad:
 #endif
        }
 
 #endif
        }
 
-       if (error) {
-               DTRACE_PROC1(exec__failure, int, error);
+#if CONFIG_DTRACE
+       if (spawn_no_exec) {
+               /*
+                * In the original DTrace reference implementation,
+                * posix_spawn() was a libc routine that just
+                * did vfork(2) then exec(2).  Thus the proc::: probes
+                * are very fork/exec oriented.  The details of this
+                * in-kernel implementation of posix_spawn() is different
+                * (while producing the same process-observable effects)
+                * particularly w.r.t. errors, and which thread/process
+                * is constructing what on behalf of whom.
+                */
+               if (error) {
+                       DTRACE_PROC1(spawn__failure, int, error);
+               } else {
+                       DTRACE_PROC(spawn__success);
+                       /*
+                        * Some DTrace scripts, e.g. newproc.d in
+                        * /usr/bin, rely on the the 'exec-success'
+                        * probe being fired in the child after the
+                        * new process image has been constructed
+                        * in order to determine the associated pid.
+                        *
+                        * So, even though the parent built the image
+                        * here, for compatibility, mark the new thread
+                        * so 'exec-success' fires on it as it leaves
+                        * the kernel.
+                        */
+                       dtrace_thread_didexec(imgp->ip_new_thread);
+               }
        } else {
        } else {
-            /*
-            * <rdar://6609474> temporary - so dtrace call to current_proc()
-            * returns the child process instead of the parent.
-            */
-           if (imgp != NULL && imgp->ip_flags & IMGPF_SPAWN) {
-               p->p_lflag |= P_LINVFORK;
-               p->p_vforkact = current_thread();
-               uthread->uu_proc = p;
-               uthread->uu_flag |= UT_VFORK;
-           }
-           
-           DTRACE_PROC(exec__success);
-           
-           /*
-            * <rdar://6609474> temporary - so dtrace call to current_proc()
-            * returns the child process instead of the parent.
-            */
-           if (imgp != NULL && imgp->ip_flags & IMGPF_SPAWN) {
-               p->p_lflag &= ~P_LINVFORK;
-               p->p_vforkact = NULL;
-               uthread->uu_proc = PROC_NULL;
-               uthread->uu_flag &= ~UT_VFORK;
-           }
+               if (error) {
+                       DTRACE_PROC1(exec__failure, int, error);
+               } else {
+                       DTRACE_PROC(exec__success);
+               }
        }
 
        }
 
+       if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL)
+               (*dtrace_proc_waitfor_hook)(p);
+#endif
+
        /* Return to both the parent and the child? */
        if (imgp != NULL && spawn_no_exec) {
                /*
        /* Return to both the parent and the child? */
        if (imgp != NULL && spawn_no_exec) {
                /*
@@ -2040,16 +2994,20 @@ bad:
                                p->exit_thread = current_thread();
                                proc_unlock(p);
                                exit1(p, 1, (int *)NULL);
                                p->exit_thread = current_thread();
                                proc_unlock(p);
                                exit1(p, 1, (int *)NULL);
-                               task_deallocate(get_threadtask(imgp->ip_new_thread));
-                               thread_deallocate(imgp->ip_new_thread);
+                               proc_clear_return_wait(p, imgp->ip_new_thread);
+                               if (exec_done == FALSE) {
+                                       task_deallocate(get_threadtask(imgp->ip_new_thread));
+                                       thread_deallocate(imgp->ip_new_thread);
+                               }
                        } else {
                                /* someone is doing it for us; just skip it */
                                proc_unlock(p);
                        } else {
                                /* someone is doing it for us; just skip it */
                                proc_unlock(p);
+                               proc_clear_return_wait(p, imgp->ip_new_thread);
                        }
                } else {
 
                        /*
                        }
                } else {
 
                        /*
-                        * Return" to the child
+                        * Return to the child
                         *
                         * Note: the image activator earlier dropped the
                         * task/thread references to the newly spawned
                         *
                         * Note: the image activator earlier dropped the
                         * task/thread references to the newly spawned
@@ -2057,7 +3015,7 @@ bad:
                         * queue references on them, so we should be fine
                         * with the delayed resume of the thread here.
                         */
                         * queue references on them, so we should be fine
                         * with the delayed resume of the thread here.
                         */
-                       (void)thread_resume(imgp->ip_new_thread);
+                       proc_clear_return_wait(p, imgp->ip_new_thread);
                }
        }
        if (bufp != NULL) {
                }
        }
        if (bufp != NULL) {
@@ -2096,6 +3054,8 @@ execve(proc_t p, struct execve_args *uap, int32_t *retval)
        struct __mac_execve_args muap;
        int err;
 
        struct __mac_execve_args muap;
        int err;
 
+       memoryshot(VM_EXECVE, DBG_FUNC_NONE);
+
        muap.fname = uap->fname;
        muap.argp = uap->argp;
        muap.envp = uap->envp;
        muap.fname = uap->fname;
        muap.argp = uap->argp;
        muap.envp = uap->envp;
@@ -2139,9 +3099,9 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        struct vnode_attr *vap;
        struct vnode_attr *origvap;
        int error;
        struct vnode_attr *vap;
        struct vnode_attr *origvap;
        int error;
-       char alt_p_comm[sizeof(p->p_comm)] = {0};       /* for PowerPC */
        int is_64 = IS_64BIT_PROCESS(p);
        struct vfs_context context;
        int is_64 = IS_64BIT_PROCESS(p);
        struct vfs_context context;
+       struct uthread  *uthread;
 
        context.vc_thread = current_thread();
        context.vc_ucred = kauth_cred_proc_ref(p);      /* XXX must NOT be kauth_cred_get() */
 
        context.vc_thread = current_thread();
        context.vc_ucred = kauth_cred_proc_ref(p);      /* XXX must NOT be kauth_cred_get() */
@@ -2165,9 +3125,14 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        imgp->ip_vattr = vap;
        imgp->ip_origvattr = origvap;
        imgp->ip_vfs_context = &context;
        imgp->ip_vattr = vap;
        imgp->ip_origvattr = origvap;
        imgp->ip_vfs_context = &context;
-       imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
-       imgp->ip_p_comm = alt_p_comm;           /* for PowerPC */
+       imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
        imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
+       imgp->ip_mac_return = 0;
+
+       uthread = get_bsdthread_info(current_thread());
+       if (uthread->uu_flag & UT_VFORK) {
+               imgp->ip_flags |= IMGPF_VFORK_EXEC;
+       }
 
 #if CONFIG_MACF
        if (uap->mac_p != USER_ADDR_NULL) {
 
 #if CONFIG_MACF
        if (uap->mac_p != USER_ADDR_NULL) {
@@ -2193,6 +3158,8 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        }       
        if (imgp->ip_vp != NULLVP)
                vnode_put(imgp->ip_vp);
        }       
        if (imgp->ip_vp != NULLVP)
                vnode_put(imgp->ip_vp);
+       if (imgp->ip_scriptvp != NULLVP)
+               vnode_put(imgp->ip_scriptvp);
        if (imgp->ip_strings)
                execargs_free(imgp);
 #if CONFIG_MACF
        if (imgp->ip_strings)
                execargs_free(imgp);
 #if CONFIG_MACF
@@ -2201,17 +3168,43 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
        if (imgp->ip_scriptlabelp)
                mac_vnode_label_free(imgp->ip_scriptlabelp);
 #endif
        if (imgp->ip_scriptlabelp)
                mac_vnode_label_free(imgp->ip_scriptlabelp);
 #endif
+
        if (!error) {
        if (!error) {
-               struct uthread  *uthread;
+               /*
+                * We need to initialize the bank context behind the protection of
+                * the proc_trans lock to prevent a race with exit. We can't do this during
+                * exec_activate_image because task_bank_init checks entitlements that
+                * aren't loaded until subsequent calls (including exec_resettextvp).
+                */
+               error = proc_transstart(p, 0, 0);
+
+               if (!error) {
+                       task_bank_init(p->task);
+                       proc_transend(p, 0);
+               }
+       }
 
 
+       if (!error) {
                /* Sever any extant thread affinity */
                thread_affinity_exec(current_thread());
 
                /* Sever any extant thread affinity */
                thread_affinity_exec(current_thread());
 
+               thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread();
+
+               task_set_main_thread_qos(p->task, main_thread);
+
+               /* reset task importance */
+               task_importance_reset(p->task);
+
                DTRACE_PROC(exec__success);
                DTRACE_PROC(exec__success);
-               uthread = get_bsdthread_info(current_thread());
-               if (uthread->uu_flag & UT_VFORK) {
+
+#if CONFIG_DTRACE
+               if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL)
+                       (*dtrace_proc_waitfor_hook)(p);
+#endif
+
+               if (imgp->ip_flags & IMGPF_VFORK_EXEC) {
                        vfork_return(p, retval, p->p_pid);
                        vfork_return(p, retval, p->p_pid);
-                       (void)thread_resume(imgp->ip_new_thread);
+                       proc_clear_return_wait(p, imgp->ip_new_thread);
                }
        } else {
                DTRACE_PROC1(exec__failure, int, error);
                }
        } else {
                DTRACE_PROC1(exec__failure, int, error);
@@ -2273,8 +3266,6 @@ copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
  * Returns:    0                       Success
  *             EFAULT                  Bad 'ua'
  *
  * Returns:    0                       Success
  *             EFAULT                  Bad 'ua'
  *
- * Implicit returns:
- *             *ptr_size               Modified
  */
 static int
 copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
  */
 static int
 copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
@@ -2311,85 +3302,156 @@ copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
  * Note:       The strings segment layout is backward, from the beginning
  *             of the top of the stack to consume the minimal amount of
  *             space possible; the returned stack pointer points to the
  * Note:       The strings segment layout is backward, from the beginning
  *             of the top of the stack to consume the minimal amount of
  *             space possible; the returned stack pointer points to the
- *             end of the area consumed (stacks grow upward).
+ *             end of the area consumed (stacks grow downward).
  *
  *             argc is an int; arg[i] are pointers; env[i] are pointers;
  *
  *             argc is an int; arg[i] are pointers; env[i] are pointers;
- *             exec_path is a pointer; the 0's are (void *)NULL's
+ *             the 0's are (void *)NULL's
  *
  * The stack frame layout is:
  *
  *
  * The stack frame layout is:
  *
- *     +-------------+
- * sp->        |     argc    |
- *     +-------------+
- *     |    arg[0]   |
- *     +-------------+
- *            :
- *            :
- *     +-------------+
- *     | arg[argc-1] |
- *     +-------------+
- *     |      0      |
- *     +-------------+
- *     |    env[0]   |
- *     +-------------+
- *            :
- *            :
- *     +-------------+
- *     |    env[n]   |
- *     +-------------+
- *     |      0      |
- *     +-------------+
- *     |  exec_path  | In MacOS X PR2 Beaker2E the path passed to exec() is
- *     +-------------+ passed on the stack just after the trailing 0 of the
- *     |      0      | the envp[] array as a pointer to a string.
- *     +-------------+
- *     |  PATH AREA  |
- *     +-------------+
- *     | STRING AREA |
- *            :
- *            :
- *     |             | <- p->user_stack
- *     +-------------+
+ *      +-------------+ <- p->user_stack
+ *      |     16b     |
+ *      +-------------+
+ *      | STRING AREA |
+ *      |      :      |
+ *      |      :      |
+ *      |      :      |
+ *      +- -- -- -- --+
+ *      |  PATH AREA  |
+ *      +-------------+
+ *      |      0      |
+ *      +-------------+
+ *      |  applev[n]  |
+ *      +-------------+
+ *             :
+ *             :
+ *      +-------------+
+ *      |  applev[1]  |
+ *      +-------------+
+ *      | exec_path / |
+ *      |  applev[0]  |
+ *      +-------------+
+ *      |      0      |
+ *      +-------------+
+ *      |    env[n]   |
+ *      +-------------+
+ *             :
+ *             :
+ *      +-------------+
+ *      |    env[0]   |
+ *      +-------------+
+ *      |      0      |
+ *      +-------------+
+ *      | arg[argc-1] |
+ *      +-------------+
+ *             :
+ *             :
+ *      +-------------+
+ *      |    arg[0]   |
+ *      +-------------+
+ *      |     argc    |
+ * sp-> +-------------+
  *
  * Although technically a part of the STRING AREA, we treat the PATH AREA as
  * a separate entity.  This allows us to align the beginning of the PATH AREA
  * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
  * which preceed it on the stack are properly aligned.
  *
  * Although technically a part of the STRING AREA, we treat the PATH AREA as
  * a separate entity.  This allows us to align the beginning of the PATH AREA
  * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
  * which preceed it on the stack are properly aligned.
- *
- * TODO:       argc copied with suword(), which takes a 64 bit address
  */
  */
+
 static int
 exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
 {
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
        int     ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
 static int
 exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
 {
        proc_t p = vfs_context_proc(imgp->ip_vfs_context);
        int     ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
-       char    *argv = imgp->ip_argv;  /* modifiable copy of argv */
+       int     ptr_area_size;
+       void *ptr_buffer_start, *ptr_buffer;
+       int string_size;
+
        user_addr_t     string_area;    /* *argv[], *env[] */
        user_addr_t     string_area;    /* *argv[], *env[] */
-       user_addr_t     path_area;      /* package launch path */
-       user_addr_t     ptr_area;       /* argv[], env[], exec_path */
+       user_addr_t     ptr_area;       /* argv[], env[], applev[] */
+       user_addr_t argc_area;  /* argc */
        user_addr_t     stack;
        user_addr_t     stack;
-       int     stringc = imgp->ip_argc + imgp->ip_envc;
-       size_t len;
        int error;
        int error;
-       ssize_t strspace;
+
+       unsigned i;
+       struct copyout_desc {
+               char    *start_string;
+               int             count;
+#if CONFIG_DTRACE
+               user_addr_t     *dtrace_cookie;
+#endif
+               boolean_t       null_term;
+       } descriptors[] = {
+               {
+                       .start_string = imgp->ip_startargv,
+                       .count = imgp->ip_argc,
+#if CONFIG_DTRACE
+                       .dtrace_cookie = &p->p_dtrace_argv,
+#endif
+                       .null_term = TRUE
+               },
+               {
+                       .start_string = imgp->ip_endargv,
+                       .count = imgp->ip_envc,
+#if CONFIG_DTRACE
+                       .dtrace_cookie = &p->p_dtrace_envp,
+#endif
+                       .null_term = TRUE
+               },
+               {
+                       .start_string = imgp->ip_strings,
+                       .count = 1,
+#if CONFIG_DTRACE
+                       .dtrace_cookie = NULL,
+#endif
+                       .null_term = FALSE
+               },
+               {
+                       .start_string = imgp->ip_endenvv,
+                       .count = imgp->ip_applec - 1, /* exec_path handled above */
+#if CONFIG_DTRACE
+                       .dtrace_cookie = NULL,
+#endif
+                       .null_term = TRUE
+               }
+       };
 
        stack = *stackp;
 
 
        stack = *stackp;
 
-       size_t patharea_len = imgp->ip_argv - imgp->ip_strings;
-       int envc_add = 0;
-       
        /*
        /*
-        * Set up pointers to the beginning of the string area, the beginning
-        * of the path area, and the beginning of the pointer area (actually,
-        * the location of argc, an int, which may be smaller than a pointer,
-        * but we use ptr_size worth of space for it, for alignment).
+        * All previous contributors to the string area
+        * should have aligned their sub-area
         */
         */
-       string_area = stack - (((imgp->ip_strendp - imgp->ip_strings) + ptr_size-1) & ~(ptr_size-1)) - ptr_size;
-       path_area = string_area - ((patharea_len + ptr_size-1) & ~(ptr_size-1));
-       ptr_area = path_area - ((imgp->ip_argc + imgp->ip_envc + 4 + envc_add) * ptr_size) - ptr_size /*argc*/;
+       if (imgp->ip_strspace % ptr_size != 0) {
+               error = EINVAL;
+               goto bad;
+       }
 
 
-       /* Return the initial stack address: the location of argc */
-       *stackp = ptr_area;
+       /* Grow the stack down for the strings we've been building up */
+       string_size = imgp->ip_strendp - imgp->ip_strings;
+       stack -= string_size;
+       string_area = stack;
+
+       /*
+        * Need room for one pointer for each string, plus
+        * one for the NULLs terminating the argv, envv, and apple areas.
+        */
+       ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + 3) *
+           ptr_size;
+       stack -= ptr_area_size;
+       ptr_area = stack;
+
+       /* We'll construct all the pointer arrays in our string buffer,
+        * which we already know is aligned properly, and ip_argspace
+        * was used to verify we have enough space.
+        */
+       ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp;
+
+       /*
+        * Need room for pointer-aligned argc slot.
+        */
+       stack -= ptr_size;
+       argc_area = stack;
 
        /*
         * Record the size of the arguments area so that sysctl_procargs()
 
        /*
         * Record the size of the arguments area so that sysctl_procargs()
@@ -2397,92 +3459,73 @@ exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
         */
        proc_lock(p);
        p->p_argc = imgp->ip_argc;
         */
        proc_lock(p);
        p->p_argc = imgp->ip_argc;
-       p->p_argslen = (int)(stack - path_area);
+       p->p_argslen = (int)(*stackp - string_area);
        proc_unlock(p);
 
        proc_unlock(p);
 
+       /* Return the initial stack address: the location of argc */
+       *stackp = stack;
 
        /*
 
        /*
-        * Support for new app package launching for Mac OS X allocates
-        * the "path" at the begining of the imgp->ip_strings buffer.
-        * copy it just before the string area.
+        * Copy out the entire strings area.
         */
         */
-       len = 0;
-       error = copyoutstr(imgp->ip_strings, path_area,
-                                                  patharea_len,
-                                                  &len);
+       error = copyout(imgp->ip_strings, string_area,
+                                                  string_size);
        if (error)
                goto bad;
 
        if (error)
                goto bad;
 
+       for (i = 0; i < sizeof(descriptors)/sizeof(descriptors[0]); i++) {
+               char *cur_string = descriptors[i].start_string;
+               int j;
 
 
-       /* Save a NULL pointer below it */
-       (void)copyoutptr(0LL, path_area - ptr_size, ptr_size);
-
-       /* Save the pointer to "path" just below it */
-       (void)copyoutptr(path_area, path_area - 2*ptr_size, ptr_size);
+#if CONFIG_DTRACE
+               if (descriptors[i].dtrace_cookie) {
+                       proc_lock(p);
+                       *descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience */
+                       proc_unlock(p);
+               }
+#endif /* CONFIG_DTRACE */
 
 
-       /*
-        * ptr_size for 2 NULL one each ofter arg[argc -1] and env[n]
-        * ptr_size for argc
-        * skip over saved path, ptr_size for pointer to path,
-        * and ptr_size for the NULL after pointer to path.
-        */
+               /*
+                * For each segment (argv, envv, applev), copy as many pointers as requested
+                * to our pointer buffer.
+                */
+               for (j = 0; j < descriptors[i].count; j++) {
+                       user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings);
+                       
+                       /* Copy out the pointer to the current string. Alignment has been verified  */
+                       if (ptr_size == 8) {
+                               *(uint64_t *)ptr_buffer = (uint64_t)cur_address;
+                       } else {
+                               *(uint32_t *)ptr_buffer = (uint32_t)cur_address;
+                       }
+                       
+                       ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
+                       cur_string += strlen(cur_string) + 1; /* Only a NUL between strings in the same area */
+               }
 
 
-       /* argc (int32, stored in a ptr_size area) */
-       (void)suword(ptr_area, imgp->ip_argc);
-       ptr_area += sizeof(int);
-       /* pad to ptr_size, if 64 bit image, to ensure user stack alignment */
-       if (imgp->ip_flags & IMGPF_IS_64BIT) {
-               (void)suword(ptr_area, 0);      /* int, not long: ignored */
-               ptr_area += sizeof(int);
+               if (descriptors[i].null_term) {
+                       if (ptr_size == 8) {
+                               *(uint64_t *)ptr_buffer = 0ULL;
+                       } else {
+                               *(uint32_t *)ptr_buffer = 0;
+                       }
+                       
+                       ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
+               }
        }
 
        }
 
-#if CONFIG_DTRACE
-       p->p_dtrace_argv = ptr_area; /* user_addr_t &argv[0] for dtrace convenience */
-#endif /* CONFIG_DTRACE */
-
        /*
        /*
-        * We use (string_area - path_area) here rather than the more
-        * intuitive (imgp->ip_argv - imgp->ip_strings) because we are
-        * interested in the length of the PATH_AREA in user space,
-        * rather than the actual length of the execution path, since
-        * it includes alignment padding of the PATH_AREA + STRING_AREA
-        * to a ptr_size boundary.
+        * Copy out all our pointer arrays in bulk.
         */
         */
-       strspace = SIZE_IMG_STRSPACE - (string_area - path_area);
-       for (;;) {
-               if (stringc == imgp->ip_envc) {
-                       /* argv[n] = NULL */
-                       (void)copyoutptr(0LL, ptr_area, ptr_size);
-                       ptr_area += ptr_size;
-#if CONFIG_DTRACE
-                       p->p_dtrace_envp = ptr_area; /* user_addr_t &env[0] for dtrace convenience */
-#endif /* CONFIG_DTRACE */
-               }
-               if (--stringc < 0)
-                       break;
-
-               /* pointer: argv[n]/env[n] */
-               (void)copyoutptr(string_area, ptr_area, ptr_size);
+       error = copyout(ptr_buffer_start, ptr_area,
+                                       ptr_area_size);
+       if (error)
+               goto bad;
 
 
-               /* string : argv[n][]/env[n][] */
-               do {
-                       if (strspace <= 0) {
-                               error = E2BIG;
-                               break;
-                       }
-                       error = copyoutstr(argv, string_area,
-                                               strspace,
-                                               &len);
-                       string_area += len;
-                       argv += len;
-                       strspace -= len;
-               } while (error == ENAMETOOLONG);
-               if (error == EFAULT || error == E2BIG)
-                       break;  /* bad stack - user's problem */
-               ptr_area += ptr_size;
-       }
-       /* env[n] = NULL */
-       (void)copyoutptr(0LL, ptr_area, ptr_size);
+       /* argc (int32, stored in a ptr_size area) */
+       error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size);
+       if (error)
+               goto bad;
 
 bad:
        return(error);
 
 bad:
        return(error);
@@ -2495,6 +3538,11 @@ bad:
  * Copy arguments and environment from user space into work area; we may
  * have already copied some early arguments into the work area, and if
  * so, any arguments opied in are appended to those already there.
  * Copy arguments and environment from user space into work area; we may
  * have already copied some early arguments into the work area, and if
  * so, any arguments opied in are appended to those already there.
+ * This function is the primary manipulator of ip_argspace, since
+ * these are the arguments the client of execve(2) knows about. After
+ * each argv[]/envv[] string is copied, we charge the string length
+ * and argv[]/envv[] pointer slot to ip_argspace, so that we can
+ * full preflight the arg list size.
  *
  * Parameters: struct image_params *   the image parameter block
  *
  *
  * Parameters: struct image_params *   the image parameter block
  *
@@ -2504,6 +3552,8 @@ bad:
  * Implicit returns;
  *             (imgp->ip_argc)         Count of arguments, updated
  *             (imgp->ip_envc)         Count of environment strings, updated
  * Implicit returns;
  *             (imgp->ip_argc)         Count of arguments, updated
  *             (imgp->ip_envc)         Count of environment strings, updated
+ *             (imgp->ip_argspace)     Count of remaining of NCARGS
+ *             (imgp->ip_interp_buffer)        Interpreter and args (mutated in place)
  *
  *
  * Note:       The argument and environment vectors are user space pointers
  *
  *
  * Note:       The argument and environment vectors are user space pointers
@@ -2513,110 +3563,360 @@ static int
 exec_extract_strings(struct image_params *imgp)
 {
        int error = 0;
 exec_extract_strings(struct image_params *imgp)
 {
        int error = 0;
-       int strsz = 0;
        int     ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT) ? 8 : 4;
        int     ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT) ? 8 : 4;
+       int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
        user_addr_t     argv = imgp->ip_user_argv;
        user_addr_t     envv = imgp->ip_user_envv;
 
        user_addr_t     argv = imgp->ip_user_argv;
        user_addr_t     envv = imgp->ip_user_envv;
 
-       /*
-        * If the argument vector is NULL, this is the system startup
-        * bootstrap from load_init_program(), and there's nothing to do
-        */
-       if (imgp->ip_user_argv == 0LL)
-               goto bad;
-
-       /* Now, get rest of arguments */
-
        /*
         * Adjust space reserved for the path name by however much padding it
         * needs. Doing this here since we didn't know if this would be a 32- 
         * or 64-bit process back in exec_save_path.
         */
        /*
         * Adjust space reserved for the path name by however much padding it
         * needs. Doing this here since we didn't know if this would be a 32- 
         * or 64-bit process back in exec_save_path.
         */
-       strsz = strlen(imgp->ip_strings) + 1;
-       imgp->ip_strspace -= ((strsz + ptr_size-1) & ~(ptr_size-1)) - strsz;
+       while (imgp->ip_strspace % new_ptr_size != 0) {
+               *imgp->ip_strendp++ = '\0';
+               imgp->ip_strspace--;
+               /* imgp->ip_argspace--; not counted towards exec args total */
+       }
 
        /*
 
        /*
-        * If we are running an interpreter, replace the av[0] that was
-        * passed to execve() with the fully qualified path name that was
-        * passed to execve() for interpreters which do not use the PATH
-        * to locate their script arguments.
+        * From now on, we start attributing string space to ip_argspace
         */
         */
-       if((imgp->ip_flags & IMGPF_INTERPRET) != 0 && argv != 0LL) {
+       imgp->ip_startargv = imgp->ip_strendp;
+       imgp->ip_argc = 0;
+
+       if((imgp->ip_flags & IMGPF_INTERPRET) != 0) {
+               user_addr_t     arg;
+               char *argstart, *ch;
+
+               /* First, the arguments in the "#!" string are tokenized and extracted. */
+               argstart = imgp->ip_interp_buffer;
+               while (argstart) {
+                       ch = argstart;
+                       while (*ch && !IS_WHITESPACE(*ch)) {
+                               ch++;
+                       }
+
+                       if (*ch == '\0') {
+                               /* last argument, no need to NUL-terminate */
+                               error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
+                               argstart = NULL;
+                       } else {
+                               /* NUL-terminate */
+                               *ch = '\0';
+                               error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
+
+                               /*
+                                * Find the next string. We know spaces at the end of the string have already
+                                * been stripped.
+                                */
+                               argstart = ch + 1;
+                               while (IS_WHITESPACE(*argstart)) {
+                                       argstart++;
+                               }
+                       }
+
+                       /* Error-check, regardless of whether this is the last interpreter arg or not */
+                       if (error)
+                               goto bad;
+                       if (imgp->ip_argspace < new_ptr_size) {
+                               error = E2BIG;
+                               goto bad;
+                       }
+                       imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
+                       imgp->ip_argc++;
+               }
+
+               if (argv != 0LL) {
+                       /*
+                        * If we are running an interpreter, replace the av[0] that was
+                        * passed to execve() with the path name that was
+                        * passed to execve() for interpreters which do not use the PATH
+                        * to locate their script arguments.
+                        */
+                       error = copyinptr(argv, &arg, ptr_size);
+                       if (error)
+                               goto bad;
+                       if (arg != 0LL) {
+                               argv += ptr_size; /* consume without using */
+                       }
+               }
+
+               if (imgp->ip_interp_sugid_fd != -1) {
+                       char temp[19]; /* "/dev/fd/" + 10 digits + NUL */
+                       snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd);
+                       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE);
+               } else {
+                       error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE);
+               }
+               
+               if (error)
+                       goto bad;
+               if (imgp->ip_argspace < new_ptr_size) {
+                       error = E2BIG;
+                       goto bad;
+               }
+               imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
+               imgp->ip_argc++;
+       }
+
+       while (argv != 0LL) {
                user_addr_t     arg;
 
                error = copyinptr(argv, &arg, ptr_size);
                if (error)
                        goto bad;
                user_addr_t     arg;
 
                error = copyinptr(argv, &arg, ptr_size);
                if (error)
                        goto bad;
-               if (arg != 0LL && arg != (user_addr_t)-1) {
-                       argv += ptr_size;
-                       error = exec_add_string(imgp, imgp->ip_user_fname);
+
+               if (arg == 0LL) {
+                       break;
+               }
+
+               argv += ptr_size;
+
+               /*
+               * av[n...] = arg[n]
+               */
+               error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE);
+               if (error)
+                       goto bad;
+               if (imgp->ip_argspace < new_ptr_size) {
+                       error = E2BIG;
+                       goto bad;
+               }
+               imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */
+               imgp->ip_argc++;
+       }        
+
+       /* Save space for argv[] NULL terminator */
+       if (imgp->ip_argspace < new_ptr_size) {
+               error = E2BIG;
+               goto bad;
+       }
+       imgp->ip_argspace -= new_ptr_size;
+       
+       /* Note where the args ends and env begins. */
+       imgp->ip_endargv = imgp->ip_strendp;
+       imgp->ip_envc = 0;
+
+       /* Now, get the environment */
+       while (envv != 0LL) {
+               user_addr_t     env;
+
+               error = copyinptr(envv, &env, ptr_size);
+               if (error)
+                       goto bad;
+
+               envv += ptr_size;
+               if (env == 0LL) {
+                       break;
+               }
+               /*
+               * av[n...] = env[n]
+               */
+               error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE);
+               if (error)
+                       goto bad;
+               if (imgp->ip_argspace < new_ptr_size) {
+                       error = E2BIG;
+                       goto bad;
+               }
+               imgp->ip_argspace -= new_ptr_size; /* to hold envv[] entry */
+               imgp->ip_envc++;
+       }
+
+       /* Save space for envv[] NULL terminator */
+       if (imgp->ip_argspace < new_ptr_size) {
+               error = E2BIG;
+               goto bad;
+       }
+       imgp->ip_argspace -= new_ptr_size;
+
+       /* Align the tail of the combined argv+envv area */
+       while (imgp->ip_strspace % new_ptr_size != 0) {
+               if (imgp->ip_argspace < 1) {
+                       error = E2BIG;
+                       goto bad;
+               }
+               *imgp->ip_strendp++ = '\0';
+               imgp->ip_strspace--;
+               imgp->ip_argspace--;
+       }
+       
+       /* Note where the envv ends and applev begins. */
+       imgp->ip_endenvv = imgp->ip_strendp;
+
+       /*
+        * From now on, we are no longer charging argument
+        * space to ip_argspace.
+        */
+
+bad:
+       return error;
+}
+
+static char *
+random_hex_str(char *str, int len, boolean_t embedNUL)
+{
+       uint64_t low, high, value;
+       int idx;
+       char digit;
+
+       /* A 64-bit value will only take 16 characters, plus '0x' and NULL. */
+       if (len > 19)
+               len = 19;
+
+       /* We need enough room for at least 1 digit */
+       if (len < 4)
+               return (NULL);
+
+       low = random();
+       high = random();
+       value = high << 32 | low;
+
+       if (embedNUL) {
+               /*
+                * Zero a byte to protect against C string vulnerabilities
+                * e.g. for userland __stack_chk_guard.
+                */ 
+               value &= ~(0xffull << 8);
+       }
+
+       str[0] = '0';
+       str[1] = 'x';
+       for (idx = 2; idx < len - 1; idx++) {
+               digit = value & 0xf;
+               value = value >> 4;
+               if (digit < 10)
+                       str[idx] = '0' + digit;
+               else
+                       str[idx] = 'a' + (digit - 10);
+       }
+       str[idx] = '\0';
+       return (str);
+}
+
+/*
+ * Libc has an 8-element array set up for stack guard values.  It only fills
+ * in one of those entries, and both gcc and llvm seem to use only a single
+ * 8-byte guard.  Until somebody needs more than an 8-byte guard value, don't
+ * do the work to construct them.
+ */
+#define        GUARD_VALUES 1
+#define        GUARD_KEY "stack_guard="
+
+/*
+ * System malloc needs some entropy when it is initialized.
+ */
+#define        ENTROPY_VALUES 2
+#define ENTROPY_KEY "malloc_entropy="
+
+/*
+ * System malloc engages nanozone for UIAPP.
+ */
+#define NANO_ENGAGE_KEY "MallocNanoZone=1"
+
+#define PFZ_KEY "pfz="
+extern user32_addr_t commpage_text32_location;
+extern user64_addr_t commpage_text64_location;
+/*
+ * Build up the contents of the apple[] string vector
+ */
+static int
+exec_add_apple_strings(struct image_params *imgp)
+{
+       int i, error;
+       int new_ptr_size=4;
+       char guard[19];
+       char guard_vec[strlen(GUARD_KEY) + 19 * GUARD_VALUES + 1];
+
+       char entropy[19];
+       char entropy_vec[strlen(ENTROPY_KEY) + 19 * ENTROPY_VALUES + 1];
+
+       char pfz_string[strlen(PFZ_KEY) + 16 + 4 +1];
+       
+       if( imgp->ip_flags & IMGPF_IS_64BIT) {
+               new_ptr_size = 8;
+               snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%llx",commpage_text64_location);
+       } else {
+               snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%x",commpage_text32_location);
+       }
+
+       /* exec_save_path stored the first string */
+       imgp->ip_applec = 1;
+
+       /* adding the pfz string */
+       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string),UIO_SYSSPACE,FALSE);
+       if(error)
+               goto bad;
+       imgp->ip_applec++;
+
+       /* adding the NANO_ENGAGE_KEY key */
+       if (imgp->ip_px_sa) {
+               int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
+
+               if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
+                       char uiapp_string[strlen(NANO_ENGAGE_KEY) + 1];
+
+                       snprintf(uiapp_string, sizeof(uiapp_string), NANO_ENGAGE_KEY);
+                       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(uiapp_string),UIO_SYSSPACE,FALSE);
                        if (error)
                                goto bad;
                        if (error)
                                goto bad;
-                       imgp->ip_argc++;
+                       imgp->ip_applec++;
                }
        }
 
                }
        }
 
-       while (argv != 0LL) {
-               user_addr_t     arg;
+       /*
+        * Supply libc with a collection of random values to use when
+        * implementing -fstack-protector.
+        *
+        * (The first random string always contains an embedded NUL so that
+        * __stack_chk_guard also protects against C string vulnerabilities)
+        */
+       (void)strlcpy(guard_vec, GUARD_KEY, sizeof (guard_vec));
+       for (i = 0; i < GUARD_VALUES; i++) {
+               random_hex_str(guard, sizeof (guard), i == 0);
+               if (i)
+                       (void)strlcat(guard_vec, ",", sizeof (guard_vec));
+               (void)strlcat(guard_vec, guard, sizeof (guard_vec));
+       }
 
 
-               error = copyinptr(argv, &arg, ptr_size);
-               if (error)
-                       goto bad;
+       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(guard_vec), UIO_SYSSPACE, FALSE);
+       if (error)
+               goto bad;
+       imgp->ip_applec++;
 
 
-               argv += ptr_size;
-               if (arg == 0LL) {
-                       break;
-               } else if (arg == (user_addr_t)-1) {
-                       /* Um... why would it be -1? */
-                       error = EFAULT;
-                       goto bad;
-               }
-               /*
-               * av[n...] = arg[n]
-               */
-               error = exec_add_string(imgp, arg);
-               if (error)
-                       goto bad;
-               imgp->ip_argc++;
-       }        
+       /*
+        * Supply libc with entropy for system malloc.
+        */
+       (void)strlcpy(entropy_vec, ENTROPY_KEY, sizeof(entropy_vec));
+       for (i = 0; i < ENTROPY_VALUES; i++) {
+               random_hex_str(entropy, sizeof (entropy), FALSE);
+               if (i)
+                       (void)strlcat(entropy_vec, ",", sizeof (entropy_vec));
+               (void)strlcat(entropy_vec, entropy, sizeof (entropy_vec));
+       }
        
        
-       /* Note where the args end and env begins. */
-       imgp->ip_strendargvp = imgp->ip_strendp;
-
-       /* Now, get the environment */
-       while (envv != 0LL) {
-               user_addr_t     env;
-
-               error = copyinptr(envv, &env, ptr_size);
-               if (error)
-                       goto bad;
+       error = exec_add_user_string(imgp, CAST_USER_ADDR_T(entropy_vec), UIO_SYSSPACE, FALSE);
+       if (error)
+               goto bad;
+       imgp->ip_applec++;
 
 
-               envv += ptr_size;
-               if (env == 0LL) {
-                       break;
-               } else if (env == (user_addr_t)-1) {
-                       error = EFAULT;
-                       goto bad;
-               }
-               /*
-               * av[n...] = env[n]
-               */
-               error = exec_add_string(imgp, env);
-               if (error)
-                       goto bad;
-               imgp->ip_envc++;
+       /* Align the tail of the combined applev area */
+       while (imgp->ip_strspace % new_ptr_size != 0) {
+               *imgp->ip_strendp++ = '\0';
+               imgp->ip_strspace--;
        }
        }
+
 bad:
        return error;
 }
 
 bad:
        return error;
 }
 
-
 #define        unix_stack_size(p)      (p->p_rlimit[RLIMIT_STACK].rlim_cur)
 
 /*
  * exec_check_permissions
  *
 #define        unix_stack_size(p)      (p->p_rlimit[RLIMIT_STACK].rlim_cur)
 
 /*
  * exec_check_permissions
  *
- * Decription: Verify that the file that is being attempted to be executed
+ * Description:        Verify that the file that is being attempted to be executed
  *             is in fact allowed to be executed based on it POSIX file
  *             permissions and other access control criteria
  *
  *             is in fact allowed to be executed based on it POSIX file
  *             permissions and other access control criteria
  *
@@ -2658,7 +3958,7 @@ exec_check_permissions(struct image_params *imgp)
         * will always succeed, and we don't want to happen unless the
         * file really is executable.
         */
         * will always succeed, and we don't want to happen unless the
         * file really is executable.
         */
-       if ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
+       if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0))
                return (EACCES);
 
        /* Disallow zero length files */
                return (EACCES);
 
        /* Disallow zero length files */
@@ -2672,6 +3972,13 @@ exec_check_permissions(struct image_params *imgp)
        if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED))
                vap->va_mode &= ~(VSUID | VSGID);
 
        if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED))
                vap->va_mode &= ~(VSUID | VSGID);
 
+       /*
+        * Disable _POSIX_SPAWN_ALLOW_DATA_EXEC and _POSIX_SPAWN_DISABLE_ASLR
+        * flags for setuid/setgid binaries.
+        */
+       if (vap->va_mode & (VSUID | VSGID))
+               imgp->ip_flags &= ~(IMGPF_ALLOW_DATA_EXEC | IMGPF_DISABLE_ASLR);
+
 #if CONFIG_MACF
        error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
        if (error)
 #if CONFIG_MACF
        error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
        if (error)
@@ -2698,18 +4005,6 @@ exec_check_permissions(struct image_params *imgp)
 #endif
 
 
 #endif
 
 
-#ifdef IMGPF_POWERPC
-       /*
-        * If the file we are about to attempt to load is the exec_handler_ppc,
-        * which is determined by matching the vattr fields against previously
-        * cached values, then we set the PowerPC environment flag.
-        */
-       if (vap->va_fsid == exec_archhandler_ppc.fsid &&
-               vap->va_fileid == (uint64_t)((uint32_t)exec_archhandler_ppc.fileid)) {
-               imgp->ip_flags |= IMGPF_POWERPC;
-       }
-#endif /* IMGPF_POWERPC */
-
        /* XXX May want to indicate to underlying FS that vnode is open */
 
        return (error);
        /* XXX May want to indicate to underlying FS that vnode is open */
 
        return (error);
@@ -2749,10 +4044,11 @@ exec_handle_sugid(struct image_params *imgp)
        proc_t                  p = vfs_context_proc(imgp->ip_vfs_context);
        int                     i;
        int                     leave_sugid_clear = 0;
        proc_t                  p = vfs_context_proc(imgp->ip_vfs_context);
        int                     i;
        int                     leave_sugid_clear = 0;
+       int                     mac_reset_ipc = 0;
        int                     error = 0;
        int                     error = 0;
-       struct vnode    *dev_null = NULLVP;
 #if CONFIG_MACF
 #if CONFIG_MACF
-       int                     mac_transition;
+       int                     mac_transition, disjoint_cred = 0;
+       int             label_update_return = 0;
 
        /*
         * Determine whether a call to update the MAC label will result in the
 
        /*
         * Determine whether a call to update the MAC label will result in the
@@ -2766,8 +4062,12 @@ exec_handle_sugid(struct image_params *imgp)
        mac_transition = mac_cred_check_label_update_execve(
                                                        imgp->ip_vfs_context,
                                                        imgp->ip_vp,
        mac_transition = mac_cred_check_label_update_execve(
                                                        imgp->ip_vfs_context,
                                                        imgp->ip_vp,
+                                                       imgp->ip_arch_offset,
+                                                       imgp->ip_scriptvp,
                                                        imgp->ip_scriptlabelp,
                                                        imgp->ip_scriptlabelp,
-                                                       imgp->ip_execlabelp, p);
+                                                       imgp->ip_execlabelp,
+                                                       p,
+                                                       imgp->ip_px_smpx);
 #endif
 
        OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
 #endif
 
        OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
@@ -2790,7 +4090,7 @@ exec_handle_sugid(struct image_params *imgp)
             kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
            ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
                 ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
             kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
            ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
                 ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
-                (cred->cr_gid != imgp->ip_origvattr->va_gid)))) {
+                (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) {
 
 #if CONFIG_MACF
 /* label for MAC transition and neither VSUID nor VSGID */
 
 #if CONFIG_MACF
 /* label for MAC transition and neither VSUID nor VSGID */
@@ -2815,9 +4115,13 @@ handle_mac_transition:
                 */
                if (imgp->ip_origvattr->va_mode & VSUID) {
                        p->p_ucred  = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
                 */
                if (imgp->ip_origvattr->va_mode & VSUID) {
                        p->p_ucred  = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
+                       /* update cred on proc */
+                       PROC_UPDATE_CREDS_ONPROC(p);
                }
                if (imgp->ip_origvattr->va_mode & VSGID) {
                        p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
                }
                if (imgp->ip_origvattr->va_mode & VSGID) {
                        p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
+                       /* update cred on proc */
+                       PROC_UPDATE_CREDS_ONPROC(p);
                }
 
 #if CONFIG_MACF
                }
 
 #if CONFIG_MACF
@@ -2828,12 +4132,27 @@ handle_mac_transition:
                 * modifying any others sharing it.
                 */
                if (mac_transition) { 
                 * modifying any others sharing it.
                 */
                if (mac_transition) { 
-                       kauth_cred_t    my_cred;
-                       if (kauth_proc_label_update_execve(p,
+                       /*
+                        * This hook may generate upcalls that require
+                        * importance donation from the kernel.
+                        * (23925818)
+                        */
+                       thread_t thread = current_thread();
+                       thread_enable_send_importance(thread, TRUE);
+                       kauth_proc_label_update_execve(p,
                                                imgp->ip_vfs_context,
                                                imgp->ip_vp, 
                                                imgp->ip_vfs_context,
                                                imgp->ip_vp, 
+                                               imgp->ip_arch_offset,
+                                               imgp->ip_scriptvp,
                                                imgp->ip_scriptlabelp,
                                                imgp->ip_scriptlabelp,
-                                               imgp->ip_execlabelp)) {
+                                               imgp->ip_execlabelp,
+                                               &imgp->ip_csflags,
+                                               imgp->ip_px_smpx,
+                                               &disjoint_cred, /* will be non zero if disjoint */
+                                               &label_update_return);
+                       thread_enable_send_importance(thread, FALSE);
+
+                       if (disjoint_cred) {
                                /*
                                 * If updating the MAC label resulted in a
                                 * disjoint credential, flag that we need to
                                /*
                                 * If updating the MAC label resulted in a
                                 * disjoint credential, flag that we need to
@@ -2845,23 +4164,13 @@ handle_mac_transition:
                                 */
                                leave_sugid_clear = 0;
                        }
                                 */
                                leave_sugid_clear = 0;
                        }
-
-                       my_cred = kauth_cred_proc_ref(p);
-                       mac_task_label_update_cred(my_cred, p->task);
-                       kauth_cred_unref(&my_cred);
+                       
+                       imgp->ip_mac_return = label_update_return;
                }
                }
-#endif /* CONFIG_MACF */
+               
+               mac_reset_ipc = mac_proc_check_inherit_ipc_ports(p, p->p_textvp, p->p_textoff, imgp->ip_vp, imgp->ip_arch_offset, imgp->ip_scriptvp);
 
 
-               /*
-                * Have mach reset the task and thread ports.
-                * We don't want anyone who had the ports before
-                * a setuid exec to be able to access/control the
-                * task/thread after.
-                */
-               if (current_task() == p->task) {
-                       ipc_task_reset(p->task);
-                       ipc_thread_reset(current_thread());
-               }
+#endif /* CONFIG_MACF */
 
                /*
                 * If 'leave_sugid_clear' is non-zero, then we passed the
 
                /*
                 * If 'leave_sugid_clear' is non-zero, then we passed the
@@ -2869,74 +4178,93 @@ handle_mac_transition:
                 * the previous cred was a member of the VSGID group, but
                 * that it was not the default at the time of the execve,
                 * and that the post-labelling credential was not disjoint.
                 * the previous cred was a member of the VSGID group, but
                 * that it was not the default at the time of the execve,
                 * and that the post-labelling credential was not disjoint.
-                * So we don't set the P_SUGID on the basis of simply
-                * running this code.
+                * So we don't set the P_SUGID or reset mach ports and fds 
+                * on the basis of simply running this code.
                 */
                 */
-               if (!leave_sugid_clear)
+               if (mac_reset_ipc || !leave_sugid_clear) {
+                       /*
+                        * Have mach reset the task and thread ports.
+                        * We don't want anyone who had the ports before
+                        * a setuid exec to be able to access/control the
+                        * task/thread after.
+                        */
+                       ipc_task_reset(p->task);
+                       ipc_thread_reset((imgp->ip_new_thread != NULL) ?
+                                        imgp->ip_new_thread : current_thread());
+               }
+
+               if (!leave_sugid_clear) {
+                       /*
+                        * Flag the process as setuid.
+                        */
                        OSBitOrAtomic(P_SUGID, &p->p_flag);
 
                        OSBitOrAtomic(P_SUGID, &p->p_flag);
 
-               /* Cache the vnode for /dev/null the first time around */
-               if (dev_null == NULLVP) {
-                       struct nameidata nd1;
+                       /*
+                        * Radar 2261856; setuid security hole fix
+                        * XXX For setuid processes, attempt to ensure that
+                        * stdin, stdout, and stderr are already allocated.
+                        * We do not want userland to accidentally allocate
+                        * descriptors in this range which has implied meaning
+                        * to libc.
+                        */
+                       for (i = 0; i < 3; i++) {
 
 
-                       NDINIT(&nd1, LOOKUP, FOLLOW, UIO_SYSSPACE,
-                           CAST_USER_ADDR_T("/dev/null"),
-                           imgp->ip_vfs_context);
+                               if (p->p_fd->fd_ofiles[i] != NULL)
+                                       continue;
 
 
-                       if ((error = vn_open(&nd1, FREAD, 0)) == 0) {
-                               dev_null = nd1.ni_vp;
                                /*
                                /*
-                                * vn_open returns with both a use_count
-                                * and an io_count on the found vnode
-                                * drop the io_count, but keep the use_count
+                                * Do the kernel equivalent of
+                                *
+                                *      if i == 0
+                                *              (void) open("/dev/null", O_RDONLY);
+                                *      else 
+                                *              (void) open("/dev/null", O_WRONLY);
                                 */
                                 */
-                               vnode_put(nd1.ni_vp);
-                       }
-               }
 
 
-               /* Radar 2261856; setuid security hole fix */
-               /* Patch from OpenBSD: A. Ramesh */
-               /*
-                * XXX For setuid processes, attempt to ensure that
-                * stdin, stdout, and stderr are already allocated.
-                * We do not want userland to accidentally allocate
-                * descriptors in this range which has implied meaning
-                * to libc.
-                */
-               if (dev_null != NULLVP) {
-                       for (i = 0; i < 3; i++) {
                                struct fileproc *fp;
                                int indx;
                                struct fileproc *fp;
                                int indx;
+                               int flag;
+                               struct nameidata *ndp = NULL;
 
 
-                               if (p->p_fd->fd_ofiles[i] != NULL)
-                                       continue;
+                               if (i == 0)
+                                       flag = FREAD;
+                               else 
+                                       flag = FWRITE;
 
 
-                               if ((error = falloc(p, &fp, &indx, imgp->ip_vfs_context)) != 0)
+                               if ((error = falloc(p,
+                                   &fp, &indx, imgp->ip_vfs_context)) != 0)
                                        continue;
 
                                        continue;
 
-                               if ((error = vnode_ref_ext(dev_null, FREAD)) != 0) {
+                               MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO);
+                               if (ndp == NULL) {
+                                       error = ENOMEM;
+                                       break;
+                               }
+
+                               NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE,
+                                   CAST_USER_ADDR_T("/dev/null"),
+                                   imgp->ip_vfs_context);
+
+                               if ((error = vn_open(ndp, flag, 0)) != 0) {
                                        fp_free(p, indx, fp);
                                        break;
                                }
 
                                        fp_free(p, indx, fp);
                                        break;
                                }
 
-                               fp->f_fglob->fg_flag = FREAD;
-                               fp->f_fglob->fg_type = DTYPE_VNODE;
-                               fp->f_fglob->fg_ops = &vnops;
-                               fp->f_fglob->fg_data = (caddr_t)dev_null;
-                               
+                               struct fileglob *fg = fp->f_fglob;
+
+                               fg->fg_flag = flag;
+                               fg->fg_ops = &vnops;
+                               fg->fg_data = ndp->ni_vp;
+
+                               vnode_put(ndp->ni_vp);
+
                                proc_fdlock(p);
                                procfdtbl_releasefd(p, indx, NULL);
                                fp_drop(p, indx, fp, 1);
                                proc_fdunlock(p);
                                proc_fdlock(p);
                                procfdtbl_releasefd(p, indx, NULL);
                                fp_drop(p, indx, fp, 1);
                                proc_fdunlock(p);
+
+                               FREE(ndp, M_TEMP);
                        }
                        }
-                       /*
-                        * for now we need to drop the reference immediately
-                        * since we don't have any mechanism in place to
-                        * release it before starting to unmount "/dev"
-                        * during a reboot/shutdown
-                        */
-                       vnode_rele(dev_null);
-                       dev_null = NULLVP;
                }
        }
 #if CONFIG_MACF
                }
        }
 #if CONFIG_MACF
@@ -2953,13 +4281,16 @@ handle_mac_transition:
                        goto handle_mac_transition;
                }
        }
                        goto handle_mac_transition;
                }
        }
+
 #endif /* CONFIG_MACF */
 
        /*
         * Implement the semantic where the effective user and group become
         * the saved user and group in exec'ed programs.
         */
 #endif /* CONFIG_MACF */
 
        /*
         * Implement the semantic where the effective user and group become
         * the saved user and group in exec'ed programs.
         */
-       p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred),  p->p_ucred->cr_gid);
+       p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred),  kauth_cred_getgid(p->p_ucred));
+       /* update cred on proc */
+       PROC_UPDATE_CREDS_ONPROC(p);
        
        /* Update the process' identity version and set the security token */
        p->p_idversion++;
        
        /* Update the process' identity version and set the security token */
        p->p_idversion++;
@@ -2980,129 +4311,146 @@ handle_mac_transition:
  *             limits on stack growth, if they end up being needed.
  *
  * Parameters: p                       Process to set stack on
  *             limits on stack growth, if they end up being needed.
  *
  * Parameters: p                       Process to set stack on
- *             user_stack              Address to set stack for process to
- *             customstack             FALSE if no custom stack in binary
- *             map                     Address map in which to allocate the
- *                                     new stack, if 'customstack' is FALSE
+ *             load_result             Information from mach-o load commands
+ *             map                     Address map in which to allocate the new stack
  *
  * Returns:    KERN_SUCCESS            Stack successfully created
  *             !KERN_SUCCESS           Mach failure code
  */
 static kern_return_t
  *
  * Returns:    KERN_SUCCESS            Stack successfully created
  *             !KERN_SUCCESS           Mach failure code
  */
 static kern_return_t
-create_unix_stack(vm_map_t map, user_addr_t user_stack, int customstack,
+create_unix_stack(vm_map_t map, load_result_t* load_result, 
                        proc_t p)
 {
        mach_vm_size_t          size, prot_size;
        mach_vm_offset_t        addr, prot_addr;
        kern_return_t           kr;
 
                        proc_t p)
 {
        mach_vm_size_t          size, prot_size;
        mach_vm_offset_t        addr, prot_addr;
        kern_return_t           kr;
 
+       mach_vm_address_t       user_stack = load_result->user_stack;
+       
        proc_lock(p);
        p->user_stack = user_stack;
        proc_unlock(p);
 
        proc_lock(p);
        p->user_stack = user_stack;
        proc_unlock(p);
 
-       if (!customstack) {
+       if (!load_result->prog_allocated_stack) {
                /*
                 * Allocate enough space for the maximum stack size we
                 * will ever authorize and an extra page to act as
                /*
                 * Allocate enough space for the maximum stack size we
                 * will ever authorize and an extra page to act as
-                * a guard page for stack overflows.
+                * a guard page for stack overflows. For default stacks,
+                * vm_initial_limit_stack takes care of the extra guard page.
+                * Otherwise we must allocate it ourselves.
                 */
                 */
-               size = mach_vm_round_page(MAXSSIZ);
-#if STACK_GROWTH_UP
-               addr = mach_vm_trunc_page(user_stack);
-#else  /* STACK_GROWTH_UP */
-               addr = mach_vm_trunc_page(user_stack - size);
-#endif /* STACK_GROWTH_UP */
+
+               size = mach_vm_round_page(load_result->user_stack_size);
+               if (load_result->prog_stack_size)
+                       size += PAGE_SIZE;
+               addr = mach_vm_trunc_page(load_result->user_stack - size);
                kr = mach_vm_allocate(map, &addr, size,
                                        VM_MAKE_TAG(VM_MEMORY_STACK) |
                kr = mach_vm_allocate(map, &addr, size,
                                        VM_MAKE_TAG(VM_MEMORY_STACK) |
-                                     VM_FLAGS_FIXED);
+                                       VM_FLAGS_FIXED);
                if (kr != KERN_SUCCESS) {
                if (kr != KERN_SUCCESS) {
-                       return kr;
+                       /* If can't allocate at default location, try anywhere */
+                       addr = 0;
+                       kr = mach_vm_allocate(map, &addr, size,
+                                                                 VM_MAKE_TAG(VM_MEMORY_STACK) |
+                                                                 VM_FLAGS_ANYWHERE);
+                       if (kr != KERN_SUCCESS)
+                               return kr;
+
+                       user_stack = addr + size;
+                       load_result->user_stack = user_stack;
+
+                       proc_lock(p);
+                       p->user_stack = user_stack;
+                       proc_unlock(p);
                }
                }
+
                /*
                 * And prevent access to what's above the current stack
                 * size limit for this process.
                 */
                prot_addr = addr;
                /*
                 * And prevent access to what's above the current stack
                 * size limit for this process.
                 */
                prot_addr = addr;
-#if STACK_GROWTH_UP
-               prot_addr += unix_stack_size(p);
-#endif /* STACK_GROWTH_UP */
-               prot_addr = mach_vm_round_page(prot_addr);
-               prot_size = mach_vm_trunc_page(size - unix_stack_size(p));
+               if (load_result->prog_stack_size)
+                       prot_size = PAGE_SIZE;
+               else
+                       prot_size = mach_vm_trunc_page(size - unix_stack_size(p));
                kr = mach_vm_protect(map,
                kr = mach_vm_protect(map,
-                                    prot_addr,
-                                    prot_size,
-                                    FALSE,
-                                    VM_PROT_NONE);
+                                                        prot_addr,
+                                                        prot_size,
+                                                        FALSE,
+                                                        VM_PROT_NONE);
                if (kr != KERN_SUCCESS) {
                        (void) mach_vm_deallocate(map, addr, size);
                        return kr;
                }
        }
                if (kr != KERN_SUCCESS) {
                        (void) mach_vm_deallocate(map, addr, size);
                        return kr;
                }
        }
+
        return KERN_SUCCESS;
 }
 
 #include <sys/reboot.h>
 
        return KERN_SUCCESS;
 }
 
 #include <sys/reboot.h>
 
-static char            init_program_name[128] = "/sbin/launchd";
-
-struct execve_args     init_exec_args;
-
 /*
 /*
- * load_init_program
+ * load_init_program_at_path
  *
  * Description:        Load the "init" program; in most cases, this will be "launchd"
  *
  * Parameters: p                       Process to call execve() to create
  *                                     the "init" program
  *
  * Description:        Load the "init" program; in most cases, this will be "launchd"
  *
  * Parameters: p                       Process to call execve() to create
  *                                     the "init" program
+ *             scratch_addr            Page in p, scratch space
+ *             path                    NULL terminated path
  *
  *
- * Returns:    (void)
+ * Returns:    KERN_SUCCESS            Success
+ *             !KERN_SUCCESS           See execve/mac_execve for error codes
  *
  * Notes:      The process that is passed in is the first manufactured
  *             process on the system, and gets here via bsd_ast() firing
  *             for the first time.  This is done to ensure that bsd_init()
  *             has run to completion.
  *
  * Notes:      The process that is passed in is the first manufactured
  *             process on the system, and gets here via bsd_ast() firing
  *             for the first time.  This is done to ensure that bsd_init()
  *             has run to completion.
+ *
+ *             The address map of the first manufactured process is 32 bit.
+ *             WHEN this becomes 64b, this code will fail; it needs to be
+ *             made 64b capable.
  */
  */
-void
-load_init_program(proc_t p)
+static int
+load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
 {
 {
-       vm_offset_t     init_addr;
-       int             argc = 0;
        uint32_t argv[3];
        uint32_t argv[3];
-       int                     error;
-       int             retval[2];
+       uint32_t argc = 0;
+       int retval[2];
+       struct execve_args init_exec_args;
 
        /*
 
        /*
-        * Copy out program name.
+        * Validate inputs and pre-conditions
         */
         */
+       assert(p);
+       assert(scratch_addr);
+       assert(path);
 
 
-       init_addr = VM_MIN_ADDRESS;
-       (void) vm_allocate(current_map(), &init_addr, PAGE_SIZE,
-                               VM_FLAGS_ANYWHERE);
-       if (init_addr == 0)
-               init_addr++;
+       if (IS_64BIT_PROCESS(p)) {
+               panic("Init against 64b primordial proc not implemented");
+       }
 
 
-       (void) copyout((caddr_t) init_program_name, CAST_USER_ADDR_T(init_addr),
-                       (unsigned) sizeof(init_program_name)+1);
+       /*
+        * Copy out program name.
+        */
+       size_t path_length = strlen(path) + 1;
+       (void) copyout(path, scratch_addr, path_length);
 
 
-       argv[argc++] = (uint32_t)init_addr;
-       init_addr += sizeof(init_program_name);
-       init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
+       argv[argc++] = (uint32_t)scratch_addr;
+       scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, 16);
 
        /*
         * Put out first (and only) argument, similarly.
 
        /*
         * Put out first (and only) argument, similarly.
-        * Assumes everything fits in a page as allocated
-        * above.
+        * Assumes everything fits in a page as allocated above.
         */
        if (boothowto & RB_SINGLE) {
                const char *init_args = "-s";
         */
        if (boothowto & RB_SINGLE) {
                const char *init_args = "-s";
+               size_t init_args_length = strlen(init_args)+1;
 
 
-               copyout(init_args, CAST_USER_ADDR_T(init_addr),
-                       strlen(init_args));
-
-               argv[argc++] = (uint32_t)init_addr;
-               init_addr += strlen(init_args);
-               init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
+               copyout(init_args, scratch_addr, init_args_length);
 
 
+               argv[argc++] = (uint32_t)scratch_addr;
+               scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, 16);
        }
 
        /*
        }
 
        /*
@@ -3113,27 +4461,113 @@ load_init_program(proc_t p)
        /*
         * Copy out the argument list.
         */
        /*
         * Copy out the argument list.
         */
-       
-       (void) copyout((caddr_t) argv, CAST_USER_ADDR_T(init_addr),
-                       (unsigned) sizeof(argv));
+       (void) copyout(argv, scratch_addr, sizeof(argv));
 
        /*
         * Set up argument block for fake call to execve.
         */
 
        /*
         * Set up argument block for fake call to execve.
         */
-
        init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
        init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
-       init_exec_args.argp = CAST_USER_ADDR_T((char **)init_addr);
-       init_exec_args.envp = CAST_USER_ADDR_T(0);
-       
+       init_exec_args.argp = scratch_addr;
+       init_exec_args.envp = USER_ADDR_NULL;
+
        /*
        /*
-        * So that mach_init task is set with uid,gid 0 token 
+        * So that init task is set with uid,gid 0 token
         */
        set_security_token(p);
 
         */
        set_security_token(p);
 
-       error = execve(p,&init_exec_args,retval);
-       if (error)
-               panic("Process 1 exec of %s failed, errno %d\n",
-                     init_program_name, error);
+       return execve(p, &init_exec_args, retval);
+}
+
+static const char * init_programs[] = {
+#if DEBUG
+       "/usr/local/sbin/launchd.debug",
+#endif
+#if DEVELOPMENT || DEBUG
+       /* Remove DEBUG conditional when <rdar://problem/17931977> is fixed */
+       "/usr/local/sbin/launchd.development",
+#endif
+       "/sbin/launchd",
+};
+
+/*
+ * load_init_program
+ *
+ * Description:        Load the "init" program; in most cases, this will be "launchd"
+ *
+ * Parameters: p                       Process to call execve() to create
+ *                                     the "init" program
+ *
+ * Returns:    (void)
+ *
+ * Notes:      The process that is passed in is the first manufactured
+ *             process on the system, and gets here via bsd_ast() firing
+ *             for the first time.  This is done to ensure that bsd_init()
+ *             has run to completion.
+ *
+ *             In DEBUG & DEVELOPMENT builds, the launchdsuffix boot-arg
+ *             may be used to select a specific launchd executable. As with
+ *             the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
+ *             will force /sbin/launchd to be selected.
+ *
+ *             The DEBUG kernel will continue to check for a .development
+ *             version until <rdar://problem/17931977> is fixed.
+ *
+ *              Search order by build:
+ *
+ * DEBUG       DEVELOPMENT     RELEASE         PATH
+ * ----------------------------------------------------------------------------------
+ * 1           1               NA              /usr/local/sbin/launchd.$LAUNCHDSUFFIX
+ * 2           NA              NA              /usr/local/sbin/launchd.debug
+ * 3           2               NA              /usr/local/sbin/launchd.development
+ * 4           3               1               /sbin/launchd
+ */
+void
+load_init_program(proc_t p)
+{
+       uint32_t i;
+       int error;
+       vm_offset_t scratch_addr = VM_MIN_ADDRESS;
+
+       (void) vm_allocate(current_map(), &scratch_addr, PAGE_SIZE, VM_FLAGS_ANYWHERE);
+#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM
+       (void) memorystatus_init_at_boot_snapshot();
+#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM */
+
+#if DEBUG || DEVELOPMENT
+       /* Check for boot-arg suffix first */
+       char launchd_suffix[64];
+       if (PE_parse_boot_argn("launchdsuffix", launchd_suffix, sizeof(launchd_suffix))) {
+               char launchd_path[128];
+               boolean_t is_release_suffix = ((launchd_suffix[0] == 0) ||
+                                              (strcmp(launchd_suffix, "release") == 0));
+
+               if (is_release_suffix) {
+                       error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), "/sbin/launchd");
+                       if (!error)
+                               return;
+
+                       panic("Process 1 exec of launchd.release failed, errno %d", error);
+               } else {
+                       strlcpy(launchd_path, "/usr/local/sbin/launchd.", sizeof(launchd_path));
+                       strlcat(launchd_path, launchd_suffix, sizeof(launchd_path));
+
+                       /* All the error data is lost in the loop below, don't
+                        * attempt to save it. */
+                       if (!load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), launchd_path)) {
+                               return;
+                       }
+               }
+       }
+#endif
+
+       error = ENOENT;
+       for (i = 0; i < sizeof(init_programs)/sizeof(init_programs[0]); i++) {
+               error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), init_programs[i]);
+               if (!error)
+                       return;
+       }
+
+       panic("Process 1 exec of %s failed, errno %d", ((i == 0) ? "<null>" : init_programs[i-1]), error);
 }
 
 /*
 }
 
 /*
@@ -3177,6 +4611,7 @@ load_return_to_errno(load_return_t lrtn)
        case LOAD_IOERROR:
                return EIO;
        case LOAD_FAILURE:
        case LOAD_IOERROR:
                return EIO;
        case LOAD_FAILURE:
+       case LOAD_DECRYPTFAIL:
        default:
                return EBADEXEC;
        }
        default:
                return EBADEXEC;
        }
@@ -3189,8 +4624,6 @@ load_return_to_errno(load_return_t lrtn)
 #include <kern/clock.h>
 #include <mach/kern_return.h>
 
 #include <kern/clock.h>
 #include <mach/kern_return.h>
 
-extern semaphore_t execve_semaphore;
-
 /*
  * execargs_alloc
  *
 /*
  * execargs_alloc
  *
@@ -3238,14 +4671,14 @@ execargs_lock_unlock(void) {
        lck_mtx_unlock(execargs_cache_lock);
 }
 
        lck_mtx_unlock(execargs_cache_lock);
 }
 
-static void
+static wait_result_t
 execargs_lock_sleep(void) {
 execargs_lock_sleep(void) {
-       lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_UNINT);
+       return(lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_INTERRUPTIBLE));
 }
 
 static kern_return_t
 execargs_purgeable_allocate(char **execarg_address) {
 }
 
 static kern_return_t
 execargs_purgeable_allocate(char **execarg_address) {
-       kern_return_t kr = vm_allocate(bsd_pageable_map, (vm_offset_t *)execarg_address, NCARGS + PAGE_SIZE, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE);
+       kern_return_t kr = vm_allocate(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE);
        assert(kr == KERN_SUCCESS);
        return kr;
 }
        assert(kr == KERN_SUCCESS);
        return kr;
 }
@@ -3279,14 +4712,19 @@ static int
 execargs_alloc(struct image_params *imgp)
 {
        kern_return_t kret;
 execargs_alloc(struct image_params *imgp)
 {
        kern_return_t kret;
+       wait_result_t res;
        int i, cache_index = -1;
 
        execargs_lock_lock();
 
        while (execargs_free_count == 0) {
                execargs_waiters++;
        int i, cache_index = -1;
 
        execargs_lock_lock();
 
        while (execargs_free_count == 0) {
                execargs_waiters++;
-               execargs_lock_sleep();
+               res = execargs_lock_sleep();
                execargs_waiters--;
                execargs_waiters--;
+               if (res != THREAD_AWAKENED) {
+                       execargs_lock_unlock();
+                       return (EINTR);
+               }
        }
 
        execargs_free_count--;
        }
 
        execargs_free_count--;
@@ -3316,7 +4754,11 @@ execargs_alloc(struct image_params *imgp)
                return (ENOMEM);
        }
 
                return (ENOMEM);
        }
 
-       imgp->ip_vdata = imgp->ip_strings + NCARGS;
+       /* last page used to read in file headers */
+       imgp->ip_vdata = imgp->ip_strings + ( NCARGS + PAGE_SIZE );
+       imgp->ip_strendp = imgp->ip_strings;
+       imgp->ip_argspace = NCARGS;
+       imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
 
        return (0);
 }
 
        return (0);
 }
@@ -3402,12 +4844,85 @@ exec_resettextvp(proc_t p, struct image_params *imgp)
 
 }
 
 
 }
 
-static int 
+/*
+ * If the process is not signed or if it contains entitlements, we
+ * need to communicate through the task_access_port to taskgated.
+ *
+ * taskgated will provide a detached code signature if present, and
+ * will enforce any restrictions on entitlements.
+ */
+
+static boolean_t
+taskgated_required(proc_t p, boolean_t *require_success)
+{
+       size_t length;
+       void *blob;
+       int error;
+
+       if (cs_debug > 2)
+               csvnode_print_debug(p->p_textvp);
+
+       const int can_skip_taskgated = csproc_get_platform_binary(p) && !csproc_get_platform_path(p);
+       if (can_skip_taskgated) {
+               if (cs_debug) printf("taskgated not required for: %s\n", p->p_name);
+               *require_success = FALSE;
+               return FALSE;
+       }
+
+       if ((p->p_csflags & CS_VALID) == 0) {
+               *require_success = FALSE;
+               return TRUE;
+       }
+
+       error = cs_entitlements_blob_get(p, &blob, &length);
+       if (error == 0 && blob != NULL) {
+               /*
+                * fatal on the desktop when entitlements are present,
+                * unless we started in single-user mode 
+                */
+               if ((boothowto & RB_SINGLE) == 0)
+                       *require_success = TRUE;
+               /*
+                * Allow initproc to run without causing taskgated to launch
+                */
+               if (p == initproc) {
+                       *require_success = FALSE;
+                       return FALSE;
+               }
+
+               if (cs_debug) printf("taskgated required for: %s\n", p->p_name);
+
+               return TRUE;
+       }
+
+       *require_success = FALSE;
+       return FALSE;
+}
+
+/*
+ * __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__
+ * 
+ * Description: Waits for the userspace daemon to respond to the request
+ *             we made. Function declared non inline to be visible in
+ *             stackshots and spindumps as well as debugging.
+ */
+__attribute__((noinline)) int 
+__EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid)
+{
+       return find_code_signature(task_access_port, new_pid);
+}
+
+static int
 check_for_signature(proc_t p, struct image_params *imgp)
 {
        mach_port_t port = NULL;
 check_for_signature(proc_t p, struct image_params *imgp)
 {
        mach_port_t port = NULL;
-       kern_return_t error = 0;
+       kern_return_t kr = KERN_FAILURE;
+       int error = EACCES;
+       boolean_t unexpected_failure = FALSE;
        unsigned char hash[SHA1_RESULTLEN];
        unsigned char hash[SHA1_RESULTLEN];
+       boolean_t require_success = FALSE;
+       int spawn = (imgp->ip_flags & IMGPF_SPAWN);
+       int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
 
        /*
         * Override inherited code signing flags with the
 
        /*
         * Override inherited code signing flags with the
@@ -3422,36 +4937,214 @@ check_for_signature(proc_t p, struct image_params *imgp)
        if(p->p_csflags & (CS_HARD|CS_KILL)) {
                vm_map_switch_protect(get_task_map(p->task), TRUE);
        }
        if(p->p_csflags & (CS_HARD|CS_KILL)) {
                vm_map_switch_protect(get_task_map(p->task), TRUE);
        }
+       
+       /*
+        * image activation may be failed due to policy
+        * which is unexpected but security framework does not
+        * approve of exec, kill and return immediately.
+        */
+       if (imgp->ip_mac_return != 0) {
+               error = imgp->ip_mac_return;
+               unexpected_failure = TRUE;
+               goto done;
+       }
+
+       /* check if callout to taskgated is needed */
+       if (!taskgated_required(p, &require_success)) {
+               error = 0;
+               goto done;
+       }
+
+       kr = task_get_task_access_port(p->task, &port);
+       if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) {
+               error = 0;
+               if (require_success)
+                       error = EACCES;
+               goto done;
+       }
 
        /*
 
        /*
-        * If the task_access_port is set and the proc isn't signed,
-        * ask for a code signature from user space. Fail the exec
-        * if permission is denied.
+        * taskgated returns KERN_SUCCESS if it has completed its work
+        * and the exec should continue, KERN_FAILURE if the exec should 
+        * fail, or it may error out with different error code in an 
+        * event of mig failure (e.g. process was signalled during the 
+        * rpc call, taskgated died, mig server died etc.).
         */
         */
-       error = task_get_task_access_port(p->task, &port);
-       if (error == 0 && IPC_PORT_VALID(port) && !(p->p_csflags & CS_VALID)) {
-               error = find_code_signature(port, p->p_pid);
-               if (error == KERN_FAILURE) {
-                       /* Make very sure execution fails */
+
+       kr = __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(port, p->p_pid);
+       switch (kr) {
+       case KERN_SUCCESS:
+               error = 0;
+               break;
+       case KERN_FAILURE:
+               error = EACCES;
+               goto done;
+       default:
+               error = EACCES;
+               unexpected_failure = TRUE;
+               goto done;
+       }
+
+       /* Only do this if exec_resettextvp() did not fail */
+       if (p->p_textvp != NULLVP) {
+               /*
+                * If there's a new code directory, mark this process
+                * as signed.
+                */
+               if (0 == ubc_cs_getcdhash(p->p_textvp, p->p_textoff, hash)) {
+                       proc_lock(p);
+                       p->p_csflags |= CS_VALID;
+                       proc_unlock(p);
+               }
+       }
+
+done:
+       if (0 != error) {
+               if (!unexpected_failure)
+                       p->p_csflags |= CS_KILLED;
+               /* make very sure execution fails */
+               if (vfexec || spawn) {
+                       psignal_vfork(p, p->task, imgp->ip_new_thread, SIGKILL);
+                       error = 0;
+               } else {
                        psignal(p, SIGKILL);
                        psignal(p, SIGKILL);
-                       return EACCES;
                }
                }
+       }
+       return error;
+}
+
+/*
+ * Typically as soon as we start executing this process, the
+ * first instruction will trigger a VM fault to bring the text
+ * pages (as executable) into the address space, followed soon
+ * thereafter by dyld data structures (for dynamic executable).
+ * To optimize this, as well as improve support for hardware
+ * debuggers that can only access resident pages present
+ * in the process' page tables, we prefault some pages if
+ * possible. Errors are non-fatal.
+ */
+static void exec_prefault_data(proc_t p __unused, struct image_params *imgp, load_result_t *load_result)
+{
+       int ret;
+       size_t expected_all_image_infos_size;
+
+       /*
+        * Prefault executable or dyld entry point.
+        */
+       vm_fault(current_map(),
+                vm_map_trunc_page(load_result->entry_point,
+                                  vm_map_page_mask(current_map())),
+                VM_PROT_READ | VM_PROT_EXECUTE,
+                FALSE,
+                THREAD_UNINT, NULL, 0);
+       
+       if (imgp->ip_flags & IMGPF_IS_64BIT) {
+               expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos);
+       } else {
+               expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos);
+       }
+
+       /* Decode dyld anchor structure from <mach-o/dyld_images.h> */
+       if (load_result->dynlinker &&
+               load_result->all_image_info_addr &&
+               load_result->all_image_info_size >= expected_all_image_infos_size) {
+               union {
+                       struct user64_dyld_all_image_infos      infos64;
+                       struct user32_dyld_all_image_infos      infos32;
+               } all_image_infos;
+
+               /*
+                * Pre-fault to avoid copyin() going through the trap handler
+                * and recovery path.
+                */
+               vm_fault(current_map(),
+                        vm_map_trunc_page(load_result->all_image_info_addr,
+                                          vm_map_page_mask(current_map())),
+                        VM_PROT_READ | VM_PROT_WRITE,
+                        FALSE,
+                        THREAD_UNINT, NULL, 0);
+               if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) {
+                       /* all_image_infos straddles a page */
+                       vm_fault(current_map(),
+                                vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - 1,
+                                                  vm_map_page_mask(current_map())),
+                                VM_PROT_READ | VM_PROT_WRITE,
+                                FALSE,
+                                THREAD_UNINT, NULL, 0);
+               }
+
+               ret = copyin(load_result->all_image_info_addr,
+                                        &all_image_infos,
+                                        expected_all_image_infos_size);
+               if (ret == 0 && all_image_infos.infos32.version >= 9) {
+
+                       user_addr_t notification_address;
+                       user_addr_t dyld_image_address;
+                       user_addr_t dyld_version_address;
+                       user_addr_t dyld_all_image_infos_address;
+                       user_addr_t dyld_slide_amount;
+
+                       if (imgp->ip_flags & IMGPF_IS_64BIT) {
+                               notification_address = all_image_infos.infos64.notification;
+                               dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress;
+                               dyld_version_address = all_image_infos.infos64.dyldVersion;
+                               dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress;
+                       } else {
+                               notification_address = all_image_infos.infos32.notification;
+                               dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress;
+                               dyld_version_address = all_image_infos.infos32.dyldVersion;
+                               dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress;
+                       }
 
 
-               /* Only do this if exec_resettextvp() did not fail */
-               if (p->p_textvp != NULLVP) {
                        /*
                        /*
-                        * If there's a new code directory, mark this process
-                        * as signed.
+                        * dyld statically sets up the all_image_infos in its Mach-O
+                        * binary at static link time, with pointers relative to its default
+                        * load address. Since ASLR might slide dyld before its first
+                        * instruction is executed, "dyld_slide_amount" tells us how far
+                        * dyld was loaded compared to its default expected load address.
+                        * All other pointers into dyld's image should be adjusted by this
+                        * amount. At some point later, dyld will fix up pointers to take
+                        * into account the slide, at which point the all_image_infos_address
+                        * field in the structure will match the runtime load address, and
+                        * "dyld_slide_amount" will be 0, if we were to consult it again.
                         */
                         */
-                       error = ubc_cs_getcdhash(p->p_textvp, p->p_textoff, hash); 
-                       if (error == 0) {
-                               proc_lock(p);
-                               p->p_csflags |= CS_VALID;
-                               proc_unlock(p);
-                       }
+
+                       dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address;
+
+#if 0
+                       kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
+                                       (uint64_t)load_result->all_image_info_addr,
+                                       all_image_infos.infos32.version,
+                                       (uint64_t)notification_address,
+                                       (uint64_t)dyld_image_address,
+                                       (uint64_t)dyld_version_address,
+                                       (uint64_t)dyld_all_image_infos_address);
+#endif
+
+                       vm_fault(current_map(),
+                                vm_map_trunc_page(notification_address + dyld_slide_amount,
+                                                  vm_map_page_mask(current_map())),
+                                VM_PROT_READ | VM_PROT_EXECUTE,
+                                FALSE,
+                                THREAD_UNINT, NULL, 0);
+                       vm_fault(current_map(),
+                                vm_map_trunc_page(dyld_image_address + dyld_slide_amount,
+                                                  vm_map_page_mask(current_map())),
+                                VM_PROT_READ | VM_PROT_EXECUTE,
+                                FALSE,
+                                THREAD_UNINT, NULL, 0);
+                       vm_fault(current_map(),
+                                vm_map_trunc_page(dyld_version_address + dyld_slide_amount,
+                                                  vm_map_page_mask(current_map())),
+                                VM_PROT_READ,
+                                FALSE,
+                                THREAD_UNINT, NULL, 0);
+                       vm_fault(current_map(),
+                                vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount,
+                                                  vm_map_page_mask(current_map())),
+                                VM_PROT_READ | VM_PROT_WRITE,
+                                FALSE,
+                                THREAD_UNINT, NULL, 0);
                }
        }
                }
        }
-
-       return KERN_SUCCESS;
 }
 }
-
mirror of XNU