xnu-6153.101.6.tar.gz

[apple/xnu.git] / bsd / kern / kern_exec.c
diff --git a/bsd/kern/kern_exec.c b/bsd/kern/kern_exec.c

index e4ec2a210cfd21515ac62a02a6df46116f19108c..afa0cb8207ebcedde2c8b7568af9133b50bbda1b 100644 (file)
--- a/bsd/kern/kern_exec.c
+++ b/bsd/kern/kern_exec.c
@@ -1863,6 +1863,7 @@ exec_handle_port_actions(struct image_params *imgp,
         kern_return_t kr;
         boolean_t task_has_watchport_boost = task_has_watchports(current_task());
         boolean_t in_exec = (imgp->ip_flags & IMGPF_EXEC);
         kern_return_t kr;
         boolean_t task_has_watchport_boost = task_has_watchports(current_task());
         boolean_t in_exec = (imgp->ip_flags & IMGPF_EXEC);
+       boolean_t suid_cred_specified = FALSE;
  
         for (i = 0; i < pacts->pspa_count; i++) {
                 act = &pacts->pspa_actions[i];
  
         for (i = 0; i < pacts->pspa_count; i++) {
                 act = &pacts->pspa_actions[i];
@@ -1886,6 +1887,16 @@ exec_handle_port_actions(struct image_params *imgp,
                                 goto done;
                         }
                         break;
                                 goto done;
                         }
                         break;
+
+               case PSPA_SUID_CRED:
+                       /* Only a single suid credential can be specified. */
+                       if (suid_cred_specified) {
+                               ret = EINVAL;
+                               goto done;
+                       }
+                       suid_cred_specified = TRUE;
+                       break;
+
                 default:
                         ret = EINVAL;
                         goto done;
                 default:
                         ret = EINVAL;
                         goto done;
@@ -1973,6 +1984,11 @@ exec_handle_port_actions(struct image_params *imgp,
                         /* hold on to this till end of spawn */
                         actions->registered_array[registered_i++] = port;
                         break;
                         /* hold on to this till end of spawn */
                         actions->registered_array[registered_i++] = port;
                         break;
+
+               case PSPA_SUID_CRED:
+                       imgp->ip_sc_port = port;
+                       break;
+
                 default:
                         ret = EINVAL;
                         break;
                 default:
                         ret = EINVAL;
                         break;
@@ -3748,6 +3764,10 @@ bad:
                         imgp->ip_cs_error = OS_REASON_NULL;
                 }
  #endif
                         imgp->ip_cs_error = OS_REASON_NULL;
                 }
  #endif
+               if (imgp->ip_sc_port != NULL) {
+                       ipc_port_release_send(imgp->ip_sc_port);
+                       imgp->ip_sc_port = NULL;
+               }
         }
  
  #if CONFIG_DTRACE
         }
  
  #if CONFIG_DTRACE
@@ -5381,7 +5401,8 @@ exec_handle_sugid(struct image_params *imgp)
             kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
             ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
             ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
             kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
             ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
             ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) ||
-           (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) {
+           (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid))) ||
+           (imgp->ip_sc_port != NULL)) {
  #if CONFIG_MACF
  /* label for MAC transition and neither VSUID nor VSGID */
  handle_mac_transition:
  #if CONFIG_MACF
  /* label for MAC transition and neither VSUID nor VSGID */
  handle_mac_transition:
@@ -5408,6 +5429,33 @@ handle_mac_transition:
                  * proc's ucred lock. This prevents others from accessing
                  * a garbage credential.
                  */
                  * proc's ucred lock. This prevents others from accessing
                  * a garbage credential.
                  */
+
+               if (imgp->ip_sc_port != NULL) {
+                       extern int suid_cred_verify(ipc_port_t, vnode_t, uint32_t *);
+                       int ret = -1;
+                       uid_t uid = UINT32_MAX;
+
+                       /*
+                        * Check that the vnodes match. If a script is being
+                        * executed check the script's vnode rather than the
+                        * interpreter's.
+                        */
+                       struct vnode *vp = imgp->ip_scriptvp != NULL ? imgp->ip_scriptvp : imgp->ip_vp;
+
+                       ret = suid_cred_verify(imgp->ip_sc_port, vp, &uid);
+                       if (ret == 0) {
+                               apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
+                                       return kauth_cred_setresuid(my_cred,
+                                       KAUTH_UID_NONE,
+                                       uid,
+                                       uid,
+                                       KAUTH_UID_NONE);
+                               });
+                       } else {
+                               error = EPERM;
+                       }
+               }
+
                 if (imgp->ip_origvattr->va_mode & VSUID) {
                         apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
                                 return kauth_cred_setresuid(my_cred,
                 if (imgp->ip_origvattr->va_mode & VSUID) {
                         apply_kauth_cred_update(p, ^kauth_cred_t (kauth_cred_t my_cred) {
                                 return kauth_cred_setresuid(my_cred,