X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/d1ecb069dfe24481e4a83f44cb5217a2b06746d7..c7d2c2c6ee645e10cbccdd01c6191873ec77239d:/bsd/kern/kern_exec.c diff --git a/bsd/kern/kern_exec.c b/bsd/kern/kern_exec.c index 722415a70..e2e7d1526 100644 --- a/bsd/kern/kern_exec.c +++ b/bsd/kern/kern_exec.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2007 Apple Inc. All rights reserved. + * Copyright (c) 2000-2011 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -33,8 +33,6 @@ * the terms and conditions for use and redistribution. */ -#include - /*- * Copyright (c) 1982, 1986, 1991, 1993 * The Regents of the University of California. All rights reserved. @@ -81,6 +79,7 @@ * Version 2.0. */ #include +#include #include #include @@ -109,9 +108,12 @@ #include /* ubc_map() */ #include #include +#include #include #include +#include + #include #include @@ -128,6 +130,8 @@ #include /* thread_wakeup() */ #include #include +#include +#include #if CONFIG_MACF #include @@ -138,23 +142,39 @@ #include #include #include +#include +#include + +#include +#include + +#include + +#if CONFIG_MEMORYSTATUS +#include +#endif #if CONFIG_DTRACE /* Do not include dtrace.h, it redefines kmem_[alloc/free] */ extern void (*dtrace_fasttrap_exec_ptr)(proc_t); +extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t); extern void (*dtrace_helpers_cleanup)(proc_t); extern void dtrace_lazy_dofs_destroy(proc_t); +/* + * Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c, + * we will store its value before actually calling it. + */ +static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL; + #include #endif /* support for child creation in exec after vfork */ -thread_t fork_create_child(task_t parent_task, proc_t child_proc, int inherit_memory, int is64bit); +thread_t fork_create_child(task_t parent_task, coalition_t *parent_coalition, proc_t child_proc, int inherit_memory, int is64bit); void vfork_exit(proc_t p, int rv); -int setsigvec(proc_t, thread_t, int, struct __kern_sigaction *, boolean_t in_sigstart); -void workqueue_exit(struct proc *); - +extern void proc_apply_task_networkbg_internal(proc_t, thread_t); /* * Mach things for which prototypes are unavailable from Mach headers @@ -170,8 +190,13 @@ kern_return_t ipc_object_copyin( ipc_object_t *objectp); void ipc_port_release_send(ipc_port_t); +#if DEVELOPMENT || DEBUG +void task_importance_update_owner_info(task_t); +#endif + extern struct savearea *get_user_regs(thread_t); +__attribute__((noinline)) int __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid); #include #include @@ -186,29 +211,25 @@ extern struct savearea *get_user_regs(thread_t); #include -/* - * SIZE_MAXPTR The maximum size of a user space pointer, in bytes - * SIZE_IMG_STRSPACE The available string space, minus two pointers; we - * define it interms of the maximum, since we don't - * know the pointer size going in, until after we've - * parsed the executable image. - */ -#define SIZE_MAXPTR 8 /* 64 bits */ -#define SIZE_IMG_STRSPACE (NCARGS - 2 * SIZE_MAXPTR) - /* * EAI_ITERLIMIT The maximum number of times to iterate an image * activator in exec_activate_image() before treating * it as malformed/corrupt. */ -#define EAI_ITERLIMIT 10 +#define EAI_ITERLIMIT 3 + +/* + * For #! interpreter parsing + */ +#define IS_WHITESPACE(ch) ((ch == ' ') || (ch == '\t')) +#define IS_EOL(ch) ((ch == '#') || (ch == '\n')) extern vm_map_t bsd_pageable_map; -extern struct fileops vnops; +extern const struct fileops vnops; -#define ROUND_PTR(type, addr) \ - (type *)( ( (uintptr_t)(addr) + 16 - 1) \ - & ~(16 - 1) ) +#define USER_ADDR_ALIGN(addr, val) \ + ( ( (user_addr_t)(addr) + (val) - 1) \ + & ~((val) - 1) ) struct image_params; /* Forward */ static int exec_activate_image(struct image_params *imgp); @@ -218,26 +239,28 @@ static int execargs_alloc(struct image_params *imgp); static int execargs_free(struct image_params *imgp); static int exec_check_permissions(struct image_params *imgp); static int exec_extract_strings(struct image_params *imgp); +static int exec_add_apple_strings(struct image_params *imgp); static int exec_handle_sugid(struct image_params *imgp); static int sugid_scripts = 0; -SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW, &sugid_scripts, 0, ""); -static kern_return_t create_unix_stack(vm_map_t map, user_addr_t user_stack, - int customstack, proc_t p); +SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW | CTLFLAG_LOCKED, &sugid_scripts, 0, ""); +static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p); static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size); static void exec_resettextvp(proc_t, struct image_params *); static int check_for_signature(proc_t, struct image_params *); - -/* We don't want this one exported */ -__private_extern__ -int open1(vfs_context_t, struct nameidata *, int, struct vnode_attr *, int32_t *); +static void exec_prefault_data(proc_t, struct image_params *, load_result_t *); +static errno_t exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports); +static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role, + ipc_port_t * portwatch_ports, int portwatch_count); /* - * exec_add_string + * exec_add_user_string * * Add the requested string to the string space area. * * Parameters; struct image_params * image parameter block * user_addr_t string to add to strings area + * int segment from which string comes + * boolean_t TRUE if string contributes to NCARGS * * Returns: 0 Success * !0 Failure errno from copyinstr() @@ -245,43 +268,60 @@ int open1(vfs_context_t, struct nameidata *, int, struct vnode_attr *, int32_t * Implicit returns: * (imgp->ip_strendp) updated location of next add, if any * (imgp->ip_strspace) updated byte count of space remaining + * (imgp->ip_argspace) updated byte count of space in NCARGS */ static int -exec_add_string(struct image_params *imgp, user_addr_t str) +exec_add_user_string(struct image_params *imgp, user_addr_t str, int seg, boolean_t is_ncargs) { - int error = 0; - - do { - size_t len = 0; - if (imgp->ip_strspace <= 0) { + int error = 0; + + do { + size_t len = 0; + int space; + + if (is_ncargs) + space = imgp->ip_argspace; /* by definition smaller than ip_strspace */ + else + space = imgp->ip_strspace; + + if (space <= 0) { error = E2BIG; break; } - if (!UIO_SEG_IS_USER_SPACE(imgp->ip_seg)) { + + if (!UIO_SEG_IS_USER_SPACE(seg)) { char *kstr = CAST_DOWN(char *,str); /* SAFE */ - error = copystr(kstr, imgp->ip_strendp, imgp->ip_strspace, &len); + error = copystr(kstr, imgp->ip_strendp, space, &len); } else { - error = copyinstr(str, imgp->ip_strendp, imgp->ip_strspace, - &len); + error = copyinstr(str, imgp->ip_strendp, space, &len); } + imgp->ip_strendp += len; imgp->ip_strspace -= len; + if (is_ncargs) + imgp->ip_argspace -= len; + } while (error == ENAMETOOLONG); - + return error; } +/* + * dyld is now passed the executable path as a getenv-like variable + * in the same fashion as the stack_guard and malloc_entropy keys. + */ +#define EXECUTABLE_KEY "executable_path=" + /* * exec_save_path * * To support new app package launching for Mac OS X, the dyld needs the * first argument to execve() stored on the user stack. * - * Save the executable path name at the top of the strings area and set + * Save the executable path name at the bottom of the strings area and set * the argument vector pointer to the location following that to indicate * the start of the argument and environment tuples, setting the remaining - * string space count to the size of the string area minus the path length - * and a reserve for two pointers. + * string space count to the size of the string area minus the path length. * * Parameters; struct image_params * image parameter block * char * path used to invoke program @@ -295,8 +335,9 @@ exec_add_string(struct image_params *imgp, user_addr_t str) * Implicit returns: * (imgp->ip_strings) saved path * (imgp->ip_strspace) space remaining in ip_strings - * (imgp->ip_argv) beginning of argument list * (imgp->ip_strendp) start of remaining copy area + * (imgp->ip_argspace) space remaining of NCARGS + * (imgp->ip_applec) Initial applev[0] * * Note: We have to do this before the initial namei() since in the * path contains symbolic links, namei() will overwrite the @@ -306,24 +347,26 @@ exec_add_string(struct image_params *imgp, user_addr_t str) * unacceptable for dyld. */ static int -exec_save_path(struct image_params *imgp, user_addr_t path, int seg) +exec_save_path(struct image_params *imgp, user_addr_t path, int seg, const char **excpath) { int error; - size_t len; - char *kpath = CAST_DOWN(char *,path); /* SAFE */ + size_t len; + char *kpath; - imgp->ip_strendp = imgp->ip_strings; - imgp->ip_strspace = SIZE_IMG_STRSPACE; + // imgp->ip_strings can come out of a cache, so we need to obliterate the + // old path. + memset(imgp->ip_strings, '\0', strlen(EXECUTABLE_KEY) + MAXPATHLEN); len = MIN(MAXPATHLEN, imgp->ip_strspace); switch(seg) { case UIO_USERSPACE32: case UIO_USERSPACE64: /* Same for copyin()... */ - error = copyinstr(path, imgp->ip_strings, len, &len); + error = copyinstr(path, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len); break; case UIO_SYSSPACE: - error = copystr(kpath, imgp->ip_strings, len, &len); + kpath = CAST_DOWN(char *,path); /* SAFE */ + error = copystr(kpath, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len); break; default: error = EFAULT; @@ -331,111 +374,58 @@ exec_save_path(struct image_params *imgp, user_addr_t path, int seg) } if (!error) { + bcopy(EXECUTABLE_KEY, imgp->ip_strings, strlen(EXECUTABLE_KEY)); + len += strlen(EXECUTABLE_KEY); + imgp->ip_strendp += len; imgp->ip_strspace -= len; - imgp->ip_argv = imgp->ip_strendp; + + if (excpath) { + *excpath = imgp->ip_strings + strlen(EXECUTABLE_KEY); + } } return(error); } -#ifdef IMGPF_POWERPC /* - * exec_powerpc32_imgact + * exec_reset_save_path * - * Implicitly invoke the PowerPC handler for a byte-swapped image magic - * number. This may happen either as a result of an attempt to invoke a - * PowerPC image directly, or indirectly as the interpreter used in an - * interpreter script. - * - * Parameters; struct image_params * image parameter block + * If we detect a shell script, we need to reset the string area + * state so that the interpreter can be saved onto the stack. + + * Parameters; struct image_params * image parameter block * - * Returns: -1 not an PowerPC image (keep looking) - * -3 Success: exec_archhandler_ppc: relookup - * >0 Failure: exec_archhandler_ppc: error number + * Returns: int 0 Success * - * Note: This image activator does not handle the case of a direct - * invocation of the exec_archhandler_ppc, since in that case, the - * exec_archhandler_ppc itself is not a PowerPC binary; instead, - * binary image activators must recognize the exec_archhandler_ppc; - * This is managed in exec_check_permissions(). + * Implicit returns: + * (imgp->ip_strings) saved path + * (imgp->ip_strspace) space remaining in ip_strings + * (imgp->ip_strendp) start of remaining copy area + * (imgp->ip_argspace) space remaining of NCARGS * - * Note: This image activator is limited to 32 bit powerpc images; - * if support for 64 bit powerpc images is desired, it would - * be more in line with this design to write a separate 64 bit - * image activator. */ static int -exec_powerpc32_imgact(struct image_params *imgp) +exec_reset_save_path(struct image_params *imgp) { - struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata; - int error; - size_t len = 0; - - /* - * Make sure it's a PowerPC binary. If we've already redirected - * from an interpreted file once, don't do it again. - */ - if (mach_header->magic != MH_CIGAM) { - /* - * If it's a cross-architecture 64 bit binary, then claim - * it, but refuse to run it. - */ - if (mach_header->magic == MH_CIGAM_64) - return (EBADARCH); - return (-1); - } - - /* If there is no exec_archhandler_ppc, we can't run it */ - if (exec_archhandler_ppc.path[0] == 0) - return (EBADARCH); - - /* Remember the type of the original file for later grading */ - if (!imgp->ip_origcputype) { - imgp->ip_origcputype = - OSSwapBigToHostInt32(mach_header->cputype); - imgp->ip_origcpusubtype = - OSSwapBigToHostInt32(mach_header->cpusubtype); - } - - /* - * The PowerPC flag will be set by the exec_check_permissions() - * call anyway; however, we set this flag here so that the relookup - * in execve() does not follow symbolic links, as a side effect. - */ - imgp->ip_flags |= IMGPF_POWERPC; - - /* impute an interpreter */ - error = copystr(exec_archhandler_ppc.path, imgp->ip_interp_name, - IMG_SHSIZE, &len); - if (error) - return (error); - - /* - * provide a replacement string for p->p_comm; we have to use an - * alternate buffer for this, rather than replacing it directly, - * since the exec may fail and return to the parent. In that case, - * we would have erroneously changed the parent p->p_comm instead. - */ - strlcpy(imgp->ip_p_comm, imgp->ip_ndp->ni_cnd.cn_nameptr, MAXCOMLEN+1); - /* +1 to allow MAXCOMLEN characters to be copied */ + imgp->ip_strendp = imgp->ip_strings; + imgp->ip_argspace = NCARGS; + imgp->ip_strspace = ( NCARGS + PAGE_SIZE ); - return (-3); + return (0); } -#endif /* IMGPF_POWERPC */ - /* * exec_shell_imgact * - * Image activator for interpreter scripts. If the image begins with the - * characters "#!", then it is an interpreter script. Verify that we are - * not already executing in PowerPC mode, and that the length of the script - * line indicating the interpreter is not in excess of the maximum allowed - * size. If this is the case, then break out the arguments, if any, which - * are separated by white space, and copy them into the argument save area - * as if they were provided on the command line before all other arguments. - * The line ends when we encounter a comment character ('#') or newline. + * Image activator for interpreter scripts. If the image begins with + * the characters "#!", then it is an interpreter script. Verify the + * length of the script line indicating the interpreter is not in + * excess of the maximum allowed size. If this is the case, then + * break out the arguments, if any, which are separated by white + * space, and copy them into the argument save area as if they were + * provided on the command line before all other arguments. The line + * ends when we encounter a comment character ('#') or newline. * * Parameters; struct image_params * image parameter block * @@ -451,22 +441,16 @@ exec_shell_imgact(struct image_params *imgp) { char *vdata = imgp->ip_vdata; char *ihp; - char *line_endp; + char *line_startp, *line_endp; char *interp; - char temp[16]; proc_t p; struct fileproc *fp; int fd; int error; - size_t len; /* * Make sure it's a shell script. If we've already redirected * from an interpreted file once, don't do it again. - * - * Note: We disallow PowerPC, since the expectation is that we - * may run a PowerPC interpreter, but not an interpret a PowerPC - * image. This is consistent with historical behaviour. */ if (vdata[0] != '#' || vdata[1] != '!' || @@ -474,71 +458,88 @@ exec_shell_imgact(struct image_params *imgp) return (-1); } -#ifdef IMGPF_POWERPC - if ((imgp->ip_flags & IMGPF_POWERPC) != 0) - return (EBADARCH); -#endif /* IMGPF_POWERPC */ + if (imgp->ip_origcputype != 0) { + /* Fat header previously matched, don't allow shell script inside */ + return (-1); + } imgp->ip_flags |= IMGPF_INTERPRET; + imgp->ip_interp_sugid_fd = -1; + imgp->ip_interp_buffer[0] = '\0'; - /* Check to see if SUGID scripts are permitted. If they aren't then + /* Check to see if SUGID scripts are permitted. If they aren't then * clear the SUGID bits. * imgp->ip_vattr is known to be valid. - */ - if (sugid_scripts == 0) { - imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID); + */ + if (sugid_scripts == 0) { + imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID); } - /* Find the nominal end of the interpreter line */ - for( ihp = &vdata[2]; *ihp != '\n' && *ihp != '#'; ihp++) { - if (ihp >= &vdata[IMG_SHSIZE]) + /* Try to find the first non-whitespace character */ + for( ihp = &vdata[2]; ihp < &vdata[IMG_SHSIZE]; ihp++ ) { + if (IS_EOL(*ihp)) { + /* Did not find interpreter, "#!\n" */ return (ENOEXEC); + } else if (IS_WHITESPACE(*ihp)) { + /* Whitespace, like "#! /bin/sh\n", keep going. */ + } else { + /* Found start of interpreter */ + break; + } } - line_endp = ihp; - ihp = &vdata[2]; - /* Skip over leading spaces - until the interpreter name */ - while ( ihp < line_endp && ((*ihp == ' ') || (*ihp == '\t'))) - ihp++; + if (ihp == &vdata[IMG_SHSIZE]) { + /* All whitespace, like "#! " */ + return (ENOEXEC); + } - /* - * Find the last non-whitespace character before the end of line or - * the beginning of a comment; this is our new end of line. - */ - for (;line_endp > ihp && ((*line_endp == ' ') || (*line_endp == '\t')); line_endp--) - continue; + line_startp = ihp; + + /* Try to find the end of the interpreter+args string */ + for ( ; ihp < &vdata[IMG_SHSIZE]; ihp++ ) { + if (IS_EOL(*ihp)) { + /* Got it */ + break; + } else { + /* Still part of interpreter or args */ + } + } - /* Empty? */ - if (line_endp == ihp) + if (ihp == &vdata[IMG_SHSIZE]) { + /* A long line, like "#! blah blah blah" without end */ return (ENOEXEC); + } - /* copy the interpreter name */ - interp = imgp->ip_interp_name; - while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t')) - *interp++ = *ihp++; - *interp = '\0'; + /* Backtrack until we find the last non-whitespace */ + while (IS_EOL(*ihp) || IS_WHITESPACE(*ihp)) { + ihp--; + } - exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_name), - UIO_SYSSPACE); + /* The character after the last non-whitespace is our logical end of line */ + line_endp = ihp + 1; + + /* + * Now we have pointers to the usable part of: + * + * "#! /usr/bin/int first second third \n" + * ^ line_startp ^ line_endp + */ - ihp = &vdata[2]; - while (ihp < line_endp) { - /* Skip leading whitespace before each argument */ - while ((*ihp == ' ') || (*ihp == '\t')) - ihp++; + /* copy the interpreter name */ + interp = imgp->ip_interp_buffer; + for ( ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++) + *interp++ = *ihp; + *interp = '\0'; - if (ihp >= line_endp) - break; + exec_reset_save_path(imgp); + exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer), + UIO_SYSSPACE, NULL); - /* We have an argument; copy it */ - while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t')) { - *imgp->ip_strendp++ = *ihp++; - imgp->ip_strspace--; - } - *imgp->ip_strendp++ = 0; - imgp->ip_strspace--; - imgp->ip_argc++; - } + /* Copy the entire interpreter + args for later processing into argv[] */ + interp = imgp->ip_interp_buffer; + for ( ihp = line_startp; (ihp < line_endp); ihp++) + *interp++ = *ihp; + *interp = '\0'; /* * If we have a SUID oder SGID script, create a file descriptor @@ -552,7 +553,6 @@ exec_shell_imgact(struct image_params *imgp) return(error); fp->f_fglob->fg_flag = FREAD; - fp->f_fglob->fg_type = DTYPE_VNODE; fp->f_fglob->fg_ops = &vnops; fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp; @@ -562,10 +562,7 @@ exec_shell_imgact(struct image_params *imgp) proc_fdunlock(p); vnode_ref(imgp->ip_vp); - snprintf(temp, sizeof(temp), "/dev/fd/%d", fd); - error = copyoutstr(temp, imgp->ip_user_fname, sizeof(temp), &len); - if (error) - return(error); + imgp->ip_interp_sugid_fd = fd; } return (-3); @@ -610,20 +607,29 @@ exec_fat_imgact(struct image_params *imgp) int resid, error; load_return_t lret; + if (imgp->ip_origcputype != 0) { + /* Fat header previously matched, don't allow another fat file inside */ + return (-1); + } + /* Make sure it's a fat binary */ - if ((fat_header->magic != FAT_MAGIC) && - (fat_header->magic != FAT_CIGAM)) { - error = -1; + if (OSSwapBigToHostInt32(fat_header->magic) != FAT_MAGIC) { + error = -1; /* not claimed */ + goto bad; + } + + /* imgp->ip_vdata has PAGE_SIZE, zerofilled if the file is smaller */ + lret = fatfile_validate_fatarches((vm_offset_t)fat_header, PAGE_SIZE); + if (lret != LOAD_SUCCESS) { + error = load_return_to_errno(lret); goto bad; } /* If posix_spawn binprefs exist, respect those prefs. */ psa = (struct _posix_spawnattr *) imgp->ip_px_sa; if (psa != NULL && psa->psa_binprefs[0] != 0) { - struct fat_arch *arches = (struct fat_arch *) (fat_header + 1); - int nfat_arch = 0, pr = 0, f = 0; + uint32_t pr = 0; - nfat_arch = OSSwapBigToHostInt32(fat_header->nfat_arch); /* Check each preference listed against all arches in header */ for (pr = 0; pr < NBINPREFS; pr++) { cpu_type_t pref = psa->psa_binprefs[pr]; @@ -635,36 +641,28 @@ exec_fat_imgact(struct image_params *imgp) if (pref == CPU_TYPE_ANY) { /* Fall through to regular grading */ - break; + goto regular_grading; } - for (f = 0; f < nfat_arch; f++) { - cpu_type_t archtype = OSSwapBigToHostInt32( - arches[f].cputype); - cpu_type_t archsubtype = OSSwapBigToHostInt32( - arches[f].cpusubtype) & ~CPU_SUBTYPE_MASK; - if (pref == archtype && - grade_binary(archtype, archsubtype)) { - /* We have a winner! */ - fat_arch.cputype = archtype; - fat_arch.cpusubtype = archsubtype; - fat_arch.offset = OSSwapBigToHostInt32( - arches[f].offset); - fat_arch.size = OSSwapBigToHostInt32( - arches[f].size); - fat_arch.align = OSSwapBigToHostInt32( - arches[f].align); - goto use_arch; - } + lret = fatfile_getbestarch_for_cputype(pref, + (vm_offset_t)fat_header, + PAGE_SIZE, + &fat_arch); + if (lret == LOAD_SUCCESS) { + goto use_arch; } } + + /* Requested binary preference was not honored */ + error = EBADEXEC; + goto bad; } +regular_grading: /* Look up our preferred architecture in the fat file. */ - lret = fatfile_getarch_affinity(imgp->ip_vp, - (vm_offset_t)fat_header, - &fat_arch, - (p->p_flag & P_AFFINITY)); + lret = fatfile_getbestarch((vm_offset_t)fat_header, + PAGE_SIZE, + &fat_arch); if (lret != LOAD_SUCCESS) { error = load_return_to_errno(lret); goto bad; @@ -680,16 +678,16 @@ use_arch: goto bad; } - /* Did we read a complete header? */ if (resid) { - error = EBADEXEC; - goto bad; + memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid); } /* Success. Indicate we have identified an encapsulated binary */ error = -2; imgp->ip_arch_offset = (user_size_t)fat_arch.offset; imgp->ip_arch_size = (user_size_t)fat_arch.size; + imgp->ip_origcputype = fat_arch.cputype; + imgp->ip_origcpusubtype = fat_arch.cpusubtype; bad: kauth_cred_unref(&cred); @@ -725,7 +723,6 @@ exec_mach_imgact(struct image_params *imgp) struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata; proc_t p = vfs_context_proc(imgp->ip_vfs_context); int error = 0; - int vfexec = 0; task_t task; task_t new_task = NULL; /* protected by vfexec */ thread_t thread; @@ -735,27 +732,41 @@ exec_mach_imgact(struct image_params *imgp) load_return_t lret; load_result_t load_result; struct _posix_spawnattr *psa = NULL; - int spawn = (imgp->ip_flags & IMGPF_SPAWN); + int spawn = (imgp->ip_flags & IMGPF_SPAWN); + int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC); + int p_name_len; /* * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference * is a reserved field on the end, so for the most part, we can - * treat them as if they were identical. - */ + * treat them as if they were identical. Reverse-endian Mach-O + * binaries are recognized but not compatible. + */ + if ((mach_header->magic == MH_CIGAM) || + (mach_header->magic == MH_CIGAM_64)) { + error = EBADARCH; + goto bad; + } + if ((mach_header->magic != MH_MAGIC) && (mach_header->magic != MH_MAGIC_64)) { error = -1; goto bad; } - switch (mach_header->filetype) { - case MH_DYLIB: - case MH_BUNDLE: + if (mach_header->filetype != MH_EXECUTE) { error = -1; goto bad; } - if (!imgp->ip_origcputype) { + if (imgp->ip_origcputype != 0) { + /* Fat header previously had an idea about this thin file */ + if (imgp->ip_origcputype != mach_header->cputype || + imgp->ip_origcpusubtype != mach_header->cpusubtype) { + error = EBADARCH; + goto bad; + } + } else { imgp->ip_origcputype = mach_header->cputype; imgp->ip_origcpusubtype = mach_header->cpusubtype; } @@ -764,15 +775,6 @@ exec_mach_imgact(struct image_params *imgp) thread = current_thread(); uthread = get_bsdthread_info(thread); - /* - * Save off the vfexec state up front; we have to do this, because - * we need to know if we were in this state initally subsequent to - * creating the backing task, thread, and uthread for the child - * process (from the vfs_context_t from in img_parms). - */ - if (uthread->uu_flag & UT_VFORK) - vfexec = 1; /* Mark in exec */ - if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64) imgp->ip_flags |= IMGPF_IS_64BIT; @@ -802,8 +804,7 @@ exec_mach_imgact(struct image_params *imgp) goto bad; } grade: - if (!grade_binary(imgp->ip_origcputype & ~CPU_SUBTYPE_LIB64, - imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) { + if (!grade_binary(imgp->ip_origcputype, imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) { error = EBADARCH; goto bad; } @@ -813,46 +814,25 @@ grade: if (error) goto bad; - AUDIT_ARG(argv, imgp->ip_argv, imgp->ip_argc, - imgp->ip_strendargvp - imgp->ip_argv); - AUDIT_ARG(envv, imgp->ip_strendargvp, imgp->ip_envc, - imgp->ip_strendp - imgp->ip_strendargvp); - - /* - * Hack for binary compatability; put three NULs on the end of the - * string area, and round it up to the next word boundary. This - * ensures padding with NULs to the boundary. - */ - imgp->ip_strendp[0] = 0; - imgp->ip_strendp[1] = 0; - imgp->ip_strendp[2] = 0; - imgp->ip_strendp += (((imgp->ip_strendp - imgp->ip_strings) + NBPW-1) & ~(NBPW-1)); + error = exec_add_apple_strings(imgp); + if (error) + goto bad; -#ifdef IMGPF_POWERPC - /* - * XXX - * - * Should be factored out; this is here because we might be getting - * invoked this way as the result of a shell script, and the check - * in exec_check_permissions() is not interior to the jump back up - * to the "encapsulated_binary:" label in exec_activate_image(). - */ - if (imgp->ip_vattr->va_fsid == exec_archhandler_ppc.fsid && - imgp->ip_vattr->va_fileid == (uint64_t)((u_long)exec_archhandler_ppc.fileid)) { - imgp->ip_flags |= IMGPF_POWERPC; - } -#endif /* IMGPF_POWERPC */ + AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc, + imgp->ip_endargv - imgp->ip_startargv); + AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc, + imgp->ip_endenvv - imgp->ip_endargv); /* * We are being called to activate an image subsequent to a vfork() * operation; in this case, we know that our task, thread, and - * uthread are actualy those of our parent, and our proc, which we + * uthread are actually those of our parent, and our proc, which we * obtained indirectly from the image_params vfs_context_t, is the * new child process. */ if (vfexec || spawn) { if (vfexec) { - imgp->ip_new_thread = fork_create_child(task, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT)); + imgp->ip_new_thread = fork_create_child(task, NULL, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT)); if (imgp->ip_new_thread == NULL) { error = ENOMEM; goto bad; @@ -885,8 +865,12 @@ grade: * Load the Mach-O file. * * NOTE: An error after this point indicates we have potentially - * destroyed or overwrote some process state while attempting an + * destroyed or overwritten some process state while attempting an * execve() following a vfork(), which is an unrecoverable condition. + * We send the new process an immediate SIGKILL to avoid it executing + * any instructions in the mutated address space. For true spawns, + * this is not the case, and "too late" is still not too late to + * return an error code to the parent process. */ /* @@ -899,6 +883,11 @@ grade: goto badtoolate; } + proc_lock(p); + p->p_cputype = imgp->ip_origcputype; + p->p_cpusubtype = imgp->ip_origcpusubtype; + proc_unlock(p); + vm_map_set_user_wire_limit(get_task_map(task), p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur); /* @@ -906,9 +895,10 @@ grade: * requested them on exec. */ if (load_result.csflags & CS_VALID) { - imgp->ip_csflags |= load_result.csflags & + imgp->ip_csflags |= load_result.csflags & (CS_VALID| - CS_HARD|CS_KILL|CS_EXEC_SET_HARD|CS_EXEC_SET_KILL); + CS_HARD|CS_KILL|CS_RESTRICT|CS_ENFORCEMENT|CS_REQUIRE_LV|CS_DYLD_PLATFORM| + CS_EXEC_SET_HARD|CS_EXEC_SET_KILL|CS_EXEC_SET_ENFORCEMENT); } else { imgp->ip_csflags &= ~CS_VALID; } @@ -917,6 +907,10 @@ grade: imgp->ip_csflags |= CS_HARD; if (p->p_csflags & CS_EXEC_SET_KILL) imgp->ip_csflags |= CS_KILL; + if (p->p_csflags & CS_EXEC_SET_ENFORCEMENT) + imgp->ip_csflags |= CS_ENFORCEMENT; + if (p->p_csflags & CS_EXEC_SET_INSTALLER) + imgp->ip_csflags |= CS_INSTALLER; /* @@ -925,48 +919,39 @@ grade: vm_map_exec(get_task_map(task), task, (void *) p->p_fd->fd_rdir, -#ifdef IMGPF_POWERPC - imgp->ip_flags & IMGPF_POWERPC ? - CPU_TYPE_POWERPC : -#endif cpu_type()); /* - * Close file descriptors - * which specify close-on-exec. + * Close file descriptors which specify close-on-exec. */ - fdexec(p); + fdexec(p, psa != NULL ? psa->psa_flags : 0); /* * deal with set[ug]id. */ error = exec_handle_sugid(imgp); + if (error) { + goto badtoolate; + } + + /* + * deal with voucher on exec-calling thread. + */ + if (imgp->ip_new_thread == NULL) + thread_set_mach_voucher(current_thread(), IPC_VOUCHER_NULL); /* Make sure we won't interrupt ourself signalling a partial process */ if (!vfexec && !spawn && (p->p_lflag & P_LTRACED)) psignal(p, SIGTRAP); - if (error) { - goto badtoolate; - } - if (load_result.unixproc && create_unix_stack(get_task_map(task), - load_result.user_stack, - load_result.customstack, + &load_result, p) != KERN_SUCCESS) { error = load_return_to_errno(LOAD_NOSPACE); goto badtoolate; } - /* - * There is no continuing workq context during - * vfork exec. So no need to reset then. Otherwise - * clear the workqueue context. - */ - if (vfexec == 0 && spawn == 0) { - (void)workqueue_exit(p); - } if (vfexec || spawn) { old_map = vm_map_switch(get_task_map(task)); } @@ -991,24 +976,24 @@ grade: if (load_result.dynlinker) { uint64_t ap; + int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4; /* Adjust the stack */ - if (imgp->ip_flags & IMGPF_IS_64BIT) { - ap = thread_adjuserstack(thread, -8); - error = copyoutptr(load_result.mach_header, ap, 8); - } else { - ap = thread_adjuserstack(thread, -4); - error = suword(ap, load_result.mach_header); - } + ap = thread_adjuserstack(thread, -new_ptr_size); + error = copyoutptr(load_result.mach_header, ap, new_ptr_size); + if (error) { - if (vfexec || spawn) - vm_map_switch(old_map); + if (vfexec || spawn) + vm_map_switch(old_map); goto badtoolate; } task_set_dyld_info(task, load_result.all_image_info_addr, load_result.all_image_info_size); } + /* Avoid immediate VM faults back into kernel */ + exec_prefault_data(p, imgp, &load_result); + if (vfexec || spawn) { vm_map_switch(old_map); } @@ -1043,20 +1028,31 @@ grade: * Remember file name for accounting. */ p->p_acflag &= ~AFORK; - /* If the translated name isn't NULL, then we want to use - * that translated name as the name we show as the "real" name. - * Otherwise, use the name passed into exec. + + /* + * Set p->p_comm and p->p_name to the name passed to exec */ - if (0 != imgp->ip_p_comm[0]) { - bcopy((caddr_t)imgp->ip_p_comm, (caddr_t)p->p_comm, - sizeof(p->p_comm)); - } else { - if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN) - imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN; - bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm, - (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen); - p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0'; - } + p_name_len = sizeof(p->p_name) - 1; + if(imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len) + imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len; + bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name, + (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen); + p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0'; + + if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN) + imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN; + bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm, + (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen); + p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0'; + + pal_dbg_set_task_name( p->task ); + +#if DEVELOPMENT || DEBUG + /* + * Update the pid an proc name for importance base if any + */ + task_importance_update_owner_info(p->task); +#endif memcpy(&p->p_uuid[0], &load_result.uuid[0], sizeof(p->p_uuid)); @@ -1092,8 +1088,8 @@ grade: */ proc_lock(p); if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) { - (*dtrace_fasttrap_exec_ptr)(p); - } + (*dtrace_fasttrap_exec_ptr)(p); + } proc_unlock(p); #endif @@ -1106,31 +1102,18 @@ grade: kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4); if (vfexec || spawn) { - KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE, + KERNEL_DEBUG_CONSTANT1(TRACE_DATA_EXEC | DBG_FUNC_NONE, p->p_pid ,0,0,0, (uintptr_t)thread_tid(thread)); - KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE, + KERNEL_DEBUG_CONSTANT1(TRACE_STRING_EXEC | DBG_FUNC_NONE, dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (uintptr_t)thread_tid(thread)); } else { - KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE, + KERNEL_DEBUG_CONSTANT(TRACE_DATA_EXEC | DBG_FUNC_NONE, p->p_pid ,0,0,0,0); - KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE, + KERNEL_DEBUG_CONSTANT(TRACE_STRING_EXEC | DBG_FUNC_NONE, dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0); } } -#ifdef IMGPF_POWERPC - /* - * Mark the process as powerpc or not. If powerpc, set the affinity - * flag, which will be used for grading binaries in future exec's - * from the process. - */ - if (((imgp->ip_flags & IMGPF_POWERPC) != 0)) - OSBitOrAtomic(P_TRANSLATED, &p->p_flag); - else -#endif /* IMGPF_POWERPC */ - OSBitAndAtomic(~((uint32_t)P_TRANSLATED), &p->p_flag); - OSBitAndAtomic(~((uint32_t)P_AFFINITY), &p->p_flag); - /* * If posix_spawned with the START_SUSPENDED flag, stop the * process before it runs. @@ -1141,7 +1124,7 @@ grade: proc_lock(p); p->p_stat = SSTOP; proc_unlock(p); - (void) task_suspend(p->task); + (void) task_suspend_internal(p->task); } } @@ -1166,15 +1149,32 @@ grade: psignal_vfork(p, new_task, thread, SIGTRAP); } + goto done; + badtoolate: -if (!spawn) - proc_knote(p, NOTE_EXEC); + /* Don't allow child process to execute any instructions */ + if (!spawn) { + if (vfexec) { + psignal_vfork(p, new_task, thread, SIGKILL); + } else { + psignal(p, SIGKILL); + } - if (vfexec || spawn) { + /* We can't stop this system call at this point, so just pretend we succeeded */ + error = 0; + } + +done: + if (!spawn) { + /* notify only if it has not failed due to FP Key error */ + if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0) + proc_knote(p, NOTE_EXEC); + } + + /* Drop extra references for cases where we don't expect the caller to clean up */ + if (vfexec || (spawn && error == 0)) { task_deallocate(new_task); thread_deallocate(thread); - if (error) - error = 0; } bad: @@ -1197,9 +1197,6 @@ struct execsw { } execsw[] = { { exec_mach_imgact, "Mach-o Binary" }, { exec_fat_imgact, "Fat Binary" }, -#ifdef IMGPF_POWERPC - { exec_powerpc32_imgact, "PowerPC binary" }, -#endif /* IMGPF_POWERPC */ { exec_shell_imgact, "Interpreter Script" }, { NULL, NULL} }; @@ -1233,42 +1230,57 @@ struct execsw { static int exec_activate_image(struct image_params *imgp) { - struct nameidata nd; + struct nameidata *ndp = NULL; + const char *excpath; int error; int resid; int once = 1; /* save SGUID-ness for interpreted files */ int i; - int iterlimit = EAI_ITERLIMIT; + int itercount = 0; proc_t p = vfs_context_proc(imgp->ip_vfs_context); error = execargs_alloc(imgp); if (error) - goto bad; + goto bad_notrans; - /* - * XXXAUDIT: Note: the double copyin introduces an audit - * race. To correct this race, we must use a single - * copyin(), e.g. by passing a flag to namei to indicate an - * external path buffer is being used. - */ - error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg); + error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath); if (error) { goto bad_notrans; } - DTRACE_PROC1(exec, uintptr_t, imgp->ip_strings); + /* Use excpath, which contains the copyin-ed exec path */ + DTRACE_PROC1(exec, uintptr_t, excpath); + + MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO); + if (ndp == NULL) { + error = ENOMEM; + goto bad_notrans; + } - NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1, - imgp->ip_seg, imgp->ip_user_fname, imgp->ip_vfs_context); + NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1, + UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context); again: - error = namei(&nd); + error = namei(ndp); if (error) goto bad_notrans; - imgp->ip_ndp = &nd; /* successful namei(); call nameidone() later */ - imgp->ip_vp = nd.ni_vp; /* if set, need to vnode_put() at some point */ + imgp->ip_ndp = ndp; /* successful namei(); call nameidone() later */ + imgp->ip_vp = ndp->ni_vp; /* if set, need to vnode_put() at some point */ - error = proc_transstart(p, 0); + /* + * Before we start the transition from binary A to binary B, make + * sure another thread hasn't started exiting the process. We grab + * the proc lock to check p_lflag initially, and the transition + * mechanism ensures that the value doesn't change after we release + * the lock. + */ + proc_lock(p); + if (p->p_lflag & P_LEXIT) { + proc_unlock(p); + goto bad_notrans; + } + error = proc_transstart(p, 1, 0); + proc_unlock(p); if (error) goto bad_notrans; @@ -1288,10 +1300,14 @@ again: &resid, vfs_context_proc(imgp->ip_vfs_context)); if (error) goto bad; - + + if (resid) { + memset(imgp->ip_vdata + (PAGE_SIZE - resid), 0x0, resid); + } + encapsulated_binary: /* Limit the number of iterations we will attempt on each binary */ - if (--iterlimit == 0) { + if (++itercount > EAI_ITERLIMIT) { error = EBADEXEC; goto bad; } @@ -1302,7 +1318,7 @@ encapsulated_binary: switch (error) { /* case -1: not claimed: continue */ - case -2: /* Encapsulated binary */ + case -2: /* Encapsulated binary, imgp->ip_XXX set for next iteration */ goto encapsulated_binary; case -3: /* Interpreter */ @@ -1321,22 +1337,25 @@ encapsulated_binary: } mac_vnode_label_copy(imgp->ip_vp->v_label, imgp->ip_scriptlabelp); + + /* + * Take a ref of the script vnode for later use. + */ + if (imgp->ip_scriptvp) + vnode_put(imgp->ip_scriptvp); + if (vnode_getwithref(imgp->ip_vp) == 0) + imgp->ip_scriptvp = imgp->ip_vp; #endif + + nameidone(ndp); + vnode_put(imgp->ip_vp); imgp->ip_vp = NULL; /* already put */ - - NDINIT(&nd, LOOKUP, (nd.ni_cnd.cn_flags & HASBUF) | (FOLLOW | LOCKLEAF), - UIO_SYSSPACE, CAST_USER_ADDR_T(imgp->ip_interp_name), imgp->ip_vfs_context); + imgp->ip_ndp = NULL; /* already nameidone */ -#ifdef IMGPF_POWERPC - /* - * PowerPC does not follow symlinks because the - * code which sets exec_archhandler_ppc.fsid and - * exec_archhandler_ppc.fileid doesn't follow them. - */ - if (imgp->ip_flags & IMGPF_POWERPC) - nd.ni_cnd.cn_flags &= ~FOLLOW; -#endif /* IMGPF_POWERPC */ + /* Use excpath, which exec_shell_imgact reset to the interpreter */ + NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW | LOCKLEAF, + UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context); proc_transend(p, 0); goto again; @@ -1353,7 +1372,7 @@ encapsulated_binary: if (error == 0 && kauth_authorize_fileop_has_listeners()) { kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context), KAUTH_FILEOP_EXEC, - (uintptr_t)nd.ni_vp, 0); + (uintptr_t)ndp->ni_vp, 0); } bad: @@ -1364,10 +1383,93 @@ bad_notrans: execargs_free(imgp); if (imgp->ip_ndp) nameidone(imgp->ip_ndp); + if (ndp) + FREE(ndp, M_TEMP); return (error); } + +/* + * exec_handle_spawnattr_policy + * + * Description: Decode and apply the posix_spawn apptype, qos clamp, and watchport ports to the task. + * + * Parameters: proc_t p process to apply attributes to + * int psa_apptype posix spawn attribute apptype + * + * Returns: 0 Success + */ +static errno_t +exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role, + ipc_port_t * portwatch_ports, int portwatch_count) +{ + int apptype = TASK_APPTYPE_NONE; + int qos_clamp = THREAD_QOS_UNSPECIFIED; + int role = TASK_UNSPECIFIED; + + if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != 0) { + int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK; + + switch(proctype) { + case POSIX_SPAWN_PROC_TYPE_DAEMON_INTERACTIVE: + apptype = TASK_APPTYPE_DAEMON_INTERACTIVE; + break; + case POSIX_SPAWN_PROC_TYPE_DAEMON_STANDARD: + apptype = TASK_APPTYPE_DAEMON_STANDARD; + break; + case POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE: + apptype = TASK_APPTYPE_DAEMON_ADAPTIVE; + break; + case POSIX_SPAWN_PROC_TYPE_DAEMON_BACKGROUND: + apptype = TASK_APPTYPE_DAEMON_BACKGROUND; + break; + case POSIX_SPAWN_PROC_TYPE_APP_DEFAULT: + apptype = TASK_APPTYPE_APP_DEFAULT; + break; + case POSIX_SPAWN_PROC_TYPE_APP_TAL: + apptype = TASK_APPTYPE_APP_TAL; + break; + default: + apptype = TASK_APPTYPE_NONE; + /* TODO: Should an invalid value here fail the spawn? */ + break; + } + } + + if (psa_qos_clamp != POSIX_SPAWN_PROC_CLAMP_NONE) { + switch (psa_qos_clamp) { + case POSIX_SPAWN_PROC_CLAMP_UTILITY: + qos_clamp = THREAD_QOS_UTILITY; + break; + case POSIX_SPAWN_PROC_CLAMP_BACKGROUND: + qos_clamp = THREAD_QOS_BACKGROUND; + break; + case POSIX_SPAWN_PROC_CLAMP_MAINTENANCE: + qos_clamp = THREAD_QOS_MAINTENANCE; + break; + default: + qos_clamp = THREAD_QOS_UNSPECIFIED; + /* TODO: Should an invalid value here fail the spawn? */ + break; + } + } + + if (psa_darwin_role != PRIO_DARWIN_ROLE_DEFAULT) { + proc_darwin_role_to_task_role(psa_darwin_role, &role); + } + + if (apptype != TASK_APPTYPE_NONE || + qos_clamp != THREAD_QOS_UNSPECIFIED || + role != TASK_UNSPECIFIED) { + proc_set_task_spawnpolicy(p->task, apptype, qos_clamp, role, + portwatch_ports, portwatch_count); + } + + return (0); +} + + /* * exec_handle_port_actions * @@ -1379,67 +1481,82 @@ bad_notrans: * short psa_flags posix spawn attribute flags * * Returns: 0 Success - * KERN_FAILURE Failure + * EINVAL Failure * ENOTSUP Illegal posix_spawn attr flag was set */ -static int -exec_handle_port_actions(struct image_params *imgp, short psa_flags) +static errno_t +exec_handle_port_actions(struct image_params *imgp, short psa_flags, boolean_t * portwatch_present, ipc_port_t * portwatch_ports) { _posix_spawn_port_actions_t pacts = imgp->ip_px_spa; proc_t p = vfs_context_proc(imgp->ip_vfs_context); _ps_port_action_t *act = NULL; task_t task = p->task; ipc_port_t port = NULL; - kern_return_t ret = KERN_SUCCESS; + errno_t ret = 0; int i; + *portwatch_present = FALSE; + for (i = 0; i < pacts->pspa_count; i++) { act = &pacts->pspa_actions[i]; - ret = ipc_object_copyin(get_task_ipcspace(current_task()), - CAST_MACH_PORT_TO_NAME(act->new_port), - MACH_MSG_TYPE_COPY_SEND, - (ipc_object_t *) &port); - - if (ret) - return ret; + if (ipc_object_copyin(get_task_ipcspace(current_task()), + act->new_port, MACH_MSG_TYPE_COPY_SEND, + (ipc_object_t *) &port) != KERN_SUCCESS) { + ret = EINVAL; + goto done; + } switch (act->port_type) { - case PSPA_SPECIAL: - /* Only allowed when not under vfork */ - if (!(psa_flags & POSIX_SPAWN_SETEXEC)) - return ENOTSUP; - ret = task_set_special_port(task, - act->which, - port); - break; - case PSPA_EXCEPTION: - /* Only allowed when not under vfork */ - if (!(psa_flags & POSIX_SPAWN_SETEXEC)) - return ENOTSUP; - ret = task_set_exception_ports(task, - act->mask, - port, - act->behavior, - act->flavor); - break; + case PSPA_SPECIAL: + /* Only allowed when not under vfork */ + if (!(psa_flags & POSIX_SPAWN_SETEXEC)) + ret = ENOTSUP; + else if (task_set_special_port(task, + act->which, port) != KERN_SUCCESS) + ret = EINVAL; + break; + + case PSPA_EXCEPTION: + /* Only allowed when not under vfork */ + if (!(psa_flags & POSIX_SPAWN_SETEXEC)) + ret = ENOTSUP; + else if (task_set_exception_ports(task, + act->mask, port, act->behavior, + act->flavor) != KERN_SUCCESS) + ret = EINVAL; + break; #if CONFIG_AUDIT - case PSPA_AU_SESSION: - ret = audit_session_spawnjoin(p, - port); - break; + case PSPA_AU_SESSION: + ret = audit_session_spawnjoin(p, port); + break; #endif - default: - ret = KERN_FAILURE; + case PSPA_IMP_WATCHPORTS: + if (portwatch_ports != NULL) { + *portwatch_present = TRUE; + /* hold on to this till end of spawn */ + portwatch_ports[i] = port; + ret = 0; + } else + ipc_port_release_send(port); + break; + default: + ret = EINVAL; + break; } + /* action failed, so release port resources */ + if (ret) { ipc_port_release_send(port); - return ret; + break; } } - return ret; +done: + if (0 != ret) + DTRACE_PROC1(spawn__port__failure, mach_port_name_t, act->new_port); + return (ret); } /* @@ -1461,7 +1578,7 @@ exec_handle_port_actions(struct image_params *imgp, short psa_flags) * normally permitted to perform. */ static int -exec_handle_file_actions(struct image_params *imgp) +exec_handle_file_actions(struct image_params *imgp, short psa_flags) { int error = 0; int action; @@ -1479,35 +1596,48 @@ exec_handle_file_actions(struct image_params *imgp) * a path argument, which is normally copied in from * user space; because of this, we have to support an * open from kernel space that passes an address space - * context oof UIO_SYSSPACE, and casts the address + * context of UIO_SYSSPACE, and casts the address * argument to a user_addr_t. */ - struct vnode_attr va; - struct nameidata nd; + char *bufp = NULL; + struct vnode_attr *vap; + struct nameidata *ndp; int mode = psfa->psfaa_openargs.psfao_mode; struct dup2_args dup2a; struct close_nocancel_args ca; int origfd; - VATTR_INIT(&va); + MALLOC(bufp, char *, sizeof(*vap) + sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO); + if (bufp == NULL) { + error = ENOMEM; + break; + } + + vap = (struct vnode_attr *) bufp; + ndp = (struct nameidata *) (bufp + sizeof(*vap)); + + VATTR_INIT(vap); /* Mask off all but regular access permissions */ mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT; - VATTR_SET(&va, va_mode, mode & ACCESSPERMS); + VATTR_SET(vap, va_mode, mode & ACCESSPERMS); - NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE, + NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE, CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path), imgp->ip_vfs_context); error = open1(imgp->ip_vfs_context, - &nd, + ndp, psfa->psfaa_openargs.psfao_oflag, - &va, + vap, + fileproc_alloc_init, NULL, ival); + FREE(bufp, M_TEMP); + /* * If there's an error, or we get the right fd by - * accident, then drop out here. This is easier that - * rearchitecting all the open code to preallocate fd + * accident, then drop out here. This is easier than + * reworking all the open code to preallocate fd * slots, and internally taking one as an argument. */ if (error || ival[0] == psfa->psfaa_filedes) @@ -1566,18 +1696,236 @@ exec_handle_file_actions(struct image_params *imgp) } break; + case PSFA_INHERIT: { + struct fcntl_nocancel_args fcntla; + + /* + * Check to see if the descriptor exists, and + * ensure it's -not- marked as close-on-exec. + * + * Attempting to "inherit" a guarded fd will + * result in a error. + */ + fcntla.fd = psfa->psfaa_filedes; + fcntla.cmd = F_GETFD; + if ((error = fcntl_nocancel(p, &fcntla, ival)) != 0) + break; + + if ((ival[0] & FD_CLOEXEC) == FD_CLOEXEC) { + fcntla.fd = psfa->psfaa_filedes; + fcntla.cmd = F_SETFD; + fcntla.arg = ival[0] & ~FD_CLOEXEC; + error = fcntl_nocancel(p, &fcntla, ival); + } + + } + break; + default: error = EINVAL; break; } + /* All file actions failures are considered fatal, per POSIX */ - if (error) + + if (error) { + if (PSFA_OPEN == psfa->psfaa_type) { + DTRACE_PROC1(spawn__open__failure, uintptr_t, + psfa->psfaa_openargs.psfao_path); + } else { + DTRACE_PROC1(spawn__fd__failure, int, psfa->psfaa_filedes); + } break; + } } - return (error); + if (error != 0 || (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == 0) + return (error); + + /* + * If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during + * this spawn only) as if "close on exec" is the default + * disposition of all pre-existing file descriptors. In this case, + * the list of file descriptors mentioned in the file actions + * are the only ones that can be inherited, so mark them now. + * + * The actual closing part comes later, in fdexec(). + */ + proc_fdlock(p); + for (action = 0; action < px_sfap->psfa_act_count; action++) { + _psfa_action_t *psfa = &px_sfap->psfa_act_acts[action]; + int fd = psfa->psfaa_filedes; + + switch (psfa->psfaa_type) { + case PSFA_DUP2: + fd = psfa->psfaa_openargs.psfao_oflag; + /*FALLTHROUGH*/ + case PSFA_OPEN: + case PSFA_INHERIT: + *fdflags(p, fd) |= UF_INHERIT; + break; + + case PSFA_CLOSE: + break; + } + } + proc_fdunlock(p); + + return (0); +} + +#if CONFIG_MACF +/* + * exec_spawnattr_getmacpolicyinfo + */ +void * +exec_spawnattr_getmacpolicyinfo(const void *macextensions, const char *policyname, size_t *lenp) +{ + const struct _posix_spawn_mac_policy_extensions *psmx = macextensions; + int i; + + if (psmx == NULL) + return NULL; + + for (i = 0; i < psmx->psmx_count; i++) { + const _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i]; + if (strncmp(extension->policyname, policyname, sizeof(extension->policyname)) == 0) { + if (lenp != NULL) + *lenp = extension->datalen; + return extension->datap; + } + } + + if (lenp != NULL) + *lenp = 0; + return NULL; +} + +static int +spawn_copyin_macpolicyinfo(const struct user__posix_spawn_args_desc *px_args, _posix_spawn_mac_policy_extensions_t *psmxp) +{ + _posix_spawn_mac_policy_extensions_t psmx = NULL; + int error = 0; + int copycnt = 0; + int i = 0; + + *psmxp = NULL; + + if (px_args->mac_extensions_size < PS_MAC_EXTENSIONS_SIZE(1) || + px_args->mac_extensions_size > PAGE_SIZE) { + error = EINVAL; + goto bad; + } + + MALLOC(psmx, _posix_spawn_mac_policy_extensions_t, px_args->mac_extensions_size, M_TEMP, M_WAITOK); + if ((error = copyin(px_args->mac_extensions, psmx, px_args->mac_extensions_size)) != 0) + goto bad; + + if (PS_MAC_EXTENSIONS_SIZE(psmx->psmx_count) > px_args->mac_extensions_size) { + error = EINVAL; + goto bad; + } + + for (i = 0; i < psmx->psmx_count; i++) { + _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i]; + if (extension->datalen == 0 || extension->datalen > PAGE_SIZE) { + error = EINVAL; + goto bad; + } + } + + for (copycnt = 0; copycnt < psmx->psmx_count; copycnt++) { + _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt]; + void *data = NULL; + + MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK); + if ((error = copyin(extension->data, data, extension->datalen)) != 0) { + FREE(data, M_TEMP); + goto bad; + } + extension->datap = data; + } + + *psmxp = psmx; + return 0; + +bad: + if (psmx != NULL) { + for (i = 0; i < copycnt; i++) + FREE(psmx->psmx_extensions[i].datap, M_TEMP); + FREE(psmx, M_TEMP); + } + return error; +} + +static void +spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx) +{ + int i; + + if (psmx == NULL) + return; + for (i = 0; i < psmx->psmx_count; i++) + FREE(psmx->psmx_extensions[i].datap, M_TEMP); + FREE(psmx, M_TEMP); } +#endif /* CONFIG_MACF */ + +#if CONFIG_COALITIONS +static inline void spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES]) +{ + for (int c = 0; c < COALITION_NUM_TYPES; c++) { + if (coal[c]) { + coalition_remove_active(coal[c]); + coalition_release(coal[c]); + } + } +} +#endif + +void +proc_set_return_wait(proc_t p) +{ + proc_lock(p); + p->p_lflag |= P_LRETURNWAIT; + proc_unlock(p); +} + +void +proc_clear_return_wait(proc_t p, thread_t child_thread) +{ + proc_lock(p); + + p->p_lflag &= ~P_LRETURNWAIT; + if (p->p_lflag & P_LRETURNWAITER) { + wakeup(&p->p_lflag); + } + + proc_unlock(p); + + (void)thread_resume(child_thread); +} + +void +proc_wait_to_return() +{ + proc_t p; + + p = current_proc(); + proc_lock(p); + if (p->p_lflag & P_LRETURNWAIT) { + p->p_lflag |= P_LRETURNWAITER; + do { + msleep(&p->p_lflag, &p->p_mlock, 0, + "thread_check_setup_complete", NULL); + } while (p->p_lflag & P_LRETURNWAIT); + p->p_lflag &= ~P_LRETURNWAITER; + } + + proc_unlock(p); + thread_bootstrap_return(); +} /* * posix_spawn @@ -1619,7 +1967,6 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) struct vnode_attr *origvap; struct uthread *uthread = 0; /* compiler complains if not set to 0*/ int error, sig; - char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */ int is_64 = IS_64BIT_PROCESS(p); struct vfs_context context; struct user__posix_spawn_args_desc px_args; @@ -1628,10 +1975,15 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) _posix_spawn_port_actions_t px_spap = NULL; struct __kern_sigaction vec; boolean_t spawn_no_exec = FALSE; + boolean_t proc_transit_set = TRUE; + boolean_t exec_done = FALSE; + int portwatch_count = 0; + ipc_port_t * portwatch_ports = NULL; + vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports); /* * Allocate a big chunk for locals instead of using stack since these - * structures a pretty big. + * structures are pretty big. */ MALLOC(bufp, char *, (sizeof(*imgp) + sizeof(*vap) + sizeof(*origvap)), M_TEMP, M_WAITOK | M_ZERO); imgp = (struct image_params *) bufp; @@ -1650,8 +2002,9 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) imgp->ip_origvattr = origvap; imgp->ip_vfs_context = &context; imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE); - imgp->ip_p_comm = alt_p_comm; /* for PowerPC */ imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32); + imgp->ip_mac_return = 0; + imgp->ip_reserved = NULL; if (uap->adesc != USER_ADDR_NULL) { if(is_64) { @@ -1671,17 +2024,27 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions); px_args.port_actions_size = px_args32.port_actions_size; px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions); + px_args.mac_extensions_size = px_args32.mac_extensions_size; + px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions); + px_args.coal_info_size = px_args32.coal_info_size; + px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info); + px_args.reserved = 0; + px_args.reserved_size = 0; } if (error) goto bad; if (px_args.attr_size != 0) { /* - * This could lose some of the port_actions pointer, - * but we already have it from px_args. + * We are not copying the port_actions pointer, + * because we already have it from px_args. + * This is a bit fragile: */ - if ((error = copyin(px_args.attrp, &px_sa, sizeof(px_sa))) != 0) + + if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset) != 0)) goto bad; + + bzero( (void *)( (unsigned long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset ); imgp->ip_px_sa = &px_sa; } @@ -1703,6 +2066,12 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) if ((error = copyin(px_args.file_actions, px_sfap, px_args.file_actions_size)) != 0) goto bad; + + /* Verify that the action count matches the struct size */ + if (PSF_ACTIONS_SIZE(px_sfap->psfa_act_count) != px_args.file_actions_size) { + error = EINVAL; + goto bad; + } } if (px_args.port_actions_size != 0) { /* Limit port_actions to one page of data */ @@ -1723,7 +2092,20 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) if ((error = copyin(px_args.port_actions, px_spap, px_args.port_actions_size)) != 0) goto bad; + + /* Verify that the action count matches the struct size */ + if (PS_PORT_ACTIONS_SIZE(px_spap->pspa_count) != px_args.port_actions_size) { + error = EINVAL; + goto bad; + } + } + +#if CONFIG_MACF + if (px_args.mac_extensions_size != 0) { + if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != 0) + goto bad; } +#endif /* CONFIG_MACF */ } /* set uthread to parent */ @@ -1740,22 +2122,131 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) } /* - * If we don't have the extention flag that turns "posix_spawn()" + * If we don't have the extension flag that turns "posix_spawn()" * into "execve() with options", then we will be creating a new * process which does not inherit memory from the parent process, * which is one of the most expensive things about using fork() * and execve(). */ if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){ - if ((error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN)) != 0) + + /* Set the new task's coalition, if it is requested. */ + coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL }; +#if CONFIG_COALITIONS + int i, ncoals; + kern_return_t kr = KERN_SUCCESS; + struct _posix_spawn_coalition_info coal_info; + int coal_role[COALITION_NUM_TYPES]; + + if (imgp->ip_px_sa == NULL || !px_args.coal_info) + goto do_fork1; + + memset(&coal_info, 0, sizeof(coal_info)); + + if (px_args.coal_info_size > sizeof(coal_info)) + px_args.coal_info_size = sizeof(coal_info); + error = copyin(px_args.coal_info, + &coal_info, px_args.coal_info_size); + if (error != 0) + goto bad; + + ncoals = 0; + for (i = 0; i < COALITION_NUM_TYPES; i++) { + uint64_t cid = coal_info.psci_info[i].psci_id; + if (cid != 0) { + /* + * don't allow tasks which are not in a + * privileged coalition to spawn processes + * into coalitions other than their own + */ + if (!task_is_in_privileged_coalition(p->task, i)) { + coal_dbg("ERROR: %d not in privilegd " + "coalition of type %d", + p->p_pid, i); + spawn_coalitions_release_all(coal); + error = EPERM; + goto bad; + } + + coal_dbg("searching for coalition id:%llu", cid); + /* + * take a reference and activation on the + * coalition to guard against free-while-spawn + * races + */ + coal[i] = coalition_find_and_activate_by_id(cid); + if (coal[i] == COALITION_NULL) { + coal_dbg("could not find coalition id:%llu " + "(perhaps it has been terminated or reaped)", cid); + /* + * release any other coalition's we + * may have a reference to + */ + spawn_coalitions_release_all(coal); + error = ESRCH; + goto bad; + } + if (coalition_type(coal[i]) != i) { + coal_dbg("coalition with id:%lld is not of type:%d" + " (it's type:%d)", cid, i, coalition_type(coal[i])); + error = ESRCH; + goto bad; + } + coal_role[i] = coal_info.psci_info[i].psci_role; + ncoals++; + } + } + if (ncoals < COALITION_NUM_TYPES) { + /* + * If the user is attempting to spawn into a subset of + * the known coalition types, then make sure they have + * _at_least_ specified a resource coalition. If not, + * the following fork1() call will implicitly force an + * inheritance from 'p' and won't actually spawn the + * new task into the coalitions the user specified. + * (also the call to coalitions_set_roles will panic) + */ + if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) { + spawn_coalitions_release_all(coal); + error = EINVAL; + goto bad; + } + } +do_fork1: +#endif /* CONFIG_COALITIONS */ + + error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal); + +#if CONFIG_COALITIONS + /* set the roles of this task within each given coalition */ + if (error == 0) { + kr = coalitions_set_roles(coal, get_threadtask(imgp->ip_new_thread), coal_role); + if (kr != KERN_SUCCESS) + error = EINVAL; + } + + /* drop our references and activations - fork1() now holds them */ + spawn_coalitions_release_all(coal); +#endif /* CONFIG_COALITIONS */ + if (error != 0) { goto bad; + } imgp->ip_flags |= IMGPF_SPAWN; /* spawn w/o exec */ spawn_no_exec = TRUE; /* used in later tests */ + } - if (spawn_no_exec) + if (spawn_no_exec) { p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread); - + + /* + * We had to wait until this point before firing the + * proc:::create probe, otherwise p would not point to the + * child process. + */ + DTRACE_PROC1(create, proc_t, p); + } + assert(p != NULL); /* By default, the thread everyone plays with is the parent */ context.vc_thread = current_thread(); @@ -1768,27 +2259,54 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) if (spawn_no_exec) context.vc_thread = imgp->ip_new_thread; - /* * Post fdcopy(), pre exec_handle_sugid() - this is where we want * to handle the file_actions. Since vfork() also ends up setting * us into the parent process group, and saved off the signal flags, * this is also where we want to handle the spawn flags. */ + /* Has spawn file actions? */ - if (imgp->ip_px_sfa != NULL && - (error = exec_handle_file_actions(imgp)) != 0) { - goto bad; + if (imgp->ip_px_sfa != NULL) { + /* + * The POSIX_SPAWN_CLOEXEC_DEFAULT flag + * is handled in exec_handle_file_actions(). + */ + if ((error = exec_handle_file_actions(imgp, + imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0)) != 0) + goto bad; } /* Has spawn port actions? */ - if (imgp->ip_px_spa != NULL) { - /* - * The check for the POSIX_SPAWN_SETEXEC flag is done in - * exec_handle_port_actions(). + if (imgp->ip_px_spa != NULL) { + boolean_t is_adaptive = FALSE; + boolean_t portwatch_present = FALSE; + + /* Will this process become adaptive? The apptype isn't ready yet, so we can't look there. */ + if (imgp->ip_px_sa != NULL && px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE) + is_adaptive = TRUE; + + /* + * portwatch only: + * Allocate a place to store the ports we want to bind to the new task + * We can't bind them until after the apptype is set. */ - if((error = exec_handle_port_actions(imgp, px_sa.psa_flags)) != 0) + if (px_spap->pspa_count != 0 && is_adaptive) { + portwatch_count = px_spap->pspa_count; + MALLOC(portwatch_ports, ipc_port_t *, (sizeof(ipc_port_t) * portwatch_count), M_TEMP, M_WAITOK | M_ZERO); + } else { + portwatch_ports = NULL; + } + + if ((error = exec_handle_port_actions(imgp, + imgp->ip_px_sa != NULL ? px_sa.psa_flags : 0, &portwatch_present, portwatch_ports)) != 0) goto bad; + + if (portwatch_present == FALSE && portwatch_ports != NULL) { + FREE(portwatch_ports, M_TEMP); + portwatch_ports = NULL; + portwatch_count = 0; + } } /* Has spawn attr? */ @@ -1824,12 +2342,45 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) */ if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) { kauth_cred_t my_cred = p->p_ucred; - kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, my_cred->cr_ruid, my_cred->cr_rgid); - if (my_new_cred != my_cred) + kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred)); + if (my_new_cred != my_cred) { p->p_ucred = my_new_cred; + /* update cred on proc */ + PROC_UPDATE_CREDS_ONPROC(p); + } } + +#if !SECURE_KERNEL + /* + * Disable ASLR for the spawned process. + * + * But only do so if we are not embedded + RELEASE. + * While embedded allows for a boot-arg (-disable_aslr) + * to deal with this (which itself is only honored on + * DEVELOPMENT or DEBUG builds of xnu), it is often + * useful or necessary to disable ASLR on a per-process + * basis for unit testing and debugging. + */ + if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR) + OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag); +#endif /* !SECURE_KERNEL */ + + /* + * Forcibly disallow execution from data pages for the spawned process + * even if it would otherwise be permitted by the architecture default. + */ + if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC) + imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC; } + /* + * Disable ASLR during image activation. This occurs either if the + * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if + * P_DISABLE_ASLR was inherited from the parent process. + */ + if (p->p_flag & P_DISABLE_ASLR) + imgp->ip_flags |= IMGPF_DISABLE_ASLR; + /* * Clear transition flag so we won't hang if exec_activate_image() causes * an automount (and launchd does a proc sysctl to service it). @@ -1838,6 +2389,7 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) */ if (spawn_no_exec) { proc_transend(p, 0); + proc_transit_set = 0; } #if MAC_SPAWN /* XXX */ @@ -1852,10 +2404,14 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) * Activate the image */ error = exec_activate_image(imgp); - - /* Image not claimed by any activator? */ - if (error == -1) + + if (error == 0) { + /* process completed the exec */ + exec_done = TRUE; + } else if (error == -1) { + /* Image not claimed by any activator? */ error = ENOEXEC; + } /* * If we have a spawn attr, and it contains signal related flags, @@ -1904,10 +2460,34 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval) error = setsigvec(p, child_thread, sig + 1, &vec, spawn_no_exec); } } + + /* + * Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU + * usage limit, which will generate a resource exceeded exception if any one thread exceeds the + * limit. + * + * Userland gives us interval in seconds, and the kernel SPI expects nanoseconds. + */ + if (px_sa.psa_cpumonitor_percent != 0) { + /* + * Always treat a CPU monitor activation coming from spawn as entitled. Requiring + * an entitlement to configure the monitor a certain way seems silly, since + * whomever is turning it on could just as easily choose not to do so. + */ + error = proc_set_task_ruse_cpu(p->task, + TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC, + px_sa.psa_cpumonitor_percent, + px_sa.psa_cpumonitor_interval * NSEC_PER_SEC, + 0, TRUE); + } } bad: + if (error == 0) { + /* reset delay idle sleep status if set */ + if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP) + OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag); /* upon successful spawn, re/set the proc control state */ if (imgp->ip_px_sa != NULL) { switch (px_sa.psa_pcontrol) { @@ -1927,6 +2507,40 @@ bad: }; } exec_resettextvp(p, imgp); + +#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM + /* Has jetsam attributes? */ + if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) { + /* + * With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no + * longer relevant, as background limits are described via the inactive limit slots. + * At the kernel layer, the flag is ignored. + * + * That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in, + * we attempt to mimic previous behavior by forcing the BG limit data into the + * inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode. + * The kernel layer will flag this mapping. + */ + if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) { + memorystatus_update(p, px_sa.psa_priority, 0, + (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY), + TRUE, + -1, TRUE, + px_sa.psa_memlimit_inactive, FALSE, + (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND)); + } else { + memorystatus_update(p, px_sa.psa_priority, 0, + (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY), + TRUE, + px_sa.psa_memlimit_active, + (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL), + px_sa.psa_memlimit_inactive, + (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL), + (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND)); + } + + } +#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM*/ } /* @@ -1938,6 +2552,9 @@ bad: * before check_for_signature(), which uses psignal. */ if (spawn_no_exec) { + if (proc_transit_set) + proc_transend(p, 0); + /* * Drop the signal lock on the child which was taken on our * behalf by forkproc()/cloneproc() to prevent signals being @@ -1948,8 +2565,54 @@ bad: /* flag the 'fork' has occurred */ proc_knote(p->p_pptr, NOTE_FORK | p->p_pid); /* then flag exec has occurred */ - proc_knote(p, NOTE_EXEC); - DTRACE_PROC1(create, proc_t, p); + /* notify only if it has not failed due to FP Key error */ + if ((p->p_lflag & P_LTERM_DECRYPTFAIL) == 0) + proc_knote(p, NOTE_EXEC); + } else if (error == 0) { + /* reset the importance attribute from our previous life */ + task_importance_reset(p->task); + + /* reset atm context from task */ + task_atm_reset(p->task); + } + + /* + * Apply the spawnattr policy, apptype (which primes the task for importance donation), + * and bind any portwatch ports to the new task. + * This must be done after the exec so that the child's thread is ready, + * and after the in transit state has been released, because priority is + * dropped here so we need to be prepared for a potentially long preemption interval + * + * TODO: Consider splitting this up into separate phases + */ + if (error == 0 && imgp->ip_px_sa != NULL) { + struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa; + + exec_handle_spawnattr_policy(p, psa->psa_apptype, psa->psa_qos_clamp, psa->psa_darwin_role, + portwatch_ports, portwatch_count); + } + + /* Apply the main thread qos */ + if (error == 0) { + thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread(); + + task_set_main_thread_qos(p->task, main_thread); + } + + /* + * Release any ports we kept around for binding to the new task + * We need to release the rights even if the posix_spawn has failed. + */ + if (portwatch_ports != NULL) { + for (int i = 0; i < portwatch_count; i++) { + ipc_port_t port = NULL; + if ((port = portwatch_ports[i]) != NULL) { + ipc_port_release_send(port); + } + } + FREE(portwatch_ports, M_TEMP); + portwatch_ports = NULL; + portwatch_count = 0; } /* @@ -1974,14 +2637,17 @@ bad: if (imgp != NULL) { if (imgp->ip_vp) vnode_put(imgp->ip_vp); + if (imgp->ip_scriptvp) + vnode_put(imgp->ip_scriptvp); if (imgp->ip_strings) execargs_free(imgp); if (imgp->ip_px_sfa != NULL) FREE(imgp->ip_px_sfa, M_TEMP); if (imgp->ip_px_spa != NULL) FREE(imgp->ip_px_spa, M_TEMP); - #if CONFIG_MACF + if (imgp->ip_px_smpx != NULL) + spawn_free_macpolicyinfo(imgp->ip_px_smpx); if (imgp->ip_execlabelp) mac_cred_label_free(imgp->ip_execlabelp); if (imgp->ip_scriptlabelp) @@ -1989,34 +2655,48 @@ bad: #endif } - if (error) { - DTRACE_PROC1(exec__failure, int, error); +#if CONFIG_DTRACE + if (spawn_no_exec) { + /* + * In the original DTrace reference implementation, + * posix_spawn() was a libc routine that just + * did vfork(2) then exec(2). Thus the proc::: probes + * are very fork/exec oriented. The details of this + * in-kernel implementation of posix_spawn() is different + * (while producing the same process-observable effects) + * particularly w.r.t. errors, and which thread/process + * is constructing what on behalf of whom. + */ + if (error) { + DTRACE_PROC1(spawn__failure, int, error); + } else { + DTRACE_PROC(spawn__success); + /* + * Some DTrace scripts, e.g. newproc.d in + * /usr/bin, rely on the the 'exec-success' + * probe being fired in the child after the + * new process image has been constructed + * in order to determine the associated pid. + * + * So, even though the parent built the image + * here, for compatibility, mark the new thread + * so 'exec-success' fires on it as it leaves + * the kernel. + */ + dtrace_thread_didexec(imgp->ip_new_thread); + } } else { - /* - * temporary - so dtrace call to current_proc() - * returns the child process instead of the parent. - */ - if (imgp != NULL && imgp->ip_flags & IMGPF_SPAWN) { - p->p_lflag |= P_LINVFORK; - p->p_vforkact = current_thread(); - uthread->uu_proc = p; - uthread->uu_flag |= UT_VFORK; - } - - DTRACE_PROC(exec__success); - - /* - * temporary - so dtrace call to current_proc() - * returns the child process instead of the parent. - */ - if (imgp != NULL && imgp->ip_flags & IMGPF_SPAWN) { - p->p_lflag &= ~P_LINVFORK; - p->p_vforkact = NULL; - uthread->uu_proc = PROC_NULL; - uthread->uu_flag &= ~UT_VFORK; - } + if (error) { + DTRACE_PROC1(exec__failure, int, error); + } else { + DTRACE_PROC(exec__success); + } } + if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) + (*dtrace_proc_waitfor_hook)(p); +#endif + /* Return to both the parent and the child? */ if (imgp != NULL && spawn_no_exec) { /* @@ -2040,16 +2720,20 @@ bad: p->exit_thread = current_thread(); proc_unlock(p); exit1(p, 1, (int *)NULL); - task_deallocate(get_threadtask(imgp->ip_new_thread)); - thread_deallocate(imgp->ip_new_thread); + proc_clear_return_wait(p, imgp->ip_new_thread); + if (exec_done == FALSE) { + task_deallocate(get_threadtask(imgp->ip_new_thread)); + thread_deallocate(imgp->ip_new_thread); + } } else { /* someone is doing it for us; just skip it */ proc_unlock(p); + proc_clear_return_wait(p, imgp->ip_new_thread); } } else { /* - * Return" to the child + * Return to the child * * Note: the image activator earlier dropped the * task/thread references to the newly spawned @@ -2057,7 +2741,7 @@ bad: * queue references on them, so we should be fine * with the delayed resume of the thread here. */ - (void)thread_resume(imgp->ip_new_thread); + proc_clear_return_wait(p, imgp->ip_new_thread); } } if (bufp != NULL) { @@ -2096,6 +2780,8 @@ execve(proc_t p, struct execve_args *uap, int32_t *retval) struct __mac_execve_args muap; int err; + memoryshot(VM_EXECVE, DBG_FUNC_NONE); + muap.fname = uap->fname; muap.argp = uap->argp; muap.envp = uap->envp; @@ -2139,9 +2825,9 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval) struct vnode_attr *vap; struct vnode_attr *origvap; int error; - char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */ int is_64 = IS_64BIT_PROCESS(p); struct vfs_context context; + struct uthread *uthread; context.vc_thread = current_thread(); context.vc_ucred = kauth_cred_proc_ref(p); /* XXX must NOT be kauth_cred_get() */ @@ -2165,9 +2851,14 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval) imgp->ip_vattr = vap; imgp->ip_origvattr = origvap; imgp->ip_vfs_context = &context; - imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE); - imgp->ip_p_comm = alt_p_comm; /* for PowerPC */ + imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE) | ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE); imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32); + imgp->ip_mac_return = 0; + + uthread = get_bsdthread_info(current_thread()); + if (uthread->uu_flag & UT_VFORK) { + imgp->ip_flags |= IMGPF_VFORK_EXEC; + } #if CONFIG_MACF if (uap->mac_p != USER_ADDR_NULL) { @@ -2193,6 +2884,8 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval) } if (imgp->ip_vp != NULLVP) vnode_put(imgp->ip_vp); + if (imgp->ip_scriptvp != NULLVP) + vnode_put(imgp->ip_scriptvp); if (imgp->ip_strings) execargs_free(imgp); #if CONFIG_MACF @@ -2202,16 +2895,29 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval) mac_vnode_label_free(imgp->ip_scriptlabelp); #endif if (!error) { - struct uthread *uthread; - /* Sever any extant thread affinity */ thread_affinity_exec(current_thread()); + thread_t main_thread = (imgp->ip_new_thread != NULL) ? imgp->ip_new_thread : current_thread(); + + task_set_main_thread_qos(p->task, main_thread); + + /* reset task importance */ + task_importance_reset(p->task); + + /* reset atm context from task */ + task_atm_reset(p->task); + DTRACE_PROC(exec__success); - uthread = get_bsdthread_info(current_thread()); - if (uthread->uu_flag & UT_VFORK) { + +#if CONFIG_DTRACE + if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) + (*dtrace_proc_waitfor_hook)(p); +#endif + + if (imgp->ip_flags & IMGPF_VFORK_EXEC) { vfork_return(p, retval, p->p_pid); - (void)thread_resume(imgp->ip_new_thread); + proc_clear_return_wait(p, imgp->ip_new_thread); } } else { DTRACE_PROC1(exec__failure, int, error); @@ -2273,8 +2979,6 @@ copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size) * Returns: 0 Success * EFAULT Bad 'ua' * - * Implicit returns: - * *ptr_size Modified */ static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size) @@ -2311,85 +3015,156 @@ copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size) * Note: The strings segment layout is backward, from the beginning * of the top of the stack to consume the minimal amount of * space possible; the returned stack pointer points to the - * end of the area consumed (stacks grow upward). + * end of the area consumed (stacks grow downward). * * argc is an int; arg[i] are pointers; env[i] are pointers; - * exec_path is a pointer; the 0's are (void *)NULL's + * the 0's are (void *)NULL's * * The stack frame layout is: * - * +-------------+ - * sp-> | argc | - * +-------------+ - * | arg[0] | - * +-------------+ - * : - * : - * +-------------+ - * | arg[argc-1] | - * +-------------+ - * | 0 | - * +-------------+ - * | env[0] | - * +-------------+ - * : - * : - * +-------------+ - * | env[n] | - * +-------------+ - * | 0 | - * +-------------+ - * | exec_path | In MacOS X PR2 Beaker2E the path passed to exec() is - * +-------------+ passed on the stack just after the trailing 0 of the - * | 0 | the envp[] array as a pointer to a string. - * +-------------+ - * | PATH AREA | - * +-------------+ - * | STRING AREA | - * : - * : - * | | <- p->user_stack - * +-------------+ + * +-------------+ <- p->user_stack + * | 16b | + * +-------------+ + * | STRING AREA | + * | : | + * | : | + * | : | + * +- -- -- -- --+ + * | PATH AREA | + * +-------------+ + * | 0 | + * +-------------+ + * | applev[n] | + * +-------------+ + * : + * : + * +-------------+ + * | applev[1] | + * +-------------+ + * | exec_path / | + * | applev[0] | + * +-------------+ + * | 0 | + * +-------------+ + * | env[n] | + * +-------------+ + * : + * : + * +-------------+ + * | env[0] | + * +-------------+ + * | 0 | + * +-------------+ + * | arg[argc-1] | + * +-------------+ + * : + * : + * +-------------+ + * | arg[0] | + * +-------------+ + * | argc | + * sp-> +-------------+ * * Although technically a part of the STRING AREA, we treat the PATH AREA as * a separate entity. This allows us to align the beginning of the PATH AREA * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers * which preceed it on the stack are properly aligned. - * - * TODO: argc copied with suword(), which takes a 64 bit address */ + static int exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp) { proc_t p = vfs_context_proc(imgp->ip_vfs_context); int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4; - char *argv = imgp->ip_argv; /* modifiable copy of argv */ + int ptr_area_size; + void *ptr_buffer_start, *ptr_buffer; + int string_size; + user_addr_t string_area; /* *argv[], *env[] */ - user_addr_t path_area; /* package launch path */ - user_addr_t ptr_area; /* argv[], env[], exec_path */ + user_addr_t ptr_area; /* argv[], env[], applev[] */ + user_addr_t argc_area; /* argc */ user_addr_t stack; - int stringc = imgp->ip_argc + imgp->ip_envc; - size_t len; int error; - ssize_t strspace; + + unsigned i; + struct copyout_desc { + char *start_string; + int count; +#if CONFIG_DTRACE + user_addr_t *dtrace_cookie; +#endif + boolean_t null_term; + } descriptors[] = { + { + .start_string = imgp->ip_startargv, + .count = imgp->ip_argc, +#if CONFIG_DTRACE + .dtrace_cookie = &p->p_dtrace_argv, +#endif + .null_term = TRUE + }, + { + .start_string = imgp->ip_endargv, + .count = imgp->ip_envc, +#if CONFIG_DTRACE + .dtrace_cookie = &p->p_dtrace_envp, +#endif + .null_term = TRUE + }, + { + .start_string = imgp->ip_strings, + .count = 1, +#if CONFIG_DTRACE + .dtrace_cookie = NULL, +#endif + .null_term = FALSE + }, + { + .start_string = imgp->ip_endenvv, + .count = imgp->ip_applec - 1, /* exec_path handled above */ +#if CONFIG_DTRACE + .dtrace_cookie = NULL, +#endif + .null_term = TRUE + } + }; stack = *stackp; - size_t patharea_len = imgp->ip_argv - imgp->ip_strings; - int envc_add = 0; - /* - * Set up pointers to the beginning of the string area, the beginning - * of the path area, and the beginning of the pointer area (actually, - * the location of argc, an int, which may be smaller than a pointer, - * but we use ptr_size worth of space for it, for alignment). + * All previous contributors to the string area + * should have aligned their sub-area */ - string_area = stack - (((imgp->ip_strendp - imgp->ip_strings) + ptr_size-1) & ~(ptr_size-1)) - ptr_size; - path_area = string_area - ((patharea_len + ptr_size-1) & ~(ptr_size-1)); - ptr_area = path_area - ((imgp->ip_argc + imgp->ip_envc + 4 + envc_add) * ptr_size) - ptr_size /*argc*/; + if (imgp->ip_strspace % ptr_size != 0) { + error = EINVAL; + goto bad; + } - /* Return the initial stack address: the location of argc */ - *stackp = ptr_area; + /* Grow the stack down for the strings we've been building up */ + string_size = imgp->ip_strendp - imgp->ip_strings; + stack -= string_size; + string_area = stack; + + /* + * Need room for one pointer for each string, plus + * one for the NULLs terminating the argv, envv, and apple areas. + */ + ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + 3) * + ptr_size; + stack -= ptr_area_size; + ptr_area = stack; + + /* We'll construct all the pointer arrays in our string buffer, + * which we already know is aligned properly, and ip_argspace + * was used to verify we have enough space. + */ + ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp; + + /* + * Need room for pointer-aligned argc slot. + */ + stack -= ptr_size; + argc_area = stack; /* * Record the size of the arguments area so that sysctl_procargs() @@ -2397,92 +3172,73 @@ exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp) */ proc_lock(p); p->p_argc = imgp->ip_argc; - p->p_argslen = (int)(stack - path_area); + p->p_argslen = (int)(*stackp - string_area); proc_unlock(p); + /* Return the initial stack address: the location of argc */ + *stackp = stack; /* - * Support for new app package launching for Mac OS X allocates - * the "path" at the begining of the imgp->ip_strings buffer. - * copy it just before the string area. + * Copy out the entire strings area. */ - len = 0; - error = copyoutstr(imgp->ip_strings, path_area, - patharea_len, - &len); + error = copyout(imgp->ip_strings, string_area, + string_size); if (error) goto bad; + for (i = 0; i < sizeof(descriptors)/sizeof(descriptors[0]); i++) { + char *cur_string = descriptors[i].start_string; + int j; - /* Save a NULL pointer below it */ - (void)copyoutptr(0LL, path_area - ptr_size, ptr_size); - - /* Save the pointer to "path" just below it */ - (void)copyoutptr(path_area, path_area - 2*ptr_size, ptr_size); +#if CONFIG_DTRACE + if (descriptors[i].dtrace_cookie) { + proc_lock(p); + *descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience */ + proc_unlock(p); + } +#endif /* CONFIG_DTRACE */ - /* - * ptr_size for 2 NULL one each ofter arg[argc -1] and env[n] - * ptr_size for argc - * skip over saved path, ptr_size for pointer to path, - * and ptr_size for the NULL after pointer to path. - */ + /* + * For each segment (argv, envv, applev), copy as many pointers as requested + * to our pointer buffer. + */ + for (j = 0; j < descriptors[i].count; j++) { + user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings); + + /* Copy out the pointer to the current string. Alignment has been verified */ + if (ptr_size == 8) { + *(uint64_t *)ptr_buffer = (uint64_t)cur_address; + } else { + *(uint32_t *)ptr_buffer = (uint32_t)cur_address; + } + + ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size); + cur_string += strlen(cur_string) + 1; /* Only a NUL between strings in the same area */ + } - /* argc (int32, stored in a ptr_size area) */ - (void)suword(ptr_area, imgp->ip_argc); - ptr_area += sizeof(int); - /* pad to ptr_size, if 64 bit image, to ensure user stack alignment */ - if (imgp->ip_flags & IMGPF_IS_64BIT) { - (void)suword(ptr_area, 0); /* int, not long: ignored */ - ptr_area += sizeof(int); + if (descriptors[i].null_term) { + if (ptr_size == 8) { + *(uint64_t *)ptr_buffer = 0ULL; + } else { + *(uint32_t *)ptr_buffer = 0; + } + + ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size); + } } -#if CONFIG_DTRACE - p->p_dtrace_argv = ptr_area; /* user_addr_t &argv[0] for dtrace convenience */ -#endif /* CONFIG_DTRACE */ - /* - * We use (string_area - path_area) here rather than the more - * intuitive (imgp->ip_argv - imgp->ip_strings) because we are - * interested in the length of the PATH_AREA in user space, - * rather than the actual length of the execution path, since - * it includes alignment padding of the PATH_AREA + STRING_AREA - * to a ptr_size boundary. + * Copy out all our pointer arrays in bulk. */ - strspace = SIZE_IMG_STRSPACE - (string_area - path_area); - for (;;) { - if (stringc == imgp->ip_envc) { - /* argv[n] = NULL */ - (void)copyoutptr(0LL, ptr_area, ptr_size); - ptr_area += ptr_size; -#if CONFIG_DTRACE - p->p_dtrace_envp = ptr_area; /* user_addr_t &env[0] for dtrace convenience */ -#endif /* CONFIG_DTRACE */ - } - if (--stringc < 0) - break; - - /* pointer: argv[n]/env[n] */ - (void)copyoutptr(string_area, ptr_area, ptr_size); + error = copyout(ptr_buffer_start, ptr_area, + ptr_area_size); + if (error) + goto bad; - /* string : argv[n][]/env[n][] */ - do { - if (strspace <= 0) { - error = E2BIG; - break; - } - error = copyoutstr(argv, string_area, - strspace, - &len); - string_area += len; - argv += len; - strspace -= len; - } while (error == ENAMETOOLONG); - if (error == EFAULT || error == E2BIG) - break; /* bad stack - user's problem */ - ptr_area += ptr_size; - } - /* env[n] = NULL */ - (void)copyoutptr(0LL, ptr_area, ptr_size); + /* argc (int32, stored in a ptr_size area) */ + error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size); + if (error) + goto bad; bad: return(error); @@ -2495,6 +3251,11 @@ bad: * Copy arguments and environment from user space into work area; we may * have already copied some early arguments into the work area, and if * so, any arguments opied in are appended to those already there. + * This function is the primary manipulator of ip_argspace, since + * these are the arguments the client of execve(2) knows about. After + * each argv[]/envv[] string is copied, we charge the string length + * and argv[]/envv[] pointer slot to ip_argspace, so that we can + * full preflight the arg list size. * * Parameters: struct image_params * the image parameter block * @@ -2504,6 +3265,8 @@ bad: * Implicit returns; * (imgp->ip_argc) Count of arguments, updated * (imgp->ip_envc) Count of environment strings, updated + * (imgp->ip_argspace) Count of remaining of NCARGS + * (imgp->ip_interp_buffer) Interpreter and args (mutated in place) * * * Note: The argument and environment vectors are user space pointers @@ -2513,110 +3276,360 @@ static int exec_extract_strings(struct image_params *imgp) { int error = 0; - int strsz = 0; int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT) ? 8 : 4; + int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4; user_addr_t argv = imgp->ip_user_argv; user_addr_t envv = imgp->ip_user_envv; - /* - * If the argument vector is NULL, this is the system startup - * bootstrap from load_init_program(), and there's nothing to do - */ - if (imgp->ip_user_argv == 0LL) - goto bad; - - /* Now, get rest of arguments */ - /* * Adjust space reserved for the path name by however much padding it * needs. Doing this here since we didn't know if this would be a 32- * or 64-bit process back in exec_save_path. */ - strsz = strlen(imgp->ip_strings) + 1; - imgp->ip_strspace -= ((strsz + ptr_size-1) & ~(ptr_size-1)) - strsz; + while (imgp->ip_strspace % new_ptr_size != 0) { + *imgp->ip_strendp++ = '\0'; + imgp->ip_strspace--; + /* imgp->ip_argspace--; not counted towards exec args total */ + } /* - * If we are running an interpreter, replace the av[0] that was - * passed to execve() with the fully qualified path name that was - * passed to execve() for interpreters which do not use the PATH - * to locate their script arguments. + * From now on, we start attributing string space to ip_argspace */ - if((imgp->ip_flags & IMGPF_INTERPRET) != 0 && argv != 0LL) { + imgp->ip_startargv = imgp->ip_strendp; + imgp->ip_argc = 0; + + if((imgp->ip_flags & IMGPF_INTERPRET) != 0) { user_addr_t arg; + char *argstart, *ch; + + /* First, the arguments in the "#!" string are tokenized and extracted. */ + argstart = imgp->ip_interp_buffer; + while (argstart) { + ch = argstart; + while (*ch && !IS_WHITESPACE(*ch)) { + ch++; + } + + if (*ch == '\0') { + /* last argument, no need to NUL-terminate */ + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE); + argstart = NULL; + } else { + /* NUL-terminate */ + *ch = '\0'; + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE); + + /* + * Find the next string. We know spaces at the end of the string have already + * been stripped. + */ + argstart = ch + 1; + while (IS_WHITESPACE(*argstart)) { + argstart++; + } + } + + /* Error-check, regardless of whether this is the last interpreter arg or not */ + if (error) + goto bad; + if (imgp->ip_argspace < new_ptr_size) { + error = E2BIG; + goto bad; + } + imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */ + imgp->ip_argc++; + } + + if (argv != 0LL) { + /* + * If we are running an interpreter, replace the av[0] that was + * passed to execve() with the path name that was + * passed to execve() for interpreters which do not use the PATH + * to locate their script arguments. + */ + error = copyinptr(argv, &arg, ptr_size); + if (error) + goto bad; + if (arg != 0LL) { + argv += ptr_size; /* consume without using */ + } + } + + if (imgp->ip_interp_sugid_fd != -1) { + char temp[19]; /* "/dev/fd/" + 10 digits + NUL */ + snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd); + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE); + } else { + error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE); + } + + if (error) + goto bad; + if (imgp->ip_argspace < new_ptr_size) { + error = E2BIG; + goto bad; + } + imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */ + imgp->ip_argc++; + } + + while (argv != 0LL) { + user_addr_t arg; + + error = copyinptr(argv, &arg, ptr_size); + if (error) + goto bad; + + if (arg == 0LL) { + break; + } + + argv += ptr_size; + + /* + * av[n...] = arg[n] + */ + error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE); + if (error) + goto bad; + if (imgp->ip_argspace < new_ptr_size) { + error = E2BIG; + goto bad; + } + imgp->ip_argspace -= new_ptr_size; /* to hold argv[] entry */ + imgp->ip_argc++; + } + + /* Save space for argv[] NULL terminator */ + if (imgp->ip_argspace < new_ptr_size) { + error = E2BIG; + goto bad; + } + imgp->ip_argspace -= new_ptr_size; + + /* Note where the args ends and env begins. */ + imgp->ip_endargv = imgp->ip_strendp; + imgp->ip_envc = 0; + + /* Now, get the environment */ + while (envv != 0LL) { + user_addr_t env; + + error = copyinptr(envv, &env, ptr_size); + if (error) + goto bad; + + envv += ptr_size; + if (env == 0LL) { + break; + } + /* + * av[n...] = env[n] + */ + error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE); + if (error) + goto bad; + if (imgp->ip_argspace < new_ptr_size) { + error = E2BIG; + goto bad; + } + imgp->ip_argspace -= new_ptr_size; /* to hold envv[] entry */ + imgp->ip_envc++; + } + + /* Save space for envv[] NULL terminator */ + if (imgp->ip_argspace < new_ptr_size) { + error = E2BIG; + goto bad; + } + imgp->ip_argspace -= new_ptr_size; + + /* Align the tail of the combined argv+envv area */ + while (imgp->ip_strspace % new_ptr_size != 0) { + if (imgp->ip_argspace < 1) { + error = E2BIG; + goto bad; + } + *imgp->ip_strendp++ = '\0'; + imgp->ip_strspace--; + imgp->ip_argspace--; + } + + /* Note where the envv ends and applev begins. */ + imgp->ip_endenvv = imgp->ip_strendp; + + /* + * From now on, we are no longer charging argument + * space to ip_argspace. + */ + +bad: + return error; +} + +static char * +random_hex_str(char *str, int len, boolean_t embedNUL) +{ + uint64_t low, high, value; + int idx; + char digit; + + /* A 64-bit value will only take 16 characters, plus '0x' and NULL. */ + if (len > 19) + len = 19; + + /* We need enough room for at least 1 digit */ + if (len < 4) + return (NULL); + + low = random(); + high = random(); + value = high << 32 | low; + + if (embedNUL) { + /* + * Zero a byte to protect against C string vulnerabilities + * e.g. for userland __stack_chk_guard. + */ + value &= ~(0xffull << 8); + } + + str[0] = '0'; + str[1] = 'x'; + for (idx = 2; idx < len - 1; idx++) { + digit = value & 0xf; + value = value >> 4; + if (digit < 10) + str[idx] = '0' + digit; + else + str[idx] = 'a' + (digit - 10); + } + str[idx] = '\0'; + return (str); +} + +/* + * Libc has an 8-element array set up for stack guard values. It only fills + * in one of those entries, and both gcc and llvm seem to use only a single + * 8-byte guard. Until somebody needs more than an 8-byte guard value, don't + * do the work to construct them. + */ +#define GUARD_VALUES 1 +#define GUARD_KEY "stack_guard=" + +/* + * System malloc needs some entropy when it is initialized. + */ +#define ENTROPY_VALUES 2 +#define ENTROPY_KEY "malloc_entropy=" + +/* + * System malloc engages nanozone for UIAPP. + */ +#define NANO_ENGAGE_KEY "MallocNanoZone=1" + +#define PFZ_KEY "pfz=" +extern user32_addr_t commpage_text32_location; +extern user64_addr_t commpage_text64_location; +/* + * Build up the contents of the apple[] string vector + */ +static int +exec_add_apple_strings(struct image_params *imgp) +{ + int i, error; + int new_ptr_size=4; + char guard[19]; + char guard_vec[strlen(GUARD_KEY) + 19 * GUARD_VALUES + 1]; + + char entropy[19]; + char entropy_vec[strlen(ENTROPY_KEY) + 19 * ENTROPY_VALUES + 1]; + + char pfz_string[strlen(PFZ_KEY) + 16 + 4 +1]; + + if( imgp->ip_flags & IMGPF_IS_64BIT) { + new_ptr_size = 8; + snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%llx",commpage_text64_location); + } else { + snprintf(pfz_string, sizeof(pfz_string),PFZ_KEY "0x%x",commpage_text32_location); + } + + /* exec_save_path stored the first string */ + imgp->ip_applec = 1; + + /* adding the pfz string */ + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string),UIO_SYSSPACE,FALSE); + if(error) + goto bad; + imgp->ip_applec++; + + /* adding the NANO_ENGAGE_KEY key */ + if (imgp->ip_px_sa) { + int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags); - error = copyinptr(argv, &arg, ptr_size); - if (error) - goto bad; - if (arg != 0LL && arg != (user_addr_t)-1) { - argv += ptr_size; - error = exec_add_string(imgp, imgp->ip_user_fname); + if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) { + char uiapp_string[strlen(NANO_ENGAGE_KEY) + 1]; + + snprintf(uiapp_string, sizeof(uiapp_string), NANO_ENGAGE_KEY); + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(uiapp_string),UIO_SYSSPACE,FALSE); if (error) goto bad; - imgp->ip_argc++; + imgp->ip_applec++; } } - while (argv != 0LL) { - user_addr_t arg; + /* + * Supply libc with a collection of random values to use when + * implementing -fstack-protector. + * + * (The first random string always contains an embedded NUL so that + * __stack_chk_guard also protects against C string vulnerabilities) + */ + (void)strlcpy(guard_vec, GUARD_KEY, sizeof (guard_vec)); + for (i = 0; i < GUARD_VALUES; i++) { + random_hex_str(guard, sizeof (guard), i == 0); + if (i) + (void)strlcat(guard_vec, ",", sizeof (guard_vec)); + (void)strlcat(guard_vec, guard, sizeof (guard_vec)); + } - error = copyinptr(argv, &arg, ptr_size); - if (error) - goto bad; + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(guard_vec), UIO_SYSSPACE, FALSE); + if (error) + goto bad; + imgp->ip_applec++; - argv += ptr_size; - if (arg == 0LL) { - break; - } else if (arg == (user_addr_t)-1) { - /* Um... why would it be -1? */ - error = EFAULT; - goto bad; - } - /* - * av[n...] = arg[n] - */ - error = exec_add_string(imgp, arg); - if (error) - goto bad; - imgp->ip_argc++; - } + /* + * Supply libc with entropy for system malloc. + */ + (void)strlcpy(entropy_vec, ENTROPY_KEY, sizeof(entropy_vec)); + for (i = 0; i < ENTROPY_VALUES; i++) { + random_hex_str(entropy, sizeof (entropy), FALSE); + if (i) + (void)strlcat(entropy_vec, ",", sizeof (entropy_vec)); + (void)strlcat(entropy_vec, entropy, sizeof (entropy_vec)); + } - /* Note where the args end and env begins. */ - imgp->ip_strendargvp = imgp->ip_strendp; - - /* Now, get the environment */ - while (envv != 0LL) { - user_addr_t env; - - error = copyinptr(envv, &env, ptr_size); - if (error) - goto bad; + error = exec_add_user_string(imgp, CAST_USER_ADDR_T(entropy_vec), UIO_SYSSPACE, FALSE); + if (error) + goto bad; + imgp->ip_applec++; - envv += ptr_size; - if (env == 0LL) { - break; - } else if (env == (user_addr_t)-1) { - error = EFAULT; - goto bad; - } - /* - * av[n...] = env[n] - */ - error = exec_add_string(imgp, env); - if (error) - goto bad; - imgp->ip_envc++; + /* Align the tail of the combined applev area */ + while (imgp->ip_strspace % new_ptr_size != 0) { + *imgp->ip_strendp++ = '\0'; + imgp->ip_strspace--; } + bad: return error; } - #define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur) /* * exec_check_permissions * - * Decription: Verify that the file that is being attempted to be executed + * Description: Verify that the file that is being attempted to be executed * is in fact allowed to be executed based on it POSIX file * permissions and other access control criteria * @@ -2658,7 +3671,7 @@ exec_check_permissions(struct image_params *imgp) * will always succeed, and we don't want to happen unless the * file really is executable. */ - if ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) + if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) return (EACCES); /* Disallow zero length files */ @@ -2672,6 +3685,13 @@ exec_check_permissions(struct image_params *imgp) if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED)) vap->va_mode &= ~(VSUID | VSGID); + /* + * Disable _POSIX_SPAWN_ALLOW_DATA_EXEC and _POSIX_SPAWN_DISABLE_ASLR + * flags for setuid/setgid binaries. + */ + if (vap->va_mode & (VSUID | VSGID)) + imgp->ip_flags &= ~(IMGPF_ALLOW_DATA_EXEC | IMGPF_DISABLE_ASLR); + #if CONFIG_MACF error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp); if (error) @@ -2698,18 +3718,6 @@ exec_check_permissions(struct image_params *imgp) #endif -#ifdef IMGPF_POWERPC - /* - * If the file we are about to attempt to load is the exec_handler_ppc, - * which is determined by matching the vattr fields against previously - * cached values, then we set the PowerPC environment flag. - */ - if (vap->va_fsid == exec_archhandler_ppc.fsid && - vap->va_fileid == (uint64_t)((uint32_t)exec_archhandler_ppc.fileid)) { - imgp->ip_flags |= IMGPF_POWERPC; - } -#endif /* IMGPF_POWERPC */ - /* XXX May want to indicate to underlying FS that vnode is open */ return (error); @@ -2749,10 +3757,11 @@ exec_handle_sugid(struct image_params *imgp) proc_t p = vfs_context_proc(imgp->ip_vfs_context); int i; int leave_sugid_clear = 0; + int mac_reset_ipc = 0; int error = 0; - struct vnode *dev_null = NULLVP; #if CONFIG_MACF - int mac_transition; + int mac_transition, disjoint_cred = 0; + int label_update_return = 0; /* * Determine whether a call to update the MAC label will result in the @@ -2766,8 +3775,12 @@ exec_handle_sugid(struct image_params *imgp) mac_transition = mac_cred_check_label_update_execve( imgp->ip_vfs_context, imgp->ip_vp, + imgp->ip_arch_offset, + imgp->ip_scriptvp, imgp->ip_scriptlabelp, - imgp->ip_execlabelp, p); + imgp->ip_execlabelp, + p, + imgp->ip_px_smpx); #endif OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag); @@ -2790,7 +3803,7 @@ exec_handle_sugid(struct image_params *imgp) kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) || ((imgp->ip_origvattr->va_mode & VSGID) != 0 && ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) || !leave_sugid_clear) || - (cred->cr_gid != imgp->ip_origvattr->va_gid)))) { + (kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) { #if CONFIG_MACF /* label for MAC transition and neither VSUID nor VSGID */ @@ -2815,9 +3828,13 @@ handle_mac_transition: */ if (imgp->ip_origvattr->va_mode & VSUID) { p->p_ucred = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE); + /* update cred on proc */ + PROC_UPDATE_CREDS_ONPROC(p); } if (imgp->ip_origvattr->va_mode & VSGID) { p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid); + /* update cred on proc */ + PROC_UPDATE_CREDS_ONPROC(p); } #if CONFIG_MACF @@ -2828,12 +3845,19 @@ handle_mac_transition: * modifying any others sharing it. */ if (mac_transition) { - kauth_cred_t my_cred; - if (kauth_proc_label_update_execve(p, + kauth_proc_label_update_execve(p, imgp->ip_vfs_context, imgp->ip_vp, + imgp->ip_arch_offset, + imgp->ip_scriptvp, imgp->ip_scriptlabelp, - imgp->ip_execlabelp)) { + imgp->ip_execlabelp, + &imgp->ip_csflags, + imgp->ip_px_smpx, + &disjoint_cred, /* will be non zero if disjoint */ + &label_update_return); + + if (disjoint_cred) { /* * If updating the MAC label resulted in a * disjoint credential, flag that we need to @@ -2845,22 +3869,13 @@ handle_mac_transition: */ leave_sugid_clear = 0; } - - my_cred = kauth_cred_proc_ref(p); - mac_task_label_update_cred(my_cred, p->task); - kauth_cred_unref(&my_cred); + + imgp->ip_mac_return = label_update_return; } -#endif /* CONFIG_MACF */ + + mac_reset_ipc = mac_proc_check_inherit_ipc_ports(p, p->p_textvp, p->p_textoff, imgp->ip_vp, imgp->ip_arch_offset, imgp->ip_scriptvp); - /* - * Have mach reset the task and thread ports. - * We don't want anyone who had the ports before - * a setuid exec to be able to access/control the - * task/thread after. - */ - ipc_task_reset(p->task); - ipc_thread_reset((imgp->ip_new_thread != NULL) ? - imgp->ip_new_thread : current_thread()); +#endif /* CONFIG_MACF */ /* * If 'leave_sugid_clear' is non-zero, then we passed the @@ -2868,74 +3883,93 @@ handle_mac_transition: * the previous cred was a member of the VSGID group, but * that it was not the default at the time of the execve, * and that the post-labelling credential was not disjoint. - * So we don't set the P_SUGID on the basis of simply - * running this code. + * So we don't set the P_SUGID or reset mach ports and fds + * on the basis of simply running this code. */ - if (!leave_sugid_clear) + if (mac_reset_ipc || !leave_sugid_clear) { + /* + * Have mach reset the task and thread ports. + * We don't want anyone who had the ports before + * a setuid exec to be able to access/control the + * task/thread after. + */ + ipc_task_reset(p->task); + ipc_thread_reset((imgp->ip_new_thread != NULL) ? + imgp->ip_new_thread : current_thread()); + } + + if (!leave_sugid_clear) { + /* + * Flag the process as setuid. + */ OSBitOrAtomic(P_SUGID, &p->p_flag); - /* Cache the vnode for /dev/null the first time around */ - if (dev_null == NULLVP) { - struct nameidata nd1; + /* + * Radar 2261856; setuid security hole fix + * XXX For setuid processes, attempt to ensure that + * stdin, stdout, and stderr are already allocated. + * We do not want userland to accidentally allocate + * descriptors in this range which has implied meaning + * to libc. + */ + for (i = 0; i < 3; i++) { - NDINIT(&nd1, LOOKUP, FOLLOW, UIO_SYSSPACE, - CAST_USER_ADDR_T("/dev/null"), - imgp->ip_vfs_context); + if (p->p_fd->fd_ofiles[i] != NULL) + continue; - if ((error = vn_open(&nd1, FREAD, 0)) == 0) { - dev_null = nd1.ni_vp; /* - * vn_open returns with both a use_count - * and an io_count on the found vnode - * drop the io_count, but keep the use_count + * Do the kernel equivalent of + * + * if i == 0 + * (void) open("/dev/null", O_RDONLY); + * else + * (void) open("/dev/null", O_WRONLY); */ - vnode_put(nd1.ni_vp); - } - } - /* Radar 2261856; setuid security hole fix */ - /* Patch from OpenBSD: A. Ramesh */ - /* - * XXX For setuid processes, attempt to ensure that - * stdin, stdout, and stderr are already allocated. - * We do not want userland to accidentally allocate - * descriptors in this range which has implied meaning - * to libc. - */ - if (dev_null != NULLVP) { - for (i = 0; i < 3; i++) { struct fileproc *fp; int indx; + int flag; + struct nameidata *ndp = NULL; - if (p->p_fd->fd_ofiles[i] != NULL) - continue; + if (i == 0) + flag = FREAD; + else + flag = FWRITE; - if ((error = falloc(p, &fp, &indx, imgp->ip_vfs_context)) != 0) + if ((error = falloc(p, + &fp, &indx, imgp->ip_vfs_context)) != 0) continue; - if ((error = vnode_ref_ext(dev_null, FREAD)) != 0) { + MALLOC(ndp, struct nameidata *, sizeof(*ndp), M_TEMP, M_WAITOK | M_ZERO); + if (ndp == NULL) { + error = ENOMEM; + break; + } + + NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE, + CAST_USER_ADDR_T("/dev/null"), + imgp->ip_vfs_context); + + if ((error = vn_open(ndp, flag, 0)) != 0) { fp_free(p, indx, fp); break; } - fp->f_fglob->fg_flag = FREAD; - fp->f_fglob->fg_type = DTYPE_VNODE; - fp->f_fglob->fg_ops = &vnops; - fp->f_fglob->fg_data = (caddr_t)dev_null; - + struct fileglob *fg = fp->f_fglob; + + fg->fg_flag = flag; + fg->fg_ops = &vnops; + fg->fg_data = ndp->ni_vp; + + vnode_put(ndp->ni_vp); + proc_fdlock(p); procfdtbl_releasefd(p, indx, NULL); fp_drop(p, indx, fp, 1); proc_fdunlock(p); + + FREE(ndp, M_TEMP); } - /* - * for now we need to drop the reference immediately - * since we don't have any mechanism in place to - * release it before starting to unmount "/dev" - * during a reboot/shutdown - */ - vnode_rele(dev_null); - dev_null = NULLVP; } } #if CONFIG_MACF @@ -2952,13 +3986,16 @@ handle_mac_transition: goto handle_mac_transition; } } + #endif /* CONFIG_MACF */ /* * Implement the semantic where the effective user and group become * the saved user and group in exec'ed programs. */ - p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred), p->p_ucred->cr_gid); + p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred), kauth_cred_getgid(p->p_ucred)); + /* update cred on proc */ + PROC_UPDATE_CREDS_ONPROC(p); /* Update the process' identity version and set the security token */ p->p_idversion++; @@ -2979,129 +4016,146 @@ handle_mac_transition: * limits on stack growth, if they end up being needed. * * Parameters: p Process to set stack on - * user_stack Address to set stack for process to - * customstack FALSE if no custom stack in binary - * map Address map in which to allocate the - * new stack, if 'customstack' is FALSE + * load_result Information from mach-o load commands + * map Address map in which to allocate the new stack * * Returns: KERN_SUCCESS Stack successfully created * !KERN_SUCCESS Mach failure code */ static kern_return_t -create_unix_stack(vm_map_t map, user_addr_t user_stack, int customstack, +create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p) { mach_vm_size_t size, prot_size; mach_vm_offset_t addr, prot_addr; kern_return_t kr; + mach_vm_address_t user_stack = load_result->user_stack; + proc_lock(p); p->user_stack = user_stack; proc_unlock(p); - if (!customstack) { + if (!load_result->prog_allocated_stack) { /* * Allocate enough space for the maximum stack size we * will ever authorize and an extra page to act as - * a guard page for stack overflows. + * a guard page for stack overflows. For default stacks, + * vm_initial_limit_stack takes care of the extra guard page. + * Otherwise we must allocate it ourselves. */ - size = mach_vm_round_page(MAXSSIZ); -#if STACK_GROWTH_UP - addr = mach_vm_trunc_page(user_stack); -#else /* STACK_GROWTH_UP */ - addr = mach_vm_trunc_page(user_stack - size); -#endif /* STACK_GROWTH_UP */ + + size = mach_vm_round_page(load_result->user_stack_size); + if (load_result->prog_stack_size) + size += PAGE_SIZE; + addr = mach_vm_trunc_page(load_result->user_stack - size); kr = mach_vm_allocate(map, &addr, size, VM_MAKE_TAG(VM_MEMORY_STACK) | - VM_FLAGS_FIXED); + VM_FLAGS_FIXED); if (kr != KERN_SUCCESS) { - return kr; + /* If can't allocate at default location, try anywhere */ + addr = 0; + kr = mach_vm_allocate(map, &addr, size, + VM_MAKE_TAG(VM_MEMORY_STACK) | + VM_FLAGS_ANYWHERE); + if (kr != KERN_SUCCESS) + return kr; + + user_stack = addr + size; + load_result->user_stack = user_stack; + + proc_lock(p); + p->user_stack = user_stack; + proc_unlock(p); } + /* * And prevent access to what's above the current stack * size limit for this process. */ prot_addr = addr; -#if STACK_GROWTH_UP - prot_addr += unix_stack_size(p); -#endif /* STACK_GROWTH_UP */ - prot_addr = mach_vm_round_page(prot_addr); - prot_size = mach_vm_trunc_page(size - unix_stack_size(p)); + if (load_result->prog_stack_size) + prot_size = PAGE_SIZE; + else + prot_size = mach_vm_trunc_page(size - unix_stack_size(p)); kr = mach_vm_protect(map, - prot_addr, - prot_size, - FALSE, - VM_PROT_NONE); + prot_addr, + prot_size, + FALSE, + VM_PROT_NONE); if (kr != KERN_SUCCESS) { (void) mach_vm_deallocate(map, addr, size); return kr; } } + return KERN_SUCCESS; } #include -static char init_program_name[128] = "/sbin/launchd"; - -struct execve_args init_exec_args; - /* - * load_init_program + * load_init_program_at_path * * Description: Load the "init" program; in most cases, this will be "launchd" * * Parameters: p Process to call execve() to create * the "init" program + * scratch_addr Page in p, scratch space + * path NULL terminated path * - * Returns: (void) + * Returns: KERN_SUCCESS Success + * !KERN_SUCCESS See execve/mac_execve for error codes * * Notes: The process that is passed in is the first manufactured * process on the system, and gets here via bsd_ast() firing * for the first time. This is done to ensure that bsd_init() * has run to completion. + * + * The address map of the first manufactured process is 32 bit. + * WHEN this becomes 64b, this code will fail; it needs to be + * made 64b capable. */ -void -load_init_program(proc_t p) +static int +load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path) { - vm_offset_t init_addr; - int argc = 0; uint32_t argv[3]; - int error; - int retval[2]; + uint32_t argc = 0; + int retval[2]; + struct execve_args init_exec_args; /* - * Copy out program name. + * Validate inputs and pre-conditions */ + assert(p); + assert(scratch_addr); + assert(path); - init_addr = VM_MIN_ADDRESS; - (void) vm_allocate(current_map(), &init_addr, PAGE_SIZE, - VM_FLAGS_ANYWHERE); - if (init_addr == 0) - init_addr++; + if (IS_64BIT_PROCESS(p)) { + panic("Init against 64b primordial proc not implemented"); + } - (void) copyout((caddr_t) init_program_name, CAST_USER_ADDR_T(init_addr), - (unsigned) sizeof(init_program_name)+1); + /* + * Copy out program name. + */ + size_t path_length = strlen(path) + 1; + (void) copyout(path, scratch_addr, path_length); - argv[argc++] = (uint32_t)init_addr; - init_addr += sizeof(init_program_name); - init_addr = (vm_offset_t)ROUND_PTR(char, init_addr); + argv[argc++] = (uint32_t)scratch_addr; + scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, 16); /* * Put out first (and only) argument, similarly. - * Assumes everything fits in a page as allocated - * above. + * Assumes everything fits in a page as allocated above. */ if (boothowto & RB_SINGLE) { const char *init_args = "-s"; + size_t init_args_length = strlen(init_args)+1; - copyout(init_args, CAST_USER_ADDR_T(init_addr), - strlen(init_args)); - - argv[argc++] = (uint32_t)init_addr; - init_addr += strlen(init_args); - init_addr = (vm_offset_t)ROUND_PTR(char, init_addr); + copyout(init_args, scratch_addr, init_args_length); + argv[argc++] = (uint32_t)scratch_addr; + scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, 16); } /* @@ -3112,27 +4166,113 @@ load_init_program(proc_t p) /* * Copy out the argument list. */ - - (void) copyout((caddr_t) argv, CAST_USER_ADDR_T(init_addr), - (unsigned) sizeof(argv)); + (void) copyout(argv, scratch_addr, sizeof(argv)); /* * Set up argument block for fake call to execve. */ - init_exec_args.fname = CAST_USER_ADDR_T(argv[0]); - init_exec_args.argp = CAST_USER_ADDR_T((char **)init_addr); - init_exec_args.envp = CAST_USER_ADDR_T(0); - + init_exec_args.argp = scratch_addr; + init_exec_args.envp = USER_ADDR_NULL; + /* - * So that mach_init task is set with uid,gid 0 token + * So that init task is set with uid,gid 0 token */ set_security_token(p); - error = execve(p,&init_exec_args,retval); - if (error) - panic("Process 1 exec of %s failed, errno %d\n", - init_program_name, error); + return execve(p, &init_exec_args, retval); +} + +static const char * init_programs[] = { +#if DEBUG + "/usr/local/sbin/launchd.debug", +#endif +#if DEVELOPMENT || DEBUG + /* Remove DEBUG conditional when is fixed */ + "/usr/local/sbin/launchd.development", +#endif + "/sbin/launchd", +}; + +/* + * load_init_program + * + * Description: Load the "init" program; in most cases, this will be "launchd" + * + * Parameters: p Process to call execve() to create + * the "init" program + * + * Returns: (void) + * + * Notes: The process that is passed in is the first manufactured + * process on the system, and gets here via bsd_ast() firing + * for the first time. This is done to ensure that bsd_init() + * has run to completion. + * + * In DEBUG & DEVELOPMENT builds, the launchdsuffix boot-arg + * may be used to select a specific launchd executable. As with + * the kcsuffix boot-arg, setting launchdsuffix to "" or "release" + * will force /sbin/launchd to be selected. + * + * The DEBUG kernel will continue to check for a .development + * version until is fixed. + * + * Search order by build: + * + * DEBUG DEVELOPMENT RELEASE PATH + * ---------------------------------------------------------------------------------- + * 1 1 NA /usr/local/sbin/launchd.$LAUNCHDSUFFIX + * 2 NA NA /usr/local/sbin/launchd.debug + * 3 2 NA /usr/local/sbin/launchd.development + * 4 3 1 /sbin/launchd + */ +void +load_init_program(proc_t p) +{ + uint32_t i; + int error; + vm_offset_t scratch_addr = VM_MIN_ADDRESS; + + (void) vm_allocate(current_map(), &scratch_addr, PAGE_SIZE, VM_FLAGS_ANYWHERE); +#if CONFIG_MEMORYSTATUS && CONFIG_JETSAM + (void) memorystatus_init_at_boot_snapshot(); +#endif /* CONFIG_MEMORYSTATUS && CONFIG_JETSAM */ + +#if DEBUG || DEVELOPMENT + /* Check for boot-arg suffix first */ + char launchd_suffix[64]; + if (PE_parse_boot_argn("launchdsuffix", launchd_suffix, sizeof(launchd_suffix))) { + char launchd_path[128]; + boolean_t is_release_suffix = ((launchd_suffix[0] == 0) || + (strcmp(launchd_suffix, "release") == 0)); + + if (is_release_suffix) { + error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), "/sbin/launchd"); + if (!error) + return; + + panic("Process 1 exec of launchd.release failed, errno %d", error); + } else { + strlcpy(launchd_path, "/usr/local/sbin/launchd.", sizeof(launchd_path)); + strlcat(launchd_path, launchd_suffix, sizeof(launchd_path)); + + /* All the error data is lost in the loop below, don't + * attempt to save it. */ + if (!load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), launchd_path)) { + return; + } + } + } +#endif + + error = ENOENT; + for (i = 0; i < sizeof(init_programs)/sizeof(init_programs[0]); i++) { + error = load_init_program_at_path(p, CAST_USER_ADDR_T(scratch_addr), init_programs[i]); + if (!error) + return; + } + + panic("Process 1 exec of %s failed, errno %d", ((i == 0) ? "" : init_programs[i-1]), error); } /* @@ -3176,6 +4316,7 @@ load_return_to_errno(load_return_t lrtn) case LOAD_IOERROR: return EIO; case LOAD_FAILURE: + case LOAD_DECRYPTFAIL: default: return EBADEXEC; } @@ -3188,8 +4329,6 @@ load_return_to_errno(load_return_t lrtn) #include #include -extern semaphore_t execve_semaphore; - /* * execargs_alloc * @@ -3237,14 +4376,14 @@ execargs_lock_unlock(void) { lck_mtx_unlock(execargs_cache_lock); } -static void +static wait_result_t execargs_lock_sleep(void) { - lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_UNINT); + return(lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_INTERRUPTIBLE)); } static kern_return_t execargs_purgeable_allocate(char **execarg_address) { - kern_return_t kr = vm_allocate(bsd_pageable_map, (vm_offset_t *)execarg_address, NCARGS + PAGE_SIZE, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE); + kern_return_t kr = vm_allocate(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE | VM_FLAGS_PURGABLE); assert(kr == KERN_SUCCESS); return kr; } @@ -3278,14 +4417,19 @@ static int execargs_alloc(struct image_params *imgp) { kern_return_t kret; + wait_result_t res; int i, cache_index = -1; execargs_lock_lock(); while (execargs_free_count == 0) { execargs_waiters++; - execargs_lock_sleep(); + res = execargs_lock_sleep(); execargs_waiters--; + if (res != THREAD_AWAKENED) { + execargs_lock_unlock(); + return (EINTR); + } } execargs_free_count--; @@ -3315,7 +4459,11 @@ execargs_alloc(struct image_params *imgp) return (ENOMEM); } - imgp->ip_vdata = imgp->ip_strings + NCARGS; + /* last page used to read in file headers */ + imgp->ip_vdata = imgp->ip_strings + ( NCARGS + PAGE_SIZE ); + imgp->ip_strendp = imgp->ip_strings; + imgp->ip_argspace = NCARGS; + imgp->ip_strspace = ( NCARGS + PAGE_SIZE ); return (0); } @@ -3401,12 +4549,85 @@ exec_resettextvp(proc_t p, struct image_params *imgp) } -static int +/* + * If the process is not signed or if it contains entitlements, we + * need to communicate through the task_access_port to taskgated. + * + * taskgated will provide a detached code signature if present, and + * will enforce any restrictions on entitlements. + */ + +static boolean_t +taskgated_required(proc_t p, boolean_t *require_success) +{ + size_t length; + void *blob; + int error; + + if (cs_debug > 2) + csvnode_print_debug(p->p_textvp); + + const int can_skip_taskgated = csproc_get_platform_binary(p) && !csproc_get_platform_path(p); + if (can_skip_taskgated) { + if (cs_debug) printf("taskgated not required for: %s\n", p->p_name); + *require_success = FALSE; + return FALSE; + } + + if ((p->p_csflags & CS_VALID) == 0) { + *require_success = FALSE; + return TRUE; + } + + error = cs_entitlements_blob_get(p, &blob, &length); + if (error == 0 && blob != NULL) { + /* + * fatal on the desktop when entitlements are present, + * unless we started in single-user mode + */ + if ((boothowto & RB_SINGLE) == 0) + *require_success = TRUE; + /* + * Allow initproc to run without causing taskgated to launch + */ + if (p == initproc) { + *require_success = FALSE; + return FALSE; + } + + if (cs_debug) printf("taskgated required for: %s\n", p->p_name); + + return TRUE; + } + + *require_success = FALSE; + return FALSE; +} + +/* + * __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__ + * + * Description: Waits for the userspace daemon to respond to the request + * we made. Function declared non inline to be visible in + * stackshots and spindumps as well as debugging. + */ +__attribute__((noinline)) int +__EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid) +{ + return find_code_signature(task_access_port, new_pid); +} + +static int check_for_signature(proc_t p, struct image_params *imgp) { mach_port_t port = NULL; - kern_return_t error = 0; + kern_return_t kr = KERN_FAILURE; + int error = EACCES; + boolean_t unexpected_failure = FALSE; unsigned char hash[SHA1_RESULTLEN]; + boolean_t require_success = FALSE; + int spawn = (imgp->ip_flags & IMGPF_SPAWN); + int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC); /* * Override inherited code signing flags with the @@ -3421,36 +4642,214 @@ check_for_signature(proc_t p, struct image_params *imgp) if(p->p_csflags & (CS_HARD|CS_KILL)) { vm_map_switch_protect(get_task_map(p->task), TRUE); } + + /* + * image activation may be failed due to policy + * which is unexpected but security framework does not + * approve of exec, kill and return immediately. + */ + if (imgp->ip_mac_return != 0) { + error = imgp->ip_mac_return; + unexpected_failure = TRUE; + goto done; + } + + /* check if callout to taskgated is needed */ + if (!taskgated_required(p, &require_success)) { + error = 0; + goto done; + } + + kr = task_get_task_access_port(p->task, &port); + if (KERN_SUCCESS != kr || !IPC_PORT_VALID(port)) { + error = 0; + if (require_success) + error = EACCES; + goto done; + } /* - * If the task_access_port is set and the proc isn't signed, - * ask for a code signature from user space. Fail the exec - * if permission is denied. + * taskgated returns KERN_SUCCESS if it has completed its work + * and the exec should continue, KERN_FAILURE if the exec should + * fail, or it may error out with different error code in an + * event of mig failure (e.g. process was signalled during the + * rpc call, taskgated died, mig server died etc.). */ - error = task_get_task_access_port(p->task, &port); - if (error == 0 && IPC_PORT_VALID(port) && !(p->p_csflags & CS_VALID)) { - error = find_code_signature(port, p->p_pid); - if (error == KERN_FAILURE) { - /* Make very sure execution fails */ + + kr = __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(port, p->p_pid); + switch (kr) { + case KERN_SUCCESS: + error = 0; + break; + case KERN_FAILURE: + error = EACCES; + goto done; + default: + error = EACCES; + unexpected_failure = TRUE; + goto done; + } + + /* Only do this if exec_resettextvp() did not fail */ + if (p->p_textvp != NULLVP) { + /* + * If there's a new code directory, mark this process + * as signed. + */ + if (0 == ubc_cs_getcdhash(p->p_textvp, p->p_textoff, hash)) { + proc_lock(p); + p->p_csflags |= CS_VALID; + proc_unlock(p); + } + } + +done: + if (0 != error) { + if (!unexpected_failure) + p->p_csflags |= CS_KILLED; + /* make very sure execution fails */ + if (vfexec || spawn) { + psignal_vfork(p, p->task, imgp->ip_new_thread, SIGKILL); + error = 0; + } else { psignal(p, SIGKILL); - return EACCES; } + } + return error; +} + +/* + * Typically as soon as we start executing this process, the + * first instruction will trigger a VM fault to bring the text + * pages (as executable) into the address space, followed soon + * thereafter by dyld data structures (for dynamic executable). + * To optimize this, as well as improve support for hardware + * debuggers that can only access resident pages present + * in the process' page tables, we prefault some pages if + * possible. Errors are non-fatal. + */ +static void exec_prefault_data(proc_t p __unused, struct image_params *imgp, load_result_t *load_result) +{ + int ret; + size_t expected_all_image_infos_size; + + /* + * Prefault executable or dyld entry point. + */ + vm_fault(current_map(), + vm_map_trunc_page(load_result->entry_point, + vm_map_page_mask(current_map())), + VM_PROT_READ | VM_PROT_EXECUTE, + FALSE, + THREAD_UNINT, NULL, 0); + + if (imgp->ip_flags & IMGPF_IS_64BIT) { + expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos); + } else { + expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos); + } + + /* Decode dyld anchor structure from */ + if (load_result->dynlinker && + load_result->all_image_info_addr && + load_result->all_image_info_size >= expected_all_image_infos_size) { + union { + struct user64_dyld_all_image_infos infos64; + struct user32_dyld_all_image_infos infos32; + } all_image_infos; + + /* + * Pre-fault to avoid copyin() going through the trap handler + * and recovery path. + */ + vm_fault(current_map(), + vm_map_trunc_page(load_result->all_image_info_addr, + vm_map_page_mask(current_map())), + VM_PROT_READ | VM_PROT_WRITE, + FALSE, + THREAD_UNINT, NULL, 0); + if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) { + /* all_image_infos straddles a page */ + vm_fault(current_map(), + vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - 1, + vm_map_page_mask(current_map())), + VM_PROT_READ | VM_PROT_WRITE, + FALSE, + THREAD_UNINT, NULL, 0); + } + + ret = copyin(load_result->all_image_info_addr, + &all_image_infos, + expected_all_image_infos_size); + if (ret == 0 && all_image_infos.infos32.version >= 9) { + + user_addr_t notification_address; + user_addr_t dyld_image_address; + user_addr_t dyld_version_address; + user_addr_t dyld_all_image_infos_address; + user_addr_t dyld_slide_amount; + + if (imgp->ip_flags & IMGPF_IS_64BIT) { + notification_address = all_image_infos.infos64.notification; + dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress; + dyld_version_address = all_image_infos.infos64.dyldVersion; + dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress; + } else { + notification_address = all_image_infos.infos32.notification; + dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress; + dyld_version_address = all_image_infos.infos32.dyldVersion; + dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress; + } - /* Only do this if exec_resettextvp() did not fail */ - if (p->p_textvp != NULLVP) { /* - * If there's a new code directory, mark this process - * as signed. + * dyld statically sets up the all_image_infos in its Mach-O + * binary at static link time, with pointers relative to its default + * load address. Since ASLR might slide dyld before its first + * instruction is executed, "dyld_slide_amount" tells us how far + * dyld was loaded compared to its default expected load address. + * All other pointers into dyld's image should be adjusted by this + * amount. At some point later, dyld will fix up pointers to take + * into account the slide, at which point the all_image_infos_address + * field in the structure will match the runtime load address, and + * "dyld_slide_amount" will be 0, if we were to consult it again. */ - error = ubc_cs_getcdhash(p->p_textvp, p->p_textoff, hash); - if (error == 0) { - proc_lock(p); - p->p_csflags |= CS_VALID; - proc_unlock(p); - } + + dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address; + +#if 0 + kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n", + (uint64_t)load_result->all_image_info_addr, + all_image_infos.infos32.version, + (uint64_t)notification_address, + (uint64_t)dyld_image_address, + (uint64_t)dyld_version_address, + (uint64_t)dyld_all_image_infos_address); +#endif + + vm_fault(current_map(), + vm_map_trunc_page(notification_address + dyld_slide_amount, + vm_map_page_mask(current_map())), + VM_PROT_READ | VM_PROT_EXECUTE, + FALSE, + THREAD_UNINT, NULL, 0); + vm_fault(current_map(), + vm_map_trunc_page(dyld_image_address + dyld_slide_amount, + vm_map_page_mask(current_map())), + VM_PROT_READ | VM_PROT_EXECUTE, + FALSE, + THREAD_UNINT, NULL, 0); + vm_fault(current_map(), + vm_map_trunc_page(dyld_version_address + dyld_slide_amount, + vm_map_page_mask(current_map())), + VM_PROT_READ, + FALSE, + THREAD_UNINT, NULL, 0); + vm_fault(current_map(), + vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount, + vm_map_page_mask(current_map())), + VM_PROT_READ | VM_PROT_WRITE, + FALSE, + THREAD_UNINT, NULL, 0); } } - - return KERN_SUCCESS; } -