FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_exec.c
1 /*-
2 * Copyright (c) 1993, David Greenman
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD: releng/10.2/sys/kern/kern_exec.c 283359 2015-05-24 07:32:02Z kib $");
29
30 #include "opt_capsicum.h"
31 #include "opt_hwpmc_hooks.h"
32 #include "opt_kdtrace.h"
33 #include "opt_ktrace.h"
34 #include "opt_vm.h"
35
36 #include <sys/param.h>
37 #include <sys/capsicum.h>
38 #include <sys/systm.h>
39 #include <sys/capsicum.h>
40 #include <sys/eventhandler.h>
41 #include <sys/lock.h>
42 #include <sys/mutex.h>
43 #include <sys/sysproto.h>
44 #include <sys/signalvar.h>
45 #include <sys/kernel.h>
46 #include <sys/mount.h>
47 #include <sys/filedesc.h>
48 #include <sys/fcntl.h>
49 #include <sys/acct.h>
50 #include <sys/exec.h>
51 #include <sys/imgact.h>
52 #include <sys/imgact_elf.h>
53 #include <sys/wait.h>
54 #include <sys/malloc.h>
55 #include <sys/priv.h>
56 #include <sys/proc.h>
57 #include <sys/pioctl.h>
58 #include <sys/namei.h>
59 #include <sys/resourcevar.h>
60 #include <sys/rwlock.h>
61 #include <sys/sched.h>
62 #include <sys/sdt.h>
63 #include <sys/sf_buf.h>
64 #include <sys/syscallsubr.h>
65 #include <sys/sysent.h>
66 #include <sys/shm.h>
67 #include <sys/sysctl.h>
68 #include <sys/vnode.h>
69 #include <sys/stat.h>
70 #ifdef KTRACE
71 #include <sys/ktrace.h>
72 #endif
73
74 #include <vm/vm.h>
75 #include <vm/vm_param.h>
76 #include <vm/pmap.h>
77 #include <vm/vm_page.h>
78 #include <vm/vm_map.h>
79 #include <vm/vm_kern.h>
80 #include <vm/vm_extern.h>
81 #include <vm/vm_object.h>
82 #include <vm/vm_pager.h>
83
84 #ifdef HWPMC_HOOKS
85 #include <sys/pmckern.h>
86 #endif
87
88 #include <machine/reg.h>
89
90 #include <security/audit/audit.h>
91 #include <security/mac/mac_framework.h>
92
93 #ifdef KDTRACE_HOOKS
94 #include <sys/dtrace_bsd.h>
95 dtrace_execexit_func_t dtrace_fasttrap_exec;
96 #endif
97
98 SDT_PROVIDER_DECLARE(proc);
99 SDT_PROBE_DEFINE1(proc, kernel, , exec, "char *");
100 SDT_PROBE_DEFINE1(proc, kernel, , exec__failure, "int");
101 SDT_PROBE_DEFINE1(proc, kernel, , exec__success, "char *");
102
103 MALLOC_DEFINE(M_PARGS, "proc-args", "Process arguments");
104
105 static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS);
106 static int sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS);
107 static int sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS);
108 static int do_execve(struct thread *td, struct image_args *args,
109 struct mac *mac_p);
110
111 /* XXX This should be vm_size_t. */
112 SYSCTL_PROC(_kern, KERN_PS_STRINGS, ps_strings, CTLTYPE_ULONG|CTLFLAG_RD,
113 NULL, 0, sysctl_kern_ps_strings, "LU", "");
114
115 /* XXX This should be vm_size_t. */
116 SYSCTL_PROC(_kern, KERN_USRSTACK, usrstack, CTLTYPE_ULONG|CTLFLAG_RD|
117 CTLFLAG_CAPRD, NULL, 0, sysctl_kern_usrstack, "LU", "");
118
119 SYSCTL_PROC(_kern, OID_AUTO, stackprot, CTLTYPE_INT|CTLFLAG_RD,
120 NULL, 0, sysctl_kern_stackprot, "I", "");
121
122 u_long ps_arg_cache_limit = PAGE_SIZE / 16;
123 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
124 &ps_arg_cache_limit, 0, "");
125
126 static int disallow_high_osrel;
127 SYSCTL_INT(_kern, OID_AUTO, disallow_high_osrel, CTLFLAG_RW,
128 &disallow_high_osrel, 0,
129 "Disallow execution of binaries built for higher version of the world");
130
131 static int map_at_zero = 0;
132 TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
133 SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
134 "Permit processes to map an object at virtual address 0.");
135
136 static int
137 sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
138 {
139 struct proc *p;
140 int error;
141
142 p = curproc;
143 #ifdef SCTL_MASK32
144 if (req->flags & SCTL_MASK32) {
145 unsigned int val;
146 val = (unsigned int)p->p_sysent->sv_psstrings;
147 error = SYSCTL_OUT(req, &val, sizeof(val));
148 } else
149 #endif
150 error = SYSCTL_OUT(req, &p->p_sysent->sv_psstrings,
151 sizeof(p->p_sysent->sv_psstrings));
152 return error;
153 }
154
155 static int
156 sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS)
157 {
158 struct proc *p;
159 int error;
160
161 p = curproc;
162 #ifdef SCTL_MASK32
163 if (req->flags & SCTL_MASK32) {
164 unsigned int val;
165 val = (unsigned int)p->p_sysent->sv_usrstack;
166 error = SYSCTL_OUT(req, &val, sizeof(val));
167 } else
168 #endif
169 error = SYSCTL_OUT(req, &p->p_sysent->sv_usrstack,
170 sizeof(p->p_sysent->sv_usrstack));
171 return error;
172 }
173
174 static int
175 sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS)
176 {
177 struct proc *p;
178
179 p = curproc;
180 return (SYSCTL_OUT(req, &p->p_sysent->sv_stackprot,
181 sizeof(p->p_sysent->sv_stackprot)));
182 }
183
184 /*
185 * Each of the items is a pointer to a `const struct execsw', hence the
186 * double pointer here.
187 */
188 static const struct execsw **execsw;
189
190 #ifndef _SYS_SYSPROTO_H_
191 struct execve_args {
192 char *fname;
193 char **argv;
194 char **envv;
195 };
196 #endif
197
198 int
199 sys_execve(struct thread *td, struct execve_args *uap)
200 {
201 struct image_args args;
202 struct vmspace *oldvmspace;
203 int error;
204
205 error = pre_execve(td, &oldvmspace);
206 if (error != 0)
207 return (error);
208 error = exec_copyin_args(&args, uap->fname, UIO_USERSPACE,
209 uap->argv, uap->envv);
210 if (error == 0)
211 error = kern_execve(td, &args, NULL);
212 post_execve(td, error, oldvmspace);
213 return (error);
214 }
215
216 #ifndef _SYS_SYSPROTO_H_
217 struct fexecve_args {
218 int fd;
219 char **argv;
220 char **envv;
221 }
222 #endif
223 int
224 sys_fexecve(struct thread *td, struct fexecve_args *uap)
225 {
226 struct image_args args;
227 struct vmspace *oldvmspace;
228 int error;
229
230 error = pre_execve(td, &oldvmspace);
231 if (error != 0)
232 return (error);
233 error = exec_copyin_args(&args, NULL, UIO_SYSSPACE,
234 uap->argv, uap->envv);
235 if (error == 0) {
236 args.fd = uap->fd;
237 error = kern_execve(td, &args, NULL);
238 }
239 post_execve(td, error, oldvmspace);
240 return (error);
241 }
242
243 #ifndef _SYS_SYSPROTO_H_
244 struct __mac_execve_args {
245 char *fname;
246 char **argv;
247 char **envv;
248 struct mac *mac_p;
249 };
250 #endif
251
252 int
253 sys___mac_execve(struct thread *td, struct __mac_execve_args *uap)
254 {
255 #ifdef MAC
256 struct image_args args;
257 struct vmspace *oldvmspace;
258 int error;
259
260 error = pre_execve(td, &oldvmspace);
261 if (error != 0)
262 return (error);
263 error = exec_copyin_args(&args, uap->fname, UIO_USERSPACE,
264 uap->argv, uap->envv);
265 if (error == 0)
266 error = kern_execve(td, &args, uap->mac_p);
267 post_execve(td, error, oldvmspace);
268 return (error);
269 #else
270 return (ENOSYS);
271 #endif
272 }
273
274 int
275 pre_execve(struct thread *td, struct vmspace **oldvmspace)
276 {
277 struct proc *p;
278 int error;
279
280 KASSERT(td == curthread, ("non-current thread %p", td));
281 error = 0;
282 p = td->td_proc;
283 if ((p->p_flag & P_HADTHREADS) != 0) {
284 PROC_LOCK(p);
285 if (thread_single(p, SINGLE_BOUNDARY) != 0)
286 error = ERESTART;
287 PROC_UNLOCK(p);
288 }
289 KASSERT(error != 0 || (td->td_pflags & TDP_EXECVMSPC) == 0,
290 ("nested execve"));
291 *oldvmspace = p->p_vmspace;
292 return (error);
293 }
294
295 void
296 post_execve(struct thread *td, int error, struct vmspace *oldvmspace)
297 {
298 struct proc *p;
299
300 KASSERT(td == curthread, ("non-current thread %p", td));
301 p = td->td_proc;
302 if ((p->p_flag & P_HADTHREADS) != 0) {
303 PROC_LOCK(p);
304 /*
305 * If success, we upgrade to SINGLE_EXIT state to
306 * force other threads to suicide.
307 */
308 if (error == 0)
309 thread_single(p, SINGLE_EXIT);
310 else
311 thread_single_end(p, SINGLE_BOUNDARY);
312 PROC_UNLOCK(p);
313 }
314 if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
315 KASSERT(p->p_vmspace != oldvmspace,
316 ("oldvmspace still used"));
317 vmspace_free(oldvmspace);
318 td->td_pflags &= ~TDP_EXECVMSPC;
319 }
320 }
321
322 /*
323 * XXX: kern_execve has the astonishing property of not always returning to
324 * the caller. If sufficiently bad things happen during the call to
325 * do_execve(), it can end up calling exit1(); as a result, callers must
326 * avoid doing anything which they might need to undo (e.g., allocating
327 * memory).
328 */
329 int
330 kern_execve(struct thread *td, struct image_args *args, struct mac *mac_p)
331 {
332
333 AUDIT_ARG_ARGV(args->begin_argv, args->argc,
334 args->begin_envv - args->begin_argv);
335 AUDIT_ARG_ENVV(args->begin_envv, args->envc,
336 args->endp - args->begin_envv);
337 return (do_execve(td, args, mac_p));
338 }
339
340 /*
341 * In-kernel implementation of execve(). All arguments are assumed to be
342 * userspace pointers from the passed thread.
343 */
344 static int
345 do_execve(td, args, mac_p)
346 struct thread *td;
347 struct image_args *args;
348 struct mac *mac_p;
349 {
350 struct proc *p = td->td_proc;
351 struct nameidata nd;
352 struct ucred *newcred = NULL, *oldcred;
353 struct uidinfo *euip = NULL;
354 register_t *stack_base;
355 int error, i;
356 struct image_params image_params, *imgp;
357 struct vattr attr;
358 int (*img_first)(struct image_params *);
359 struct pargs *oldargs = NULL, *newargs = NULL;
360 struct sigacts *oldsigacts, *newsigacts;
361 #ifdef KTRACE
362 struct vnode *tracevp = NULL;
363 struct ucred *tracecred = NULL;
364 #endif
365 struct vnode *textvp = NULL, *binvp = NULL;
366 cap_rights_t rights;
367 int credential_changing;
368 int textset;
369 #ifdef MAC
370 struct label *interpvplabel = NULL;
371 int will_transition;
372 #endif
373 #ifdef HWPMC_HOOKS
374 struct pmckern_procexec pe;
375 #endif
376 static const char fexecv_proc_title[] = "(fexecv)";
377
378 imgp = &image_params;
379
380 /*
381 * Lock the process and set the P_INEXEC flag to indicate that
382 * it should be left alone until we're done here. This is
383 * necessary to avoid race conditions - e.g. in ptrace() -
384 * that might allow a local user to illicitly obtain elevated
385 * privileges.
386 */
387 PROC_LOCK(p);
388 KASSERT((p->p_flag & P_INEXEC) == 0,
389 ("%s(): process already has P_INEXEC flag", __func__));
390 p->p_flag |= P_INEXEC;
391 PROC_UNLOCK(p);
392
393 /*
394 * Initialize part of the common data
395 */
396 bzero(imgp, sizeof(*imgp));
397 imgp->proc = p;
398 imgp->attr = &attr;
399 imgp->args = args;
400
401 #ifdef MAC
402 error = mac_execve_enter(imgp, mac_p);
403 if (error)
404 goto exec_fail;
405 #endif
406
407 /*
408 * Translate the file name. namei() returns a vnode pointer
409 * in ni_vp amoung other things.
410 *
411 * XXXAUDIT: It would be desirable to also audit the name of the
412 * interpreter if this is an interpreted binary.
413 */
414 if (args->fname != NULL) {
415 NDINIT(&nd, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME
416 | AUDITVNODE1, UIO_SYSSPACE, args->fname, td);
417 }
418
419 SDT_PROBE(proc, kernel, , exec, args->fname, 0, 0, 0, 0 );
420
421 interpret:
422 if (args->fname != NULL) {
423 #ifdef CAPABILITY_MODE
424 /*
425 * While capability mode can't reach this point via direct
426 * path arguments to execve(), we also don't allow
427 * interpreters to be used in capability mode (for now).
428 * Catch indirect lookups and return a permissions error.
429 */
430 if (IN_CAPABILITY_MODE(td)) {
431 error = ECAPMODE;
432 goto exec_fail;
433 }
434 #endif
435 error = namei(&nd);
436 if (error)
437 goto exec_fail;
438
439 binvp = nd.ni_vp;
440 imgp->vp = binvp;
441 } else {
442 AUDIT_ARG_FD(args->fd);
443 /*
444 * Descriptors opened only with O_EXEC or O_RDONLY are allowed.
445 */
446 error = fgetvp_exec(td, args->fd,
447 cap_rights_init(&rights, CAP_FEXECVE), &binvp);
448 if (error)
449 goto exec_fail;
450 vn_lock(binvp, LK_EXCLUSIVE | LK_RETRY);
451 AUDIT_ARG_VNODE1(binvp);
452 imgp->vp = binvp;
453 }
454
455 /*
456 * Check file permissions (also 'opens' file)
457 */
458 error = exec_check_permissions(imgp);
459 if (error)
460 goto exec_fail_dealloc;
461
462 imgp->object = imgp->vp->v_object;
463 if (imgp->object != NULL)
464 vm_object_reference(imgp->object);
465
466 /*
467 * Set VV_TEXT now so no one can write to the executable while we're
468 * activating it.
469 *
470 * Remember if this was set before and unset it in case this is not
471 * actually an executable image.
472 */
473 textset = VOP_IS_TEXT(imgp->vp);
474 VOP_SET_TEXT(imgp->vp);
475
476 error = exec_map_first_page(imgp);
477 if (error)
478 goto exec_fail_dealloc;
479
480 imgp->proc->p_osrel = 0;
481 /*
482 * If the current process has a special image activator it
483 * wants to try first, call it. For example, emulating shell
484 * scripts differently.
485 */
486 error = -1;
487 if ((img_first = imgp->proc->p_sysent->sv_imgact_try) != NULL)
488 error = img_first(imgp);
489
490 /*
491 * Loop through the list of image activators, calling each one.
492 * An activator returns -1 if there is no match, 0 on success,
493 * and an error otherwise.
494 */
495 for (i = 0; error == -1 && execsw[i]; ++i) {
496 if (execsw[i]->ex_imgact == NULL ||
497 execsw[i]->ex_imgact == img_first) {
498 continue;
499 }
500 error = (*execsw[i]->ex_imgact)(imgp);
501 }
502
503 if (error) {
504 if (error == -1) {
505 if (textset == 0)
506 VOP_UNSET_TEXT(imgp->vp);
507 error = ENOEXEC;
508 }
509 goto exec_fail_dealloc;
510 }
511
512 /*
513 * Special interpreter operation, cleanup and loop up to try to
514 * activate the interpreter.
515 */
516 if (imgp->interpreted) {
517 exec_unmap_first_page(imgp);
518 /*
519 * VV_TEXT needs to be unset for scripts. There is a short
520 * period before we determine that something is a script where
521 * VV_TEXT will be set. The vnode lock is held over this
522 * entire period so nothing should illegitimately be blocked.
523 */
524 VOP_UNSET_TEXT(imgp->vp);
525 /* free name buffer and old vnode */
526 if (args->fname != NULL)
527 NDFREE(&nd, NDF_ONLY_PNBUF);
528 #ifdef MAC
529 mac_execve_interpreter_enter(binvp, &interpvplabel);
530 #endif
531 if (imgp->opened) {
532 VOP_CLOSE(binvp, FREAD, td->td_ucred, td);
533 imgp->opened = 0;
534 }
535 vput(binvp);
536 vm_object_deallocate(imgp->object);
537 imgp->object = NULL;
538 /* set new name to that of the interpreter */
539 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW | SAVENAME,
540 UIO_SYSSPACE, imgp->interpreter_name, td);
541 args->fname = imgp->interpreter_name;
542 goto interpret;
543 }
544
545 /*
546 * NB: We unlock the vnode here because it is believed that none
547 * of the sv_copyout_strings/sv_fixup operations require the vnode.
548 */
549 VOP_UNLOCK(imgp->vp, 0);
550
551 /*
552 * Do the best to calculate the full path to the image file.
553 */
554 if (imgp->auxargs != NULL &&
555 ((args->fname != NULL && args->fname[0] == '/') ||
556 vn_fullpath(td, imgp->vp, &imgp->execpath, &imgp->freepath) != 0))
557 imgp->execpath = args->fname;
558
559 if (disallow_high_osrel &&
560 P_OSREL_MAJOR(p->p_osrel) > P_OSREL_MAJOR(__FreeBSD_version)) {
561 error = ENOEXEC;
562 uprintf("Osrel %d for image %s too high\n", p->p_osrel,
563 imgp->execpath != NULL ? imgp->execpath : "<unresolved>");
564 vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
565 goto exec_fail_dealloc;
566 }
567
568 /*
569 * Copy out strings (args and env) and initialize stack base
570 */
571 if (p->p_sysent->sv_copyout_strings)
572 stack_base = (*p->p_sysent->sv_copyout_strings)(imgp);
573 else
574 stack_base = exec_copyout_strings(imgp);
575
576 /*
577 * If custom stack fixup routine present for this process
578 * let it do the stack setup.
579 * Else stuff argument count as first item on stack
580 */
581 if (p->p_sysent->sv_fixup != NULL)
582 (*p->p_sysent->sv_fixup)(&stack_base, imgp);
583 else
584 suword(--stack_base, imgp->args->argc);
585
586 /*
587 * For security and other reasons, the file descriptor table cannot
588 * be shared after an exec.
589 */
590 fdunshare(td);
591 /* close files on exec */
592 fdcloseexec(td);
593
594 /*
595 * Malloc things before we need locks.
596 */
597 i = imgp->args->begin_envv - imgp->args->begin_argv;
598 /* Cache arguments if they fit inside our allowance */
599 if (ps_arg_cache_limit >= i + sizeof(struct pargs)) {
600 newargs = pargs_alloc(i);
601 bcopy(imgp->args->begin_argv, newargs->ar_args, i);
602 }
603
604 vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
605
606 /* Get a reference to the vnode prior to locking the proc */
607 VREF(binvp);
608
609 /*
610 * For security and other reasons, signal handlers cannot
611 * be shared after an exec. The new process gets a copy of the old
612 * handlers. In execsigs(), the new process will have its signals
613 * reset.
614 */
615 if (sigacts_shared(p->p_sigacts)) {
616 oldsigacts = p->p_sigacts;
617 newsigacts = sigacts_alloc();
618 sigacts_copy(newsigacts, oldsigacts);
619 } else {
620 oldsigacts = NULL;
621 newsigacts = NULL; /* satisfy gcc */
622 }
623
624 PROC_LOCK(p);
625 if (oldsigacts)
626 p->p_sigacts = newsigacts;
627 oldcred = p->p_ucred;
628 /* Stop profiling */
629 stopprofclock(p);
630
631 /* reset caught signals */
632 execsigs(p);
633
634 /* name this process - nameiexec(p, ndp) */
635 bzero(p->p_comm, sizeof(p->p_comm));
636 if (args->fname)
637 bcopy(nd.ni_cnd.cn_nameptr, p->p_comm,
638 min(nd.ni_cnd.cn_namelen, MAXCOMLEN));
639 else if (vn_commname(binvp, p->p_comm, sizeof(p->p_comm)) != 0)
640 bcopy(fexecv_proc_title, p->p_comm, sizeof(fexecv_proc_title));
641 bcopy(p->p_comm, td->td_name, sizeof(td->td_name));
642 #ifdef KTR
643 sched_clear_tdname(td);
644 #endif
645
646 /*
647 * mark as execed, wakeup the process that vforked (if any) and tell
648 * it that it now has its own resources back
649 */
650 p->p_flag |= P_EXEC;
651 if ((p->p_flag2 & P2_NOTRACE_EXEC) == 0)
652 p->p_flag2 &= ~P2_NOTRACE;
653 if (p->p_flag & P_PPWAIT) {
654 p->p_flag &= ~(P_PPWAIT | P_PPTRACE);
655 cv_broadcast(&p->p_pwait);
656 }
657
658 /*
659 * Implement image setuid/setgid.
660 *
661 * Don't honor setuid/setgid if the filesystem prohibits it or if
662 * the process is being traced.
663 *
664 * We disable setuid/setgid/etc in compatibility mode on the basis
665 * that most setugid applications are not written with that
666 * environment in mind, and will therefore almost certainly operate
667 * incorrectly. In principle there's no reason that setugid
668 * applications might not be useful in capability mode, so we may want
669 * to reconsider this conservative design choice in the future.
670 *
671 * XXXMAC: For the time being, use NOSUID to also prohibit
672 * transitions on the file system.
673 */
674 credential_changing = 0;
675 credential_changing |= (attr.va_mode & S_ISUID) && oldcred->cr_uid !=
676 attr.va_uid;
677 credential_changing |= (attr.va_mode & S_ISGID) && oldcred->cr_gid !=
678 attr.va_gid;
679 #ifdef MAC
680 will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp,
681 interpvplabel, imgp);
682 credential_changing |= will_transition;
683 #endif
684
685 if (credential_changing &&
686 #ifdef CAPABILITY_MODE
687 ((oldcred->cr_flags & CRED_FLAG_CAPMODE) == 0) &&
688 #endif
689 (imgp->vp->v_mount->mnt_flag & MNT_NOSUID) == 0 &&
690 (p->p_flag & P_TRACED) == 0) {
691 /*
692 * Turn off syscall tracing for set-id programs, except for
693 * root. Record any set-id flags first to make sure that
694 * we do not regain any tracing during a possible block.
695 */
696 setsugid(p);
697
698 #ifdef KTRACE
699 if (p->p_tracecred != NULL &&
700 priv_check_cred(p->p_tracecred, PRIV_DEBUG_DIFFCRED, 0))
701 ktrprocexec(p, &tracecred, &tracevp);
702 #endif
703 /*
704 * Close any file descriptors 0..2 that reference procfs,
705 * then make sure file descriptors 0..2 are in use.
706 *
707 * setugidsafety() may call closef() and then pfind()
708 * which may grab the process lock.
709 * fdcheckstd() may call falloc() which may block to
710 * allocate memory, so temporarily drop the process lock.
711 */
712 PROC_UNLOCK(p);
713 VOP_UNLOCK(imgp->vp, 0);
714 setugidsafety(td);
715 error = fdcheckstd(td);
716 if (error != 0)
717 goto done1;
718 newcred = crdup(oldcred);
719 euip = uifind(attr.va_uid);
720 vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
721 PROC_LOCK(p);
722 /*
723 * Set the new credentials.
724 */
725 if (attr.va_mode & S_ISUID)
726 change_euid(newcred, euip);
727 if (attr.va_mode & S_ISGID)
728 change_egid(newcred, attr.va_gid);
729 #ifdef MAC
730 if (will_transition) {
731 mac_vnode_execve_transition(oldcred, newcred, imgp->vp,
732 interpvplabel, imgp);
733 }
734 #endif
735 /*
736 * Implement correct POSIX saved-id behavior.
737 *
738 * XXXMAC: Note that the current logic will save the
739 * uid and gid if a MAC domain transition occurs, even
740 * though maybe it shouldn't.
741 */
742 change_svuid(newcred, newcred->cr_uid);
743 change_svgid(newcred, newcred->cr_gid);
744 p->p_ucred = newcred;
745 } else {
746 if (oldcred->cr_uid == oldcred->cr_ruid &&
747 oldcred->cr_gid == oldcred->cr_rgid)
748 p->p_flag &= ~P_SUGID;
749 /*
750 * Implement correct POSIX saved-id behavior.
751 *
752 * XXX: It's not clear that the existing behavior is
753 * POSIX-compliant. A number of sources indicate that the
754 * saved uid/gid should only be updated if the new ruid is
755 * not equal to the old ruid, or the new euid is not equal
756 * to the old euid and the new euid is not equal to the old
757 * ruid. The FreeBSD code always updates the saved uid/gid.
758 * Also, this code uses the new (replaced) euid and egid as
759 * the source, which may or may not be the right ones to use.
760 */
761 if (oldcred->cr_svuid != oldcred->cr_uid ||
762 oldcred->cr_svgid != oldcred->cr_gid) {
763 PROC_UNLOCK(p);
764 VOP_UNLOCK(imgp->vp, 0);
765 newcred = crdup(oldcred);
766 vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
767 PROC_LOCK(p);
768 change_svuid(newcred, newcred->cr_uid);
769 change_svgid(newcred, newcred->cr_gid);
770 p->p_ucred = newcred;
771 }
772 }
773
774 /*
775 * Store the vp for use in procfs. This vnode was referenced prior
776 * to locking the proc lock.
777 */
778 textvp = p->p_textvp;
779 p->p_textvp = binvp;
780
781 #ifdef KDTRACE_HOOKS
782 /*
783 * Tell the DTrace fasttrap provider about the exec if it
784 * has declared an interest.
785 */
786 if (dtrace_fasttrap_exec)
787 dtrace_fasttrap_exec(p);
788 #endif
789
790 /*
791 * Notify others that we exec'd, and clear the P_INEXEC flag
792 * as we're now a bona fide freshly-execed process.
793 */
794 KNOTE_LOCKED(&p->p_klist, NOTE_EXEC);
795 p->p_flag &= ~P_INEXEC;
796
797 /* clear "fork but no exec" flag, as we _are_ execing */
798 p->p_acflag &= ~AFORK;
799
800 /*
801 * Free any previous argument cache and replace it with
802 * the new argument cache, if any.
803 */
804 oldargs = p->p_args;
805 p->p_args = newargs;
806 newargs = NULL;
807
808 #ifdef HWPMC_HOOKS
809 /*
810 * Check if system-wide sampling is in effect or if the
811 * current process is using PMCs. If so, do exec() time
812 * processing. This processing needs to happen AFTER the
813 * P_INEXEC flag is cleared.
814 *
815 * The proc lock needs to be released before taking the PMC
816 * SX.
817 */
818 if (PMC_SYSTEM_SAMPLING_ACTIVE() || PMC_PROC_IS_USING_PMCS(p)) {
819 PROC_UNLOCK(p);
820 VOP_UNLOCK(imgp->vp, 0);
821 pe.pm_credentialschanged = credential_changing;
822 pe.pm_entryaddr = imgp->entry_addr;
823
824 PMC_CALL_HOOK_X(td, PMC_FN_PROCESS_EXEC, (void *) &pe);
825 vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
826 } else
827 PROC_UNLOCK(p);
828 #else /* !HWPMC_HOOKS */
829 PROC_UNLOCK(p);
830 #endif
831
832 /* Set values passed into the program in registers. */
833 if (p->p_sysent->sv_setregs)
834 (*p->p_sysent->sv_setregs)(td, imgp,
835 (u_long)(uintptr_t)stack_base);
836 else
837 exec_setregs(td, imgp, (u_long)(uintptr_t)stack_base);
838
839 vfs_mark_atime(imgp->vp, td->td_ucred);
840
841 SDT_PROBE(proc, kernel, , exec__success, args->fname, 0, 0, 0, 0);
842
843 VOP_UNLOCK(imgp->vp, 0);
844 done1:
845 /*
846 * Free any resources malloc'd earlier that we didn't use.
847 */
848 if (euip != NULL)
849 uifree(euip);
850 if (newcred != NULL)
851 crfree(oldcred);
852
853 /*
854 * Handle deferred decrement of ref counts.
855 */
856 if (textvp != NULL)
857 vrele(textvp);
858 if (binvp && error != 0)
859 vrele(binvp);
860 #ifdef KTRACE
861 if (tracevp != NULL)
862 vrele(tracevp);
863 if (tracecred != NULL)
864 crfree(tracecred);
865 #endif
866 vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
867 pargs_drop(oldargs);
868 pargs_drop(newargs);
869 if (oldsigacts != NULL)
870 sigacts_free(oldsigacts);
871
872 exec_fail_dealloc:
873
874 /*
875 * free various allocated resources
876 */
877 if (imgp->firstpage != NULL)
878 exec_unmap_first_page(imgp);
879
880 if (imgp->vp != NULL) {
881 if (args->fname)
882 NDFREE(&nd, NDF_ONLY_PNBUF);
883 if (imgp->opened)
884 VOP_CLOSE(imgp->vp, FREAD, td->td_ucred, td);
885 vput(imgp->vp);
886 }
887
888 if (imgp->object != NULL)
889 vm_object_deallocate(imgp->object);
890
891 free(imgp->freepath, M_TEMP);
892
893 if (error == 0) {
894 PROC_LOCK(p);
895 td->td_dbgflags |= TDB_EXEC;
896 PROC_UNLOCK(p);
897
898 /*
899 * Stop the process here if its stop event mask has
900 * the S_EXEC bit set.
901 */
902 STOPEVENT(p, S_EXEC, 0);
903 goto done2;
904 }
905
906 exec_fail:
907 /* we're done here, clear P_INEXEC */
908 PROC_LOCK(p);
909 p->p_flag &= ~P_INEXEC;
910 PROC_UNLOCK(p);
911
912 SDT_PROBE(proc, kernel, , exec__failure, error, 0, 0, 0, 0);
913
914 done2:
915 #ifdef MAC
916 mac_execve_exit(imgp);
917 mac_execve_interpreter_exit(interpvplabel);
918 #endif
919 exec_free_args(args);
920
921 if (error && imgp->vmspace_destroyed) {
922 /* sorry, no more process anymore. exit gracefully */
923 exit1(td, W_EXITCODE(0, SIGABRT));
924 /* NOT REACHED */
925 }
926
927 #ifdef KTRACE
928 if (error == 0)
929 ktrprocctor(p);
930 #endif
931
932 return (error);
933 }
934
935 int
936 exec_map_first_page(imgp)
937 struct image_params *imgp;
938 {
939 int rv, i;
940 int initial_pagein;
941 vm_page_t ma[VM_INITIAL_PAGEIN];
942 vm_object_t object;
943
944 if (imgp->firstpage != NULL)
945 exec_unmap_first_page(imgp);
946
947 object = imgp->vp->v_object;
948 if (object == NULL)
949 return (EACCES);
950 VM_OBJECT_WLOCK(object);
951 #if VM_NRESERVLEVEL > 0
952 if ((object->flags & OBJ_COLORED) == 0) {
953 object->flags |= OBJ_COLORED;
954 object->pg_color = 0;
955 }
956 #endif
957 ma[0] = vm_page_grab(object, 0, VM_ALLOC_NORMAL);
958 if (ma[0]->valid != VM_PAGE_BITS_ALL) {
959 initial_pagein = VM_INITIAL_PAGEIN;
960 if (initial_pagein > object->size)
961 initial_pagein = object->size;
962 for (i = 1; i < initial_pagein; i++) {
963 if ((ma[i] = vm_page_next(ma[i - 1])) != NULL) {
964 if (ma[i]->valid)
965 break;
966 if (vm_page_tryxbusy(ma[i]))
967 break;
968 } else {
969 ma[i] = vm_page_alloc(object, i,
970 VM_ALLOC_NORMAL | VM_ALLOC_IFNOTCACHED);
971 if (ma[i] == NULL)
972 break;
973 }
974 }
975 initial_pagein = i;
976 rv = vm_pager_get_pages(object, ma, initial_pagein, 0);
977 ma[0] = vm_page_lookup(object, 0);
978 if ((rv != VM_PAGER_OK) || (ma[0] == NULL)) {
979 if (ma[0] != NULL) {
980 vm_page_lock(ma[0]);
981 vm_page_free(ma[0]);
982 vm_page_unlock(ma[0]);
983 }
984 VM_OBJECT_WUNLOCK(object);
985 return (EIO);
986 }
987 }
988 vm_page_xunbusy(ma[0]);
989 vm_page_lock(ma[0]);
990 vm_page_hold(ma[0]);
991 vm_page_activate(ma[0]);
992 vm_page_unlock(ma[0]);
993 VM_OBJECT_WUNLOCK(object);
994
995 imgp->firstpage = sf_buf_alloc(ma[0], 0);
996 imgp->image_header = (char *)sf_buf_kva(imgp->firstpage);
997
998 return (0);
999 }
1000
1001 void
1002 exec_unmap_first_page(imgp)
1003 struct image_params *imgp;
1004 {
1005 vm_page_t m;
1006
1007 if (imgp->firstpage != NULL) {
1008 m = sf_buf_page(imgp->firstpage);
1009 sf_buf_free(imgp->firstpage);
1010 imgp->firstpage = NULL;
1011 vm_page_lock(m);
1012 vm_page_unhold(m);
1013 vm_page_unlock(m);
1014 }
1015 }
1016
1017 /*
1018 * Destroy old address space, and allocate a new stack
1019 * The new stack is only SGROWSIZ large because it is grown
1020 * automatically in trap.c.
1021 */
1022 int
1023 exec_new_vmspace(imgp, sv)
1024 struct image_params *imgp;
1025 struct sysentvec *sv;
1026 {
1027 int error;
1028 struct proc *p = imgp->proc;
1029 struct vmspace *vmspace = p->p_vmspace;
1030 vm_object_t obj;
1031 struct rlimit rlim_stack;
1032 vm_offset_t sv_minuser, stack_addr;
1033 vm_map_t map;
1034 u_long ssiz;
1035
1036 imgp->vmspace_destroyed = 1;
1037 imgp->sysent = sv;
1038
1039 /* May be called with Giant held */
1040 EVENTHANDLER_INVOKE(process_exec, p, imgp);
1041
1042 /*
1043 * Blow away entire process VM, if address space not shared,
1044 * otherwise, create a new VM space so that other threads are
1045 * not disrupted
1046 */
1047 map = &vmspace->vm_map;
1048 if (map_at_zero)
1049 sv_minuser = sv->sv_minuser;
1050 else
1051 sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE);
1052 if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv_minuser &&
1053 vm_map_max(map) == sv->sv_maxuser) {
1054 shmexit(vmspace);
1055 pmap_remove_pages(vmspace_pmap(vmspace));
1056 vm_map_remove(map, vm_map_min(map), vm_map_max(map));
1057 } else {
1058 error = vmspace_exec(p, sv_minuser, sv->sv_maxuser);
1059 if (error)
1060 return (error);
1061 vmspace = p->p_vmspace;
1062 map = &vmspace->vm_map;
1063 }
1064
1065 /* Map a shared page */
1066 obj = sv->sv_shared_page_obj;
1067 if (obj != NULL) {
1068 vm_object_reference(obj);
1069 error = vm_map_fixed(map, obj, 0,
1070 sv->sv_shared_page_base, sv->sv_shared_page_len,
1071 VM_PROT_READ | VM_PROT_EXECUTE,
1072 VM_PROT_READ | VM_PROT_EXECUTE,
1073 MAP_INHERIT_SHARE | MAP_ACC_NO_CHARGE);
1074 if (error) {
1075 vm_object_deallocate(obj);
1076 return (error);
1077 }
1078 }
1079
1080 /* Allocate a new stack */
1081 if (imgp->stack_sz != 0) {
1082 ssiz = trunc_page(imgp->stack_sz);
1083 PROC_LOCK(p);
1084 lim_rlimit(p, RLIMIT_STACK, &rlim_stack);
1085 PROC_UNLOCK(p);
1086 if (ssiz > rlim_stack.rlim_max)
1087 ssiz = rlim_stack.rlim_max;
1088 if (ssiz > rlim_stack.rlim_cur) {
1089 rlim_stack.rlim_cur = ssiz;
1090 kern_setrlimit(curthread, RLIMIT_STACK, &rlim_stack);
1091 }
1092 } else if (sv->sv_maxssiz != NULL) {
1093 ssiz = *sv->sv_maxssiz;
1094 } else {
1095 ssiz = maxssiz;
1096 }
1097 stack_addr = sv->sv_usrstack - ssiz;
1098 error = vm_map_stack(map, stack_addr, (vm_size_t)ssiz,
1099 obj != NULL && imgp->stack_prot != 0 ? imgp->stack_prot :
1100 sv->sv_stackprot,
1101 VM_PROT_ALL, MAP_STACK_GROWS_DOWN);
1102 if (error)
1103 return (error);
1104
1105 #ifdef __ia64__
1106 /* Allocate a new register stack */
1107 stack_addr = IA64_BACKINGSTORE;
1108 error = vm_map_stack(map, stack_addr, (vm_size_t)ssiz,
1109 sv->sv_stackprot, VM_PROT_ALL, MAP_STACK_GROWS_UP);
1110 if (error)
1111 return (error);
1112 #endif
1113
1114 /* vm_ssize and vm_maxsaddr are somewhat antiquated concepts in the
1115 * VM_STACK case, but they are still used to monitor the size of the
1116 * process stack so we can check the stack rlimit.
1117 */
1118 vmspace->vm_ssize = sgrowsiz >> PAGE_SHIFT;
1119 vmspace->vm_maxsaddr = (char *)sv->sv_usrstack - ssiz;
1120
1121 return (0);
1122 }
1123
1124 /*
1125 * Copy out argument and environment strings from the old process address
1126 * space into the temporary string buffer.
1127 */
1128 int
1129 exec_copyin_args(struct image_args *args, char *fname,
1130 enum uio_seg segflg, char **argv, char **envv)
1131 {
1132 u_long argp, envp;
1133 int error;
1134 size_t length;
1135
1136 bzero(args, sizeof(*args));
1137 if (argv == NULL)
1138 return (EFAULT);
1139
1140 /*
1141 * Allocate demand-paged memory for the file name, argument, and
1142 * environment strings.
1143 */
1144 error = exec_alloc_args(args);
1145 if (error != 0)
1146 return (error);
1147
1148 /*
1149 * Copy the file name.
1150 */
1151 if (fname != NULL) {
1152 args->fname = args->buf;
1153 error = (segflg == UIO_SYSSPACE) ?
1154 copystr(fname, args->fname, PATH_MAX, &length) :
1155 copyinstr(fname, args->fname, PATH_MAX, &length);
1156 if (error != 0)
1157 goto err_exit;
1158 } else
1159 length = 0;
1160
1161 args->begin_argv = args->buf + length;
1162 args->endp = args->begin_argv;
1163 args->stringspace = ARG_MAX;
1164
1165 /*
1166 * extract arguments first
1167 */
1168 for (;;) {
1169 error = fueword(argv++, &argp);
1170 if (error == -1) {
1171 error = EFAULT;
1172 goto err_exit;
1173 }
1174 if (argp == 0)
1175 break;
1176 error = copyinstr((void *)(uintptr_t)argp, args->endp,
1177 args->stringspace, &length);
1178 if (error != 0) {
1179 if (error == ENAMETOOLONG)
1180 error = E2BIG;
1181 goto err_exit;
1182 }
1183 args->stringspace -= length;
1184 args->endp += length;
1185 args->argc++;
1186 }
1187
1188 args->begin_envv = args->endp;
1189
1190 /*
1191 * extract environment strings
1192 */
1193 if (envv) {
1194 for (;;) {
1195 error = fueword(envv++, &envp);
1196 if (error == -1) {
1197 error = EFAULT;
1198 goto err_exit;
1199 }
1200 if (envp == 0)
1201 break;
1202 error = copyinstr((void *)(uintptr_t)envp,
1203 args->endp, args->stringspace, &length);
1204 if (error != 0) {
1205 if (error == ENAMETOOLONG)
1206 error = E2BIG;
1207 goto err_exit;
1208 }
1209 args->stringspace -= length;
1210 args->endp += length;
1211 args->envc++;
1212 }
1213 }
1214
1215 return (0);
1216
1217 err_exit:
1218 exec_free_args(args);
1219 return (error);
1220 }
1221
1222 /*
1223 * Allocate temporary demand-paged, zero-filled memory for the file name,
1224 * argument, and environment strings. Returns zero if the allocation succeeds
1225 * and ENOMEM otherwise.
1226 */
1227 int
1228 exec_alloc_args(struct image_args *args)
1229 {
1230
1231 args->buf = (char *)kmap_alloc_wait(exec_map, PATH_MAX + ARG_MAX);
1232 return (args->buf != NULL ? 0 : ENOMEM);
1233 }
1234
1235 void
1236 exec_free_args(struct image_args *args)
1237 {
1238
1239 if (args->buf != NULL) {
1240 kmap_free_wakeup(exec_map, (vm_offset_t)args->buf,
1241 PATH_MAX + ARG_MAX);
1242 args->buf = NULL;
1243 }
1244 if (args->fname_buf != NULL) {
1245 free(args->fname_buf, M_TEMP);
1246 args->fname_buf = NULL;
1247 }
1248 }
1249
1250 /*
1251 * Copy strings out to the new process address space, constructing new arg
1252 * and env vector tables. Return a pointer to the base so that it can be used
1253 * as the initial stack pointer.
1254 */
1255 register_t *
1256 exec_copyout_strings(imgp)
1257 struct image_params *imgp;
1258 {
1259 int argc, envc;
1260 char **vectp;
1261 char *stringp;
1262 uintptr_t destp;
1263 register_t *stack_base;
1264 struct ps_strings *arginfo;
1265 struct proc *p;
1266 size_t execpath_len;
1267 int szsigcode, szps;
1268 char canary[sizeof(long) * 8];
1269
1270 szps = sizeof(pagesizes[0]) * MAXPAGESIZES;
1271 /*
1272 * Calculate string base and vector table pointers.
1273 * Also deal with signal trampoline code for this exec type.
1274 */
1275 if (imgp->execpath != NULL && imgp->auxargs != NULL)
1276 execpath_len = strlen(imgp->execpath) + 1;
1277 else
1278 execpath_len = 0;
1279 p = imgp->proc;
1280 szsigcode = 0;
1281 arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
1282 if (p->p_sysent->sv_sigcode_base == 0) {
1283 if (p->p_sysent->sv_szsigcode != NULL)
1284 szsigcode = *(p->p_sysent->sv_szsigcode);
1285 }
1286 destp = (uintptr_t)arginfo;
1287
1288 /*
1289 * install sigcode
1290 */
1291 if (szsigcode != 0) {
1292 destp -= szsigcode;
1293 destp = rounddown2(destp, sizeof(void *));
1294 copyout(p->p_sysent->sv_sigcode, (void *)destp, szsigcode);
1295 }
1296
1297 /*
1298 * Copy the image path for the rtld.
1299 */
1300 if (execpath_len != 0) {
1301 destp -= execpath_len;
1302 imgp->execpathp = destp;
1303 copyout(imgp->execpath, (void *)destp, execpath_len);
1304 }
1305
1306 /*
1307 * Prepare the canary for SSP.
1308 */
1309 arc4rand(canary, sizeof(canary), 0);
1310 destp -= sizeof(canary);
1311 imgp->canary = destp;
1312 copyout(canary, (void *)destp, sizeof(canary));
1313 imgp->canarylen = sizeof(canary);
1314
1315 /*
1316 * Prepare the pagesizes array.
1317 */
1318 destp -= szps;
1319 destp = rounddown2(destp, sizeof(void *));
1320 imgp->pagesizes = destp;
1321 copyout(pagesizes, (void *)destp, szps);
1322 imgp->pagesizeslen = szps;
1323
1324 destp -= ARG_MAX - imgp->args->stringspace;
1325 destp = rounddown2(destp, sizeof(void *));
1326
1327 /*
1328 * If we have a valid auxargs ptr, prepare some room
1329 * on the stack.
1330 */
1331 if (imgp->auxargs) {
1332 /*
1333 * 'AT_COUNT*2' is size for the ELF Auxargs data. This is for
1334 * lower compatibility.
1335 */
1336 imgp->auxarg_size = (imgp->auxarg_size) ? imgp->auxarg_size :
1337 (AT_COUNT * 2);
1338 /*
1339 * The '+ 2' is for the null pointers at the end of each of
1340 * the arg and env vector sets,and imgp->auxarg_size is room
1341 * for argument of Runtime loader.
1342 */
1343 vectp = (char **)(destp - (imgp->args->argc +
1344 imgp->args->envc + 2 + imgp->auxarg_size)
1345 * sizeof(char *));
1346 } else {
1347 /*
1348 * The '+ 2' is for the null pointers at the end of each of
1349 * the arg and env vector sets
1350 */
1351 vectp = (char **)(destp - (imgp->args->argc + imgp->args->envc
1352 + 2) * sizeof(char *));
1353 }
1354
1355 /*
1356 * vectp also becomes our initial stack base
1357 */
1358 stack_base = (register_t *)vectp;
1359
1360 stringp = imgp->args->begin_argv;
1361 argc = imgp->args->argc;
1362 envc = imgp->args->envc;
1363
1364 /*
1365 * Copy out strings - arguments and environment.
1366 */
1367 copyout(stringp, (void *)destp, ARG_MAX - imgp->args->stringspace);
1368
1369 /*
1370 * Fill in "ps_strings" struct for ps, w, etc.
1371 */
1372 suword(&arginfo->ps_argvstr, (long)(intptr_t)vectp);
1373 suword32(&arginfo->ps_nargvstr, argc);
1374
1375 /*
1376 * Fill in argument portion of vector table.
1377 */
1378 for (; argc > 0; --argc) {
1379 suword(vectp++, (long)(intptr_t)destp);
1380 while (*stringp++ != 0)
1381 destp++;
1382 destp++;
1383 }
1384
1385 /* a null vector table pointer separates the argp's from the envp's */
1386 suword(vectp++, 0);
1387
1388 suword(&arginfo->ps_envstr, (long)(intptr_t)vectp);
1389 suword32(&arginfo->ps_nenvstr, envc);
1390
1391 /*
1392 * Fill in environment portion of vector table.
1393 */
1394 for (; envc > 0; --envc) {
1395 suword(vectp++, (long)(intptr_t)destp);
1396 while (*stringp++ != 0)
1397 destp++;
1398 destp++;
1399 }
1400
1401 /* end of vector table is a null pointer */
1402 suword(vectp, 0);
1403
1404 return (stack_base);
1405 }
1406
1407 /*
1408 * Check permissions of file to execute.
1409 * Called with imgp->vp locked.
1410 * Return 0 for success or error code on failure.
1411 */
1412 int
1413 exec_check_permissions(imgp)
1414 struct image_params *imgp;
1415 {
1416 struct vnode *vp = imgp->vp;
1417 struct vattr *attr = imgp->attr;
1418 struct thread *td;
1419 int error, writecount;
1420
1421 td = curthread;
1422
1423 /* Get file attributes */
1424 error = VOP_GETATTR(vp, attr, td->td_ucred);
1425 if (error)
1426 return (error);
1427
1428 #ifdef MAC
1429 error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
1430 if (error)
1431 return (error);
1432 #endif
1433
1434 /*
1435 * 1) Check if file execution is disabled for the filesystem that
1436 * this file resides on.
1437 * 2) Ensure that at least one execute bit is on. Otherwise, a
1438 * privileged user will always succeed, and we don't want this
1439 * to happen unless the file really is executable.
1440 * 3) Ensure that the file is a regular file.
1441 */
1442 if ((vp->v_mount->mnt_flag & MNT_NOEXEC) ||
1443 (attr->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0 ||
1444 (attr->va_type != VREG))
1445 return (EACCES);
1446
1447 /*
1448 * Zero length files can't be exec'd
1449 */
1450 if (attr->va_size == 0)
1451 return (ENOEXEC);
1452
1453 /*
1454 * Check for execute permission to file based on current credentials.
1455 */
1456 error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);
1457 if (error)
1458 return (error);
1459
1460 /*
1461 * Check number of open-for-writes on the file and deny execution
1462 * if there are any.
1463 */
1464 error = VOP_GET_WRITECOUNT(vp, &writecount);
1465 if (error != 0)
1466 return (error);
1467 if (writecount != 0)
1468 return (ETXTBSY);
1469
1470 /*
1471 * Call filesystem specific open routine (which does nothing in the
1472 * general case).
1473 */
1474 error = VOP_OPEN(vp, FREAD, td->td_ucred, td, NULL);
1475 if (error == 0)
1476 imgp->opened = 1;
1477 return (error);
1478 }
1479
1480 /*
1481 * Exec handler registration
1482 */
1483 int
1484 exec_register(execsw_arg)
1485 const struct execsw *execsw_arg;
1486 {
1487 const struct execsw **es, **xs, **newexecsw;
1488 int count = 2; /* New slot and trailing NULL */
1489
1490 if (execsw)
1491 for (es = execsw; *es; es++)
1492 count++;
1493 newexecsw = malloc(count * sizeof(*es), M_TEMP, M_WAITOK);
1494 if (newexecsw == NULL)
1495 return (ENOMEM);
1496 xs = newexecsw;
1497 if (execsw)
1498 for (es = execsw; *es; es++)
1499 *xs++ = *es;
1500 *xs++ = execsw_arg;
1501 *xs = NULL;
1502 if (execsw)
1503 free(execsw, M_TEMP);
1504 execsw = newexecsw;
1505 return (0);
1506 }
1507
1508 int
1509 exec_unregister(execsw_arg)
1510 const struct execsw *execsw_arg;
1511 {
1512 const struct execsw **es, **xs, **newexecsw;
1513 int count = 1;
1514
1515 if (execsw == NULL)
1516 panic("unregister with no handlers left?\n");
1517
1518 for (es = execsw; *es; es++) {
1519 if (*es == execsw_arg)
1520 break;
1521 }
1522 if (*es == NULL)
1523 return (ENOENT);
1524 for (es = execsw; *es; es++)
1525 if (*es != execsw_arg)
1526 count++;
1527 newexecsw = malloc(count * sizeof(*es), M_TEMP, M_WAITOK);
1528 if (newexecsw == NULL)
1529 return (ENOMEM);
1530 xs = newexecsw;
1531 for (es = execsw; *es; es++)
1532 if (*es != execsw_arg)
1533 *xs++ = *es;
1534 *xs = NULL;
1535 if (execsw)
1536 free(execsw, M_TEMP);
1537 execsw = newexecsw;
1538 return (0);
1539 }
Cache object: 53d7784b35fe9d31eb517a843086da44
|