1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1988 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Copyright 2015, Joyent, Inc. All rights reserved.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72 #include <sys/random.h>
73
74 #include <c2/audit.h>
75
76 #include <vm/hat.h>
77 #include <vm/anon.h>
78 #include <vm/as.h>
79 #include <vm/seg.h>
80 #include <vm/seg_vn.h>
81
82 #define PRIV_RESET 0x01 /* needs to reset privs */
83 #define PRIV_SETID 0x02 /* needs to change uids */
84 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
85 #define PRIV_INCREASE 0x08 /* child runs with more privs */
86 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */
87 #define PRIV_FORCED 0x20 /* has forced privileges */
88
89 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
90 priv_set_t *, cred_t *, const char *);
91 static int hold_execsw(struct execsw *);
92
93 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
94 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */
95 #if defined(_SYSCALL32_IMPL)
96 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */
97 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */
98 #endif
99
100 #define PSUIDFLAGS (SNOCD|SUGID)
101 #define RANDOM_LEN 16 /* 16 bytes for AT_RANDOM aux entry */
102
103 /*
104 * exece() - system call wrapper around exec_common()
105 */
106 int
107 exece(const char *fname, const char **argp, const char **envp)
108 {
109 int error;
110
111 error = exec_common(fname, argp, envp, EBA_NONE);
112 return (error ? (set_errno(error)) : 0);
113 }
114
115 int
116 exec_common(const char *fname, const char **argp, const char **envp,
117 int brand_action)
118 {
119 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
120 proc_t *p = ttoproc(curthread);
121 klwp_t *lwp = ttolwp(curthread);
122 struct user *up = PTOU(p);
123 long execsz; /* temporary count of exec size */
124 int i;
125 int error;
126 char exec_file[MAXCOMLEN+1];
127 struct pathname pn;
128 struct pathname resolvepn;
129 struct uarg args;
130 struct execa ua;
131 k_sigset_t savedmask;
132 lwpdir_t *lwpdir = NULL;
133 tidhash_t *tidhash;
134 lwpdir_t *old_lwpdir = NULL;
135 uint_t old_lwpdir_sz;
136 tidhash_t *old_tidhash;
137 uint_t old_tidhash_sz;
138 ret_tidhash_t *ret_tidhash;
139 lwpent_t *lep;
140 boolean_t brandme = B_FALSE;
141
142 /*
143 * exec() is not supported for the /proc agent lwp.
144 */
145 if (curthread == p->p_agenttp)
146 return (ENOTSUP);
147
148 if (brand_action != EBA_NONE) {
149 /*
150 * Brand actions are not supported for processes that are not
151 * running in a branded zone.
152 */
153 if (!ZONE_IS_BRANDED(p->p_zone))
154 return (ENOTSUP);
155
156 if (brand_action == EBA_NATIVE) {
157 /* Only branded processes can be unbranded */
158 if (!PROC_IS_BRANDED(p))
159 return (ENOTSUP);
160 } else {
161 /* Only unbranded processes can be branded */
162 if (PROC_IS_BRANDED(p))
163 return (ENOTSUP);
164 brandme = B_TRUE;
165 }
166 } else {
167 /*
168 * If this is a native zone, or if the process is already
169 * branded, then we don't need to do anything. If this is
170 * a native process in a branded zone, we need to brand the
171 * process as it exec()s the new binary.
172 */
173 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
174 brandme = B_TRUE;
175 }
176
177 /*
178 * Inform /proc that an exec() has started.
179 * Hold signals that are ignored by default so that we will
180 * not be interrupted by a signal that will be ignored after
181 * successful completion of gexec().
182 */
183 mutex_enter(&p->p_lock);
184 prexecstart();
185 schedctl_finish_sigblock(curthread);
186 savedmask = curthread->t_hold;
187 sigorset(&curthread->t_hold, &ignoredefault);
188 mutex_exit(&p->p_lock);
189
190 /*
191 * Look up path name and remember last component for later.
192 * To help coreadm expand its %d token, we attempt to save
193 * the directory containing the executable in p_execdir. The
194 * first call to lookuppn() may fail and return EINVAL because
195 * dirvpp is non-NULL. In that case, we make a second call to
196 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
197 * but coreadm is allowed to expand %d to the empty string and
198 * there are other cases in which that failure may occur.
199 */
200 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
201 goto out;
202 pn_alloc(&resolvepn);
203 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
204 pn_free(&resolvepn);
205 pn_free(&pn);
206 if (error != EINVAL)
207 goto out;
208
209 dir = NULL;
210 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
211 goto out;
212 pn_alloc(&resolvepn);
213 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
214 &vp)) != 0) {
215 pn_free(&resolvepn);
216 pn_free(&pn);
217 goto out;
218 }
219 }
220 if (vp == NULL) {
221 if (dir != NULL)
222 VN_RELE(dir);
223 error = ENOENT;
224 pn_free(&resolvepn);
225 pn_free(&pn);
226 goto out;
227 }
228
229 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
230 if (dir != NULL)
231 VN_RELE(dir);
232 pn_free(&resolvepn);
233 pn_free(&pn);
234 VN_RELE(vp);
235 goto out;
236 }
237
238 /*
239 * We do not allow executing files in attribute directories.
240 * We test this by determining whether the resolved path
241 * contains a "/" when we're in an attribute directory;
242 * only if the pathname does not contain a "/" the resolved path
243 * points to a file in the current working (attribute) directory.
244 */
245 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
246 strchr(resolvepn.pn_path, '/') == NULL) {
247 if (dir != NULL)
248 VN_RELE(dir);
249 error = EACCES;
250 pn_free(&resolvepn);
251 pn_free(&pn);
252 VN_RELE(vp);
253 goto out;
254 }
255
256 bzero(exec_file, MAXCOMLEN+1);
257 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
258 bzero(&args, sizeof (args));
259 args.pathname = resolvepn.pn_path;
260 /* don't free resolvepn until we are done with args */
261 pn_free(&pn);
262
263 /*
264 * If we're running in a profile shell, then call pfexecd.
265 */
266 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
267 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
268 &args.scrubenv);
269
270 /* Returning errno in case we're not allowed to execute. */
271 if (error > 0) {
272 if (dir != NULL)
273 VN_RELE(dir);
274 pn_free(&resolvepn);
275 VN_RELE(vp);
276 goto out;
277 }
278
279 /* Don't change the credentials when using old ptrace. */
280 if (args.pfcred != NULL &&
281 (p->p_proc_flag & P_PR_PTRACE) != 0) {
282 crfree(args.pfcred);
283 args.pfcred = NULL;
284 args.scrubenv = B_FALSE;
285 }
286 }
287
288 /*
289 * Specific exec handlers, or policies determined via
290 * /etc/system may override the historical default.
291 */
292 args.stk_prot = PROT_ZFOD;
293 args.dat_prot = PROT_ZFOD;
294
295 CPU_STATS_ADD_K(sys, sysexec, 1);
296 DTRACE_PROC1(exec, char *, args.pathname);
297
298 ua.fname = fname;
299 ua.argp = argp;
300 ua.envp = envp;
301
302 /* If necessary, brand this process/lwp before we start the exec. */
303 if (brandme) {
304 void *brand_data = NULL;
305
306 /*
307 * Process branding may fail if multiple LWPs are present and
308 * holdlwps() cannot complete successfully.
309 */
310 error = brand_setbrand(p, B_TRUE);
311
312 if (error == 0 && BROP(p)->b_lwpdata_alloc != NULL) {
313 brand_data = BROP(p)->b_lwpdata_alloc(p);
314 if (brand_data == NULL) {
315 error = 1;
316 }
317 }
318
319 if (error == 0) {
320 mutex_enter(&p->p_lock);
321 BROP(p)->b_initlwp(lwp, brand_data);
322 mutex_exit(&p->p_lock);
323 } else {
324 VN_RELE(vp);
325 if (dir != NULL) {
326 VN_RELE(dir);
327 }
328 pn_free(&resolvepn);
329 goto fail;
330 }
331 }
332
333 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
334 exec_file, p->p_cred, &brand_action)) != 0) {
335 if (brandme) {
336 BROP(p)->b_freelwp(lwp);
337 brand_clearbrand(p, B_TRUE);
338 }
339 VN_RELE(vp);
340 if (dir != NULL)
341 VN_RELE(dir);
342 pn_free(&resolvepn);
343 goto fail;
344 }
345
346 /*
347 * Free floating point registers (sun4u only)
348 */
349 ASSERT(lwp != NULL);
350 lwp_freeregs(lwp, 1);
351
352 /*
353 * Free thread and process context ops.
354 */
355 if (curthread->t_ctx)
356 freectx(curthread, 1);
357 if (p->p_pctx)
358 freepctx(p, 1);
359
360 /*
361 * Remember file name for accounting; clear any cached DTrace predicate.
362 */
363 up->u_acflag &= ~AFORK;
364 bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
365 curthread->t_predcache = NULL;
366
367 /*
368 * Clear contract template state
369 */
370 lwp_ctmpl_clear(lwp, B_TRUE);
371
372 /*
373 * Save the directory in which we found the executable for expanding
374 * the %d token used in core file patterns.
375 */
376 mutex_enter(&p->p_lock);
377 tmpvp = p->p_execdir;
378 p->p_execdir = dir;
379 if (p->p_execdir != NULL)
380 VN_HOLD(p->p_execdir);
381 mutex_exit(&p->p_lock);
382
383 if (tmpvp != NULL)
384 VN_RELE(tmpvp);
385
386 /*
387 * Reset stack state to the user stack, clear set of signals
388 * caught on the signal stack, and reset list of signals that
389 * restart system calls; the new program's environment should
390 * not be affected by detritus from the old program. Any
391 * pending held signals remain held, so don't clear t_hold.
392 */
393 mutex_enter(&p->p_lock);
394 DTRACE_PROBE3(oldcontext__set, klwp_t *, lwp,
395 uintptr_t, lwp->lwp_oldcontext, uintptr_t, 0);
396 lwp->lwp_oldcontext = 0;
397 lwp->lwp_ustack = 0;
398 lwp->lwp_old_stk_ctl = 0;
399 sigemptyset(&up->u_signodefer);
400 sigemptyset(&up->u_sigonstack);
401 sigemptyset(&up->u_sigresethand);
402 lwp->lwp_sigaltstack.ss_sp = 0;
403 lwp->lwp_sigaltstack.ss_size = 0;
404 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
405
406 /*
407 * Make saved resource limit == current resource limit.
408 */
409 for (i = 0; i < RLIM_NLIMITS; i++) {
410 /*CONSTCOND*/
411 if (RLIM_SAVED(i)) {
412 (void) rctl_rlimit_get(rctlproc_legacy[i], p,
413 &up->u_saved_rlimit[i]);
414 }
415 }
416
417 /*
418 * If the action was to catch the signal, then the action
419 * must be reset to SIG_DFL.
420 */
421 sigdefault(p);
422 p->p_flag &= ~(SNOWAIT|SJCTL);
423 p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
424 up->u_signal[SIGCLD - 1] = SIG_DFL;
425
426 /*
427 * Delete the dot4 sigqueues/signotifies.
428 */
429 sigqfree(p);
430
431 mutex_exit(&p->p_lock);
432
433 mutex_enter(&p->p_pflock);
434 p->p_prof.pr_base = NULL;
435 p->p_prof.pr_size = 0;
436 p->p_prof.pr_off = 0;
437 p->p_prof.pr_scale = 0;
438 p->p_prof.pr_samples = 0;
439 mutex_exit(&p->p_pflock);
440
441 ASSERT(curthread->t_schedctl == NULL);
442
443 #if defined(__sparc)
444 if (p->p_utraps != NULL)
445 utrap_free(p);
446 #endif /* __sparc */
447
448 /*
449 * Close all close-on-exec files.
450 */
451 close_exec(P_FINFO(p));
452 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
453
454 /* Unbrand ourself if necessary. */
455 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE)) {
456 BROP(p)->b_freelwp(lwp);
457 brand_clearbrand(p, B_FALSE);
458 }
459
460 setregs(&args);
461
462 /* Mark this as an executable vnode */
463 mutex_enter(&vp->v_lock);
464 vp->v_flag |= VVMEXEC;
465 mutex_exit(&vp->v_lock);
466
467 VN_RELE(vp);
468 if (dir != NULL)
469 VN_RELE(dir);
470 pn_free(&resolvepn);
471
472 /*
473 * Allocate a new lwp directory and lwpid hash table if necessary.
474 */
475 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
476 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
477 lwpdir->ld_next = lwpdir + 1;
478 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
479 if (p->p_lwpdir != NULL)
480 lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
481 else
482 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
483 }
484
485 if (PROC_IS_BRANDED(p))
486 BROP(p)->b_exec();
487
488 mutex_enter(&p->p_lock);
489 prbarrier(p);
490
491 /*
492 * Reset lwp id to the default value of 1.
493 * This is a single-threaded process now
494 * and lwp #1 is lwp_wait()able by default.
495 * The t_unpark flag should not be inherited.
496 */
497 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
498 curthread->t_tid = 1;
499 kpreempt_disable();
500 ASSERT(curthread->t_lpl != NULL);
501 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
502 kpreempt_enable();
503 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
504 lgrp_update_trthr_migrations(1);
505 }
506 curthread->t_unpark = 0;
507 curthread->t_proc_flag |= TP_TWAIT;
508 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */
509 p->p_lwpdaemon = 0; /* but oh well ... */
510 p->p_lwpid = 1;
511
512 /*
513 * Install the newly-allocated lwp directory and lwpid hash table
514 * and insert the current thread into the new hash table.
515 */
516 if (lwpdir != NULL) {
517 old_lwpdir = p->p_lwpdir;
518 old_lwpdir_sz = p->p_lwpdir_sz;
519 old_tidhash = p->p_tidhash;
520 old_tidhash_sz = p->p_tidhash_sz;
521 p->p_lwpdir = p->p_lwpfree = lwpdir;
522 p->p_lwpdir_sz = 2;
523 lep->le_thread = curthread;
524 lep->le_lwpid = curthread->t_tid;
525 lep->le_start = curthread->t_start;
526 lwp_hash_in(p, lep, tidhash, 2, 0);
527 p->p_tidhash = tidhash;
528 p->p_tidhash_sz = 2;
529 }
530 ret_tidhash = p->p_ret_tidhash;
531 p->p_ret_tidhash = NULL;
532
533 /*
534 * Restore the saved signal mask and
535 * inform /proc that the exec() has finished.
536 */
537 curthread->t_hold = savedmask;
538 prexecend();
539 mutex_exit(&p->p_lock);
540 if (old_lwpdir) {
541 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
542 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
543 }
544 while (ret_tidhash != NULL) {
545 ret_tidhash_t *next = ret_tidhash->rth_next;
546 kmem_free(ret_tidhash->rth_tidhash,
547 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
548 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
549 ret_tidhash = next;
550 }
551
552 ASSERT(error == 0);
553 DTRACE_PROC(exec__success);
554 return (0);
555
556 fail:
557 DTRACE_PROC1(exec__failure, int, error);
558 out: /* error return */
559 mutex_enter(&p->p_lock);
560 curthread->t_hold = savedmask;
561 prexecend();
562 mutex_exit(&p->p_lock);
563 ASSERT(error != 0);
564 return (error);
565 }
566
567
568 /*
569 * Perform generic exec duties and switchout to object-file specific
570 * handler.
571 */
572 int
573 gexec(
574 struct vnode **vpp,
575 struct execa *uap,
576 struct uarg *args,
577 struct intpdata *idatap,
578 int level,
579 long *execsz,
580 caddr_t exec_file,
581 struct cred *cred,
582 int *brand_action)
583 {
584 struct vnode *vp, *execvp = NULL;
585 proc_t *pp = ttoproc(curthread);
586 struct execsw *eswp;
587 int error = 0;
588 int suidflags = 0;
589 ssize_t resid;
590 uid_t uid, gid;
591 struct vattr vattr;
592 char magbuf[MAGIC_BYTES];
593 int setid;
594 cred_t *oldcred, *newcred = NULL;
595 int privflags = 0;
596 int setidfl;
597 priv_set_t fset;
598
599 /*
600 * If the SNOCD or SUGID flag is set, turn it off and remember the
601 * previous setting so we can restore it if we encounter an error.
602 */
603 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
604 mutex_enter(&pp->p_lock);
605 suidflags = pp->p_flag & PSUIDFLAGS;
606 pp->p_flag &= ~PSUIDFLAGS;
607 mutex_exit(&pp->p_lock);
608 }
609
610 if ((error = execpermissions(*vpp, &vattr, args)) != 0)
611 goto bad_noclose;
612
613 /* need to open vnode for stateful file systems */
614 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
615 goto bad_noclose;
616 vp = *vpp;
617
618 /*
619 * Note: to support binary compatibility with SunOS a.out
620 * executables, we read in the first four bytes, as the
621 * magic number is in bytes 2-3.
622 */
623 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
624 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
625 goto bad;
626 if (resid != 0)
627 goto bad;
628
629 if ((eswp = findexec_by_hdr(magbuf)) == NULL)
630 goto bad;
631
632 if (level == 0 &&
633 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
634 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
635
636 /* Pfcred is a credential with a ref count of 1 */
637
638 if (args->pfcred != NULL) {
639 privflags |= PRIV_INCREASE|PRIV_RESET;
640 newcred = cred = args->pfcred;
641 } else {
642 newcred = cred = crdup(cred);
643 }
644
645 /* If we can, drop the PA bit */
646 if ((privflags & PRIV_RESET) != 0)
647 priv_adjust_PA(cred);
648
649 if (privflags & PRIV_SETID) {
650 cred->cr_uid = uid;
651 cred->cr_gid = gid;
652 cred->cr_suid = uid;
653 cred->cr_sgid = gid;
654 }
655
656 if (privflags & MAC_FLAGS) {
657 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
658 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
659 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
660 }
661
662 /*
663 * Implement the privilege updates:
664 *
665 * Restrict with L:
666 *
667 * I' = I & L
668 *
669 * E' = P' = (I' + F) & A
670 *
671 * But if running under ptrace, we cap I and F with P.
672 */
673 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
674 if ((privflags & PRIV_INCREASE) != 0 &&
675 (pp->p_proc_flag & P_PR_PTRACE) != 0) {
676 priv_intersect(&CR_OPPRIV(cred),
677 &CR_IPRIV(cred));
678 priv_intersect(&CR_OPPRIV(cred), &fset);
679 }
680 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
681 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
682 if (privflags & PRIV_FORCED) {
683 priv_set_PA(cred);
684 priv_union(&fset, &CR_EPRIV(cred));
685 priv_union(&fset, &CR_PPRIV(cred));
686 }
687 priv_adjust_PA(cred);
688 }
689 } else if (level == 0 && args->pfcred != NULL) {
690 newcred = cred = args->pfcred;
691 privflags |= PRIV_INCREASE;
692 /* pfcred is not forced to adhere to these settings */
693 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
694 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
695 priv_adjust_PA(cred);
696 }
697
698 /* SunOS 4.x buy-back */
699 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
700 (vattr.va_mode & (VSUID|VSGID))) {
701 char path[MAXNAMELEN];
702 refstr_t *mntpt = NULL;
703 int ret = -1;
704
705 bzero(path, sizeof (path));
706 zone_hold(pp->p_zone);
707
708 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
709 sizeof (path), cred);
710
711 /* fallback to mountpoint if a path can't be found */
712 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
713 mntpt = vfs_getmntpoint(vp->v_vfsp);
714
715 if (mntpt == NULL)
716 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
717 "!uid %d: setuid execution not allowed, "
718 "file=%s", cred->cr_uid, path);
719 else
720 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
721 "!uid %d: setuid execution not allowed, "
722 "fs=%s, file=%s", cred->cr_uid,
723 ZONE_PATH_TRANSLATE(refstr_value(mntpt),
724 pp->p_zone), exec_file);
725
726 if (!INGLOBALZONE(pp)) {
727 /* zone_rootpath always has trailing / */
728 if (mntpt == NULL)
729 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
730 "setuid execution not allowed, file=%s%s",
731 pp->p_zone->zone_name, cred->cr_uid,
732 pp->p_zone->zone_rootpath, path + 1);
733 else
734 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
735 "setuid execution not allowed, fs=%s, "
736 "file=%s", pp->p_zone->zone_name,
737 cred->cr_uid, refstr_value(mntpt),
738 exec_file);
739 }
740
741 if (mntpt != NULL)
742 refstr_rele(mntpt);
743
744 zone_rele(pp->p_zone);
745 }
746
747 /*
748 * execsetid() told us whether or not we had to change the
749 * credentials of the process. In privflags, it told us
750 * whether we gained any privileges or executed a set-uid executable.
751 */
752 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
753
754 /*
755 * Use /etc/system variable to determine if the stack
756 * should be marked as executable by default.
757 */
758 if (noexec_user_stack)
759 args->stk_prot &= ~PROT_EXEC;
760
761 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
762 args->ex_vp = vp;
763
764 /*
765 * Traditionally, the setid flags told the sub processes whether
766 * the file just executed was set-uid or set-gid; this caused
767 * some confusion as the 'setid' flag did not match the SUGID
768 * process flag which is only set when the uids/gids do not match.
769 * A script set-gid/set-uid to the real uid/gid would start with
770 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
771 * Now we flag those cases where the calling process cannot
772 * be trusted to influence the newly exec'ed process, either
773 * because it runs with more privileges or when the uids/gids
774 * do in fact not match.
775 * This also makes the runtime linker agree with the on exec
776 * values of SNOCD and SUGID.
777 */
778 setidfl = 0;
779 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
780 !supgroupmember(cred->cr_gid, cred))) {
781 setidfl |= EXECSETID_UGIDS;
782 }
783 if (setid & PRIV_SETUGID)
784 setidfl |= EXECSETID_SETID;
785 if (setid & PRIV_FORCED)
786 setidfl |= EXECSETID_PRIVS;
787
788 execvp = pp->p_exec;
789 if (execvp)
790 VN_HOLD(execvp);
791
792 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
793 setidfl, exec_file, cred, brand_action);
794 rw_exit(eswp->exec_lock);
795 if (error != 0) {
796 if (execvp)
797 VN_RELE(execvp);
798 /*
799 * If this process's p_exec has been set to the vp of
800 * the executable by exec_func, we will return without
801 * calling VOP_CLOSE because proc_exit will close it
802 * on exit.
803 */
804 if (pp->p_exec == vp)
805 goto bad_noclose;
806 else
807 goto bad;
808 }
809
810 if (level == 0) {
811 uid_t oruid;
812
813 if (execvp != NULL) {
814 /*
815 * Close the previous executable only if we are
816 * at level 0.
817 */
818 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
819 cred, NULL);
820 }
821
822 mutex_enter(&pp->p_crlock);
823
824 oruid = pp->p_cred->cr_ruid;
825
826 if (newcred != NULL) {
827 /*
828 * Free the old credentials, and set the new ones.
829 * Do this for both the process and the (single) thread.
830 */
831 crfree(pp->p_cred);
832 pp->p_cred = cred; /* cred already held for proc */
833 crhold(cred); /* hold new cred for thread */
834 /*
835 * DTrace accesses t_cred in probe context. t_cred
836 * must always be either NULL, or point to a valid,
837 * allocated cred structure.
838 */
839 oldcred = curthread->t_cred;
840 curthread->t_cred = cred;
841 crfree(oldcred);
842
843 if (priv_basic_test >= 0 &&
844 !PRIV_ISASSERT(&CR_IPRIV(newcred),
845 priv_basic_test)) {
846 pid_t pid = pp->p_pid;
847 char *fn = PTOU(pp)->u_comm;
848
849 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
850 "privilege removed from E/I", fn, pid);
851 }
852 }
853 /*
854 * On emerging from a successful exec(), the saved
855 * uid and gid equal the effective uid and gid.
856 */
857 cred->cr_suid = cred->cr_uid;
858 cred->cr_sgid = cred->cr_gid;
859
860 /*
861 * If the real and effective ids do not match, this
862 * is a setuid process that should not dump core.
863 * The group comparison is tricky; we prevent the code
864 * from flagging SNOCD when executing with an effective gid
865 * which is a supplementary group.
866 */
867 if (cred->cr_ruid != cred->cr_uid ||
868 (cred->cr_rgid != cred->cr_gid &&
869 !supgroupmember(cred->cr_gid, cred)) ||
870 (privflags & PRIV_INCREASE) != 0)
871 suidflags = PSUIDFLAGS;
872 else
873 suidflags = 0;
874
875 mutex_exit(&pp->p_crlock);
876 if (newcred != NULL && oruid != newcred->cr_ruid) {
877 /* Note that the process remains in the same zone. */
878 mutex_enter(&pidlock);
879 upcount_dec(oruid, crgetzoneid(newcred));
880 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
881 mutex_exit(&pidlock);
882 }
883 if (suidflags) {
884 mutex_enter(&pp->p_lock);
885 pp->p_flag |= suidflags;
886 mutex_exit(&pp->p_lock);
887 }
888 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
889 /*
890 * If process is traced via /proc, arrange to
891 * invalidate the associated /proc vnode.
892 */
893 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
894 args->traceinval = 1;
895 }
896
897 /*
898 * If legacy ptrace is enabled, generate the SIGTRAP.
899 */
900 if (pp->p_proc_flag & P_PR_PTRACE) {
901 psignal(pp, SIGTRAP);
902 }
903
904 if (args->traceinval)
905 prinvalidate(&pp->p_user);
906 }
907 if (execvp)
908 VN_RELE(execvp);
909 return (0);
910
911 bad:
912 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
913
914 bad_noclose:
915 if (newcred != NULL)
916 crfree(newcred);
917 if (error == 0)
918 error = ENOEXEC;
919
920 if (suidflags) {
921 mutex_enter(&pp->p_lock);
922 pp->p_flag |= suidflags;
923 mutex_exit(&pp->p_lock);
924 }
925 return (error);
926 }
927
928 extern char *execswnames[];
929
930 struct execsw *
931 allocate_execsw(char *name, char *magic, size_t magic_size)
932 {
933 int i, j;
934 char *ename;
935 char *magicp;
936
937 mutex_enter(&execsw_lock);
938 for (i = 0; i < nexectype; i++) {
939 if (execswnames[i] == NULL) {
940 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
941 (void) strcpy(ename, name);
942 execswnames[i] = ename;
943 /*
944 * Set the magic number last so that we
945 * don't need to hold the execsw_lock in
946 * findexectype().
947 */
948 magicp = kmem_alloc(magic_size, KM_SLEEP);
949 for (j = 0; j < magic_size; j++)
950 magicp[j] = magic[j];
951 execsw[i].exec_magic = magicp;
952 mutex_exit(&execsw_lock);
953 return (&execsw[i]);
954 }
955 }
956 mutex_exit(&execsw_lock);
957 return (NULL);
958 }
959
960 /*
961 * Find the exec switch table entry with the corresponding magic string.
962 */
963 struct execsw *
964 findexecsw(char *magic)
965 {
966 struct execsw *eswp;
967
968 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
969 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
970 if (magic && eswp->exec_maglen != 0 &&
971 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
972 return (eswp);
973 }
974 return (NULL);
975 }
976
977 /*
978 * Find the execsw[] index for the given exec header string by looking for the
979 * magic string at a specified offset and length for each kind of executable
980 * file format until one matches. If no execsw[] entry is found, try to
981 * autoload a module for this magic string.
982 */
983 struct execsw *
984 findexec_by_hdr(char *header)
985 {
986 struct execsw *eswp;
987
988 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
989 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
990 if (header && eswp->exec_maglen != 0 &&
991 bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
992 eswp->exec_maglen) == 0) {
993 if (hold_execsw(eswp) != 0)
994 return (NULL);
995 return (eswp);
996 }
997 }
998 return (NULL); /* couldn't find the type */
999 }
1000
1001 /*
1002 * Find the execsw[] index for the given magic string. If no execsw[] entry
1003 * is found, try to autoload a module for this magic string.
1004 */
1005 struct execsw *
1006 findexec_by_magic(char *magic)
1007 {
1008 struct execsw *eswp;
1009
1010 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
1011 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
1012 if (magic && eswp->exec_maglen != 0 &&
1013 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
1014 if (hold_execsw(eswp) != 0)
1015 return (NULL);
1016 return (eswp);
1017 }
1018 }
1019 return (NULL); /* couldn't find the type */
1020 }
1021
1022 static int
1023 hold_execsw(struct execsw *eswp)
1024 {
1025 char *name;
1026
1027 rw_enter(eswp->exec_lock, RW_READER);
1028 while (!LOADED_EXEC(eswp)) {
1029 rw_exit(eswp->exec_lock);
1030 name = execswnames[eswp-execsw];
1031 ASSERT(name);
1032 if (modload("exec", name) == -1)
1033 return (-1);
1034 rw_enter(eswp->exec_lock, RW_READER);
1035 }
1036 return (0);
1037 }
1038
1039 static int
1040 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1041 priv_set_t *fset, cred_t *cr, const char *pathname)
1042 {
1043 proc_t *pp = ttoproc(curthread);
1044 uid_t uid, gid;
1045 int privflags = 0;
1046
1047 /*
1048 * Remember credentials.
1049 */
1050 uid = cr->cr_uid;
1051 gid = cr->cr_gid;
1052
1053 /* Will try to reset the PRIV_AWARE bit later. */
1054 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1055 privflags |= PRIV_RESET;
1056
1057 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1058 /*
1059 * If it's a set-uid root program we perform the
1060 * forced privilege look-aside. This has three possible
1061 * outcomes:
1062 * no look aside information -> treat as before
1063 * look aside in Limit set -> apply forced privs
1064 * look aside not in Limit set -> ignore set-uid root
1065 *
1066 * Ordinary set-uid root execution only allowed if the limit
1067 * set holds all unsafe privileges.
1068 */
1069 if (vattrp->va_mode & VSUID) {
1070 if (vattrp->va_uid == 0) {
1071 int res = get_forced_privs(cr, pathname, fset);
1072
1073 switch (res) {
1074 case -1:
1075 if (priv_issubset(&priv_unsafe,
1076 &CR_LPRIV(cr))) {
1077 uid = vattrp->va_uid;
1078 privflags |= PRIV_SETUGID;
1079 }
1080 break;
1081 case 0:
1082 privflags |= PRIV_FORCED|PRIV_INCREASE;
1083 break;
1084 default:
1085 break;
1086 }
1087 } else {
1088 uid = vattrp->va_uid;
1089 privflags |= PRIV_SETUGID;
1090 }
1091 }
1092 if (vattrp->va_mode & VSGID) {
1093 gid = vattrp->va_gid;
1094 privflags |= PRIV_SETUGID;
1095 }
1096 }
1097
1098 /*
1099 * Do we need to change our credential anyway?
1100 * This is the case when E != I or P != I, as
1101 * we need to do the assignments (with F empty and A full)
1102 * Or when I is not a subset of L; in that case we need to
1103 * enforce L.
1104 *
1105 * I' = L & I
1106 *
1107 * E' = P' = (I' + F) & A
1108 * or
1109 * E' = P' = I'
1110 */
1111 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1112 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1113 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1114 privflags |= PRIV_RESET;
1115
1116 /* Child has more privileges than parent */
1117 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1118 privflags |= PRIV_INCREASE;
1119
1120 /* If MAC-aware flag(s) are on, need to update cred to remove. */
1121 if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1122 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1123 privflags |= MAC_FLAGS;
1124 /*
1125 * Set setuid/setgid protections if no ptrace() compatibility.
1126 * For privileged processes, honor setuid/setgid even in
1127 * the presence of ptrace() compatibility.
1128 */
1129 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1130 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1131 (cr->cr_uid != uid ||
1132 cr->cr_gid != gid ||
1133 cr->cr_suid != uid ||
1134 cr->cr_sgid != gid)) {
1135 *uidp = uid;
1136 *gidp = gid;
1137 privflags |= PRIV_SETID;
1138 }
1139 return (privflags);
1140 }
1141
1142 int
1143 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1144 {
1145 int error;
1146 proc_t *p = ttoproc(curthread);
1147
1148 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1149 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1150 return (error);
1151 /*
1152 * Check the access mode.
1153 * If VPROC, ask /proc if the file is an object file.
1154 */
1155 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1156 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1157 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1158 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1159 if (error == 0)
1160 error = EACCES;
1161 return (error);
1162 }
1163
1164 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1165 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1166 /*
1167 * If process is under ptrace(2) compatibility,
1168 * fail the exec(2).
1169 */
1170 if (p->p_proc_flag & P_PR_PTRACE)
1171 goto bad;
1172 /*
1173 * Process is traced via /proc.
1174 * Arrange to invalidate the /proc vnode.
1175 */
1176 args->traceinval = 1;
1177 }
1178 return (0);
1179 bad:
1180 if (error == 0)
1181 error = ENOEXEC;
1182 return (error);
1183 }
1184
1185 /*
1186 * Map a section of an executable file into the user's
1187 * address space.
1188 */
1189 int
1190 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1191 off_t offset, int prot, int page, uint_t szc)
1192 {
1193 int error = 0;
1194 off_t oldoffset;
1195 caddr_t zfodbase, oldaddr;
1196 size_t end, oldlen;
1197 size_t zfoddiff;
1198 label_t ljb;
1199 proc_t *p = ttoproc(curthread);
1200
1201 oldaddr = addr;
1202 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1203 if (len) {
1204 oldlen = len;
1205 len += ((size_t)oldaddr - (size_t)addr);
1206 oldoffset = offset;
1207 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1208 if (page) {
1209 spgcnt_t prefltmem, availm, npages;
1210 int preread;
1211 uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1212
1213 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1214 mflag |= MAP_TEXT;
1215 } else {
1216 mflag |= MAP_INITDATA;
1217 }
1218
1219 if (valid_usr_range(addr, len, prot, p->p_as,
1220 p->p_as->a_userlimit) != RANGE_OKAY) {
1221 error = ENOMEM;
1222 goto bad;
1223 }
1224 if (error = VOP_MAP(vp, (offset_t)offset,
1225 p->p_as, &addr, len, prot, PROT_ALL,
1226 mflag, CRED(), NULL))
1227 goto bad;
1228
1229 /*
1230 * If the segment can fit, then we prefault
1231 * the entire segment in. This is based on the
1232 * model that says the best working set of a
1233 * small program is all of its pages.
1234 */
1235 npages = (spgcnt_t)btopr(len);
1236 prefltmem = freemem - desfree;
1237 preread =
1238 (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1239
1240 /*
1241 * If we aren't prefaulting the segment,
1242 * increment "deficit", if necessary to ensure
1243 * that pages will become available when this
1244 * process starts executing.
1245 */
1246 availm = freemem - lotsfree;
1247 if (preread == 0 && npages > availm &&
1248 deficit < lotsfree) {
1249 deficit += MIN((pgcnt_t)(npages - availm),
1250 lotsfree - deficit);
1251 }
1252
1253 if (preread) {
1254 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1255 "execmap preread:freemem %d size %lu",
1256 freemem, len);
1257 (void) as_fault(p->p_as->a_hat, p->p_as,
1258 (caddr_t)addr, len, F_INVAL, S_READ);
1259 }
1260 } else {
1261 if (valid_usr_range(addr, len, prot, p->p_as,
1262 p->p_as->a_userlimit) != RANGE_OKAY) {
1263 error = ENOMEM;
1264 goto bad;
1265 }
1266
1267 if (error = as_map(p->p_as, addr, len,
1268 segvn_create, zfod_argsp))
1269 goto bad;
1270 /*
1271 * Read in the segment in one big chunk.
1272 */
1273 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1274 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1275 (rlim64_t)0, CRED(), (ssize_t *)0))
1276 goto bad;
1277 /*
1278 * Now set protections.
1279 */
1280 if (prot != PROT_ZFOD) {
1281 (void) as_setprot(p->p_as, (caddr_t)addr,
1282 len, prot);
1283 }
1284 }
1285 }
1286
1287 if (zfodlen) {
1288 struct as *as = curproc->p_as;
1289 struct seg *seg;
1290 uint_t zprot = 0;
1291
1292 end = (size_t)addr + len;
1293 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1294 zfoddiff = (uintptr_t)zfodbase - end;
1295 if (zfoddiff) {
1296 /*
1297 * Before we go to zero the remaining space on the last
1298 * page, make sure we have write permission.
1299 *
1300 * Normal illumos binaries don't even hit the case
1301 * where we have to change permission on the last page
1302 * since their protection is typically either
1303 * PROT_USER | PROT_WRITE | PROT_READ
1304 * or
1305 * PROT_ZFOD (same as PROT_ALL).
1306 *
1307 * We need to be careful how we zero-fill the last page
1308 * if the segment protection does not include
1309 * PROT_WRITE. Using as_setprot() can cause the VM
1310 * segment code to call segvn_vpage(), which must
1311 * allocate a page struct for each page in the segment.
1312 * If we have a very large segment, this may fail, so
1313 * we have to check for that, even though we ignore
1314 * other return values from as_setprot.
1315 */
1316
1317 AS_LOCK_ENTER(as, RW_READER);
1318 seg = as_segat(curproc->p_as, (caddr_t)end);
1319 if (seg != NULL)
1320 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1321 &zprot);
1322 AS_LOCK_EXIT(as);
1323
1324 if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1325 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1326 zprot | PROT_WRITE) == ENOMEM) {
1327 error = ENOMEM;
1328 goto bad;
1329 }
1330 }
1331
1332 if (on_fault(&ljb)) {
1333 no_fault();
1334 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1335 (void) as_setprot(as, (caddr_t)end,
1336 zfoddiff - 1, zprot);
1337 error = EFAULT;
1338 goto bad;
1339 }
1340 uzero((void *)end, zfoddiff);
1341 no_fault();
1342 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1343 (void) as_setprot(as, (caddr_t)end,
1344 zfoddiff - 1, zprot);
1345 }
1346 if (zfodlen > zfoddiff) {
1347 struct segvn_crargs crargs =
1348 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1349
1350 zfodlen -= zfoddiff;
1351 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1352 p->p_as->a_userlimit) != RANGE_OKAY) {
1353 error = ENOMEM;
1354 goto bad;
1355 }
1356 if (szc > 0) {
1357 /*
1358 * ASSERT alignment because the mapelfexec()
1359 * caller for the szc > 0 case extended zfod
1360 * so it's end is pgsz aligned.
1361 */
1362 size_t pgsz = page_get_pagesize(szc);
1363 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1364
1365 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1366 crargs.szc = szc;
1367 } else {
1368 crargs.szc = AS_MAP_HEAP;
1369 }
1370 } else {
1371 crargs.szc = AS_MAP_NO_LPOOB;
1372 }
1373 if (error = as_map(p->p_as, (caddr_t)zfodbase,
1374 zfodlen, segvn_create, &crargs))
1375 goto bad;
1376 if (prot != PROT_ZFOD) {
1377 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1378 zfodlen, prot);
1379 }
1380 }
1381 }
1382 return (0);
1383 bad:
1384 return (error);
1385 }
1386
1387 void
1388 setexecenv(struct execenv *ep)
1389 {
1390 proc_t *p = ttoproc(curthread);
1391 klwp_t *lwp = ttolwp(curthread);
1392 struct vnode *vp;
1393
1394 p->p_bssbase = ep->ex_bssbase;
1395 p->p_brkbase = ep->ex_brkbase;
1396 p->p_brksize = ep->ex_brksize;
1397 if (p->p_exec)
1398 VN_RELE(p->p_exec); /* out with the old */
1399 vp = p->p_exec = ep->ex_vp;
1400 if (vp != NULL)
1401 VN_HOLD(vp); /* in with the new */
1402
1403 lwp->lwp_sigaltstack.ss_sp = 0;
1404 lwp->lwp_sigaltstack.ss_size = 0;
1405 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1406 }
1407
1408 int
1409 execopen(struct vnode **vpp, int *fdp)
1410 {
1411 struct vnode *vp = *vpp;
1412 file_t *fp;
1413 int error = 0;
1414 int filemode = FREAD;
1415
1416 VN_HOLD(vp); /* open reference */
1417 if (error = falloc(NULL, filemode, &fp, fdp)) {
1418 VN_RELE(vp);
1419 *fdp = -1; /* just in case falloc changed value */
1420 return (error);
1421 }
1422 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1423 VN_RELE(vp);
1424 setf(*fdp, NULL);
1425 unfalloc(fp);
1426 *fdp = -1;
1427 return (error);
1428 }
1429 *vpp = vp; /* vnode should not have changed */
1430 fp->f_vnode = vp;
1431 mutex_exit(&fp->f_tlock);
1432 setf(*fdp, fp);
1433 return (0);
1434 }
1435
1436 int
1437 execclose(int fd)
1438 {
1439 return (closeandsetf(fd, NULL));
1440 }
1441
1442
1443 /*
1444 * noexec stub function.
1445 */
1446 /*ARGSUSED*/
1447 int
1448 noexec(
1449 struct vnode *vp,
1450 struct execa *uap,
1451 struct uarg *args,
1452 struct intpdata *idatap,
1453 int level,
1454 long *execsz,
1455 int setid,
1456 caddr_t exec_file,
1457 struct cred *cred)
1458 {
1459 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1460 return (ENOEXEC);
1461 }
1462
1463 /*
1464 * Support routines for building a user stack.
1465 *
1466 * execve(path, argv, envp) must construct a new stack with the specified
1467 * arguments and environment variables (see exec_args() for a description
1468 * of the user stack layout). To do this, we copy the arguments and
1469 * environment variables from the old user address space into the kernel,
1470 * free the old as, create the new as, and copy our buffered information
1471 * to the new stack. Our kernel buffer has the following structure:
1472 *
1473 * +-----------------------+ <--- stk_base + stk_size
1474 * | string offsets |
1475 * +-----------------------+ <--- stk_offp
1476 * | |
1477 * | STK_AVAIL() space |
1478 * | |
1479 * +-----------------------+ <--- stk_strp
1480 * | strings |
1481 * +-----------------------+ <--- stk_base
1482 *
1483 * When we add a string, we store the string's contents (including the null
1484 * terminator) at stk_strp, and we store the offset of the string relative to
1485 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1486 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1487 * the difference between these pointers. If we run out of space, we return
1488 * an error and exec_args() starts all over again with a buffer twice as large.
1489 * When we're all done, the kernel buffer looks like this:
1490 *
1491 * +-----------------------+ <--- stk_base + stk_size
1492 * | argv[0] offset |
1493 * +-----------------------+
1494 * | ... |
1495 * +-----------------------+
1496 * | argv[argc-1] offset |
1497 * +-----------------------+
1498 * | envp[0] offset |
1499 * +-----------------------+
1500 * | ... |
1501 * +-----------------------+
1502 * | envp[envc-1] offset |
1503 * +-----------------------+
1504 * | AT_SUN_PLATFORM offset|
1505 * +-----------------------+
1506 * | AT_SUN_EXECNAME offset|
1507 * +-----------------------+ <--- stk_offp
1508 * | |
1509 * | STK_AVAIL() space |
1510 * | |
1511 * +-----------------------+ <--- stk_strp
1512 * | AT_SUN_EXECNAME offset|
1513 * +-----------------------+
1514 * | AT_SUN_PLATFORM offset|
1515 * +-----------------------+
1516 * | envp[envc-1] string |
1517 * +-----------------------+
1518 * | ... |
1519 * +-----------------------+
1520 * | envp[0] string |
1521 * +-----------------------+
1522 * | argv[argc-1] string |
1523 * +-----------------------+
1524 * | ... |
1525 * +-----------------------+
1526 * | argv[0] string |
1527 * +-----------------------+ <--- stk_base
1528 */
1529
1530 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1531
1532 /*
1533 * Add a string to the stack.
1534 */
1535 static int
1536 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1537 {
1538 int error;
1539 size_t len;
1540
1541 if (STK_AVAIL(args) < sizeof (int))
1542 return (E2BIG);
1543 *--args->stk_offp = args->stk_strp - args->stk_base;
1544
1545 if (segflg == UIO_USERSPACE) {
1546 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1547 if (error != 0)
1548 return (error);
1549 } else {
1550 len = strlen(sp) + 1;
1551 if (len > STK_AVAIL(args))
1552 return (E2BIG);
1553 bcopy(sp, args->stk_strp, len);
1554 }
1555
1556 args->stk_strp += len;
1557
1558 return (0);
1559 }
1560
1561 /*
1562 * Add a fixed size byte array to the stack (only from kernel space).
1563 */
1564 static int
1565 stk_byte_add(uarg_t *args, const uint8_t *sp, size_t len)
1566 {
1567 int error;
1568
1569 if (STK_AVAIL(args) < sizeof (int))
1570 return (E2BIG);
1571 *--args->stk_offp = args->stk_strp - args->stk_base;
1572
1573 if (len > STK_AVAIL(args))
1574 return (E2BIG);
1575 bcopy(sp, args->stk_strp, len);
1576
1577 args->stk_strp += len;
1578
1579 return (0);
1580 }
1581
1582 static int
1583 stk_getptr(uarg_t *args, char *src, char **dst)
1584 {
1585 int error;
1586
1587 if (args->from_model == DATAMODEL_NATIVE) {
1588 ulong_t ptr;
1589 error = fulword(src, &ptr);
1590 *dst = (caddr_t)ptr;
1591 } else {
1592 uint32_t ptr;
1593 error = fuword32(src, &ptr);
1594 *dst = (caddr_t)(uintptr_t)ptr;
1595 }
1596 return (error);
1597 }
1598
1599 static int
1600 stk_putptr(uarg_t *args, char *addr, char *value)
1601 {
1602 if (args->to_model == DATAMODEL_NATIVE)
1603 return (sulword(addr, (ulong_t)value));
1604 else
1605 return (suword32(addr, (uint32_t)(uintptr_t)value));
1606 }
1607
1608 static int
1609 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1610 {
1611 char *sp;
1612 int argc, error;
1613 int argv_empty = 0;
1614 size_t ptrsize = args->from_ptrsize;
1615 size_t size, pad;
1616 char *argv = (char *)uap->argp;
1617 char *envp = (char *)uap->envp;
1618 uint8_t rdata[RANDOM_LEN];
1619
1620 /*
1621 * Copy interpreter's name and argument to argv[0] and argv[1].
1622 * In the rare case that we have nested interpreters then those names
1623 * and arguments are also copied to the subsequent slots in argv.
1624 */
1625 if (intp != NULL && intp->intp_name[0] != NULL) {
1626 int i;
1627
1628 for (i = 0; i < INTP_MAXDEPTH; i++) {
1629 if (intp->intp_name[i] == NULL)
1630 break;
1631 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1632 if (error != 0)
1633 return (error);
1634 if (intp->intp_arg[i] != NULL) {
1635 error = stk_add(args, intp->intp_arg[i],
1636 UIO_SYSSPACE);
1637 if (error != 0)
1638 return (error);
1639 }
1640 }
1641
1642 if (args->fname != NULL)
1643 error = stk_add(args, args->fname, UIO_SYSSPACE);
1644 else
1645 error = stk_add(args, uap->fname, UIO_USERSPACE);
1646 if (error)
1647 return (error);
1648
1649 /*
1650 * Check for an empty argv[].
1651 */
1652 if (stk_getptr(args, argv, &sp))
1653 return (EFAULT);
1654 if (sp == NULL)
1655 argv_empty = 1;
1656
1657 argv += ptrsize; /* ignore original argv[0] */
1658 }
1659
1660 if (argv_empty == 0) {
1661 /*
1662 * Add argv[] strings to the stack.
1663 */
1664 for (;;) {
1665 if (stk_getptr(args, argv, &sp))
1666 return (EFAULT);
1667 if (sp == NULL)
1668 break;
1669 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1670 return (error);
1671 argv += ptrsize;
1672 }
1673 }
1674 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1675 args->arglen = args->stk_strp - args->stk_base;
1676
1677 /*
1678 * Add environ[] strings to the stack.
1679 */
1680 if (envp != NULL) {
1681 for (;;) {
1682 char *tmp = args->stk_strp;
1683 if (stk_getptr(args, envp, &sp))
1684 return (EFAULT);
1685 if (sp == NULL)
1686 break;
1687 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1688 return (error);
1689 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1690 /* Undo the copied string */
1691 args->stk_strp = tmp;
1692 *(args->stk_offp++) = NULL;
1693 }
1694 envp += ptrsize;
1695 }
1696 }
1697 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1698 args->ne = args->na - argc;
1699
1700 /*
1701 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME,
1702 * AT_SUN_BRAND_NROOT, and AT_SUN_EMULATOR strings, as well as AT_RANDOM
1703 * array, to the stack.
1704 */
1705 if (auxvpp != NULL && *auxvpp != NULL) {
1706 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1707 return (error);
1708 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1709 return (error);
1710 if (args->brandname != NULL &&
1711 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1712 return (error);
1713 if (args->emulator != NULL &&
1714 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1715 return (error);
1716
1717 /*
1718 * For the AT_RANDOM aux vector we provide 16 bytes of random
1719 * data.
1720 */
1721 (void) random_get_pseudo_bytes(rdata, sizeof (rdata));
1722
1723 if ((error = stk_byte_add(args, rdata, sizeof (rdata))) != 0)
1724 return (error);
1725
1726 if (args->brand_nroot != NULL &&
1727 (error = stk_add(args, args->brand_nroot,
1728 UIO_SYSSPACE)) != 0)
1729 return (error);
1730 }
1731
1732 /*
1733 * Compute the size of the stack. This includes all the pointers,
1734 * the space reserved for the aux vector, and all the strings.
1735 * The total number of pointers is args->na (which is argc + envc)
1736 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1737 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1738 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1739 * all the strings, at the very top of the stack.
1740 */
1741 size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1742 (args->stk_strp - args->stk_base);
1743
1744 /*
1745 * Pad the string section with zeroes to align the stack size.
1746 */
1747 pad = P2NPHASE(size, args->stk_align);
1748
1749 if (STK_AVAIL(args) < pad)
1750 return (E2BIG);
1751
1752 args->usrstack_size = size + pad;
1753
1754 while (pad-- != 0)
1755 *args->stk_strp++ = 0;
1756
1757 args->nc = args->stk_strp - args->stk_base;
1758
1759 return (0);
1760 }
1761
1762 static int
1763 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1764 {
1765 size_t ptrsize = args->to_ptrsize;
1766 ssize_t pslen;
1767 char *kstrp = args->stk_base;
1768 char *ustrp = usrstack - args->nc - ptrsize;
1769 char *usp = usrstack - args->usrstack_size;
1770 int *offp = (int *)(args->stk_base + args->stk_size);
1771 int envc = args->ne;
1772 int argc = args->na - envc;
1773 int i;
1774
1775 /*
1776 * Record argc for /proc.
1777 */
1778 up->u_argc = argc;
1779
1780 /*
1781 * Put argc on the stack. Note that even though it's an int,
1782 * it always consumes ptrsize bytes (for alignment).
1783 */
1784 if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1785 return (-1);
1786
1787 /*
1788 * Add argc space (ptrsize) to usp and record argv for /proc.
1789 */
1790 up->u_argv = (uintptr_t)(usp += ptrsize);
1791
1792 /*
1793 * Put the argv[] pointers on the stack.
1794 */
1795 for (i = 0; i < argc; i++, usp += ptrsize)
1796 if (stk_putptr(args, usp, &ustrp[*--offp]))
1797 return (-1);
1798
1799 /*
1800 * Copy arguments to u_psargs.
1801 */
1802 pslen = MIN(args->arglen, PSARGSZ) - 1;
1803 for (i = 0; i < pslen; i++)
1804 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1805 while (i < PSARGSZ)
1806 up->u_psargs[i++] = '\0';
1807
1808 /*
1809 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1810 * record envp for /proc.
1811 */
1812 up->u_envp = (uintptr_t)(usp += ptrsize);
1813
1814 /*
1815 * Put the envp[] pointers on the stack.
1816 */
1817 for (i = 0; i < envc; i++, usp += ptrsize)
1818 if (stk_putptr(args, usp, &ustrp[*--offp]))
1819 return (-1);
1820
1821 /*
1822 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1823 * remember where the stack ends, which is also where auxv begins.
1824 */
1825 args->stackend = usp += ptrsize;
1826
1827 /*
1828 * Put all the argv[], envp[], and auxv strings on the stack.
1829 */
1830 if (copyout(args->stk_base, ustrp, args->nc))
1831 return (-1);
1832
1833 /*
1834 * Fill in the aux vector now that we know the user stack addresses
1835 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1836 * AT_SUN_EMULATOR strings, as well as the AT_RANDOM array.
1837 */
1838 if (auxvpp != NULL && *auxvpp != NULL) {
1839 if (args->to_model == DATAMODEL_NATIVE) {
1840 auxv_t **a = (auxv_t **)auxvpp;
1841 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1842 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1843 if (args->brandname != NULL)
1844 ADDAUX(*a,
1845 AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1846 if (args->emulator != NULL)
1847 ADDAUX(*a,
1848 AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1849 ADDAUX(*a, AT_RANDOM, (long)&ustrp[*--offp])
1850 if (args->brand_nroot != NULL) {
1851 ADDAUX(*a,
1852 AT_SUN_BRAND_NROOT, (long)&ustrp[*--offp])
1853 }
1854 } else {
1855 auxv32_t **a = (auxv32_t **)auxvpp;
1856 ADDAUX(*a,
1857 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1858 ADDAUX(*a,
1859 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1860 if (args->brandname != NULL)
1861 ADDAUX(*a, AT_SUN_BRANDNAME,
1862 (int)(uintptr_t)&ustrp[*--offp])
1863 if (args->emulator != NULL)
1864 ADDAUX(*a, AT_SUN_EMULATOR,
1865 (int)(uintptr_t)&ustrp[*--offp])
1866 ADDAUX(*a, AT_RANDOM, (int)(uintptr_t)&ustrp[*--offp])
1867 if (args->brand_nroot != NULL) {
1868 ADDAUX(*a, AT_SUN_BRAND_NROOT,
1869 (int)(uintptr_t)&ustrp[*--offp])
1870 }
1871 }
1872 }
1873
1874 return (0);
1875 }
1876
1877 /*
1878 * Initialize a new user stack with the specified arguments and environment.
1879 * The initial user stack layout is as follows:
1880 *
1881 * User Stack
1882 * +---------------+ <--- curproc->p_usrstack
1883 * | |
1884 * | slew |
1885 * | |
1886 * +---------------+
1887 * | NULL |
1888 * +---------------+
1889 * | |
1890 * | auxv strings |
1891 * | |
1892 * +---------------+
1893 * | |
1894 * | envp strings |
1895 * | |
1896 * +---------------+
1897 * | |
1898 * | argv strings |
1899 * | |
1900 * +---------------+ <--- ustrp
1901 * | |
1902 * | aux vector |
1903 * | |
1904 * +---------------+ <--- auxv
1905 * | NULL |
1906 * +---------------+
1907 * | envp[envc-1] |
1908 * +---------------+
1909 * | ... |
1910 * +---------------+
1911 * | envp[0] |
1912 * +---------------+ <--- envp[]
1913 * | NULL |
1914 * +---------------+
1915 * | argv[argc-1] |
1916 * +---------------+
1917 * | ... |
1918 * +---------------+
1919 * | argv[0] |
1920 * +---------------+ <--- argv[]
1921 * | argc |
1922 * +---------------+ <--- stack base
1923 */
1924 int
1925 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1926 {
1927 size_t size;
1928 int error;
1929 proc_t *p = ttoproc(curthread);
1930 user_t *up = PTOU(p);
1931 char *usrstack;
1932 rctl_entity_p_t e;
1933 struct as *as;
1934 extern int use_stk_lpg;
1935 size_t sp_slew;
1936
1937 args->from_model = p->p_model;
1938 if (p->p_model == DATAMODEL_NATIVE) {
1939 args->from_ptrsize = sizeof (long);
1940 } else {
1941 args->from_ptrsize = sizeof (int32_t);
1942 }
1943
1944 if (args->to_model == DATAMODEL_NATIVE) {
1945 args->to_ptrsize = sizeof (long);
1946 args->ncargs = NCARGS;
1947 args->stk_align = STACK_ALIGN;
1948 if (args->addr32)
1949 usrstack = (char *)USRSTACK64_32;
1950 else
1951 usrstack = (char *)USRSTACK;
1952 } else {
1953 args->to_ptrsize = sizeof (int32_t);
1954 args->ncargs = NCARGS32;
1955 args->stk_align = STACK_ALIGN32;
1956 usrstack = (char *)USRSTACK32;
1957 }
1958
1959 if (args->maxstack != 0 && (uintptr_t)usrstack > args->maxstack)
1960 usrstack = (char *)args->maxstack;
1961
1962 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1963
1964 #if defined(__sparc)
1965 /*
1966 * Make sure user register windows are empty before
1967 * attempting to make a new stack.
1968 */
1969 (void) flush_user_windows_to_stack(NULL);
1970 #endif
1971
1972 for (size = PAGESIZE; ; size *= 2) {
1973 args->stk_size = size;
1974 args->stk_base = kmem_alloc(size, KM_SLEEP);
1975 args->stk_strp = args->stk_base;
1976 args->stk_offp = (int *)(args->stk_base + size);
1977 error = stk_copyin(uap, args, intp, auxvpp);
1978 if (error == 0)
1979 break;
1980 kmem_free(args->stk_base, size);
1981 if (error != E2BIG && error != ENAMETOOLONG)
1982 return (error);
1983 if (size >= args->ncargs)
1984 return (E2BIG);
1985 }
1986
1987 size = args->usrstack_size;
1988
1989 ASSERT(error == 0);
1990 ASSERT(P2PHASE(size, args->stk_align) == 0);
1991 ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1992
1993 if (size > args->ncargs) {
1994 kmem_free(args->stk_base, args->stk_size);
1995 return (E2BIG);
1996 }
1997
1998 /*
1999 * Leave only the current lwp and force the other lwps to exit.
2000 * If another lwp beat us to the punch by calling exit(), bail out.
2001 */
2002 if ((error = exitlwps(0)) != 0) {
2003 kmem_free(args->stk_base, args->stk_size);
2004 return (error);
2005 }
2006
2007 /*
2008 * Revoke any doors created by the process.
2009 */
2010 if (p->p_door_list)
2011 door_exit();
2012
2013 /*
2014 * Release schedctl data structures.
2015 */
2016 if (p->p_pagep)
2017 schedctl_proc_cleanup();
2018
2019 /*
2020 * Clean up any DTrace helpers for the process.
2021 */
2022 if (p->p_dtrace_helpers != NULL) {
2023 ASSERT(dtrace_helpers_cleanup != NULL);
2024 (*dtrace_helpers_cleanup)();
2025 }
2026
2027 mutex_enter(&p->p_lock);
2028 /*
2029 * Cleanup the DTrace provider associated with this process.
2030 */
2031 if (p->p_dtrace_probes) {
2032 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
2033 dtrace_fasttrap_exec_ptr(p);
2034 }
2035 mutex_exit(&p->p_lock);
2036
2037 /*
2038 * discard the lwpchan cache.
2039 */
2040 if (p->p_lcp != NULL)
2041 lwpchan_destroy_cache(1);
2042
2043 /*
2044 * Delete the POSIX timers.
2045 */
2046 if (p->p_itimer != NULL)
2047 timer_exit();
2048
2049 /*
2050 * Delete the ITIMER_REALPROF interval timer.
2051 * The other ITIMER_* interval timers are specified
2052 * to be inherited across exec().
2053 */
2054 delete_itimer_realprof();
2055
2056 if (AU_AUDITING())
2057 audit_exec(args->stk_base, args->stk_base + args->arglen,
2058 args->na - args->ne, args->ne, args->pfcred);
2059
2060 /*
2061 * Ensure that we don't change resource associations while we
2062 * change address spaces.
2063 */
2064 mutex_enter(&p->p_lock);
2065 pool_barrier_enter();
2066 mutex_exit(&p->p_lock);
2067
2068 /*
2069 * Destroy the old address space and create a new one.
2070 * From here on, any errors are fatal to the exec()ing process.
2071 * On error we return -1, which means the caller must SIGKILL
2072 * the process.
2073 */
2074 relvm();
2075
2076 mutex_enter(&p->p_lock);
2077 pool_barrier_exit();
2078 mutex_exit(&p->p_lock);
2079
2080 up->u_execsw = args->execswp;
2081
2082 p->p_brkbase = NULL;
2083 p->p_brksize = 0;
2084 p->p_brkpageszc = 0;
2085 p->p_stksize = 0;
2086 p->p_stkpageszc = 0;
2087 p->p_model = args->to_model;
2088 p->p_usrstack = usrstack;
2089 p->p_stkprot = args->stk_prot;
2090 p->p_datprot = args->dat_prot;
2091
2092 /*
2093 * Reset resource controls such that all controls are again active as
2094 * well as appropriate to the potentially new address model for the
2095 * process.
2096 */
2097 e.rcep_p.proc = p;
2098 e.rcep_t = RCENTITY_PROCESS;
2099 rctl_set_reset(p->p_rctls, p, &e);
2100
2101 /* Too early to call map_pgsz for the heap */
2102 if (use_stk_lpg) {
2103 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2104 }
2105
2106 mutex_enter(&p->p_lock);
2107 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */
2108 mutex_exit(&p->p_lock);
2109
2110 /*
2111 * Some platforms may choose to randomize real stack start by adding a
2112 * small slew (not more than a few hundred bytes) to the top of the
2113 * stack. This helps avoid cache thrashing when identical processes
2114 * simultaneously share caches that don't provide enough associativity
2115 * (e.g. sun4v systems). In this case stack slewing makes the same hot
2116 * stack variables in different processes to live in different cache
2117 * sets increasing effective associativity.
2118 */
2119 sp_slew = exec_get_spslew();
2120 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2121 exec_set_sp(size + sp_slew);
2122
2123 as = as_alloc();
2124 p->p_as = as;
2125 as->a_proc = p;
2126 if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2127 as->a_userlimit = (caddr_t)USERLIMIT32;
2128 (void) hat_setup(as->a_hat, HAT_ALLOC);
2129 hat_join_srd(as->a_hat, args->ex_vp);
2130
2131 /*
2132 * Finally, write out the contents of the new stack.
2133 */
2134 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2135 kmem_free(args->stk_base, args->stk_size);
2136 return (error);
2137 }