Print this page
OS-5354 lx shebang argument handling is incorrect
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
OS-4364 intpexec mishandles process branding
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
OS-4119 lxbrand panic when running native perl inside lx zone
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/exec/intp/intp.c
+++ new/usr/src/uts/common/exec/intp/intp.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
↓ open down ↓ |
14 lines elided |
↑ open up ↑ |
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 * Copyright 2012 Milan Jurik. All rights reserved.
25 + * Copyright 2016, Joyent, Inc.
25 26 */
26 27
27 28 /* Copyright (c) 1988 AT&T */
28 29 /* All Rights Reserved */
29 30
30 31
31 32 /* from S5R4 1.6 */
32 33
33 34 #include <sys/types.h>
34 35 #include <sys/param.h>
35 36 #include <sys/sysmacros.h>
36 37 #include <sys/signal.h>
37 38 #include <sys/cred.h>
38 39 #include <sys/user.h>
39 40 #include <sys/errno.h>
|
↓ open down ↓ |
5 lines elided |
↑ open up ↑ |
40 41 #include <sys/vnode.h>
41 42 #include <sys/proc.h>
42 43 #include <sys/cmn_err.h>
43 44 #include <sys/debug.h>
44 45 #include <sys/pathname.h>
45 46 #include <sys/disp.h>
46 47 #include <sys/exec.h>
47 48 #include <sys/kmem.h>
48 49 #include <sys/note.h>
49 50 #include <sys/sdt.h>
51 +#include <sys/brand.h>
50 52
51 53 /*
52 54 * This is the loadable module wrapper.
53 55 */
54 56 #include <sys/modctl.h>
55 57
56 58 extern int intpexec(struct vnode *, struct execa *, struct uarg *,
57 - struct intpdata *, int, long *, int, caddr_t, struct cred *, int);
59 + struct intpdata *, int, long *, int, caddr_t, struct cred *, int *);
58 60
59 61 static struct execsw esw = {
60 62 intpmagicstr,
61 63 0,
62 64 2,
63 65 intpexec,
64 66 NULL
65 67 };
66 68
67 69 /*
68 70 * Module linkage information for the kernel.
69 71 */
70 72 extern struct mod_ops mod_execops;
71 73
72 74 static struct modlexec modlexec = {
73 75 &mod_execops, "exec mod for interp", &esw
74 76 };
75 77
76 78 static struct modlinkage modlinkage = {
77 79 MODREV_1, (void *)&modlexec, NULL
78 80 };
79 81
80 82 int
81 83 _init()
82 84 {
83 85 return (mod_install(&modlinkage));
84 86 }
85 87
86 88 int
87 89 _fini()
88 90 {
89 91 return (mod_remove(&modlinkage));
90 92 }
91 93
92 94 int
93 95 _info(struct modinfo *modinfop)
94 96 {
95 97 return (mod_info(&modlinkage, modinfop));
96 98 }
97 99
98 100
99 101 /*
100 102 * Crack open a '#!' line.
101 103 */
102 104 static int
103 105 getintphead(struct vnode *vp, struct intpdata *idatap)
104 106 {
105 107 int error;
106 108 char *cp, *linep = idatap->intp;
107 109 ssize_t resid;
108 110
109 111 /*
110 112 * Read the entire line and confirm that it starts with '#!'.
111 113 */
112 114 if (error = vn_rdwr(UIO_READ, vp, linep, INTPSZ, (offset_t)0,
113 115 UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
114 116 return (error);
115 117 if (resid > INTPSZ-2 || linep[0] != '#' || linep[1] != '!')
116 118 return (ENOEXEC);
117 119 /*
118 120 * Blank all white space and find the newline.
|
↓ open down ↓ |
51 lines elided |
↑ open up ↑ |
119 121 */
120 122 for (cp = &linep[2]; cp < &linep[INTPSZ] && *cp != '\n'; cp++)
121 123 if (*cp == '\t')
122 124 *cp = ' ';
123 125 if (cp >= &linep[INTPSZ])
124 126 return (ENOEXEC);
125 127 ASSERT(*cp == '\n');
126 128 *cp = '\0';
127 129
128 130 /*
129 - * Locate the beginning and end of the interpreter name.
130 - * In addition to the name, one additional argument may
131 - * optionally be included here, to be prepended to the
132 - * arguments provided on the command line. Thus, for
133 - * example, you can say
131 + * Locate the beginning and end of the interpreter name. Historically,
132 + * for illumos and its predecessors, in addition to the name, one
133 + * additional argument may optionally be included here, to be prepended
134 + * to the arguments provided on the command line. Thus, for example,
135 + * you can say
134 136 *
135 137 * #! /usr/bin/awk -f
138 + *
139 + * However, handling of interpreter arguments varies across operating
140 + * systems and other systems allow more than one argument. In
141 + * particular, Linux allows more than one and delivers all arguments
142 + * as a single string (argv[1] is "-arg1 -arg2 ..."). We support this
143 + * style of argument handling as a brand-specific option (setting
144 + * b_intp_parse_arg to B_FALSE).
136 145 */
137 146 for (cp = &linep[2]; *cp == ' '; cp++)
138 147 ;
139 148 if (*cp == '\0')
140 149 return (ENOEXEC);
141 150 idatap->intp_name[0] = cp;
142 151 while (*cp && *cp != ' ')
143 152 cp++;
144 153 if (*cp == '\0') {
145 154 idatap->intp_arg[0] = NULL;
146 155 } else {
147 156 *cp++ = '\0';
148 157 while (*cp == ' ')
149 158 cp++;
150 159 if (*cp == '\0')
151 160 idatap->intp_arg[0] = NULL;
152 161 else {
153 162 idatap->intp_arg[0] = cp;
154 - while (*cp && *cp != ' ')
155 - cp++;
156 - *cp = '\0';
163 + if (!PROC_IS_BRANDED(curproc) ||
164 + BROP(curproc)->b_intp_parse_arg) {
165 + while (*cp && *cp != ' ')
166 + cp++;
167 + *cp = '\0';
168 + }
157 169 }
158 170 }
159 171 return (0);
160 172 }
161 173
162 174 /*
163 175 * We support nested interpreters up to a depth of INTP_MAXDEPTH (this value
164 176 * matches the depth on Linux). When a nested interpreter is in use, the
165 177 * previous name and argument must be passed along. We use the intpdata_t
166 178 * name and argument arrays for this. In the normal, non-nested case, only the
167 179 * first element in those arrays will be populated.
168 180 *
169 181 * For setid scripts the "script hole" is a security race condition between
170 182 * when we exec the interpreter and when the interpreter reads the script. We
171 183 * handle this below for the initial script, but we don't allow setid scripts
172 184 * when using nested interpreters. Because gexec only modifies the credentials
173 185 * for a setid script at level 0, then if we come back through for a nested
174 186 * interpreter we know that args->fname will be set (the first script is setid)
175 187 * and we can return an error. If an intermediate nested interpreter is setid
176 188 * then it will not be run with different credentials because of the gexec
177 189 * handling, so it is effectively no longer setid and we don't have to worry
178 190 * about the "script hole".
179 191 */
180 192 int
|
↓ open down ↓ |
14 lines elided |
↑ open up ↑ |
181 193 intpexec(
182 194 struct vnode *vp,
183 195 struct execa *uap,
184 196 struct uarg *args,
185 197 struct intpdata *idatap,
186 198 int level,
187 199 long *execsz,
188 200 int setid,
189 201 caddr_t exec_file,
190 202 struct cred *cred,
191 - int brand_action)
203 + int *brand_action)
192 204 {
193 - _NOTE(ARGUNUSED(brand_action))
194 205 vnode_t *nvp;
195 206 int error = 0;
196 207 struct intpdata idata;
197 208 struct pathname intppn;
198 209 struct pathname resolvepn;
199 210 char *opath;
200 211 char devfd[19]; /* 32-bit int fits in 10 digits + 8 for "/dev/fd/" */
201 212 int fd = -1;
202 213
203 214 if (level >= INTP_MAXDEPTH) { /* Can't recurse past maxdepth */
204 215 error = ELOOP;
205 216 goto bad;
206 217 }
207 218
208 219 if (level == 0)
209 220 ASSERT(idatap == (struct intpdata *)NULL);
210 221
211 222 bzero(&idata, sizeof (intpdata_t));
212 223
213 224 /*
214 225 * Allocate a buffer to read in the interpreter pathname.
215 226 */
216 227 idata.intp = kmem_alloc(INTPSZ, KM_SLEEP);
217 228 if (error = getintphead(vp, &idata))
218 229 goto fail;
219 230
220 231 /*
221 232 * Look the new vnode up.
222 233 */
223 234 if (error = pn_get(idata.intp_name[0], UIO_SYSSPACE, &intppn))
224 235 goto fail;
225 236 pn_alloc(&resolvepn);
226 237 if (error = lookuppn(&intppn, &resolvepn, FOLLOW, NULLVPP, &nvp)) {
227 238 pn_free(&resolvepn);
228 239 pn_free(&intppn);
229 240 goto fail;
230 241 }
231 242
232 243 if (level > 0) {
233 244 /*
234 245 * We have a nested interpreter. The previous name(s) and
235 246 * argument(s) need to be passed along. We also keep track
236 247 * of how often this zone uses nested interpreters.
237 248 */
238 249 int i;
239 250
240 251 atomic_inc_32(&curproc->p_zone->zone_nested_intp);
241 252
242 253 ASSERT(idatap != NULL);
243 254 /* since we're shifting up, loop stops one short */
244 255 for (i = 0; i < (INTP_MAXDEPTH - 1); i++) {
245 256 idata.intp_name[i + 1] = idatap->intp_name[i];
246 257 idata.intp_arg[i + 1] = idatap->intp_arg[i];
247 258 }
248 259
249 260 DTRACE_PROBE3(nested__intp, int, level, void *, &idata,
250 261 void *, nvp);
251 262 }
252 263
253 264 opath = args->pathname;
254 265 args->pathname = resolvepn.pn_path;
255 266 /* don't free resolvepn until we are done with args */
256 267 pn_free(&intppn);
257 268
258 269 /*
259 270 * Disallow setuid or additional privilege execution for nested
260 271 * interpreters.
261 272 */
262 273 if (level > 0 && args->fname != NULL) {
263 274 error = ENOEXEC;
264 275 goto done;
265 276 }
266 277
267 278 /*
268 279 * When we're executing a set-uid script resulting in uids
269 280 * mismatching or when we execute with additional privileges,
270 281 * we close the "replace script between exec and open by shell"
271 282 * hole by passing the script as /dev/fd parameter.
272 283 */
273 284 if ((setid & EXECSETID_PRIVS) != 0 ||
|
↓ open down ↓ |
70 lines elided |
↑ open up ↑ |
274 285 (setid & (EXECSETID_UGIDS|EXECSETID_SETID)) ==
275 286 (EXECSETID_UGIDS|EXECSETID_SETID)) {
276 287 (void) strcpy(devfd, "/dev/fd/");
277 288 if (error = execopen(&vp, &fd))
278 289 goto done;
279 290 numtos(fd, &devfd[8]);
280 291 args->fname = devfd;
281 292 }
282 293
283 294 error = gexec(&nvp, uap, args, &idata, ++level, execsz, exec_file, cred,
284 - EBA_NONE);
295 + brand_action);
285 296
286 297 if (!error) {
287 298 /*
288 299 * Close this executable as the interpreter
289 300 * will open and close it later on.
290 301 */
291 302 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
292 303 }
293 304 done:
294 305 VN_RELE(nvp);
295 306 args->pathname = opath;
296 307 pn_free(&resolvepn);
297 308 fail:
298 309 kmem_free(idata.intp, INTPSZ);
299 310 if (error && fd != -1)
300 311 (void) execclose(fd);
301 312 bad:
302 313 return (error);
303 314 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX