Print this page
Reduce lint
OS-4818 contract template disappears on exec
OS-4460 exec brands processes that still have multiple threads
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Joshua M. Clulow <jmc@joyent.com>
OS-3742 lxbrand add support for signalfd
OS-4382 remove obsolete brand hooks added during lx development
OS-4188 NULL dereference in lwp_hash_in
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Joshua M. Clulow <jmc@joyent.com>
OS-4119 lxbrand panic when running native perl inside lx zone
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
OS-4151 setbrand hooks should be sane during fork
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Joshua M. Clulow <jmc@joyent.com>
OS-4129 lxbrand should not abuse p_brand_data for storing exit signal
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Joshua M. Clulow <jmc@joyent.com>
OS-3561 lxbrand emulation library should execute on alternate stack
OS-3558 lxbrand add support for full in-kernel syscall handling
OS-3545 lx_syscall_regs should not walk stack
OS-3868 many LTP testcases now hang
OS-3901 lxbrand lx_recvmsg fails to translate control messages when 64-bit
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Reviewed by: Bryan Cantrill <bryan@joyent.com>
OS-3871 AT_RANDOM aux entry should be populated using random_get_pseudo_bytes
OS-3611 lx brand: 64-bit processes should not use VAs above VA hole
OS-3438 lx brand: "start rsyslog" hangs
OS-3280 need a way to specify the root of a native system in the lx brand
OS-3279 lx brand should allow delegated datasets
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
OS-2949 add support for AT_RANDOM aux vector entry
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/exec.c
+++ new/usr/src/uts/common/os/exec.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
|
↓ open down ↓ |
18 lines elided |
↑ open up ↑ |
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24 24 */
25 25
26 26 /* Copyright (c) 1988 AT&T */
27 27 /* All Rights Reserved */
28 28 /*
29 - * Copyright 2014, Joyent, Inc. All rights reserved.
29 + * Copyright 2015, Joyent, Inc. All rights reserved.
30 30 */
31 31
32 32 #include <sys/types.h>
33 33 #include <sys/param.h>
34 34 #include <sys/sysmacros.h>
35 35 #include <sys/systm.h>
36 36 #include <sys/signal.h>
37 37 #include <sys/cred_impl.h>
38 38 #include <sys/policy.h>
39 39 #include <sys/user.h>
40 40 #include <sys/errno.h>
41 41 #include <sys/file.h>
42 42 #include <sys/vfs.h>
43 43 #include <sys/vnode.h>
44 44 #include <sys/mman.h>
45 45 #include <sys/acct.h>
46 46 #include <sys/cpuvar.h>
47 47 #include <sys/proc.h>
48 48 #include <sys/cmn_err.h>
49 49 #include <sys/debug.h>
50 50 #include <sys/pathname.h>
51 51 #include <sys/vm.h>
52 52 #include <sys/lgrp.h>
53 53 #include <sys/vtrace.h>
54 54 #include <sys/exec.h>
55 55 #include <sys/exechdr.h>
56 56 #include <sys/kmem.h>
57 57 #include <sys/prsystm.h>
58 58 #include <sys/modctl.h>
59 59 #include <sys/vmparam.h>
60 60 #include <sys/door.h>
61 61 #include <sys/schedctl.h>
|
↓ open down ↓ |
22 lines elided |
↑ open up ↑ |
62 62 #include <sys/utrap.h>
63 63 #include <sys/systeminfo.h>
64 64 #include <sys/stack.h>
65 65 #include <sys/rctl.h>
66 66 #include <sys/dtrace.h>
67 67 #include <sys/lwpchan_impl.h>
68 68 #include <sys/pool.h>
69 69 #include <sys/sdt.h>
70 70 #include <sys/brand.h>
71 71 #include <sys/klpd.h>
72 +#include <sys/random.h>
72 73
73 74 #include <c2/audit.h>
74 75
75 76 #include <vm/hat.h>
76 77 #include <vm/anon.h>
77 78 #include <vm/as.h>
78 79 #include <vm/seg.h>
79 80 #include <vm/seg_vn.h>
80 81
81 82 #define PRIV_RESET 0x01 /* needs to reset privs */
82 83 #define PRIV_SETID 0x02 /* needs to change uids */
83 84 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
84 85 #define PRIV_INCREASE 0x08 /* child runs with more privs */
85 86 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */
86 87 #define PRIV_FORCED 0x20 /* has forced privileges */
87 88
88 89 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
89 90 priv_set_t *, cred_t *, const char *);
|
↓ open down ↓ |
8 lines elided |
↑ open up ↑ |
90 91 static int hold_execsw(struct execsw *);
91 92
92 93 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
93 94 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */
94 95 #if defined(_SYSCALL32_IMPL)
95 96 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */
96 97 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */
97 98 #endif
98 99
99 100 #define PSUIDFLAGS (SNOCD|SUGID)
101 +#define RANDOM_LEN 16 /* 16 bytes for AT_RANDOM aux entry */
100 102
101 103 /*
102 104 * exece() - system call wrapper around exec_common()
103 105 */
104 106 int
105 107 exece(const char *fname, const char **argp, const char **envp)
106 108 {
107 109 int error;
108 110
109 111 error = exec_common(fname, argp, envp, EBA_NONE);
110 112 return (error ? (set_errno(error)) : 0);
111 113 }
112 114
113 115 int
114 116 exec_common(const char *fname, const char **argp, const char **envp,
115 117 int brand_action)
116 118 {
117 119 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
118 120 proc_t *p = ttoproc(curthread);
119 121 klwp_t *lwp = ttolwp(curthread);
120 122 struct user *up = PTOU(p);
121 123 long execsz; /* temporary count of exec size */
122 124 int i;
123 125 int error;
124 126 char exec_file[MAXCOMLEN+1];
125 127 struct pathname pn;
126 128 struct pathname resolvepn;
127 129 struct uarg args;
128 130 struct execa ua;
129 131 k_sigset_t savedmask;
130 132 lwpdir_t *lwpdir = NULL;
131 133 tidhash_t *tidhash;
132 134 lwpdir_t *old_lwpdir = NULL;
133 135 uint_t old_lwpdir_sz;
134 136 tidhash_t *old_tidhash;
135 137 uint_t old_tidhash_sz;
136 138 ret_tidhash_t *ret_tidhash;
137 139 lwpent_t *lep;
138 140 boolean_t brandme = B_FALSE;
139 141
140 142 /*
141 143 * exec() is not supported for the /proc agent lwp.
142 144 */
143 145 if (curthread == p->p_agenttp)
144 146 return (ENOTSUP);
145 147
146 148 if (brand_action != EBA_NONE) {
147 149 /*
148 150 * Brand actions are not supported for processes that are not
149 151 * running in a branded zone.
150 152 */
151 153 if (!ZONE_IS_BRANDED(p->p_zone))
152 154 return (ENOTSUP);
153 155
154 156 if (brand_action == EBA_NATIVE) {
155 157 /* Only branded processes can be unbranded */
156 158 if (!PROC_IS_BRANDED(p))
157 159 return (ENOTSUP);
158 160 } else {
159 161 /* Only unbranded processes can be branded */
160 162 if (PROC_IS_BRANDED(p))
161 163 return (ENOTSUP);
162 164 brandme = B_TRUE;
163 165 }
164 166 } else {
165 167 /*
166 168 * If this is a native zone, or if the process is already
167 169 * branded, then we don't need to do anything. If this is
168 170 * a native process in a branded zone, we need to brand the
169 171 * process as it exec()s the new binary.
170 172 */
171 173 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
172 174 brandme = B_TRUE;
173 175 }
174 176
175 177 /*
176 178 * Inform /proc that an exec() has started.
177 179 * Hold signals that are ignored by default so that we will
178 180 * not be interrupted by a signal that will be ignored after
179 181 * successful completion of gexec().
180 182 */
181 183 mutex_enter(&p->p_lock);
182 184 prexecstart();
183 185 schedctl_finish_sigblock(curthread);
184 186 savedmask = curthread->t_hold;
185 187 sigorset(&curthread->t_hold, &ignoredefault);
186 188 mutex_exit(&p->p_lock);
187 189
188 190 /*
189 191 * Look up path name and remember last component for later.
190 192 * To help coreadm expand its %d token, we attempt to save
191 193 * the directory containing the executable in p_execdir. The
192 194 * first call to lookuppn() may fail and return EINVAL because
193 195 * dirvpp is non-NULL. In that case, we make a second call to
194 196 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
195 197 * but coreadm is allowed to expand %d to the empty string and
196 198 * there are other cases in which that failure may occur.
197 199 */
198 200 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
199 201 goto out;
200 202 pn_alloc(&resolvepn);
201 203 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
202 204 pn_free(&resolvepn);
203 205 pn_free(&pn);
204 206 if (error != EINVAL)
205 207 goto out;
206 208
207 209 dir = NULL;
208 210 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
209 211 goto out;
210 212 pn_alloc(&resolvepn);
211 213 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
212 214 &vp)) != 0) {
213 215 pn_free(&resolvepn);
214 216 pn_free(&pn);
215 217 goto out;
216 218 }
217 219 }
218 220 if (vp == NULL) {
219 221 if (dir != NULL)
220 222 VN_RELE(dir);
221 223 error = ENOENT;
222 224 pn_free(&resolvepn);
223 225 pn_free(&pn);
224 226 goto out;
225 227 }
226 228
227 229 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
228 230 if (dir != NULL)
229 231 VN_RELE(dir);
230 232 pn_free(&resolvepn);
231 233 pn_free(&pn);
232 234 VN_RELE(vp);
233 235 goto out;
234 236 }
235 237
236 238 /*
237 239 * We do not allow executing files in attribute directories.
238 240 * We test this by determining whether the resolved path
239 241 * contains a "/" when we're in an attribute directory;
240 242 * only if the pathname does not contain a "/" the resolved path
241 243 * points to a file in the current working (attribute) directory.
242 244 */
243 245 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
244 246 strchr(resolvepn.pn_path, '/') == NULL) {
245 247 if (dir != NULL)
246 248 VN_RELE(dir);
247 249 error = EACCES;
248 250 pn_free(&resolvepn);
249 251 pn_free(&pn);
250 252 VN_RELE(vp);
251 253 goto out;
252 254 }
253 255
254 256 bzero(exec_file, MAXCOMLEN+1);
255 257 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
256 258 bzero(&args, sizeof (args));
257 259 args.pathname = resolvepn.pn_path;
258 260 /* don't free resolvepn until we are done with args */
259 261 pn_free(&pn);
260 262
261 263 /*
262 264 * If we're running in a profile shell, then call pfexecd.
263 265 */
264 266 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
265 267 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
266 268 &args.scrubenv);
267 269
268 270 /* Returning errno in case we're not allowed to execute. */
269 271 if (error > 0) {
270 272 if (dir != NULL)
271 273 VN_RELE(dir);
272 274 pn_free(&resolvepn);
273 275 VN_RELE(vp);
274 276 goto out;
275 277 }
276 278
277 279 /* Don't change the credentials when using old ptrace. */
278 280 if (args.pfcred != NULL &&
279 281 (p->p_proc_flag & P_PR_PTRACE) != 0) {
280 282 crfree(args.pfcred);
281 283 args.pfcred = NULL;
282 284 args.scrubenv = B_FALSE;
283 285 }
284 286 }
285 287
286 288 /*
287 289 * Specific exec handlers, or policies determined via
288 290 * /etc/system may override the historical default.
289 291 */
|
↓ open down ↓ |
180 lines elided |
↑ open up ↑ |
290 292 args.stk_prot = PROT_ZFOD;
291 293 args.dat_prot = PROT_ZFOD;
292 294
293 295 CPU_STATS_ADD_K(sys, sysexec, 1);
294 296 DTRACE_PROC1(exec, char *, args.pathname);
295 297
296 298 ua.fname = fname;
297 299 ua.argp = argp;
298 300 ua.envp = envp;
299 301
300 - /* If necessary, brand this process before we start the exec. */
301 - if (brandme)
302 - brand_setbrand(p);
302 + /* If necessary, brand this process/lwp before we start the exec. */
303 + if (brandme) {
304 + void *brand_data = NULL;
303 305
306 + /*
307 + * Process branding may fail if multiple LWPs are present and
308 + * holdlwps() cannot complete successfully.
309 + */
310 + error = brand_setbrand(p, B_TRUE);
311 +
312 + if (error == 0 && BROP(p)->b_lwpdata_alloc != NULL) {
313 + brand_data = BROP(p)->b_lwpdata_alloc(p);
314 + if (brand_data == NULL) {
315 + error = 1;
316 + }
317 + }
318 +
319 + if (error == 0) {
320 + mutex_enter(&p->p_lock);
321 + BROP(p)->b_initlwp(lwp, brand_data);
322 + mutex_exit(&p->p_lock);
323 + } else {
324 + VN_RELE(vp);
325 + if (dir != NULL) {
326 + VN_RELE(dir);
327 + }
328 + pn_free(&resolvepn);
329 + goto fail;
330 + }
331 + }
332 +
304 333 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
305 - exec_file, p->p_cred, brand_action)) != 0) {
306 - if (brandme)
307 - brand_clearbrand(p, B_FALSE);
334 + exec_file, p->p_cred, &brand_action)) != 0) {
335 + if (brandme) {
336 + BROP(p)->b_freelwp(lwp);
337 + brand_clearbrand(p, B_TRUE);
338 + }
308 339 VN_RELE(vp);
309 340 if (dir != NULL)
310 341 VN_RELE(dir);
311 342 pn_free(&resolvepn);
312 343 goto fail;
313 344 }
314 345
315 346 /*
316 347 * Free floating point registers (sun4u only)
317 348 */
318 349 ASSERT(lwp != NULL);
319 350 lwp_freeregs(lwp, 1);
320 351
321 352 /*
322 353 * Free thread and process context ops.
323 354 */
324 355 if (curthread->t_ctx)
325 356 freectx(curthread, 1);
326 357 if (p->p_pctx)
327 358 freepctx(p, 1);
328 359
|
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
329 360 /*
330 361 * Remember file name for accounting; clear any cached DTrace predicate.
331 362 */
332 363 up->u_acflag &= ~AFORK;
333 364 bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
334 365 curthread->t_predcache = NULL;
335 366
336 367 /*
337 368 * Clear contract template state
338 369 */
339 - lwp_ctmpl_clear(lwp);
370 + lwp_ctmpl_clear(lwp, B_TRUE);
340 371
341 372 /*
342 373 * Save the directory in which we found the executable for expanding
343 374 * the %d token used in core file patterns.
344 375 */
345 376 mutex_enter(&p->p_lock);
346 377 tmpvp = p->p_execdir;
347 378 p->p_execdir = dir;
348 379 if (p->p_execdir != NULL)
349 380 VN_HOLD(p->p_execdir);
350 381 mutex_exit(&p->p_lock);
351 382
352 383 if (tmpvp != NULL)
|
↓ open down ↓ |
3 lines elided |
↑ open up ↑ |
353 384 VN_RELE(tmpvp);
354 385
355 386 /*
356 387 * Reset stack state to the user stack, clear set of signals
357 388 * caught on the signal stack, and reset list of signals that
358 389 * restart system calls; the new program's environment should
359 390 * not be affected by detritus from the old program. Any
360 391 * pending held signals remain held, so don't clear t_hold.
361 392 */
362 393 mutex_enter(&p->p_lock);
394 + DTRACE_PROBE3(oldcontext__set, klwp_t *, lwp,
395 + uintptr_t, lwp->lwp_oldcontext, uintptr_t, 0);
363 396 lwp->lwp_oldcontext = 0;
364 397 lwp->lwp_ustack = 0;
365 398 lwp->lwp_old_stk_ctl = 0;
366 399 sigemptyset(&up->u_signodefer);
367 400 sigemptyset(&up->u_sigonstack);
368 401 sigemptyset(&up->u_sigresethand);
369 402 lwp->lwp_sigaltstack.ss_sp = 0;
370 403 lwp->lwp_sigaltstack.ss_size = 0;
371 404 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
372 405
373 406 /*
374 407 * Make saved resource limit == current resource limit.
375 408 */
376 409 for (i = 0; i < RLIM_NLIMITS; i++) {
377 410 /*CONSTCOND*/
378 411 if (RLIM_SAVED(i)) {
379 412 (void) rctl_rlimit_get(rctlproc_legacy[i], p,
380 413 &up->u_saved_rlimit[i]);
381 414 }
382 415 }
383 416
384 417 /*
385 418 * If the action was to catch the signal, then the action
386 419 * must be reset to SIG_DFL.
387 420 */
388 421 sigdefault(p);
389 422 p->p_flag &= ~(SNOWAIT|SJCTL);
390 423 p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
391 424 up->u_signal[SIGCLD - 1] = SIG_DFL;
392 425
393 426 /*
394 427 * Delete the dot4 sigqueues/signotifies.
395 428 */
396 429 sigqfree(p);
397 430
398 431 mutex_exit(&p->p_lock);
399 432
400 433 mutex_enter(&p->p_pflock);
401 434 p->p_prof.pr_base = NULL;
402 435 p->p_prof.pr_size = 0;
403 436 p->p_prof.pr_off = 0;
404 437 p->p_prof.pr_scale = 0;
405 438 p->p_prof.pr_samples = 0;
406 439 mutex_exit(&p->p_pflock);
407 440
408 441 ASSERT(curthread->t_schedctl == NULL);
409 442
410 443 #if defined(__sparc)
411 444 if (p->p_utraps != NULL)
|
↓ open down ↓ |
39 lines elided |
↑ open up ↑ |
412 445 utrap_free(p);
413 446 #endif /* __sparc */
414 447
415 448 /*
416 449 * Close all close-on-exec files.
417 450 */
418 451 close_exec(P_FINFO(p));
419 452 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
420 453
421 454 /* Unbrand ourself if necessary. */
422 - if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
455 + if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE)) {
456 + BROP(p)->b_freelwp(lwp);
423 457 brand_clearbrand(p, B_FALSE);
458 + }
424 459
425 460 setregs(&args);
426 461
427 462 /* Mark this as an executable vnode */
428 463 mutex_enter(&vp->v_lock);
429 464 vp->v_flag |= VVMEXEC;
430 465 mutex_exit(&vp->v_lock);
431 466
432 467 VN_RELE(vp);
433 468 if (dir != NULL)
434 469 VN_RELE(dir);
435 470 pn_free(&resolvepn);
436 471
437 472 /*
438 473 * Allocate a new lwp directory and lwpid hash table if necessary.
439 474 */
440 475 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
441 476 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
442 477 lwpdir->ld_next = lwpdir + 1;
443 478 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
444 479 if (p->p_lwpdir != NULL)
445 480 lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
446 481 else
447 482 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
448 483 }
449 484
450 485 if (PROC_IS_BRANDED(p))
451 486 BROP(p)->b_exec();
452 487
453 488 mutex_enter(&p->p_lock);
454 489 prbarrier(p);
455 490
456 491 /*
457 492 * Reset lwp id to the default value of 1.
458 493 * This is a single-threaded process now
459 494 * and lwp #1 is lwp_wait()able by default.
460 495 * The t_unpark flag should not be inherited.
461 496 */
462 497 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
463 498 curthread->t_tid = 1;
464 499 kpreempt_disable();
465 500 ASSERT(curthread->t_lpl != NULL);
466 501 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
467 502 kpreempt_enable();
468 503 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
469 504 lgrp_update_trthr_migrations(1);
470 505 }
471 506 curthread->t_unpark = 0;
472 507 curthread->t_proc_flag |= TP_TWAIT;
473 508 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */
474 509 p->p_lwpdaemon = 0; /* but oh well ... */
475 510 p->p_lwpid = 1;
476 511
477 512 /*
478 513 * Install the newly-allocated lwp directory and lwpid hash table
479 514 * and insert the current thread into the new hash table.
480 515 */
481 516 if (lwpdir != NULL) {
482 517 old_lwpdir = p->p_lwpdir;
483 518 old_lwpdir_sz = p->p_lwpdir_sz;
484 519 old_tidhash = p->p_tidhash;
485 520 old_tidhash_sz = p->p_tidhash_sz;
486 521 p->p_lwpdir = p->p_lwpfree = lwpdir;
487 522 p->p_lwpdir_sz = 2;
488 523 lep->le_thread = curthread;
489 524 lep->le_lwpid = curthread->t_tid;
490 525 lep->le_start = curthread->t_start;
491 526 lwp_hash_in(p, lep, tidhash, 2, 0);
492 527 p->p_tidhash = tidhash;
493 528 p->p_tidhash_sz = 2;
494 529 }
495 530 ret_tidhash = p->p_ret_tidhash;
496 531 p->p_ret_tidhash = NULL;
497 532
498 533 /*
499 534 * Restore the saved signal mask and
500 535 * inform /proc that the exec() has finished.
501 536 */
502 537 curthread->t_hold = savedmask;
503 538 prexecend();
504 539 mutex_exit(&p->p_lock);
505 540 if (old_lwpdir) {
506 541 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
507 542 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
508 543 }
509 544 while (ret_tidhash != NULL) {
510 545 ret_tidhash_t *next = ret_tidhash->rth_next;
511 546 kmem_free(ret_tidhash->rth_tidhash,
512 547 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
513 548 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
514 549 ret_tidhash = next;
515 550 }
516 551
517 552 ASSERT(error == 0);
518 553 DTRACE_PROC(exec__success);
519 554 return (0);
520 555
521 556 fail:
522 557 DTRACE_PROC1(exec__failure, int, error);
523 558 out: /* error return */
524 559 mutex_enter(&p->p_lock);
525 560 curthread->t_hold = savedmask;
526 561 prexecend();
527 562 mutex_exit(&p->p_lock);
528 563 ASSERT(error != 0);
529 564 return (error);
530 565 }
531 566
532 567
533 568 /*
534 569 * Perform generic exec duties and switchout to object-file specific
535 570 * handler.
536 571 */
|
↓ open down ↓ |
103 lines elided |
↑ open up ↑ |
537 572 int
538 573 gexec(
539 574 struct vnode **vpp,
540 575 struct execa *uap,
541 576 struct uarg *args,
542 577 struct intpdata *idatap,
543 578 int level,
544 579 long *execsz,
545 580 caddr_t exec_file,
546 581 struct cred *cred,
547 - int brand_action)
582 + int *brand_action)
548 583 {
549 584 struct vnode *vp, *execvp = NULL;
550 585 proc_t *pp = ttoproc(curthread);
551 586 struct execsw *eswp;
552 587 int error = 0;
553 588 int suidflags = 0;
554 589 ssize_t resid;
555 590 uid_t uid, gid;
556 591 struct vattr vattr;
557 592 char magbuf[MAGIC_BYTES];
558 593 int setid;
559 594 cred_t *oldcred, *newcred = NULL;
560 595 int privflags = 0;
561 596 int setidfl;
562 597 priv_set_t fset;
563 598
564 599 /*
565 600 * If the SNOCD or SUGID flag is set, turn it off and remember the
566 601 * previous setting so we can restore it if we encounter an error.
567 602 */
568 603 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
569 604 mutex_enter(&pp->p_lock);
570 605 suidflags = pp->p_flag & PSUIDFLAGS;
571 606 pp->p_flag &= ~PSUIDFLAGS;
572 607 mutex_exit(&pp->p_lock);
573 608 }
574 609
575 610 if ((error = execpermissions(*vpp, &vattr, args)) != 0)
576 611 goto bad_noclose;
577 612
578 613 /* need to open vnode for stateful file systems */
579 614 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
580 615 goto bad_noclose;
581 616 vp = *vpp;
582 617
583 618 /*
584 619 * Note: to support binary compatibility with SunOS a.out
585 620 * executables, we read in the first four bytes, as the
586 621 * magic number is in bytes 2-3.
587 622 */
588 623 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
589 624 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
590 625 goto bad;
591 626 if (resid != 0)
592 627 goto bad;
593 628
594 629 if ((eswp = findexec_by_hdr(magbuf)) == NULL)
595 630 goto bad;
596 631
597 632 if (level == 0 &&
598 633 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
599 634 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
600 635
601 636 /* Pfcred is a credential with a ref count of 1 */
602 637
603 638 if (args->pfcred != NULL) {
604 639 privflags |= PRIV_INCREASE|PRIV_RESET;
605 640 newcred = cred = args->pfcred;
606 641 } else {
607 642 newcred = cred = crdup(cred);
608 643 }
609 644
610 645 /* If we can, drop the PA bit */
611 646 if ((privflags & PRIV_RESET) != 0)
612 647 priv_adjust_PA(cred);
613 648
614 649 if (privflags & PRIV_SETID) {
615 650 cred->cr_uid = uid;
616 651 cred->cr_gid = gid;
617 652 cred->cr_suid = uid;
618 653 cred->cr_sgid = gid;
619 654 }
620 655
621 656 if (privflags & MAC_FLAGS) {
622 657 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
623 658 CR_FLAGS(cred) &= ~NET_MAC_AWARE;
624 659 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
625 660 }
626 661
627 662 /*
628 663 * Implement the privilege updates:
629 664 *
630 665 * Restrict with L:
631 666 *
632 667 * I' = I & L
633 668 *
634 669 * E' = P' = (I' + F) & A
635 670 *
636 671 * But if running under ptrace, we cap I and F with P.
637 672 */
638 673 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
639 674 if ((privflags & PRIV_INCREASE) != 0 &&
640 675 (pp->p_proc_flag & P_PR_PTRACE) != 0) {
641 676 priv_intersect(&CR_OPPRIV(cred),
642 677 &CR_IPRIV(cred));
643 678 priv_intersect(&CR_OPPRIV(cred), &fset);
644 679 }
645 680 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
646 681 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
647 682 if (privflags & PRIV_FORCED) {
648 683 priv_set_PA(cred);
649 684 priv_union(&fset, &CR_EPRIV(cred));
650 685 priv_union(&fset, &CR_PPRIV(cred));
651 686 }
652 687 priv_adjust_PA(cred);
653 688 }
654 689 } else if (level == 0 && args->pfcred != NULL) {
655 690 newcred = cred = args->pfcred;
656 691 privflags |= PRIV_INCREASE;
657 692 /* pfcred is not forced to adhere to these settings */
658 693 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
659 694 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
660 695 priv_adjust_PA(cred);
661 696 }
662 697
663 698 /* SunOS 4.x buy-back */
664 699 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
665 700 (vattr.va_mode & (VSUID|VSGID))) {
666 701 char path[MAXNAMELEN];
667 702 refstr_t *mntpt = NULL;
668 703 int ret = -1;
669 704
670 705 bzero(path, sizeof (path));
671 706 zone_hold(pp->p_zone);
672 707
673 708 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
674 709 sizeof (path), cred);
675 710
676 711 /* fallback to mountpoint if a path can't be found */
677 712 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
678 713 mntpt = vfs_getmntpoint(vp->v_vfsp);
679 714
680 715 if (mntpt == NULL)
681 716 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
682 717 "!uid %d: setuid execution not allowed, "
683 718 "file=%s", cred->cr_uid, path);
684 719 else
685 720 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
686 721 "!uid %d: setuid execution not allowed, "
687 722 "fs=%s, file=%s", cred->cr_uid,
688 723 ZONE_PATH_TRANSLATE(refstr_value(mntpt),
689 724 pp->p_zone), exec_file);
690 725
691 726 if (!INGLOBALZONE(pp)) {
692 727 /* zone_rootpath always has trailing / */
693 728 if (mntpt == NULL)
694 729 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
695 730 "setuid execution not allowed, file=%s%s",
696 731 pp->p_zone->zone_name, cred->cr_uid,
697 732 pp->p_zone->zone_rootpath, path + 1);
698 733 else
699 734 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
700 735 "setuid execution not allowed, fs=%s, "
701 736 "file=%s", pp->p_zone->zone_name,
702 737 cred->cr_uid, refstr_value(mntpt),
703 738 exec_file);
704 739 }
705 740
706 741 if (mntpt != NULL)
707 742 refstr_rele(mntpt);
708 743
709 744 zone_rele(pp->p_zone);
710 745 }
711 746
712 747 /*
713 748 * execsetid() told us whether or not we had to change the
714 749 * credentials of the process. In privflags, it told us
715 750 * whether we gained any privileges or executed a set-uid executable.
716 751 */
717 752 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
718 753
719 754 /*
720 755 * Use /etc/system variable to determine if the stack
721 756 * should be marked as executable by default.
722 757 */
723 758 if (noexec_user_stack)
724 759 args->stk_prot &= ~PROT_EXEC;
725 760
726 761 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
727 762 args->ex_vp = vp;
728 763
729 764 /*
730 765 * Traditionally, the setid flags told the sub processes whether
731 766 * the file just executed was set-uid or set-gid; this caused
732 767 * some confusion as the 'setid' flag did not match the SUGID
733 768 * process flag which is only set when the uids/gids do not match.
734 769 * A script set-gid/set-uid to the real uid/gid would start with
735 770 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
736 771 * Now we flag those cases where the calling process cannot
737 772 * be trusted to influence the newly exec'ed process, either
738 773 * because it runs with more privileges or when the uids/gids
739 774 * do in fact not match.
740 775 * This also makes the runtime linker agree with the on exec
741 776 * values of SNOCD and SUGID.
742 777 */
743 778 setidfl = 0;
744 779 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
745 780 !supgroupmember(cred->cr_gid, cred))) {
746 781 setidfl |= EXECSETID_UGIDS;
747 782 }
748 783 if (setid & PRIV_SETUGID)
749 784 setidfl |= EXECSETID_SETID;
750 785 if (setid & PRIV_FORCED)
751 786 setidfl |= EXECSETID_PRIVS;
752 787
753 788 execvp = pp->p_exec;
754 789 if (execvp)
755 790 VN_HOLD(execvp);
756 791
757 792 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
758 793 setidfl, exec_file, cred, brand_action);
759 794 rw_exit(eswp->exec_lock);
760 795 if (error != 0) {
761 796 if (execvp)
762 797 VN_RELE(execvp);
763 798 /*
764 799 * If this process's p_exec has been set to the vp of
765 800 * the executable by exec_func, we will return without
766 801 * calling VOP_CLOSE because proc_exit will close it
767 802 * on exit.
768 803 */
769 804 if (pp->p_exec == vp)
770 805 goto bad_noclose;
771 806 else
772 807 goto bad;
773 808 }
774 809
775 810 if (level == 0) {
776 811 uid_t oruid;
777 812
778 813 if (execvp != NULL) {
779 814 /*
780 815 * Close the previous executable only if we are
781 816 * at level 0.
782 817 */
783 818 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
784 819 cred, NULL);
785 820 }
786 821
787 822 mutex_enter(&pp->p_crlock);
788 823
789 824 oruid = pp->p_cred->cr_ruid;
790 825
791 826 if (newcred != NULL) {
792 827 /*
793 828 * Free the old credentials, and set the new ones.
794 829 * Do this for both the process and the (single) thread.
795 830 */
796 831 crfree(pp->p_cred);
797 832 pp->p_cred = cred; /* cred already held for proc */
798 833 crhold(cred); /* hold new cred for thread */
799 834 /*
800 835 * DTrace accesses t_cred in probe context. t_cred
801 836 * must always be either NULL, or point to a valid,
802 837 * allocated cred structure.
803 838 */
804 839 oldcred = curthread->t_cred;
805 840 curthread->t_cred = cred;
806 841 crfree(oldcred);
807 842
808 843 if (priv_basic_test >= 0 &&
809 844 !PRIV_ISASSERT(&CR_IPRIV(newcred),
810 845 priv_basic_test)) {
811 846 pid_t pid = pp->p_pid;
812 847 char *fn = PTOU(pp)->u_comm;
813 848
814 849 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
815 850 "privilege removed from E/I", fn, pid);
816 851 }
817 852 }
818 853 /*
819 854 * On emerging from a successful exec(), the saved
820 855 * uid and gid equal the effective uid and gid.
821 856 */
822 857 cred->cr_suid = cred->cr_uid;
823 858 cred->cr_sgid = cred->cr_gid;
824 859
825 860 /*
826 861 * If the real and effective ids do not match, this
827 862 * is a setuid process that should not dump core.
828 863 * The group comparison is tricky; we prevent the code
829 864 * from flagging SNOCD when executing with an effective gid
830 865 * which is a supplementary group.
831 866 */
832 867 if (cred->cr_ruid != cred->cr_uid ||
833 868 (cred->cr_rgid != cred->cr_gid &&
834 869 !supgroupmember(cred->cr_gid, cred)) ||
835 870 (privflags & PRIV_INCREASE) != 0)
836 871 suidflags = PSUIDFLAGS;
837 872 else
838 873 suidflags = 0;
839 874
840 875 mutex_exit(&pp->p_crlock);
841 876 if (newcred != NULL && oruid != newcred->cr_ruid) {
842 877 /* Note that the process remains in the same zone. */
843 878 mutex_enter(&pidlock);
844 879 upcount_dec(oruid, crgetzoneid(newcred));
845 880 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
846 881 mutex_exit(&pidlock);
847 882 }
848 883 if (suidflags) {
849 884 mutex_enter(&pp->p_lock);
850 885 pp->p_flag |= suidflags;
|
↓ open down ↓ |
293 lines elided |
↑ open up ↑ |
851 886 mutex_exit(&pp->p_lock);
852 887 }
853 888 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
854 889 /*
855 890 * If process is traced via /proc, arrange to
856 891 * invalidate the associated /proc vnode.
857 892 */
858 893 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
859 894 args->traceinval = 1;
860 895 }
861 - if (pp->p_proc_flag & P_PR_PTRACE)
896 +
897 + /*
898 + * If legacy ptrace is enabled, generate the SIGTRAP.
899 + */
900 + if (pp->p_proc_flag & P_PR_PTRACE) {
862 901 psignal(pp, SIGTRAP);
902 + }
903 +
863 904 if (args->traceinval)
864 905 prinvalidate(&pp->p_user);
865 906 }
866 907 if (execvp)
867 908 VN_RELE(execvp);
868 909 return (0);
869 910
870 911 bad:
871 912 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
872 913
873 914 bad_noclose:
874 915 if (newcred != NULL)
875 916 crfree(newcred);
876 917 if (error == 0)
877 918 error = ENOEXEC;
878 919
879 920 if (suidflags) {
880 921 mutex_enter(&pp->p_lock);
881 922 pp->p_flag |= suidflags;
882 923 mutex_exit(&pp->p_lock);
883 924 }
884 925 return (error);
885 926 }
886 927
887 928 extern char *execswnames[];
888 929
889 930 struct execsw *
890 931 allocate_execsw(char *name, char *magic, size_t magic_size)
891 932 {
892 933 int i, j;
893 934 char *ename;
894 935 char *magicp;
895 936
896 937 mutex_enter(&execsw_lock);
897 938 for (i = 0; i < nexectype; i++) {
898 939 if (execswnames[i] == NULL) {
899 940 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
900 941 (void) strcpy(ename, name);
901 942 execswnames[i] = ename;
902 943 /*
903 944 * Set the magic number last so that we
904 945 * don't need to hold the execsw_lock in
905 946 * findexectype().
906 947 */
907 948 magicp = kmem_alloc(magic_size, KM_SLEEP);
908 949 for (j = 0; j < magic_size; j++)
909 950 magicp[j] = magic[j];
910 951 execsw[i].exec_magic = magicp;
911 952 mutex_exit(&execsw_lock);
912 953 return (&execsw[i]);
913 954 }
914 955 }
915 956 mutex_exit(&execsw_lock);
916 957 return (NULL);
917 958 }
918 959
919 960 /*
920 961 * Find the exec switch table entry with the corresponding magic string.
921 962 */
922 963 struct execsw *
923 964 findexecsw(char *magic)
924 965 {
925 966 struct execsw *eswp;
926 967
927 968 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
928 969 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
929 970 if (magic && eswp->exec_maglen != 0 &&
930 971 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
931 972 return (eswp);
932 973 }
933 974 return (NULL);
934 975 }
935 976
936 977 /*
937 978 * Find the execsw[] index for the given exec header string by looking for the
938 979 * magic string at a specified offset and length for each kind of executable
939 980 * file format until one matches. If no execsw[] entry is found, try to
940 981 * autoload a module for this magic string.
941 982 */
942 983 struct execsw *
943 984 findexec_by_hdr(char *header)
944 985 {
945 986 struct execsw *eswp;
946 987
947 988 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
948 989 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
949 990 if (header && eswp->exec_maglen != 0 &&
950 991 bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
951 992 eswp->exec_maglen) == 0) {
952 993 if (hold_execsw(eswp) != 0)
953 994 return (NULL);
954 995 return (eswp);
955 996 }
956 997 }
957 998 return (NULL); /* couldn't find the type */
958 999 }
959 1000
960 1001 /*
961 1002 * Find the execsw[] index for the given magic string. If no execsw[] entry
962 1003 * is found, try to autoload a module for this magic string.
963 1004 */
964 1005 struct execsw *
965 1006 findexec_by_magic(char *magic)
966 1007 {
967 1008 struct execsw *eswp;
968 1009
969 1010 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
970 1011 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
971 1012 if (magic && eswp->exec_maglen != 0 &&
972 1013 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
973 1014 if (hold_execsw(eswp) != 0)
974 1015 return (NULL);
975 1016 return (eswp);
976 1017 }
977 1018 }
978 1019 return (NULL); /* couldn't find the type */
979 1020 }
980 1021
981 1022 static int
982 1023 hold_execsw(struct execsw *eswp)
983 1024 {
984 1025 char *name;
985 1026
986 1027 rw_enter(eswp->exec_lock, RW_READER);
987 1028 while (!LOADED_EXEC(eswp)) {
988 1029 rw_exit(eswp->exec_lock);
989 1030 name = execswnames[eswp-execsw];
990 1031 ASSERT(name);
991 1032 if (modload("exec", name) == -1)
992 1033 return (-1);
993 1034 rw_enter(eswp->exec_lock, RW_READER);
994 1035 }
995 1036 return (0);
996 1037 }
997 1038
998 1039 static int
999 1040 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1000 1041 priv_set_t *fset, cred_t *cr, const char *pathname)
1001 1042 {
1002 1043 proc_t *pp = ttoproc(curthread);
1003 1044 uid_t uid, gid;
1004 1045 int privflags = 0;
1005 1046
1006 1047 /*
1007 1048 * Remember credentials.
1008 1049 */
1009 1050 uid = cr->cr_uid;
1010 1051 gid = cr->cr_gid;
1011 1052
1012 1053 /* Will try to reset the PRIV_AWARE bit later. */
1013 1054 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1014 1055 privflags |= PRIV_RESET;
1015 1056
1016 1057 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1017 1058 /*
1018 1059 * If it's a set-uid root program we perform the
1019 1060 * forced privilege look-aside. This has three possible
1020 1061 * outcomes:
1021 1062 * no look aside information -> treat as before
1022 1063 * look aside in Limit set -> apply forced privs
1023 1064 * look aside not in Limit set -> ignore set-uid root
1024 1065 *
1025 1066 * Ordinary set-uid root execution only allowed if the limit
1026 1067 * set holds all unsafe privileges.
1027 1068 */
1028 1069 if (vattrp->va_mode & VSUID) {
1029 1070 if (vattrp->va_uid == 0) {
1030 1071 int res = get_forced_privs(cr, pathname, fset);
1031 1072
1032 1073 switch (res) {
1033 1074 case -1:
1034 1075 if (priv_issubset(&priv_unsafe,
1035 1076 &CR_LPRIV(cr))) {
1036 1077 uid = vattrp->va_uid;
1037 1078 privflags |= PRIV_SETUGID;
1038 1079 }
1039 1080 break;
1040 1081 case 0:
1041 1082 privflags |= PRIV_FORCED|PRIV_INCREASE;
1042 1083 break;
1043 1084 default:
1044 1085 break;
1045 1086 }
1046 1087 } else {
1047 1088 uid = vattrp->va_uid;
1048 1089 privflags |= PRIV_SETUGID;
1049 1090 }
1050 1091 }
1051 1092 if (vattrp->va_mode & VSGID) {
1052 1093 gid = vattrp->va_gid;
1053 1094 privflags |= PRIV_SETUGID;
1054 1095 }
1055 1096 }
1056 1097
1057 1098 /*
1058 1099 * Do we need to change our credential anyway?
1059 1100 * This is the case when E != I or P != I, as
1060 1101 * we need to do the assignments (with F empty and A full)
1061 1102 * Or when I is not a subset of L; in that case we need to
1062 1103 * enforce L.
1063 1104 *
1064 1105 * I' = L & I
1065 1106 *
1066 1107 * E' = P' = (I' + F) & A
1067 1108 * or
1068 1109 * E' = P' = I'
1069 1110 */
1070 1111 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1071 1112 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1072 1113 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1073 1114 privflags |= PRIV_RESET;
1074 1115
1075 1116 /* Child has more privileges than parent */
1076 1117 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1077 1118 privflags |= PRIV_INCREASE;
1078 1119
1079 1120 /* If MAC-aware flag(s) are on, need to update cred to remove. */
1080 1121 if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1081 1122 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1082 1123 privflags |= MAC_FLAGS;
1083 1124 /*
1084 1125 * Set setuid/setgid protections if no ptrace() compatibility.
1085 1126 * For privileged processes, honor setuid/setgid even in
1086 1127 * the presence of ptrace() compatibility.
1087 1128 */
1088 1129 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1089 1130 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1090 1131 (cr->cr_uid != uid ||
1091 1132 cr->cr_gid != gid ||
1092 1133 cr->cr_suid != uid ||
1093 1134 cr->cr_sgid != gid)) {
1094 1135 *uidp = uid;
1095 1136 *gidp = gid;
1096 1137 privflags |= PRIV_SETID;
1097 1138 }
1098 1139 return (privflags);
1099 1140 }
1100 1141
1101 1142 int
1102 1143 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1103 1144 {
1104 1145 int error;
1105 1146 proc_t *p = ttoproc(curthread);
1106 1147
1107 1148 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1108 1149 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1109 1150 return (error);
1110 1151 /*
1111 1152 * Check the access mode.
1112 1153 * If VPROC, ask /proc if the file is an object file.
1113 1154 */
1114 1155 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1115 1156 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1116 1157 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1117 1158 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1118 1159 if (error == 0)
1119 1160 error = EACCES;
1120 1161 return (error);
1121 1162 }
1122 1163
1123 1164 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1124 1165 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1125 1166 /*
1126 1167 * If process is under ptrace(2) compatibility,
1127 1168 * fail the exec(2).
1128 1169 */
1129 1170 if (p->p_proc_flag & P_PR_PTRACE)
1130 1171 goto bad;
1131 1172 /*
1132 1173 * Process is traced via /proc.
1133 1174 * Arrange to invalidate the /proc vnode.
1134 1175 */
1135 1176 args->traceinval = 1;
1136 1177 }
1137 1178 return (0);
1138 1179 bad:
1139 1180 if (error == 0)
1140 1181 error = ENOEXEC;
1141 1182 return (error);
1142 1183 }
1143 1184
1144 1185 /*
1145 1186 * Map a section of an executable file into the user's
1146 1187 * address space.
1147 1188 */
1148 1189 int
1149 1190 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1150 1191 off_t offset, int prot, int page, uint_t szc)
1151 1192 {
1152 1193 int error = 0;
1153 1194 off_t oldoffset;
1154 1195 caddr_t zfodbase, oldaddr;
1155 1196 size_t end, oldlen;
1156 1197 size_t zfoddiff;
1157 1198 label_t ljb;
1158 1199 proc_t *p = ttoproc(curthread);
1159 1200
1160 1201 oldaddr = addr;
1161 1202 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1162 1203 if (len) {
1163 1204 oldlen = len;
1164 1205 len += ((size_t)oldaddr - (size_t)addr);
1165 1206 oldoffset = offset;
1166 1207 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1167 1208 if (page) {
1168 1209 spgcnt_t prefltmem, availm, npages;
1169 1210 int preread;
1170 1211 uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1171 1212
1172 1213 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1173 1214 mflag |= MAP_TEXT;
1174 1215 } else {
1175 1216 mflag |= MAP_INITDATA;
1176 1217 }
1177 1218
1178 1219 if (valid_usr_range(addr, len, prot, p->p_as,
1179 1220 p->p_as->a_userlimit) != RANGE_OKAY) {
1180 1221 error = ENOMEM;
1181 1222 goto bad;
1182 1223 }
1183 1224 if (error = VOP_MAP(vp, (offset_t)offset,
1184 1225 p->p_as, &addr, len, prot, PROT_ALL,
1185 1226 mflag, CRED(), NULL))
1186 1227 goto bad;
1187 1228
1188 1229 /*
1189 1230 * If the segment can fit, then we prefault
1190 1231 * the entire segment in. This is based on the
1191 1232 * model that says the best working set of a
1192 1233 * small program is all of its pages.
1193 1234 */
1194 1235 npages = (spgcnt_t)btopr(len);
1195 1236 prefltmem = freemem - desfree;
1196 1237 preread =
1197 1238 (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1198 1239
1199 1240 /*
1200 1241 * If we aren't prefaulting the segment,
1201 1242 * increment "deficit", if necessary to ensure
1202 1243 * that pages will become available when this
1203 1244 * process starts executing.
1204 1245 */
1205 1246 availm = freemem - lotsfree;
1206 1247 if (preread == 0 && npages > availm &&
1207 1248 deficit < lotsfree) {
1208 1249 deficit += MIN((pgcnt_t)(npages - availm),
1209 1250 lotsfree - deficit);
1210 1251 }
1211 1252
1212 1253 if (preread) {
1213 1254 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1214 1255 "execmap preread:freemem %d size %lu",
1215 1256 freemem, len);
1216 1257 (void) as_fault(p->p_as->a_hat, p->p_as,
1217 1258 (caddr_t)addr, len, F_INVAL, S_READ);
1218 1259 }
1219 1260 } else {
1220 1261 if (valid_usr_range(addr, len, prot, p->p_as,
1221 1262 p->p_as->a_userlimit) != RANGE_OKAY) {
1222 1263 error = ENOMEM;
1223 1264 goto bad;
1224 1265 }
1225 1266
1226 1267 if (error = as_map(p->p_as, addr, len,
1227 1268 segvn_create, zfod_argsp))
1228 1269 goto bad;
1229 1270 /*
1230 1271 * Read in the segment in one big chunk.
1231 1272 */
1232 1273 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1233 1274 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1234 1275 (rlim64_t)0, CRED(), (ssize_t *)0))
1235 1276 goto bad;
1236 1277 /*
1237 1278 * Now set protections.
1238 1279 */
1239 1280 if (prot != PROT_ZFOD) {
1240 1281 (void) as_setprot(p->p_as, (caddr_t)addr,
1241 1282 len, prot);
1242 1283 }
1243 1284 }
1244 1285 }
1245 1286
1246 1287 if (zfodlen) {
1247 1288 struct as *as = curproc->p_as;
1248 1289 struct seg *seg;
1249 1290 uint_t zprot = 0;
1250 1291
1251 1292 end = (size_t)addr + len;
1252 1293 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1253 1294 zfoddiff = (uintptr_t)zfodbase - end;
1254 1295 if (zfoddiff) {
1255 1296 /*
1256 1297 * Before we go to zero the remaining space on the last
1257 1298 * page, make sure we have write permission.
1258 1299 *
1259 1300 * Normal illumos binaries don't even hit the case
1260 1301 * where we have to change permission on the last page
1261 1302 * since their protection is typically either
1262 1303 * PROT_USER | PROT_WRITE | PROT_READ
1263 1304 * or
1264 1305 * PROT_ZFOD (same as PROT_ALL).
1265 1306 *
1266 1307 * We need to be careful how we zero-fill the last page
1267 1308 * if the segment protection does not include
1268 1309 * PROT_WRITE. Using as_setprot() can cause the VM
1269 1310 * segment code to call segvn_vpage(), which must
1270 1311 * allocate a page struct for each page in the segment.
1271 1312 * If we have a very large segment, this may fail, so
1272 1313 * we have to check for that, even though we ignore
1273 1314 * other return values from as_setprot.
1274 1315 */
1275 1316
1276 1317 AS_LOCK_ENTER(as, RW_READER);
1277 1318 seg = as_segat(curproc->p_as, (caddr_t)end);
1278 1319 if (seg != NULL)
1279 1320 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1280 1321 &zprot);
1281 1322 AS_LOCK_EXIT(as);
1282 1323
1283 1324 if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1284 1325 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1285 1326 zprot | PROT_WRITE) == ENOMEM) {
1286 1327 error = ENOMEM;
1287 1328 goto bad;
1288 1329 }
1289 1330 }
1290 1331
1291 1332 if (on_fault(&ljb)) {
1292 1333 no_fault();
1293 1334 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1294 1335 (void) as_setprot(as, (caddr_t)end,
1295 1336 zfoddiff - 1, zprot);
1296 1337 error = EFAULT;
1297 1338 goto bad;
1298 1339 }
1299 1340 uzero((void *)end, zfoddiff);
1300 1341 no_fault();
1301 1342 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1302 1343 (void) as_setprot(as, (caddr_t)end,
1303 1344 zfoddiff - 1, zprot);
1304 1345 }
1305 1346 if (zfodlen > zfoddiff) {
1306 1347 struct segvn_crargs crargs =
1307 1348 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1308 1349
1309 1350 zfodlen -= zfoddiff;
1310 1351 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1311 1352 p->p_as->a_userlimit) != RANGE_OKAY) {
1312 1353 error = ENOMEM;
1313 1354 goto bad;
1314 1355 }
1315 1356 if (szc > 0) {
1316 1357 /*
1317 1358 * ASSERT alignment because the mapelfexec()
1318 1359 * caller for the szc > 0 case extended zfod
1319 1360 * so it's end is pgsz aligned.
1320 1361 */
1321 1362 size_t pgsz = page_get_pagesize(szc);
1322 1363 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1323 1364
1324 1365 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1325 1366 crargs.szc = szc;
1326 1367 } else {
1327 1368 crargs.szc = AS_MAP_HEAP;
1328 1369 }
1329 1370 } else {
1330 1371 crargs.szc = AS_MAP_NO_LPOOB;
1331 1372 }
1332 1373 if (error = as_map(p->p_as, (caddr_t)zfodbase,
1333 1374 zfodlen, segvn_create, &crargs))
1334 1375 goto bad;
1335 1376 if (prot != PROT_ZFOD) {
1336 1377 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1337 1378 zfodlen, prot);
1338 1379 }
1339 1380 }
1340 1381 }
1341 1382 return (0);
1342 1383 bad:
1343 1384 return (error);
1344 1385 }
1345 1386
1346 1387 void
1347 1388 setexecenv(struct execenv *ep)
1348 1389 {
1349 1390 proc_t *p = ttoproc(curthread);
1350 1391 klwp_t *lwp = ttolwp(curthread);
1351 1392 struct vnode *vp;
1352 1393
1353 1394 p->p_bssbase = ep->ex_bssbase;
1354 1395 p->p_brkbase = ep->ex_brkbase;
1355 1396 p->p_brksize = ep->ex_brksize;
1356 1397 if (p->p_exec)
1357 1398 VN_RELE(p->p_exec); /* out with the old */
1358 1399 vp = p->p_exec = ep->ex_vp;
1359 1400 if (vp != NULL)
1360 1401 VN_HOLD(vp); /* in with the new */
1361 1402
1362 1403 lwp->lwp_sigaltstack.ss_sp = 0;
1363 1404 lwp->lwp_sigaltstack.ss_size = 0;
1364 1405 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1365 1406 }
1366 1407
1367 1408 int
1368 1409 execopen(struct vnode **vpp, int *fdp)
1369 1410 {
1370 1411 struct vnode *vp = *vpp;
1371 1412 file_t *fp;
1372 1413 int error = 0;
1373 1414 int filemode = FREAD;
1374 1415
1375 1416 VN_HOLD(vp); /* open reference */
1376 1417 if (error = falloc(NULL, filemode, &fp, fdp)) {
1377 1418 VN_RELE(vp);
1378 1419 *fdp = -1; /* just in case falloc changed value */
1379 1420 return (error);
1380 1421 }
1381 1422 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1382 1423 VN_RELE(vp);
1383 1424 setf(*fdp, NULL);
1384 1425 unfalloc(fp);
1385 1426 *fdp = -1;
1386 1427 return (error);
1387 1428 }
1388 1429 *vpp = vp; /* vnode should not have changed */
1389 1430 fp->f_vnode = vp;
1390 1431 mutex_exit(&fp->f_tlock);
1391 1432 setf(*fdp, fp);
1392 1433 return (0);
1393 1434 }
1394 1435
1395 1436 int
1396 1437 execclose(int fd)
1397 1438 {
1398 1439 return (closeandsetf(fd, NULL));
1399 1440 }
1400 1441
1401 1442
1402 1443 /*
1403 1444 * noexec stub function.
1404 1445 */
1405 1446 /*ARGSUSED*/
1406 1447 int
1407 1448 noexec(
1408 1449 struct vnode *vp,
1409 1450 struct execa *uap,
1410 1451 struct uarg *args,
1411 1452 struct intpdata *idatap,
1412 1453 int level,
1413 1454 long *execsz,
1414 1455 int setid,
1415 1456 caddr_t exec_file,
1416 1457 struct cred *cred)
1417 1458 {
1418 1459 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1419 1460 return (ENOEXEC);
1420 1461 }
1421 1462
1422 1463 /*
1423 1464 * Support routines for building a user stack.
1424 1465 *
1425 1466 * execve(path, argv, envp) must construct a new stack with the specified
1426 1467 * arguments and environment variables (see exec_args() for a description
1427 1468 * of the user stack layout). To do this, we copy the arguments and
1428 1469 * environment variables from the old user address space into the kernel,
1429 1470 * free the old as, create the new as, and copy our buffered information
1430 1471 * to the new stack. Our kernel buffer has the following structure:
1431 1472 *
1432 1473 * +-----------------------+ <--- stk_base + stk_size
1433 1474 * | string offsets |
1434 1475 * +-----------------------+ <--- stk_offp
1435 1476 * | |
1436 1477 * | STK_AVAIL() space |
1437 1478 * | |
1438 1479 * +-----------------------+ <--- stk_strp
1439 1480 * | strings |
1440 1481 * +-----------------------+ <--- stk_base
1441 1482 *
1442 1483 * When we add a string, we store the string's contents (including the null
1443 1484 * terminator) at stk_strp, and we store the offset of the string relative to
1444 1485 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1445 1486 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1446 1487 * the difference between these pointers. If we run out of space, we return
1447 1488 * an error and exec_args() starts all over again with a buffer twice as large.
1448 1489 * When we're all done, the kernel buffer looks like this:
1449 1490 *
1450 1491 * +-----------------------+ <--- stk_base + stk_size
1451 1492 * | argv[0] offset |
1452 1493 * +-----------------------+
1453 1494 * | ... |
1454 1495 * +-----------------------+
1455 1496 * | argv[argc-1] offset |
1456 1497 * +-----------------------+
1457 1498 * | envp[0] offset |
1458 1499 * +-----------------------+
1459 1500 * | ... |
1460 1501 * +-----------------------+
1461 1502 * | envp[envc-1] offset |
1462 1503 * +-----------------------+
1463 1504 * | AT_SUN_PLATFORM offset|
1464 1505 * +-----------------------+
1465 1506 * | AT_SUN_EXECNAME offset|
1466 1507 * +-----------------------+ <--- stk_offp
1467 1508 * | |
1468 1509 * | STK_AVAIL() space |
1469 1510 * | |
1470 1511 * +-----------------------+ <--- stk_strp
1471 1512 * | AT_SUN_EXECNAME offset|
1472 1513 * +-----------------------+
1473 1514 * | AT_SUN_PLATFORM offset|
1474 1515 * +-----------------------+
1475 1516 * | envp[envc-1] string |
1476 1517 * +-----------------------+
1477 1518 * | ... |
1478 1519 * +-----------------------+
1479 1520 * | envp[0] string |
1480 1521 * +-----------------------+
1481 1522 * | argv[argc-1] string |
1482 1523 * +-----------------------+
1483 1524 * | ... |
1484 1525 * +-----------------------+
1485 1526 * | argv[0] string |
1486 1527 * +-----------------------+ <--- stk_base
1487 1528 */
1488 1529
1489 1530 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1490 1531
1491 1532 /*
1492 1533 * Add a string to the stack.
1493 1534 */
1494 1535 static int
1495 1536 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1496 1537 {
1497 1538 int error;
1498 1539 size_t len;
1499 1540
1500 1541 if (STK_AVAIL(args) < sizeof (int))
1501 1542 return (E2BIG);
1502 1543 *--args->stk_offp = args->stk_strp - args->stk_base;
1503 1544
1504 1545 if (segflg == UIO_USERSPACE) {
1505 1546 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1506 1547 if (error != 0)
1507 1548 return (error);
1508 1549 } else {
1509 1550 len = strlen(sp) + 1;
|
↓ open down ↓ |
637 lines elided |
↑ open up ↑ |
1510 1551 if (len > STK_AVAIL(args))
1511 1552 return (E2BIG);
1512 1553 bcopy(sp, args->stk_strp, len);
1513 1554 }
1514 1555
1515 1556 args->stk_strp += len;
1516 1557
1517 1558 return (0);
1518 1559 }
1519 1560
1561 +/*
1562 + * Add a fixed size byte array to the stack (only from kernel space).
1563 + */
1520 1564 static int
1565 +stk_byte_add(uarg_t *args, const uint8_t *sp, size_t len)
1566 +{
1567 + if (STK_AVAIL(args) < sizeof (int))
1568 + return (E2BIG);
1569 + *--args->stk_offp = args->stk_strp - args->stk_base;
1570 +
1571 + if (len > STK_AVAIL(args))
1572 + return (E2BIG);
1573 + bcopy(sp, args->stk_strp, len);
1574 +
1575 + args->stk_strp += len;
1576 +
1577 + return (0);
1578 +}
1579 +
1580 +static int
1521 1581 stk_getptr(uarg_t *args, char *src, char **dst)
1522 1582 {
1523 1583 int error;
1524 1584
1525 1585 if (args->from_model == DATAMODEL_NATIVE) {
1526 1586 ulong_t ptr;
1527 1587 error = fulword(src, &ptr);
1528 1588 *dst = (caddr_t)ptr;
1529 1589 } else {
1530 1590 uint32_t ptr;
1531 1591 error = fuword32(src, &ptr);
1532 1592 *dst = (caddr_t)(uintptr_t)ptr;
1533 1593 }
1534 1594 return (error);
1535 1595 }
1536 1596
1537 1597 static int
1538 1598 stk_putptr(uarg_t *args, char *addr, char *value)
1539 1599 {
1540 1600 if (args->to_model == DATAMODEL_NATIVE)
1541 1601 return (sulword(addr, (ulong_t)value));
1542 1602 else
1543 1603 return (suword32(addr, (uint32_t)(uintptr_t)value));
1544 1604 }
1545 1605
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
1546 1606 static int
1547 1607 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1548 1608 {
1549 1609 char *sp;
1550 1610 int argc, error;
1551 1611 int argv_empty = 0;
1552 1612 size_t ptrsize = args->from_ptrsize;
1553 1613 size_t size, pad;
1554 1614 char *argv = (char *)uap->argp;
1555 1615 char *envp = (char *)uap->envp;
1616 + uint8_t rdata[RANDOM_LEN];
1556 1617
1557 1618 /*
1558 1619 * Copy interpreter's name and argument to argv[0] and argv[1].
1559 1620 * In the rare case that we have nested interpreters then those names
1560 1621 * and arguments are also copied to the subsequent slots in argv.
1561 1622 */
1562 1623 if (intp != NULL && intp->intp_name[0] != NULL) {
1563 1624 int i;
1564 1625
1565 1626 for (i = 0; i < INTP_MAXDEPTH; i++) {
1566 1627 if (intp->intp_name[i] == NULL)
1567 1628 break;
1568 1629 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1569 1630 if (error != 0)
1570 1631 return (error);
1571 1632 if (intp->intp_arg[i] != NULL) {
1572 1633 error = stk_add(args, intp->intp_arg[i],
1573 1634 UIO_SYSSPACE);
1574 1635 if (error != 0)
1575 1636 return (error);
1576 1637 }
1577 1638 }
1578 1639
1579 1640 if (args->fname != NULL)
1580 1641 error = stk_add(args, args->fname, UIO_SYSSPACE);
1581 1642 else
1582 1643 error = stk_add(args, uap->fname, UIO_USERSPACE);
1583 1644 if (error)
1584 1645 return (error);
1585 1646
1586 1647 /*
1587 1648 * Check for an empty argv[].
1588 1649 */
1589 1650 if (stk_getptr(args, argv, &sp))
1590 1651 return (EFAULT);
1591 1652 if (sp == NULL)
1592 1653 argv_empty = 1;
1593 1654
1594 1655 argv += ptrsize; /* ignore original argv[0] */
1595 1656 }
1596 1657
1597 1658 if (argv_empty == 0) {
1598 1659 /*
1599 1660 * Add argv[] strings to the stack.
1600 1661 */
1601 1662 for (;;) {
1602 1663 if (stk_getptr(args, argv, &sp))
1603 1664 return (EFAULT);
1604 1665 if (sp == NULL)
1605 1666 break;
1606 1667 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1607 1668 return (error);
1608 1669 argv += ptrsize;
1609 1670 }
1610 1671 }
1611 1672 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1612 1673 args->arglen = args->stk_strp - args->stk_base;
1613 1674
1614 1675 /*
1615 1676 * Add environ[] strings to the stack.
1616 1677 */
1617 1678 if (envp != NULL) {
1618 1679 for (;;) {
1619 1680 char *tmp = args->stk_strp;
1620 1681 if (stk_getptr(args, envp, &sp))
1621 1682 return (EFAULT);
1622 1683 if (sp == NULL)
1623 1684 break;
1624 1685 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1625 1686 return (error);
1626 1687 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1627 1688 /* Undo the copied string */
|
↓ open down ↓ |
62 lines elided |
↑ open up ↑ |
1628 1689 args->stk_strp = tmp;
1629 1690 *(args->stk_offp++) = NULL;
1630 1691 }
1631 1692 envp += ptrsize;
1632 1693 }
1633 1694 }
1634 1695 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1635 1696 args->ne = args->na - argc;
1636 1697
1637 1698 /*
1638 - * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1639 - * AT_SUN_EMULATOR strings to the stack.
1699 + * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME,
1700 + * AT_SUN_BRAND_NROOT, and AT_SUN_EMULATOR strings, as well as AT_RANDOM
1701 + * array, to the stack.
1640 1702 */
1641 1703 if (auxvpp != NULL && *auxvpp != NULL) {
1642 1704 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1643 1705 return (error);
1644 1706 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1645 1707 return (error);
1646 1708 if (args->brandname != NULL &&
1647 1709 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1648 1710 return (error);
1649 1711 if (args->emulator != NULL &&
1650 1712 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1651 1713 return (error);
1714 +
1715 + /*
1716 + * For the AT_RANDOM aux vector we provide 16 bytes of random
1717 + * data.
1718 + */
1719 + (void) random_get_pseudo_bytes(rdata, sizeof (rdata));
1720 +
1721 + if ((error = stk_byte_add(args, rdata, sizeof (rdata))) != 0)
1722 + return (error);
1723 +
1724 + if (args->brand_nroot != NULL &&
1725 + (error = stk_add(args, args->brand_nroot,
1726 + UIO_SYSSPACE)) != 0)
1727 + return (error);
1652 1728 }
1653 1729
1654 1730 /*
1655 1731 * Compute the size of the stack. This includes all the pointers,
1656 1732 * the space reserved for the aux vector, and all the strings.
1657 1733 * The total number of pointers is args->na (which is argc + envc)
1658 1734 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1659 1735 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1660 1736 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1661 1737 * all the strings, at the very top of the stack.
1662 1738 */
1663 1739 size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1664 1740 (args->stk_strp - args->stk_base);
1665 1741
1666 1742 /*
1667 1743 * Pad the string section with zeroes to align the stack size.
1668 1744 */
1669 1745 pad = P2NPHASE(size, args->stk_align);
1670 1746
1671 1747 if (STK_AVAIL(args) < pad)
1672 1748 return (E2BIG);
1673 1749
1674 1750 args->usrstack_size = size + pad;
1675 1751
1676 1752 while (pad-- != 0)
1677 1753 *args->stk_strp++ = 0;
1678 1754
1679 1755 args->nc = args->stk_strp - args->stk_base;
1680 1756
1681 1757 return (0);
1682 1758 }
1683 1759
1684 1760 static int
1685 1761 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1686 1762 {
1687 1763 size_t ptrsize = args->to_ptrsize;
1688 1764 ssize_t pslen;
1689 1765 char *kstrp = args->stk_base;
1690 1766 char *ustrp = usrstack - args->nc - ptrsize;
1691 1767 char *usp = usrstack - args->usrstack_size;
1692 1768 int *offp = (int *)(args->stk_base + args->stk_size);
1693 1769 int envc = args->ne;
1694 1770 int argc = args->na - envc;
1695 1771 int i;
1696 1772
1697 1773 /*
1698 1774 * Record argc for /proc.
1699 1775 */
1700 1776 up->u_argc = argc;
1701 1777
1702 1778 /*
1703 1779 * Put argc on the stack. Note that even though it's an int,
1704 1780 * it always consumes ptrsize bytes (for alignment).
1705 1781 */
1706 1782 if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1707 1783 return (-1);
1708 1784
1709 1785 /*
1710 1786 * Add argc space (ptrsize) to usp and record argv for /proc.
1711 1787 */
1712 1788 up->u_argv = (uintptr_t)(usp += ptrsize);
1713 1789
1714 1790 /*
1715 1791 * Put the argv[] pointers on the stack.
1716 1792 */
1717 1793 for (i = 0; i < argc; i++, usp += ptrsize)
1718 1794 if (stk_putptr(args, usp, &ustrp[*--offp]))
1719 1795 return (-1);
1720 1796
1721 1797 /*
1722 1798 * Copy arguments to u_psargs.
1723 1799 */
1724 1800 pslen = MIN(args->arglen, PSARGSZ) - 1;
1725 1801 for (i = 0; i < pslen; i++)
1726 1802 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1727 1803 while (i < PSARGSZ)
1728 1804 up->u_psargs[i++] = '\0';
1729 1805
1730 1806 /*
1731 1807 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1732 1808 * record envp for /proc.
1733 1809 */
1734 1810 up->u_envp = (uintptr_t)(usp += ptrsize);
1735 1811
1736 1812 /*
1737 1813 * Put the envp[] pointers on the stack.
1738 1814 */
1739 1815 for (i = 0; i < envc; i++, usp += ptrsize)
1740 1816 if (stk_putptr(args, usp, &ustrp[*--offp]))
1741 1817 return (-1);
1742 1818
1743 1819 /*
1744 1820 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1745 1821 * remember where the stack ends, which is also where auxv begins.
1746 1822 */
1747 1823 args->stackend = usp += ptrsize;
|
↓ open down ↓ |
86 lines elided |
↑ open up ↑ |
1748 1824
1749 1825 /*
1750 1826 * Put all the argv[], envp[], and auxv strings on the stack.
1751 1827 */
1752 1828 if (copyout(args->stk_base, ustrp, args->nc))
1753 1829 return (-1);
1754 1830
1755 1831 /*
1756 1832 * Fill in the aux vector now that we know the user stack addresses
1757 1833 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1758 - * AT_SUN_EMULATOR strings.
1834 + * AT_SUN_EMULATOR strings, as well as the AT_RANDOM array.
1759 1835 */
1760 1836 if (auxvpp != NULL && *auxvpp != NULL) {
1761 1837 if (args->to_model == DATAMODEL_NATIVE) {
1762 1838 auxv_t **a = (auxv_t **)auxvpp;
1763 1839 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1764 1840 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1765 1841 if (args->brandname != NULL)
1766 1842 ADDAUX(*a,
1767 1843 AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1768 1844 if (args->emulator != NULL)
1769 1845 ADDAUX(*a,
1770 1846 AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1847 + ADDAUX(*a, AT_RANDOM, (long)&ustrp[*--offp])
1848 + if (args->brand_nroot != NULL) {
1849 + ADDAUX(*a,
1850 + AT_SUN_BRAND_NROOT, (long)&ustrp[*--offp])
1851 + }
1771 1852 } else {
1772 1853 auxv32_t **a = (auxv32_t **)auxvpp;
1773 1854 ADDAUX(*a,
1774 1855 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1775 1856 ADDAUX(*a,
1776 1857 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1777 1858 if (args->brandname != NULL)
1778 1859 ADDAUX(*a, AT_SUN_BRANDNAME,
1779 1860 (int)(uintptr_t)&ustrp[*--offp])
1780 1861 if (args->emulator != NULL)
1781 1862 ADDAUX(*a, AT_SUN_EMULATOR,
1782 1863 (int)(uintptr_t)&ustrp[*--offp])
1864 + ADDAUX(*a, AT_RANDOM, (int)(uintptr_t)&ustrp[*--offp])
1865 + if (args->brand_nroot != NULL) {
1866 + ADDAUX(*a, AT_SUN_BRAND_NROOT,
1867 + (int)(uintptr_t)&ustrp[*--offp])
1868 + }
1783 1869 }
1784 1870 }
1785 1871
1786 1872 return (0);
1787 1873 }
1788 1874
1789 1875 /*
1790 1876 * Initialize a new user stack with the specified arguments and environment.
1791 1877 * The initial user stack layout is as follows:
1792 1878 *
1793 1879 * User Stack
1794 1880 * +---------------+ <--- curproc->p_usrstack
1795 1881 * | |
1796 1882 * | slew |
1797 1883 * | |
1798 1884 * +---------------+
1799 1885 * | NULL |
1800 1886 * +---------------+
1801 1887 * | |
1802 1888 * | auxv strings |
1803 1889 * | |
1804 1890 * +---------------+
1805 1891 * | |
1806 1892 * | envp strings |
1807 1893 * | |
1808 1894 * +---------------+
1809 1895 * | |
1810 1896 * | argv strings |
1811 1897 * | |
1812 1898 * +---------------+ <--- ustrp
1813 1899 * | |
1814 1900 * | aux vector |
1815 1901 * | |
1816 1902 * +---------------+ <--- auxv
1817 1903 * | NULL |
1818 1904 * +---------------+
1819 1905 * | envp[envc-1] |
1820 1906 * +---------------+
1821 1907 * | ... |
1822 1908 * +---------------+
1823 1909 * | envp[0] |
1824 1910 * +---------------+ <--- envp[]
1825 1911 * | NULL |
1826 1912 * +---------------+
1827 1913 * | argv[argc-1] |
1828 1914 * +---------------+
1829 1915 * | ... |
1830 1916 * +---------------+
1831 1917 * | argv[0] |
1832 1918 * +---------------+ <--- argv[]
1833 1919 * | argc |
1834 1920 * +---------------+ <--- stack base
1835 1921 */
1836 1922 int
1837 1923 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1838 1924 {
1839 1925 size_t size;
1840 1926 int error;
1841 1927 proc_t *p = ttoproc(curthread);
1842 1928 user_t *up = PTOU(p);
1843 1929 char *usrstack;
1844 1930 rctl_entity_p_t e;
1845 1931 struct as *as;
1846 1932 extern int use_stk_lpg;
1847 1933 size_t sp_slew;
1848 1934
1849 1935 args->from_model = p->p_model;
1850 1936 if (p->p_model == DATAMODEL_NATIVE) {
1851 1937 args->from_ptrsize = sizeof (long);
1852 1938 } else {
1853 1939 args->from_ptrsize = sizeof (int32_t);
1854 1940 }
1855 1941
1856 1942 if (args->to_model == DATAMODEL_NATIVE) {
1857 1943 args->to_ptrsize = sizeof (long);
1858 1944 args->ncargs = NCARGS;
1859 1945 args->stk_align = STACK_ALIGN;
1860 1946 if (args->addr32)
|
↓ open down ↓ |
68 lines elided |
↑ open up ↑ |
1861 1947 usrstack = (char *)USRSTACK64_32;
1862 1948 else
1863 1949 usrstack = (char *)USRSTACK;
1864 1950 } else {
1865 1951 args->to_ptrsize = sizeof (int32_t);
1866 1952 args->ncargs = NCARGS32;
1867 1953 args->stk_align = STACK_ALIGN32;
1868 1954 usrstack = (char *)USRSTACK32;
1869 1955 }
1870 1956
1957 + if (args->maxstack != 0 && (uintptr_t)usrstack > args->maxstack)
1958 + usrstack = (char *)args->maxstack;
1959 +
1871 1960 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1872 1961
1873 1962 #if defined(__sparc)
1874 1963 /*
1875 1964 * Make sure user register windows are empty before
1876 1965 * attempting to make a new stack.
1877 1966 */
1878 1967 (void) flush_user_windows_to_stack(NULL);
1879 1968 #endif
1880 1969
1881 1970 for (size = PAGESIZE; ; size *= 2) {
1882 1971 args->stk_size = size;
1883 1972 args->stk_base = kmem_alloc(size, KM_SLEEP);
1884 1973 args->stk_strp = args->stk_base;
1885 1974 args->stk_offp = (int *)(args->stk_base + size);
1886 1975 error = stk_copyin(uap, args, intp, auxvpp);
1887 1976 if (error == 0)
1888 1977 break;
1889 1978 kmem_free(args->stk_base, size);
1890 1979 if (error != E2BIG && error != ENAMETOOLONG)
1891 1980 return (error);
1892 1981 if (size >= args->ncargs)
1893 1982 return (E2BIG);
1894 1983 }
1895 1984
1896 1985 size = args->usrstack_size;
1897 1986
1898 1987 ASSERT(error == 0);
1899 1988 ASSERT(P2PHASE(size, args->stk_align) == 0);
1900 1989 ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1901 1990
1902 1991 if (size > args->ncargs) {
1903 1992 kmem_free(args->stk_base, args->stk_size);
1904 1993 return (E2BIG);
1905 1994 }
1906 1995
1907 1996 /*
1908 1997 * Leave only the current lwp and force the other lwps to exit.
1909 1998 * If another lwp beat us to the punch by calling exit(), bail out.
1910 1999 */
1911 2000 if ((error = exitlwps(0)) != 0) {
1912 2001 kmem_free(args->stk_base, args->stk_size);
1913 2002 return (error);
1914 2003 }
1915 2004
1916 2005 /*
1917 2006 * Revoke any doors created by the process.
1918 2007 */
1919 2008 if (p->p_door_list)
1920 2009 door_exit();
1921 2010
1922 2011 /*
1923 2012 * Release schedctl data structures.
1924 2013 */
1925 2014 if (p->p_pagep)
1926 2015 schedctl_proc_cleanup();
1927 2016
1928 2017 /*
1929 2018 * Clean up any DTrace helpers for the process.
1930 2019 */
1931 2020 if (p->p_dtrace_helpers != NULL) {
1932 2021 ASSERT(dtrace_helpers_cleanup != NULL);
1933 2022 (*dtrace_helpers_cleanup)();
1934 2023 }
1935 2024
1936 2025 mutex_enter(&p->p_lock);
1937 2026 /*
1938 2027 * Cleanup the DTrace provider associated with this process.
1939 2028 */
1940 2029 if (p->p_dtrace_probes) {
1941 2030 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1942 2031 dtrace_fasttrap_exec_ptr(p);
1943 2032 }
1944 2033 mutex_exit(&p->p_lock);
1945 2034
1946 2035 /*
1947 2036 * discard the lwpchan cache.
1948 2037 */
1949 2038 if (p->p_lcp != NULL)
1950 2039 lwpchan_destroy_cache(1);
1951 2040
1952 2041 /*
1953 2042 * Delete the POSIX timers.
1954 2043 */
1955 2044 if (p->p_itimer != NULL)
1956 2045 timer_exit();
1957 2046
1958 2047 /*
1959 2048 * Delete the ITIMER_REALPROF interval timer.
1960 2049 * The other ITIMER_* interval timers are specified
1961 2050 * to be inherited across exec().
1962 2051 */
1963 2052 delete_itimer_realprof();
1964 2053
1965 2054 if (AU_AUDITING())
1966 2055 audit_exec(args->stk_base, args->stk_base + args->arglen,
1967 2056 args->na - args->ne, args->ne, args->pfcred);
1968 2057
1969 2058 /*
1970 2059 * Ensure that we don't change resource associations while we
1971 2060 * change address spaces.
1972 2061 */
1973 2062 mutex_enter(&p->p_lock);
1974 2063 pool_barrier_enter();
1975 2064 mutex_exit(&p->p_lock);
1976 2065
1977 2066 /*
1978 2067 * Destroy the old address space and create a new one.
1979 2068 * From here on, any errors are fatal to the exec()ing process.
1980 2069 * On error we return -1, which means the caller must SIGKILL
1981 2070 * the process.
1982 2071 */
1983 2072 relvm();
1984 2073
1985 2074 mutex_enter(&p->p_lock);
1986 2075 pool_barrier_exit();
1987 2076 mutex_exit(&p->p_lock);
1988 2077
1989 2078 up->u_execsw = args->execswp;
1990 2079
1991 2080 p->p_brkbase = NULL;
1992 2081 p->p_brksize = 0;
1993 2082 p->p_brkpageszc = 0;
1994 2083 p->p_stksize = 0;
1995 2084 p->p_stkpageszc = 0;
1996 2085 p->p_model = args->to_model;
1997 2086 p->p_usrstack = usrstack;
1998 2087 p->p_stkprot = args->stk_prot;
1999 2088 p->p_datprot = args->dat_prot;
2000 2089
2001 2090 /*
2002 2091 * Reset resource controls such that all controls are again active as
2003 2092 * well as appropriate to the potentially new address model for the
2004 2093 * process.
2005 2094 */
2006 2095 e.rcep_p.proc = p;
2007 2096 e.rcep_t = RCENTITY_PROCESS;
2008 2097 rctl_set_reset(p->p_rctls, p, &e);
2009 2098
2010 2099 /* Too early to call map_pgsz for the heap */
2011 2100 if (use_stk_lpg) {
2012 2101 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2013 2102 }
2014 2103
2015 2104 mutex_enter(&p->p_lock);
2016 2105 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */
2017 2106 mutex_exit(&p->p_lock);
2018 2107
2019 2108 /*
2020 2109 * Some platforms may choose to randomize real stack start by adding a
2021 2110 * small slew (not more than a few hundred bytes) to the top of the
2022 2111 * stack. This helps avoid cache thrashing when identical processes
2023 2112 * simultaneously share caches that don't provide enough associativity
2024 2113 * (e.g. sun4v systems). In this case stack slewing makes the same hot
2025 2114 * stack variables in different processes to live in different cache
2026 2115 * sets increasing effective associativity.
2027 2116 */
2028 2117 sp_slew = exec_get_spslew();
2029 2118 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2030 2119 exec_set_sp(size + sp_slew);
2031 2120
2032 2121 as = as_alloc();
2033 2122 p->p_as = as;
2034 2123 as->a_proc = p;
2035 2124 if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2036 2125 as->a_userlimit = (caddr_t)USERLIMIT32;
2037 2126 (void) hat_setup(as->a_hat, HAT_ALLOC);
2038 2127 hat_join_srd(as->a_hat, args->ex_vp);
2039 2128
2040 2129 /*
2041 2130 * Finally, write out the contents of the new stack.
2042 2131 */
2043 2132 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2044 2133 kmem_free(args->stk_base, args->stk_size);
2045 2134 return (error);
2046 2135 }
|
↓ open down ↓ |
166 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX