1 /* 2 * Copyright (c) 1993, David Greenman 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by David Greenman 16 * 4. The name of the developer may not be used to endorse or promote products 17 * derived from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * $Id: kern_exec.c,v 1.25 1995/11/06 12:52:32 davidg Exp $ 32 */ 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/sysproto.h> 37 #include <sys/signalvar.h> 38 #include <sys/kernel.h> 39 #include <sys/mount.h> 40 #include <sys/filedesc.h> 41 #include <sys/fcntl.h> 42 #include <sys/acct.h> 43 #include <sys/exec.h> 44 #include <sys/imgact.h> 45 #include <sys/wait.h> 46 #include <sys/malloc.h> 47 #include <sys/sysent.h> 48 #include <sys/syslog.h> 49 #include <sys/shm.h> 50 51 #include <vm/vm.h> 52 #include <vm/vm_kern.h> 53 54 #include <machine/reg.h> 55 56 int *exec_copyout_strings __P((struct image_params *)); 57 58 static int exec_check_permissions(struct image_params *); 59 60 /* 61 * execsw_set is constructed for us by the linker. Each of the items 62 * is a pointer to a `const struct execsw', hence the double pointer here. 63 */ 64 const struct execsw **execsw = (const struct execsw **)&execsw_set.ls_items[0]; 65 66 #ifndef _SYS_SYSPROTO_H_ 67 struct execve_args { 68 char *fname; 69 char **argv; 70 char **envv; 71 }; 72 #endif 73 74 /* 75 * execve() system call. 76 */ 77 int 78 execve(p, uap, retval) 79 struct proc *p; 80 register struct execve_args *uap; 81 int *retval; 82 { 83 struct nameidata nd, *ndp; 84 int *stack_base; 85 int error, len, i; 86 struct image_params image_params, *imgp; 87 struct vattr attr; 88 89 imgp = &image_params; 90 91 /* 92 * Initialize part of the common data 93 */ 94 imgp->proc = p; 95 imgp->uap = uap; 96 imgp->attr = &attr; 97 imgp->image_header = NULL; 98 imgp->argc = imgp->envc = 0; 99 imgp->entry_addr = 0; 100 imgp->vmspace_destroyed = 0; 101 imgp->interpreted = 0; 102 imgp->interpreter_name[0] = '\0'; 103 104 /* 105 * Allocate temporary demand zeroed space for argument and 106 * environment strings 107 */ 108 imgp->stringbase = (char *)vm_map_min(exec_map); 109 error = vm_map_find(exec_map, NULL, 0, (vm_offset_t *)&imgp->stringbase, 110 ARG_MAX, TRUE); 111 if (error) { 112 log(LOG_WARNING, "execve: failed to allocate string space\n"); 113 return (error); 114 } 115 116 if (!imgp->stringbase) { 117 error = ENOMEM; 118 goto exec_fail; 119 } 120 imgp->stringp = imgp->stringbase; 121 imgp->stringspace = ARG_MAX; 122 123 /* 124 * Translate the file name. namei() returns a vnode pointer 125 * in ni_vp amoung other things. 126 */ 127 ndp = &nd; 128 NDINIT(ndp, LOOKUP, LOCKLEAF | FOLLOW | SAVENAME, 129 UIO_USERSPACE, uap->fname, p); 130 131 interpret: 132 133 error = namei(ndp); 134 if (error) { 135 vm_map_remove(exec_map, (vm_offset_t)imgp->stringbase, 136 (vm_offset_t)imgp->stringbase + ARG_MAX); 137 goto exec_fail; 138 } 139 140 imgp->vp = ndp->ni_vp; 141 if (imgp->vp == NULL) { 142 error = ENOEXEC; 143 goto exec_fail_dealloc; 144 } 145 146 /* 147 * Check file permissions (also 'opens' file) 148 */ 149 error = exec_check_permissions(imgp); 150 151 /* 152 * Lose the lock on the vnode. It's no longer needed, and must not 153 * exist for the pagefault paging to work below. 154 */ 155 VOP_UNLOCK(imgp->vp); 156 157 if (error) 158 goto exec_fail_dealloc; 159 160 /* 161 * Map the image header (first page) of the file into 162 * kernel address space 163 */ 164 error = vm_mmap(kernel_map, /* map */ 165 (vm_offset_t *)&imgp->image_header, /* address */ 166 PAGE_SIZE, /* size */ 167 VM_PROT_READ, /* protection */ 168 VM_PROT_READ, /* max protection */ 169 0, /* flags */ 170 (caddr_t)imgp->vp, /* vnode */ 171 0); /* offset */ 172 if (error) { 173 uprintf("mmap failed: %d\n",error); 174 goto exec_fail_dealloc; 175 } 176 177 /* 178 * Loop through list of image activators, calling each one. 179 * If there is no match, the activator returns -1. If there 180 * is a match, but there was an error during the activation, 181 * the error is returned. Otherwise 0 means success. If the 182 * image is interpreted, loop back up and try activating 183 * the interpreter. 184 */ 185 for (i = 0; execsw[i]; ++i) { 186 if (execsw[i]->ex_imgact) 187 error = (*execsw[i]->ex_imgact)(imgp); 188 else 189 continue; 190 191 if (error == -1) 192 continue; 193 if (error) 194 goto exec_fail_dealloc; 195 if (imgp->interpreted) { 196 /* free old vnode and name buffer */ 197 vrele(ndp->ni_vp); 198 FREE(ndp->ni_cnd.cn_pnbuf, M_NAMEI); 199 if (vm_map_remove(kernel_map, (vm_offset_t)imgp->image_header, 200 (vm_offset_t)imgp->image_header + PAGE_SIZE)) 201 panic("execve: header dealloc failed (1)"); 202 203 /* set new name to that of the interpreter */ 204 NDINIT(ndp, LOOKUP, LOCKLEAF | FOLLOW | SAVENAME, 205 UIO_SYSSPACE, imgp->interpreter_name, p); 206 goto interpret; 207 } 208 break; 209 } 210 /* If we made it through all the activators and none matched, exit. */ 211 if (error == -1) { 212 error = ENOEXEC; 213 goto exec_fail_dealloc; 214 } 215 216 /* 217 * Copy out strings (args and env) and initialize stack base 218 */ 219 stack_base = exec_copyout_strings(imgp); 220 p->p_vmspace->vm_minsaddr = (char *)stack_base; 221 222 /* 223 * If custom stack fixup routine present for this process 224 * let it do the stack setup. 225 * Else stuff argument count as first item on stack 226 */ 227 if (p->p_sysent->sv_fixup) 228 (*p->p_sysent->sv_fixup)(&stack_base, imgp); 229 else 230 suword(--stack_base, imgp->argc); 231 232 /* close files on exec */ 233 fdcloseexec(p); 234 235 /* reset caught signals */ 236 execsigs(p); 237 238 /* name this process - nameiexec(p, ndp) */ 239 len = min(ndp->ni_cnd.cn_namelen,MAXCOMLEN); 240 bcopy(ndp->ni_cnd.cn_nameptr, p->p_comm, len); 241 p->p_comm[len] = 0; 242 243 /* 244 * mark as executable, wakeup any process that was vforked and tell 245 * it that it now has it's own resources back 246 */ 247 p->p_flag |= P_EXEC; 248 if (p->p_pptr && (p->p_flag & P_PPWAIT)) { 249 p->p_flag &= ~P_PPWAIT; 250 wakeup((caddr_t)p->p_pptr); 251 } 252 253 /* 254 * Implement image setuid/setgid. Disallow if the process is 255 * being traced. 256 */ 257 if ((attr.va_mode & (VSUID | VSGID)) && 258 (p->p_flag & P_TRACED) == 0) { 259 /* 260 * Turn off syscall tracing for set-id programs, except for 261 * root. 262 */ 263 if (p->p_tracep && suser(p->p_ucred, &p->p_acflag)) { 264 p->p_traceflag = 0; 265 vrele(p->p_tracep); 266 p->p_tracep = NULL; 267 } 268 /* 269 * Set the new credentials. 270 */ 271 p->p_ucred = crcopy(p->p_ucred); 272 if (attr.va_mode & VSUID) 273 p->p_ucred->cr_uid = attr.va_uid; 274 if (attr.va_mode & VSGID) 275 p->p_ucred->cr_groups[0] = attr.va_gid; 276 p->p_flag |= P_SUGID; 277 } else { 278 p->p_flag &= ~P_SUGID; 279 } 280 281 /* 282 * Implement correct POSIX saved-id behavior. 283 */ 284 p->p_cred->p_svuid = p->p_ucred->cr_uid; 285 p->p_cred->p_svgid = p->p_ucred->cr_gid; 286 287 /* 288 * Store the vp for use in procfs 289 */ 290 if (p->p_textvp) /* release old reference */ 291 vrele(p->p_textvp); 292 VREF(ndp->ni_vp); 293 p->p_textvp = ndp->ni_vp; 294 295 /* 296 * If tracing the process, trap to debugger so breakpoints 297 * can be set before the program executes. 298 */ 299 if (p->p_flag & P_TRACED) 300 psignal(p, SIGTRAP); 301 302 /* clear "fork but no exec" flag, as we _are_ execing */ 303 p->p_acflag &= ~AFORK; 304 305 /* Set entry address */ 306 setregs(p, imgp->entry_addr, (u_long)stack_base); 307 308 /* 309 * free various allocated resources 310 */ 311 if (vm_map_remove(exec_map, (vm_offset_t)imgp->stringbase, 312 (vm_offset_t)imgp->stringbase + ARG_MAX)) 313 panic("execve: string buffer dealloc failed (1)"); 314 if (vm_map_remove(kernel_map, (vm_offset_t)imgp->image_header, 315 (vm_offset_t)imgp->image_header + PAGE_SIZE)) 316 panic("execve: header dealloc failed (2)"); 317 vrele(ndp->ni_vp); 318 FREE(ndp->ni_cnd.cn_pnbuf, M_NAMEI); 319 320 return (0); 321 322 exec_fail_dealloc: 323 if (imgp->stringbase && imgp->stringbase != (char *)-1) 324 if (vm_map_remove(exec_map, (vm_offset_t)imgp->stringbase, 325 (vm_offset_t)imgp->stringbase + ARG_MAX)) 326 panic("execve: string buffer dealloc failed (2)"); 327 if (imgp->image_header && imgp->image_header != (char *)-1) 328 if (vm_map_remove(kernel_map, (vm_offset_t)imgp->image_header, 329 (vm_offset_t)imgp->image_header + PAGE_SIZE)) 330 panic("execve: header dealloc failed (3)"); 331 if (ndp->ni_vp) 332 vrele(ndp->ni_vp); 333 FREE(ndp->ni_cnd.cn_pnbuf, M_NAMEI); 334 335 exec_fail: 336 if (imgp->vmspace_destroyed) { 337 /* sorry, no more process anymore. exit gracefully */ 338 exit1(p, W_EXITCODE(0, SIGABRT)); 339 /* NOT REACHED */ 340 return(0); 341 } else { 342 return(error); 343 } 344 } 345 346 /* 347 * Destroy old address space, and allocate a new stack 348 * The new stack is only SGROWSIZ large because it is grown 349 * automatically in trap.c. 350 */ 351 int 352 exec_new_vmspace(imgp) 353 struct image_params *imgp; 354 { 355 int error; 356 struct vmspace *vmspace = imgp->proc->p_vmspace; 357 caddr_t stack_addr = (caddr_t) (USRSTACK - SGROWSIZ); 358 359 imgp->vmspace_destroyed = 1; 360 361 /* Blow away entire process VM */ 362 #ifdef SYSVSHM 363 if (vmspace->vm_shm) 364 shmexit(imgp->proc); 365 #endif 366 vm_map_remove(&vmspace->vm_map, 0, USRSTACK); 367 368 /* Allocate a new stack */ 369 error = vm_map_find(&vmspace->vm_map, NULL, 0, (vm_offset_t *)&stack_addr, 370 SGROWSIZ, FALSE); 371 if (error) 372 return(error); 373 374 vmspace->vm_ssize = SGROWSIZ >> PAGE_SHIFT; 375 376 /* Initialize maximum stack address */ 377 vmspace->vm_maxsaddr = (char *)USRSTACK - MAXSSIZ; 378 379 return(0); 380 } 381 382 /* 383 * Copy out argument and environment strings from the old process 384 * address space into the temporary string buffer. 385 */ 386 int 387 exec_extract_strings(imgp) 388 struct image_params *imgp; 389 { 390 char **argv, **envv; 391 char *argp, *envp; 392 int error, length; 393 394 /* 395 * extract arguments first 396 */ 397 398 argv = imgp->uap->argv; 399 400 if (argv) { 401 while ((argp = (caddr_t) fuword(argv++))) { 402 if (argp == (caddr_t) -1) 403 return (EFAULT); 404 if ((error = copyinstr(argp, imgp->stringp, 405 imgp->stringspace, &length))) { 406 if (error == ENAMETOOLONG) 407 return(E2BIG); 408 return (error); 409 } 410 imgp->stringspace -= length; 411 imgp->stringp += length; 412 imgp->argc++; 413 } 414 } 415 416 /* 417 * extract environment strings 418 */ 419 420 envv = imgp->uap->envv; 421 422 if (envv) { 423 while ((envp = (caddr_t) fuword(envv++))) { 424 if (envp == (caddr_t) -1) 425 return (EFAULT); 426 if ((error = copyinstr(envp, imgp->stringp, 427 imgp->stringspace, &length))) { 428 if (error == ENAMETOOLONG) 429 return(E2BIG); 430 return (error); 431 } 432 imgp->stringspace -= length; 433 imgp->stringp += length; 434 imgp->envc++; 435 } 436 } 437 438 return (0); 439 } 440 441 /* 442 * Copy strings out to the new process address space, constructing 443 * new arg and env vector tables. Return a pointer to the base 444 * so that it can be used as the initial stack pointer. 445 */ 446 int * 447 exec_copyout_strings(imgp) 448 struct image_params *imgp; 449 { 450 int argc, envc; 451 char **vectp; 452 char *stringp, *destp; 453 int *stack_base; 454 struct ps_strings *arginfo; 455 456 /* 457 * Calculate string base and vector table pointers. 458 */ 459 arginfo = PS_STRINGS; 460 destp = (caddr_t)arginfo - roundup((ARG_MAX - imgp->stringspace), sizeof(char *)); 461 /* 462 * The '+ 2' is for the null pointers at the end of each of the 463 * arg and env vector sets 464 */ 465 vectp = (char **) (destp - 466 (imgp->argc + imgp->envc + 2) * sizeof(char *)); 467 468 /* 469 * vectp also becomes our initial stack base 470 */ 471 stack_base = (int *)vectp; 472 473 stringp = imgp->stringbase; 474 argc = imgp->argc; 475 envc = imgp->envc; 476 477 /* 478 * Copy out strings - arguments and environment. 479 */ 480 copyout(stringp, destp, ARG_MAX - imgp->stringspace); 481 482 /* 483 * Fill in "ps_strings" struct for ps, w, etc. 484 */ 485 suword(&arginfo->ps_argvstr, (int)destp); 486 suword(&arginfo->ps_nargvstr, argc); 487 488 /* 489 * Fill in argument portion of vector table. 490 */ 491 for (; argc > 0; --argc) { 492 suword(vectp++, (int)destp); 493 while (*stringp++ != 0) 494 destp++; 495 destp++; 496 } 497 498 /* a null vector table pointer seperates the argp's from the envp's */ 499 suword(vectp++, NULL); 500 501 suword(&arginfo->ps_envstr, (int)destp); 502 suword(&arginfo->ps_nenvstr, envc); 503 504 /* 505 * Fill in environment portion of vector table. 506 */ 507 for (; envc > 0; --envc) { 508 suword(vectp++, (int)destp); 509 while (*stringp++ != 0) 510 destp++; 511 destp++; 512 } 513 514 /* end of vector table is a null pointer */ 515 suword(vectp, NULL); 516 517 return (stack_base); 518 } 519 520 /* 521 * Check permissions of file to execute. 522 * Return 0 for success or error code on failure. 523 */ 524 static int 525 exec_check_permissions(imgp) 526 struct image_params *imgp; 527 { 528 struct proc *p = imgp->proc; 529 struct vnode *vp = imgp->vp; 530 struct vattr *attr = imgp->attr; 531 int error; 532 533 /* 534 * Check number of open-for-writes on the file and deny execution 535 * if there are any. 536 */ 537 if (vp->v_writecount) { 538 return (ETXTBSY); 539 } 540 541 /* Get file attributes */ 542 error = VOP_GETATTR(vp, attr, p->p_ucred, p); 543 if (error) 544 return (error); 545 546 /* 547 * 1) Check if file execution is disabled for the filesystem that this 548 * file resides on. 549 * 2) Insure that at least one execute bit is on - otherwise root 550 * will always succeed, and we don't want to happen unless the 551 * file really is executable. 552 * 3) Insure that the file is a regular file. 553 */ 554 if ((vp->v_mount->mnt_flag & MNT_NOEXEC) || 555 ((attr->va_mode & 0111) == 0) || 556 (attr->va_type != VREG)) { 557 return (EACCES); 558 } 559 560 /* 561 * Zero length files can't be exec'd 562 */ 563 if (attr->va_size == 0) 564 return (ENOEXEC); 565 566 /* 567 * Disable setuid/setgid if the filesystem prohibits it or if 568 * the process is being traced. 569 */ 570 if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED)) 571 attr->va_mode &= ~(VSUID | VSGID); 572 573 /* 574 * Check for execute permission to file based on current credentials. 575 * Then call filesystem specific open routine (which does nothing 576 * in the general case). 577 */ 578 error = VOP_ACCESS(vp, VEXEC, p->p_ucred, p); 579 if (error) 580 return (error); 581 582 error = VOP_OPEN(vp, FREAD, p->p_ucred, p); 583 if (error) 584 return (error); 585 586 return (0); 587 } 588