xref: /illumos-gate/usr/src/uts/common/os/exec.c (revision 386e9c9ebfe4116f62e7a0950acd30564fc60125)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*	Copyright (c) 1988 AT&T	*/
27 /*	  All Rights Reserved  	*/
28 /*
29  * Copyright 2014, Joyent, Inc.  All rights reserved.
30  */
31 
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72 
73 #include <c2/audit.h>
74 
75 #include <vm/hat.h>
76 #include <vm/anon.h>
77 #include <vm/as.h>
78 #include <vm/seg.h>
79 #include <vm/seg_vn.h>
80 
81 #define	PRIV_RESET		0x01	/* needs to reset privs */
82 #define	PRIV_SETID		0x02	/* needs to change uids */
83 #define	PRIV_SETUGID		0x04	/* is setuid/setgid/forced privs */
84 #define	PRIV_INCREASE		0x08	/* child runs with more privs */
85 #define	MAC_FLAGS		0x10	/* need to adjust MAC flags */
86 #define	PRIV_FORCED		0x20	/* has forced privileges */
87 
88 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
89     priv_set_t *, cred_t *, const char *);
90 static int hold_execsw(struct execsw *);
91 
92 uint_t auxv_hwcap = 0;	/* auxv AT_SUN_HWCAP value; determined on the fly */
93 uint_t auxv_hwcap_2 = 0;	/* AT_SUN_HWCAP2 */
94 #if defined(_SYSCALL32_IMPL)
95 uint_t auxv_hwcap32 = 0;	/* 32-bit version of auxv_hwcap */
96 uint_t auxv_hwcap32_2 = 0;	/* 32-bit version of auxv_hwcap2 */
97 #endif
98 
99 #define	PSUIDFLAGS		(SNOCD|SUGID)
100 
101 /*
102  * exece() - system call wrapper around exec_common()
103  */
104 int
105 exece(const char *fname, const char **argp, const char **envp)
106 {
107 	int error;
108 
109 	error = exec_common(fname, argp, envp, EBA_NONE);
110 	return (error ? (set_errno(error)) : 0);
111 }
112 
113 int
114 exec_common(const char *fname, const char **argp, const char **envp,
115     int brand_action)
116 {
117 	vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
118 	proc_t *p = ttoproc(curthread);
119 	klwp_t *lwp = ttolwp(curthread);
120 	struct user *up = PTOU(p);
121 	long execsz;		/* temporary count of exec size */
122 	int i;
123 	int error;
124 	char exec_file[MAXCOMLEN+1];
125 	struct pathname pn;
126 	struct pathname resolvepn;
127 	struct uarg args;
128 	struct execa ua;
129 	k_sigset_t savedmask;
130 	lwpdir_t *lwpdir = NULL;
131 	tidhash_t *tidhash;
132 	lwpdir_t *old_lwpdir = NULL;
133 	uint_t old_lwpdir_sz;
134 	tidhash_t *old_tidhash;
135 	uint_t old_tidhash_sz;
136 	ret_tidhash_t *ret_tidhash;
137 	lwpent_t *lep;
138 	boolean_t brandme = B_FALSE;
139 
140 	/*
141 	 * exec() is not supported for the /proc agent lwp.
142 	 */
143 	if (curthread == p->p_agenttp)
144 		return (ENOTSUP);
145 
146 	if (brand_action != EBA_NONE) {
147 		/*
148 		 * Brand actions are not supported for processes that are not
149 		 * running in a branded zone.
150 		 */
151 		if (!ZONE_IS_BRANDED(p->p_zone))
152 			return (ENOTSUP);
153 
154 		if (brand_action == EBA_NATIVE) {
155 			/* Only branded processes can be unbranded */
156 			if (!PROC_IS_BRANDED(p))
157 				return (ENOTSUP);
158 		} else {
159 			/* Only unbranded processes can be branded */
160 			if (PROC_IS_BRANDED(p))
161 				return (ENOTSUP);
162 			brandme = B_TRUE;
163 		}
164 	} else {
165 		/*
166 		 * If this is a native zone, or if the process is already
167 		 * branded, then we don't need to do anything.  If this is
168 		 * a native process in a branded zone, we need to brand the
169 		 * process as it exec()s the new binary.
170 		 */
171 		if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
172 			brandme = B_TRUE;
173 	}
174 
175 	/*
176 	 * Inform /proc that an exec() has started.
177 	 * Hold signals that are ignored by default so that we will
178 	 * not be interrupted by a signal that will be ignored after
179 	 * successful completion of gexec().
180 	 */
181 	mutex_enter(&p->p_lock);
182 	prexecstart();
183 	schedctl_finish_sigblock(curthread);
184 	savedmask = curthread->t_hold;
185 	sigorset(&curthread->t_hold, &ignoredefault);
186 	mutex_exit(&p->p_lock);
187 
188 	/*
189 	 * Look up path name and remember last component for later.
190 	 * To help coreadm expand its %d token, we attempt to save
191 	 * the directory containing the executable in p_execdir. The
192 	 * first call to lookuppn() may fail and return EINVAL because
193 	 * dirvpp is non-NULL. In that case, we make a second call to
194 	 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
195 	 * but coreadm is allowed to expand %d to the empty string and
196 	 * there are other cases in which that failure may occur.
197 	 */
198 	if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
199 		goto out;
200 	pn_alloc(&resolvepn);
201 	if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
202 		pn_free(&resolvepn);
203 		pn_free(&pn);
204 		if (error != EINVAL)
205 			goto out;
206 
207 		dir = NULL;
208 		if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
209 			goto out;
210 		pn_alloc(&resolvepn);
211 		if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
212 		    &vp)) != 0) {
213 			pn_free(&resolvepn);
214 			pn_free(&pn);
215 			goto out;
216 		}
217 	}
218 	if (vp == NULL) {
219 		if (dir != NULL)
220 			VN_RELE(dir);
221 		error = ENOENT;
222 		pn_free(&resolvepn);
223 		pn_free(&pn);
224 		goto out;
225 	}
226 
227 	if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
228 		if (dir != NULL)
229 			VN_RELE(dir);
230 		pn_free(&resolvepn);
231 		pn_free(&pn);
232 		VN_RELE(vp);
233 		goto out;
234 	}
235 
236 	/*
237 	 * We do not allow executing files in attribute directories.
238 	 * We test this by determining whether the resolved path
239 	 * contains a "/" when we're in an attribute directory;
240 	 * only if the pathname does not contain a "/" the resolved path
241 	 * points to a file in the current working (attribute) directory.
242 	 */
243 	if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
244 	    strchr(resolvepn.pn_path, '/') == NULL) {
245 		if (dir != NULL)
246 			VN_RELE(dir);
247 		error = EACCES;
248 		pn_free(&resolvepn);
249 		pn_free(&pn);
250 		VN_RELE(vp);
251 		goto out;
252 	}
253 
254 	bzero(exec_file, MAXCOMLEN+1);
255 	(void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
256 	bzero(&args, sizeof (args));
257 	args.pathname = resolvepn.pn_path;
258 	/* don't free resolvepn until we are done with args */
259 	pn_free(&pn);
260 
261 	/*
262 	 * If we're running in a profile shell, then call pfexecd.
263 	 */
264 	if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
265 		error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
266 		    &args.scrubenv);
267 
268 		/* Returning errno in case we're not allowed to execute. */
269 		if (error > 0) {
270 			if (dir != NULL)
271 				VN_RELE(dir);
272 			pn_free(&resolvepn);
273 			VN_RELE(vp);
274 			goto out;
275 		}
276 
277 		/* Don't change the credentials when using old ptrace. */
278 		if (args.pfcred != NULL &&
279 		    (p->p_proc_flag & P_PR_PTRACE) != 0) {
280 			crfree(args.pfcred);
281 			args.pfcred = NULL;
282 			args.scrubenv = B_FALSE;
283 		}
284 	}
285 
286 	/*
287 	 * Specific exec handlers, or policies determined via
288 	 * /etc/system may override the historical default.
289 	 */
290 	args.stk_prot = PROT_ZFOD;
291 	args.dat_prot = PROT_ZFOD;
292 
293 	CPU_STATS_ADD_K(sys, sysexec, 1);
294 	DTRACE_PROC1(exec, char *, args.pathname);
295 
296 	ua.fname = fname;
297 	ua.argp = argp;
298 	ua.envp = envp;
299 
300 	/* If necessary, brand this process before we start the exec. */
301 	if (brandme)
302 		brand_setbrand(p);
303 
304 	if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
305 	    exec_file, p->p_cred, brand_action)) != 0) {
306 		if (brandme)
307 			brand_clearbrand(p, B_FALSE);
308 		VN_RELE(vp);
309 		if (dir != NULL)
310 			VN_RELE(dir);
311 		pn_free(&resolvepn);
312 		goto fail;
313 	}
314 
315 	/*
316 	 * Free floating point registers (sun4u only)
317 	 */
318 	ASSERT(lwp != NULL);
319 	lwp_freeregs(lwp, 1);
320 
321 	/*
322 	 * Free thread and process context ops.
323 	 */
324 	if (curthread->t_ctx)
325 		freectx(curthread, 1);
326 	if (p->p_pctx)
327 		freepctx(p, 1);
328 
329 	/*
330 	 * Remember file name for accounting; clear any cached DTrace predicate.
331 	 */
332 	up->u_acflag &= ~AFORK;
333 	bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
334 	curthread->t_predcache = NULL;
335 
336 	/*
337 	 * Clear contract template state
338 	 */
339 	lwp_ctmpl_clear(lwp);
340 
341 	/*
342 	 * Save the directory in which we found the executable for expanding
343 	 * the %d token used in core file patterns.
344 	 */
345 	mutex_enter(&p->p_lock);
346 	tmpvp = p->p_execdir;
347 	p->p_execdir = dir;
348 	if (p->p_execdir != NULL)
349 		VN_HOLD(p->p_execdir);
350 	mutex_exit(&p->p_lock);
351 
352 	if (tmpvp != NULL)
353 		VN_RELE(tmpvp);
354 
355 	/*
356 	 * Reset stack state to the user stack, clear set of signals
357 	 * caught on the signal stack, and reset list of signals that
358 	 * restart system calls; the new program's environment should
359 	 * not be affected by detritus from the old program.  Any
360 	 * pending held signals remain held, so don't clear t_hold.
361 	 */
362 	mutex_enter(&p->p_lock);
363 	lwp->lwp_oldcontext = 0;
364 	lwp->lwp_ustack = 0;
365 	lwp->lwp_old_stk_ctl = 0;
366 	sigemptyset(&up->u_signodefer);
367 	sigemptyset(&up->u_sigonstack);
368 	sigemptyset(&up->u_sigresethand);
369 	lwp->lwp_sigaltstack.ss_sp = 0;
370 	lwp->lwp_sigaltstack.ss_size = 0;
371 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
372 
373 	/*
374 	 * Make saved resource limit == current resource limit.
375 	 */
376 	for (i = 0; i < RLIM_NLIMITS; i++) {
377 		/*CONSTCOND*/
378 		if (RLIM_SAVED(i)) {
379 			(void) rctl_rlimit_get(rctlproc_legacy[i], p,
380 			    &up->u_saved_rlimit[i]);
381 		}
382 	}
383 
384 	/*
385 	 * If the action was to catch the signal, then the action
386 	 * must be reset to SIG_DFL.
387 	 */
388 	sigdefault(p);
389 	p->p_flag &= ~(SNOWAIT|SJCTL);
390 	p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
391 	up->u_signal[SIGCLD - 1] = SIG_DFL;
392 
393 	/*
394 	 * Delete the dot4 sigqueues/signotifies.
395 	 */
396 	sigqfree(p);
397 
398 	mutex_exit(&p->p_lock);
399 
400 	mutex_enter(&p->p_pflock);
401 	p->p_prof.pr_base = NULL;
402 	p->p_prof.pr_size = 0;
403 	p->p_prof.pr_off = 0;
404 	p->p_prof.pr_scale = 0;
405 	p->p_prof.pr_samples = 0;
406 	mutex_exit(&p->p_pflock);
407 
408 	ASSERT(curthread->t_schedctl == NULL);
409 
410 #if defined(__sparc)
411 	if (p->p_utraps != NULL)
412 		utrap_free(p);
413 #endif	/* __sparc */
414 
415 	/*
416 	 * Close all close-on-exec files.
417 	 */
418 	close_exec(P_FINFO(p));
419 	TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
420 
421 	/* Unbrand ourself if necessary. */
422 	if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
423 		brand_clearbrand(p, B_FALSE);
424 
425 	setregs(&args);
426 
427 	/* Mark this as an executable vnode */
428 	mutex_enter(&vp->v_lock);
429 	vp->v_flag |= VVMEXEC;
430 	mutex_exit(&vp->v_lock);
431 
432 	VN_RELE(vp);
433 	if (dir != NULL)
434 		VN_RELE(dir);
435 	pn_free(&resolvepn);
436 
437 	/*
438 	 * Allocate a new lwp directory and lwpid hash table if necessary.
439 	 */
440 	if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
441 		lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
442 		lwpdir->ld_next = lwpdir + 1;
443 		tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
444 		if (p->p_lwpdir != NULL)
445 			lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
446 		else
447 			lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
448 	}
449 
450 	if (PROC_IS_BRANDED(p))
451 		BROP(p)->b_exec();
452 
453 	mutex_enter(&p->p_lock);
454 	prbarrier(p);
455 
456 	/*
457 	 * Reset lwp id to the default value of 1.
458 	 * This is a single-threaded process now
459 	 * and lwp #1 is lwp_wait()able by default.
460 	 * The t_unpark flag should not be inherited.
461 	 */
462 	ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
463 	curthread->t_tid = 1;
464 	kpreempt_disable();
465 	ASSERT(curthread->t_lpl != NULL);
466 	p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
467 	kpreempt_enable();
468 	if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
469 		lgrp_update_trthr_migrations(1);
470 	}
471 	curthread->t_unpark = 0;
472 	curthread->t_proc_flag |= TP_TWAIT;
473 	curthread->t_proc_flag &= ~TP_DAEMON;	/* daemons shouldn't exec */
474 	p->p_lwpdaemon = 0;			/* but oh well ... */
475 	p->p_lwpid = 1;
476 
477 	/*
478 	 * Install the newly-allocated lwp directory and lwpid hash table
479 	 * and insert the current thread into the new hash table.
480 	 */
481 	if (lwpdir != NULL) {
482 		old_lwpdir = p->p_lwpdir;
483 		old_lwpdir_sz = p->p_lwpdir_sz;
484 		old_tidhash = p->p_tidhash;
485 		old_tidhash_sz = p->p_tidhash_sz;
486 		p->p_lwpdir = p->p_lwpfree = lwpdir;
487 		p->p_lwpdir_sz = 2;
488 		lep->le_thread = curthread;
489 		lep->le_lwpid = curthread->t_tid;
490 		lep->le_start = curthread->t_start;
491 		lwp_hash_in(p, lep, tidhash, 2, 0);
492 		p->p_tidhash = tidhash;
493 		p->p_tidhash_sz = 2;
494 	}
495 	ret_tidhash = p->p_ret_tidhash;
496 	p->p_ret_tidhash = NULL;
497 
498 	/*
499 	 * Restore the saved signal mask and
500 	 * inform /proc that the exec() has finished.
501 	 */
502 	curthread->t_hold = savedmask;
503 	prexecend();
504 	mutex_exit(&p->p_lock);
505 	if (old_lwpdir) {
506 		kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
507 		kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
508 	}
509 	while (ret_tidhash != NULL) {
510 		ret_tidhash_t *next = ret_tidhash->rth_next;
511 		kmem_free(ret_tidhash->rth_tidhash,
512 		    ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
513 		kmem_free(ret_tidhash, sizeof (*ret_tidhash));
514 		ret_tidhash = next;
515 	}
516 
517 	ASSERT(error == 0);
518 	DTRACE_PROC(exec__success);
519 	return (0);
520 
521 fail:
522 	DTRACE_PROC1(exec__failure, int, error);
523 out:		/* error return */
524 	mutex_enter(&p->p_lock);
525 	curthread->t_hold = savedmask;
526 	prexecend();
527 	mutex_exit(&p->p_lock);
528 	ASSERT(error != 0);
529 	return (error);
530 }
531 
532 
533 /*
534  * Perform generic exec duties and switchout to object-file specific
535  * handler.
536  */
537 int
538 gexec(
539 	struct vnode **vpp,
540 	struct execa *uap,
541 	struct uarg *args,
542 	struct intpdata *idatap,
543 	int level,
544 	long *execsz,
545 	caddr_t exec_file,
546 	struct cred *cred,
547 	int brand_action)
548 {
549 	struct vnode *vp, *execvp = NULL;
550 	proc_t *pp = ttoproc(curthread);
551 	struct execsw *eswp;
552 	int error = 0;
553 	int suidflags = 0;
554 	ssize_t resid;
555 	uid_t uid, gid;
556 	struct vattr vattr;
557 	char magbuf[MAGIC_BYTES];
558 	int setid;
559 	cred_t *oldcred, *newcred = NULL;
560 	int privflags = 0;
561 	int setidfl;
562 	priv_set_t fset;
563 
564 	/*
565 	 * If the SNOCD or SUGID flag is set, turn it off and remember the
566 	 * previous setting so we can restore it if we encounter an error.
567 	 */
568 	if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
569 		mutex_enter(&pp->p_lock);
570 		suidflags = pp->p_flag & PSUIDFLAGS;
571 		pp->p_flag &= ~PSUIDFLAGS;
572 		mutex_exit(&pp->p_lock);
573 	}
574 
575 	if ((error = execpermissions(*vpp, &vattr, args)) != 0)
576 		goto bad_noclose;
577 
578 	/* need to open vnode for stateful file systems */
579 	if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
580 		goto bad_noclose;
581 	vp = *vpp;
582 
583 	/*
584 	 * Note: to support binary compatibility with SunOS a.out
585 	 * executables, we read in the first four bytes, as the
586 	 * magic number is in bytes 2-3.
587 	 */
588 	if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
589 	    (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
590 		goto bad;
591 	if (resid != 0)
592 		goto bad;
593 
594 	if ((eswp = findexec_by_hdr(magbuf)) == NULL)
595 		goto bad;
596 
597 	if (level == 0 &&
598 	    (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
599 	    args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
600 
601 		/* Pfcred is a credential with a ref count of 1 */
602 
603 		if (args->pfcred != NULL) {
604 			privflags |= PRIV_INCREASE|PRIV_RESET;
605 			newcred = cred = args->pfcred;
606 		} else {
607 			newcred = cred = crdup(cred);
608 		}
609 
610 		/* If we can, drop the PA bit */
611 		if ((privflags & PRIV_RESET) != 0)
612 			priv_adjust_PA(cred);
613 
614 		if (privflags & PRIV_SETID) {
615 			cred->cr_uid = uid;
616 			cred->cr_gid = gid;
617 			cred->cr_suid = uid;
618 			cred->cr_sgid = gid;
619 		}
620 
621 		if (privflags & MAC_FLAGS) {
622 			if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
623 				CR_FLAGS(cred) &= ~NET_MAC_AWARE;
624 			CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
625 		}
626 
627 		/*
628 		 * Implement the privilege updates:
629 		 *
630 		 * Restrict with L:
631 		 *
632 		 *	I' = I & L
633 		 *
634 		 *	E' = P' = (I' + F) & A
635 		 *
636 		 * But if running under ptrace, we cap I and F with P.
637 		 */
638 		if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
639 			if ((privflags & PRIV_INCREASE) != 0 &&
640 			    (pp->p_proc_flag & P_PR_PTRACE) != 0) {
641 				priv_intersect(&CR_OPPRIV(cred),
642 				    &CR_IPRIV(cred));
643 				priv_intersect(&CR_OPPRIV(cred), &fset);
644 			}
645 			priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
646 			CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
647 			if (privflags & PRIV_FORCED) {
648 				priv_set_PA(cred);
649 				priv_union(&fset, &CR_EPRIV(cred));
650 				priv_union(&fset, &CR_PPRIV(cred));
651 			}
652 			priv_adjust_PA(cred);
653 		}
654 	} else if (level == 0 && args->pfcred != NULL) {
655 		newcred = cred = args->pfcred;
656 		privflags |= PRIV_INCREASE;
657 		/* pfcred is not forced to adhere to these settings */
658 		priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
659 		CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
660 		priv_adjust_PA(cred);
661 	}
662 
663 	/* SunOS 4.x buy-back */
664 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
665 	    (vattr.va_mode & (VSUID|VSGID))) {
666 		char path[MAXNAMELEN];
667 		refstr_t *mntpt = NULL;
668 		int ret = -1;
669 
670 		bzero(path, sizeof (path));
671 		zone_hold(pp->p_zone);
672 
673 		ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
674 		    sizeof (path), cred);
675 
676 		/* fallback to mountpoint if a path can't be found */
677 		if ((ret != 0) || (ret == 0 && path[0] == '\0'))
678 			mntpt = vfs_getmntpoint(vp->v_vfsp);
679 
680 		if (mntpt == NULL)
681 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
682 			    "!uid %d: setuid execution not allowed, "
683 			    "file=%s", cred->cr_uid, path);
684 		else
685 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
686 			    "!uid %d: setuid execution not allowed, "
687 			    "fs=%s, file=%s", cred->cr_uid,
688 			    ZONE_PATH_TRANSLATE(refstr_value(mntpt),
689 			    pp->p_zone), exec_file);
690 
691 		if (!INGLOBALZONE(pp)) {
692 			/* zone_rootpath always has trailing / */
693 			if (mntpt == NULL)
694 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
695 				    "setuid execution not allowed, file=%s%s",
696 				    pp->p_zone->zone_name, cred->cr_uid,
697 				    pp->p_zone->zone_rootpath, path + 1);
698 			else
699 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
700 				    "setuid execution not allowed, fs=%s, "
701 				    "file=%s", pp->p_zone->zone_name,
702 				    cred->cr_uid, refstr_value(mntpt),
703 				    exec_file);
704 		}
705 
706 		if (mntpt != NULL)
707 			refstr_rele(mntpt);
708 
709 		zone_rele(pp->p_zone);
710 	}
711 
712 	/*
713 	 * execsetid() told us whether or not we had to change the
714 	 * credentials of the process.  In privflags, it told us
715 	 * whether we gained any privileges or executed a set-uid executable.
716 	 */
717 	setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
718 
719 	/*
720 	 * Use /etc/system variable to determine if the stack
721 	 * should be marked as executable by default.
722 	 */
723 	if (noexec_user_stack)
724 		args->stk_prot &= ~PROT_EXEC;
725 
726 	args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
727 	args->ex_vp = vp;
728 
729 	/*
730 	 * Traditionally, the setid flags told the sub processes whether
731 	 * the file just executed was set-uid or set-gid; this caused
732 	 * some confusion as the 'setid' flag did not match the SUGID
733 	 * process flag which is only set when the uids/gids do not match.
734 	 * A script set-gid/set-uid to the real uid/gid would start with
735 	 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
736 	 * Now we flag those cases where the calling process cannot
737 	 * be trusted to influence the newly exec'ed process, either
738 	 * because it runs with more privileges or when the uids/gids
739 	 * do in fact not match.
740 	 * This also makes the runtime linker agree with the on exec
741 	 * values of SNOCD and SUGID.
742 	 */
743 	setidfl = 0;
744 	if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
745 	    !supgroupmember(cred->cr_gid, cred))) {
746 		setidfl |= EXECSETID_UGIDS;
747 	}
748 	if (setid & PRIV_SETUGID)
749 		setidfl |= EXECSETID_SETID;
750 	if (setid & PRIV_FORCED)
751 		setidfl |= EXECSETID_PRIVS;
752 
753 	execvp = pp->p_exec;
754 	if (execvp)
755 		VN_HOLD(execvp);
756 
757 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
758 	    setidfl, exec_file, cred, brand_action);
759 	rw_exit(eswp->exec_lock);
760 	if (error != 0) {
761 		if (execvp)
762 			VN_RELE(execvp);
763 		/*
764 		 * If this process's p_exec has been set to the vp of
765 		 * the executable by exec_func, we will return without
766 		 * calling VOP_CLOSE because proc_exit will close it
767 		 * on exit.
768 		 */
769 		if (pp->p_exec == vp)
770 			goto bad_noclose;
771 		else
772 			goto bad;
773 	}
774 
775 	if (level == 0) {
776 		uid_t oruid;
777 
778 		if (execvp != NULL) {
779 			/*
780 			 * Close the previous executable only if we are
781 			 * at level 0.
782 			 */
783 			(void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
784 			    cred, NULL);
785 		}
786 
787 		mutex_enter(&pp->p_crlock);
788 
789 		oruid = pp->p_cred->cr_ruid;
790 
791 		if (newcred != NULL) {
792 			/*
793 			 * Free the old credentials, and set the new ones.
794 			 * Do this for both the process and the (single) thread.
795 			 */
796 			crfree(pp->p_cred);
797 			pp->p_cred = cred;	/* cred already held for proc */
798 			crhold(cred);		/* hold new cred for thread */
799 			/*
800 			 * DTrace accesses t_cred in probe context.  t_cred
801 			 * must always be either NULL, or point to a valid,
802 			 * allocated cred structure.
803 			 */
804 			oldcred = curthread->t_cred;
805 			curthread->t_cred = cred;
806 			crfree(oldcred);
807 
808 			if (priv_basic_test >= 0 &&
809 			    !PRIV_ISASSERT(&CR_IPRIV(newcred),
810 			    priv_basic_test)) {
811 				pid_t pid = pp->p_pid;
812 				char *fn = PTOU(pp)->u_comm;
813 
814 				cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
815 				    "privilege removed from E/I", fn, pid);
816 			}
817 		}
818 		/*
819 		 * On emerging from a successful exec(), the saved
820 		 * uid and gid equal the effective uid and gid.
821 		 */
822 		cred->cr_suid = cred->cr_uid;
823 		cred->cr_sgid = cred->cr_gid;
824 
825 		/*
826 		 * If the real and effective ids do not match, this
827 		 * is a setuid process that should not dump core.
828 		 * The group comparison is tricky; we prevent the code
829 		 * from flagging SNOCD when executing with an effective gid
830 		 * which is a supplementary group.
831 		 */
832 		if (cred->cr_ruid != cred->cr_uid ||
833 		    (cred->cr_rgid != cred->cr_gid &&
834 		    !supgroupmember(cred->cr_gid, cred)) ||
835 		    (privflags & PRIV_INCREASE) != 0)
836 			suidflags = PSUIDFLAGS;
837 		else
838 			suidflags = 0;
839 
840 		mutex_exit(&pp->p_crlock);
841 		if (newcred != NULL && oruid != newcred->cr_ruid) {
842 			/* Note that the process remains in the same zone. */
843 			mutex_enter(&pidlock);
844 			upcount_dec(oruid, crgetzoneid(newcred));
845 			upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
846 			mutex_exit(&pidlock);
847 		}
848 		if (suidflags) {
849 			mutex_enter(&pp->p_lock);
850 			pp->p_flag |= suidflags;
851 			mutex_exit(&pp->p_lock);
852 		}
853 		if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
854 			/*
855 			 * If process is traced via /proc, arrange to
856 			 * invalidate the associated /proc vnode.
857 			 */
858 			if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
859 				args->traceinval = 1;
860 		}
861 		if (pp->p_proc_flag & P_PR_PTRACE)
862 			psignal(pp, SIGTRAP);
863 		if (args->traceinval)
864 			prinvalidate(&pp->p_user);
865 	}
866 	if (execvp)
867 		VN_RELE(execvp);
868 	return (0);
869 
870 bad:
871 	(void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
872 
873 bad_noclose:
874 	if (newcred != NULL)
875 		crfree(newcred);
876 	if (error == 0)
877 		error = ENOEXEC;
878 
879 	if (suidflags) {
880 		mutex_enter(&pp->p_lock);
881 		pp->p_flag |= suidflags;
882 		mutex_exit(&pp->p_lock);
883 	}
884 	return (error);
885 }
886 
887 extern char *execswnames[];
888 
889 struct execsw *
890 allocate_execsw(char *name, char *magic, size_t magic_size)
891 {
892 	int i, j;
893 	char *ename;
894 	char *magicp;
895 
896 	mutex_enter(&execsw_lock);
897 	for (i = 0; i < nexectype; i++) {
898 		if (execswnames[i] == NULL) {
899 			ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
900 			(void) strcpy(ename, name);
901 			execswnames[i] = ename;
902 			/*
903 			 * Set the magic number last so that we
904 			 * don't need to hold the execsw_lock in
905 			 * findexectype().
906 			 */
907 			magicp = kmem_alloc(magic_size, KM_SLEEP);
908 			for (j = 0; j < magic_size; j++)
909 				magicp[j] = magic[j];
910 			execsw[i].exec_magic = magicp;
911 			mutex_exit(&execsw_lock);
912 			return (&execsw[i]);
913 		}
914 	}
915 	mutex_exit(&execsw_lock);
916 	return (NULL);
917 }
918 
919 /*
920  * Find the exec switch table entry with the corresponding magic string.
921  */
922 struct execsw *
923 findexecsw(char *magic)
924 {
925 	struct execsw *eswp;
926 
927 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
928 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
929 		if (magic && eswp->exec_maglen != 0 &&
930 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
931 			return (eswp);
932 	}
933 	return (NULL);
934 }
935 
936 /*
937  * Find the execsw[] index for the given exec header string by looking for the
938  * magic string at a specified offset and length for each kind of executable
939  * file format until one matches.  If no execsw[] entry is found, try to
940  * autoload a module for this magic string.
941  */
942 struct execsw *
943 findexec_by_hdr(char *header)
944 {
945 	struct execsw *eswp;
946 
947 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
948 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
949 		if (header && eswp->exec_maglen != 0 &&
950 		    bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
951 		    eswp->exec_maglen) == 0) {
952 			if (hold_execsw(eswp) != 0)
953 				return (NULL);
954 			return (eswp);
955 		}
956 	}
957 	return (NULL);	/* couldn't find the type */
958 }
959 
960 /*
961  * Find the execsw[] index for the given magic string.  If no execsw[] entry
962  * is found, try to autoload a module for this magic string.
963  */
964 struct execsw *
965 findexec_by_magic(char *magic)
966 {
967 	struct execsw *eswp;
968 
969 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
970 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
971 		if (magic && eswp->exec_maglen != 0 &&
972 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
973 			if (hold_execsw(eswp) != 0)
974 				return (NULL);
975 			return (eswp);
976 		}
977 	}
978 	return (NULL);	/* couldn't find the type */
979 }
980 
981 static int
982 hold_execsw(struct execsw *eswp)
983 {
984 	char *name;
985 
986 	rw_enter(eswp->exec_lock, RW_READER);
987 	while (!LOADED_EXEC(eswp)) {
988 		rw_exit(eswp->exec_lock);
989 		name = execswnames[eswp-execsw];
990 		ASSERT(name);
991 		if (modload("exec", name) == -1)
992 			return (-1);
993 		rw_enter(eswp->exec_lock, RW_READER);
994 	}
995 	return (0);
996 }
997 
998 static int
999 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1000     priv_set_t *fset, cred_t *cr, const char *pathname)
1001 {
1002 	proc_t *pp = ttoproc(curthread);
1003 	uid_t uid, gid;
1004 	int privflags = 0;
1005 
1006 	/*
1007 	 * Remember credentials.
1008 	 */
1009 	uid = cr->cr_uid;
1010 	gid = cr->cr_gid;
1011 
1012 	/* Will try to reset the PRIV_AWARE bit later. */
1013 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1014 		privflags |= PRIV_RESET;
1015 
1016 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1017 		/*
1018 		 * If it's a set-uid root program we perform the
1019 		 * forced privilege look-aside. This has three possible
1020 		 * outcomes:
1021 		 *	no look aside information -> treat as before
1022 		 *	look aside in Limit set -> apply forced privs
1023 		 *	look aside not in Limit set -> ignore set-uid root
1024 		 *
1025 		 * Ordinary set-uid root execution only allowed if the limit
1026 		 * set holds all unsafe privileges.
1027 		 */
1028 		if (vattrp->va_mode & VSUID) {
1029 			if (vattrp->va_uid == 0) {
1030 				int res = get_forced_privs(cr, pathname, fset);
1031 
1032 				switch (res) {
1033 				case -1:
1034 					if (priv_issubset(&priv_unsafe,
1035 					    &CR_LPRIV(cr))) {
1036 						uid = vattrp->va_uid;
1037 						privflags |= PRIV_SETUGID;
1038 					}
1039 					break;
1040 				case 0:
1041 					privflags |= PRIV_FORCED|PRIV_INCREASE;
1042 					break;
1043 				default:
1044 					break;
1045 				}
1046 			} else {
1047 				uid = vattrp->va_uid;
1048 				privflags |= PRIV_SETUGID;
1049 			}
1050 		}
1051 		if (vattrp->va_mode & VSGID) {
1052 			gid = vattrp->va_gid;
1053 			privflags |= PRIV_SETUGID;
1054 		}
1055 	}
1056 
1057 	/*
1058 	 * Do we need to change our credential anyway?
1059 	 * This is the case when E != I or P != I, as
1060 	 * we need to do the assignments (with F empty and A full)
1061 	 * Or when I is not a subset of L; in that case we need to
1062 	 * enforce L.
1063 	 *
1064 	 *		I' = L & I
1065 	 *
1066 	 *		E' = P' = (I' + F) & A
1067 	 * or
1068 	 *		E' = P' = I'
1069 	 */
1070 	if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1071 	    !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1072 	    !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1073 		privflags |= PRIV_RESET;
1074 
1075 	/* Child has more privileges than parent */
1076 	if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1077 		privflags |= PRIV_INCREASE;
1078 
1079 	/* If MAC-aware flag(s) are on, need to update cred to remove. */
1080 	if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1081 	    (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1082 		privflags |= MAC_FLAGS;
1083 	/*
1084 	 * Set setuid/setgid protections if no ptrace() compatibility.
1085 	 * For privileged processes, honor setuid/setgid even in
1086 	 * the presence of ptrace() compatibility.
1087 	 */
1088 	if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1089 	    PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1090 	    (cr->cr_uid != uid ||
1091 	    cr->cr_gid != gid ||
1092 	    cr->cr_suid != uid ||
1093 	    cr->cr_sgid != gid)) {
1094 		*uidp = uid;
1095 		*gidp = gid;
1096 		privflags |= PRIV_SETID;
1097 	}
1098 	return (privflags);
1099 }
1100 
1101 int
1102 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1103 {
1104 	int error;
1105 	proc_t *p = ttoproc(curthread);
1106 
1107 	vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1108 	if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1109 		return (error);
1110 	/*
1111 	 * Check the access mode.
1112 	 * If VPROC, ask /proc if the file is an object file.
1113 	 */
1114 	if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1115 	    !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1116 	    (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1117 	    (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1118 		if (error == 0)
1119 			error = EACCES;
1120 		return (error);
1121 	}
1122 
1123 	if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1124 	    (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1125 		/*
1126 		 * If process is under ptrace(2) compatibility,
1127 		 * fail the exec(2).
1128 		 */
1129 		if (p->p_proc_flag & P_PR_PTRACE)
1130 			goto bad;
1131 		/*
1132 		 * Process is traced via /proc.
1133 		 * Arrange to invalidate the /proc vnode.
1134 		 */
1135 		args->traceinval = 1;
1136 	}
1137 	return (0);
1138 bad:
1139 	if (error == 0)
1140 		error = ENOEXEC;
1141 	return (error);
1142 }
1143 
1144 /*
1145  * Map a section of an executable file into the user's
1146  * address space.
1147  */
1148 int
1149 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1150     off_t offset, int prot, int page, uint_t szc)
1151 {
1152 	int error = 0;
1153 	off_t oldoffset;
1154 	caddr_t zfodbase, oldaddr;
1155 	size_t end, oldlen;
1156 	size_t zfoddiff;
1157 	label_t ljb;
1158 	proc_t *p = ttoproc(curthread);
1159 
1160 	oldaddr = addr;
1161 	addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1162 	if (len) {
1163 		oldlen = len;
1164 		len += ((size_t)oldaddr - (size_t)addr);
1165 		oldoffset = offset;
1166 		offset = (off_t)((uintptr_t)offset & PAGEMASK);
1167 		if (page) {
1168 			spgcnt_t  prefltmem, availm, npages;
1169 			int preread;
1170 			uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1171 
1172 			if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1173 				mflag |= MAP_TEXT;
1174 			} else {
1175 				mflag |= MAP_INITDATA;
1176 			}
1177 
1178 			if (valid_usr_range(addr, len, prot, p->p_as,
1179 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1180 				error = ENOMEM;
1181 				goto bad;
1182 			}
1183 			if (error = VOP_MAP(vp, (offset_t)offset,
1184 			    p->p_as, &addr, len, prot, PROT_ALL,
1185 			    mflag, CRED(), NULL))
1186 				goto bad;
1187 
1188 			/*
1189 			 * If the segment can fit, then we prefault
1190 			 * the entire segment in.  This is based on the
1191 			 * model that says the best working set of a
1192 			 * small program is all of its pages.
1193 			 */
1194 			npages = (spgcnt_t)btopr(len);
1195 			prefltmem = freemem - desfree;
1196 			preread =
1197 			    (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1198 
1199 			/*
1200 			 * If we aren't prefaulting the segment,
1201 			 * increment "deficit", if necessary to ensure
1202 			 * that pages will become available when this
1203 			 * process starts executing.
1204 			 */
1205 			availm = freemem - lotsfree;
1206 			if (preread == 0 && npages > availm &&
1207 			    deficit < lotsfree) {
1208 				deficit += MIN((pgcnt_t)(npages - availm),
1209 				    lotsfree - deficit);
1210 			}
1211 
1212 			if (preread) {
1213 				TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1214 				    "execmap preread:freemem %d size %lu",
1215 				    freemem, len);
1216 				(void) as_fault(p->p_as->a_hat, p->p_as,
1217 				    (caddr_t)addr, len, F_INVAL, S_READ);
1218 			}
1219 		} else {
1220 			if (valid_usr_range(addr, len, prot, p->p_as,
1221 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1222 				error = ENOMEM;
1223 				goto bad;
1224 			}
1225 
1226 			if (error = as_map(p->p_as, addr, len,
1227 			    segvn_create, zfod_argsp))
1228 				goto bad;
1229 			/*
1230 			 * Read in the segment in one big chunk.
1231 			 */
1232 			if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1233 			    oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1234 			    (rlim64_t)0, CRED(), (ssize_t *)0))
1235 				goto bad;
1236 			/*
1237 			 * Now set protections.
1238 			 */
1239 			if (prot != PROT_ZFOD) {
1240 				(void) as_setprot(p->p_as, (caddr_t)addr,
1241 				    len, prot);
1242 			}
1243 		}
1244 	}
1245 
1246 	if (zfodlen) {
1247 		struct as *as = curproc->p_as;
1248 		struct seg *seg;
1249 		uint_t zprot = 0;
1250 
1251 		end = (size_t)addr + len;
1252 		zfodbase = (caddr_t)roundup(end, PAGESIZE);
1253 		zfoddiff = (uintptr_t)zfodbase - end;
1254 		if (zfoddiff) {
1255 			/*
1256 			 * Before we go to zero the remaining space on the last
1257 			 * page, make sure we have write permission.
1258 			 *
1259 			 * Normal illumos binaries don't even hit the case
1260 			 * where we have to change permission on the last page
1261 			 * since their protection is typically either
1262 			 *    PROT_USER | PROT_WRITE | PROT_READ
1263 			 * or
1264 			 *    PROT_ZFOD (same as PROT_ALL).
1265 			 *
1266 			 * We need to be careful how we zero-fill the last page
1267 			 * if the segment protection does not include
1268 			 * PROT_WRITE. Using as_setprot() can cause the VM
1269 			 * segment code to call segvn_vpage(), which must
1270 			 * allocate a page struct for each page in the segment.
1271 			 * If we have a very large segment, this may fail, so
1272 			 * we have to check for that, even though we ignore
1273 			 * other return values from as_setprot.
1274 			 */
1275 
1276 			AS_LOCK_ENTER(as, &as->a_lock, RW_READER);
1277 			seg = as_segat(curproc->p_as, (caddr_t)end);
1278 			if (seg != NULL)
1279 				SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1280 				    &zprot);
1281 			AS_LOCK_EXIT(as, &as->a_lock);
1282 
1283 			if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1284 				if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1285 				    zprot | PROT_WRITE) == ENOMEM) {
1286 					error = ENOMEM;
1287 					goto bad;
1288 				}
1289 			}
1290 
1291 			if (on_fault(&ljb)) {
1292 				no_fault();
1293 				if (seg != NULL && (zprot & PROT_WRITE) == 0)
1294 					(void) as_setprot(as, (caddr_t)end,
1295 					    zfoddiff - 1, zprot);
1296 				error = EFAULT;
1297 				goto bad;
1298 			}
1299 			uzero((void *)end, zfoddiff);
1300 			no_fault();
1301 			if (seg != NULL && (zprot & PROT_WRITE) == 0)
1302 				(void) as_setprot(as, (caddr_t)end,
1303 				    zfoddiff - 1, zprot);
1304 		}
1305 		if (zfodlen > zfoddiff) {
1306 			struct segvn_crargs crargs =
1307 			    SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1308 
1309 			zfodlen -= zfoddiff;
1310 			if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1311 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1312 				error = ENOMEM;
1313 				goto bad;
1314 			}
1315 			if (szc > 0) {
1316 				/*
1317 				 * ASSERT alignment because the mapelfexec()
1318 				 * caller for the szc > 0 case extended zfod
1319 				 * so it's end is pgsz aligned.
1320 				 */
1321 				size_t pgsz = page_get_pagesize(szc);
1322 				ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1323 
1324 				if (IS_P2ALIGNED(zfodbase, pgsz)) {
1325 					crargs.szc = szc;
1326 				} else {
1327 					crargs.szc = AS_MAP_HEAP;
1328 				}
1329 			} else {
1330 				crargs.szc = AS_MAP_NO_LPOOB;
1331 			}
1332 			if (error = as_map(p->p_as, (caddr_t)zfodbase,
1333 			    zfodlen, segvn_create, &crargs))
1334 				goto bad;
1335 			if (prot != PROT_ZFOD) {
1336 				(void) as_setprot(p->p_as, (caddr_t)zfodbase,
1337 				    zfodlen, prot);
1338 			}
1339 		}
1340 	}
1341 	return (0);
1342 bad:
1343 	return (error);
1344 }
1345 
1346 void
1347 setexecenv(struct execenv *ep)
1348 {
1349 	proc_t *p = ttoproc(curthread);
1350 	klwp_t *lwp = ttolwp(curthread);
1351 	struct vnode *vp;
1352 
1353 	p->p_bssbase = ep->ex_bssbase;
1354 	p->p_brkbase = ep->ex_brkbase;
1355 	p->p_brksize = ep->ex_brksize;
1356 	if (p->p_exec)
1357 		VN_RELE(p->p_exec);	/* out with the old */
1358 	vp = p->p_exec = ep->ex_vp;
1359 	if (vp != NULL)
1360 		VN_HOLD(vp);		/* in with the new */
1361 
1362 	lwp->lwp_sigaltstack.ss_sp = 0;
1363 	lwp->lwp_sigaltstack.ss_size = 0;
1364 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1365 }
1366 
1367 int
1368 execopen(struct vnode **vpp, int *fdp)
1369 {
1370 	struct vnode *vp = *vpp;
1371 	file_t *fp;
1372 	int error = 0;
1373 	int filemode = FREAD;
1374 
1375 	VN_HOLD(vp);		/* open reference */
1376 	if (error = falloc(NULL, filemode, &fp, fdp)) {
1377 		VN_RELE(vp);
1378 		*fdp = -1;	/* just in case falloc changed value */
1379 		return (error);
1380 	}
1381 	if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1382 		VN_RELE(vp);
1383 		setf(*fdp, NULL);
1384 		unfalloc(fp);
1385 		*fdp = -1;
1386 		return (error);
1387 	}
1388 	*vpp = vp;		/* vnode should not have changed */
1389 	fp->f_vnode = vp;
1390 	mutex_exit(&fp->f_tlock);
1391 	setf(*fdp, fp);
1392 	return (0);
1393 }
1394 
1395 int
1396 execclose(int fd)
1397 {
1398 	return (closeandsetf(fd, NULL));
1399 }
1400 
1401 
1402 /*
1403  * noexec stub function.
1404  */
1405 /*ARGSUSED*/
1406 int
1407 noexec(
1408     struct vnode *vp,
1409     struct execa *uap,
1410     struct uarg *args,
1411     struct intpdata *idatap,
1412     int level,
1413     long *execsz,
1414     int setid,
1415     caddr_t exec_file,
1416     struct cred *cred)
1417 {
1418 	cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1419 	return (ENOEXEC);
1420 }
1421 
1422 /*
1423  * Support routines for building a user stack.
1424  *
1425  * execve(path, argv, envp) must construct a new stack with the specified
1426  * arguments and environment variables (see exec_args() for a description
1427  * of the user stack layout).  To do this, we copy the arguments and
1428  * environment variables from the old user address space into the kernel,
1429  * free the old as, create the new as, and copy our buffered information
1430  * to the new stack.  Our kernel buffer has the following structure:
1431  *
1432  *	+-----------------------+ <--- stk_base + stk_size
1433  *	| string offsets	|
1434  *	+-----------------------+ <--- stk_offp
1435  *	|			|
1436  *	| STK_AVAIL() space	|
1437  *	|			|
1438  *	+-----------------------+ <--- stk_strp
1439  *	| strings		|
1440  *	+-----------------------+ <--- stk_base
1441  *
1442  * When we add a string, we store the string's contents (including the null
1443  * terminator) at stk_strp, and we store the offset of the string relative to
1444  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1445  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1446  * the difference between these pointers.  If we run out of space, we return
1447  * an error and exec_args() starts all over again with a buffer twice as large.
1448  * When we're all done, the kernel buffer looks like this:
1449  *
1450  *	+-----------------------+ <--- stk_base + stk_size
1451  *	| argv[0] offset	|
1452  *	+-----------------------+
1453  *	| ...			|
1454  *	+-----------------------+
1455  *	| argv[argc-1] offset	|
1456  *	+-----------------------+
1457  *	| envp[0] offset	|
1458  *	+-----------------------+
1459  *	| ...			|
1460  *	+-----------------------+
1461  *	| envp[envc-1] offset	|
1462  *	+-----------------------+
1463  *	| AT_SUN_PLATFORM offset|
1464  *	+-----------------------+
1465  *	| AT_SUN_EXECNAME offset|
1466  *	+-----------------------+ <--- stk_offp
1467  *	|			|
1468  *	| STK_AVAIL() space	|
1469  *	|			|
1470  *	+-----------------------+ <--- stk_strp
1471  *	| AT_SUN_EXECNAME offset|
1472  *	+-----------------------+
1473  *	| AT_SUN_PLATFORM offset|
1474  *	+-----------------------+
1475  *	| envp[envc-1] string	|
1476  *	+-----------------------+
1477  *	| ...			|
1478  *	+-----------------------+
1479  *	| envp[0] string	|
1480  *	+-----------------------+
1481  *	| argv[argc-1] string	|
1482  *	+-----------------------+
1483  *	| ...			|
1484  *	+-----------------------+
1485  *	| argv[0] string	|
1486  *	+-----------------------+ <--- stk_base
1487  */
1488 
1489 #define	STK_AVAIL(args)		((char *)(args)->stk_offp - (args)->stk_strp)
1490 
1491 /*
1492  * Add a string to the stack.
1493  */
1494 static int
1495 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1496 {
1497 	int error;
1498 	size_t len;
1499 
1500 	if (STK_AVAIL(args) < sizeof (int))
1501 		return (E2BIG);
1502 	*--args->stk_offp = args->stk_strp - args->stk_base;
1503 
1504 	if (segflg == UIO_USERSPACE) {
1505 		error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1506 		if (error != 0)
1507 			return (error);
1508 	} else {
1509 		len = strlen(sp) + 1;
1510 		if (len > STK_AVAIL(args))
1511 			return (E2BIG);
1512 		bcopy(sp, args->stk_strp, len);
1513 	}
1514 
1515 	args->stk_strp += len;
1516 
1517 	return (0);
1518 }
1519 
1520 static int
1521 stk_getptr(uarg_t *args, char *src, char **dst)
1522 {
1523 	int error;
1524 
1525 	if (args->from_model == DATAMODEL_NATIVE) {
1526 		ulong_t ptr;
1527 		error = fulword(src, &ptr);
1528 		*dst = (caddr_t)ptr;
1529 	} else {
1530 		uint32_t ptr;
1531 		error = fuword32(src, &ptr);
1532 		*dst = (caddr_t)(uintptr_t)ptr;
1533 	}
1534 	return (error);
1535 }
1536 
1537 static int
1538 stk_putptr(uarg_t *args, char *addr, char *value)
1539 {
1540 	if (args->to_model == DATAMODEL_NATIVE)
1541 		return (sulword(addr, (ulong_t)value));
1542 	else
1543 		return (suword32(addr, (uint32_t)(uintptr_t)value));
1544 }
1545 
1546 static int
1547 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1548 {
1549 	char *sp;
1550 	int argc, error;
1551 	int argv_empty = 0;
1552 	size_t ptrsize = args->from_ptrsize;
1553 	size_t size, pad;
1554 	char *argv = (char *)uap->argp;
1555 	char *envp = (char *)uap->envp;
1556 
1557 	/*
1558 	 * Copy interpreter's name and argument to argv[0] and argv[1].
1559 	 */
1560 	if (intp != NULL && intp->intp_name != NULL) {
1561 		if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0)
1562 			return (error);
1563 		if (intp->intp_arg != NULL &&
1564 		    (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0)
1565 			return (error);
1566 		if (args->fname != NULL)
1567 			error = stk_add(args, args->fname, UIO_SYSSPACE);
1568 		else
1569 			error = stk_add(args, uap->fname, UIO_USERSPACE);
1570 		if (error)
1571 			return (error);
1572 
1573 		/*
1574 		 * Check for an empty argv[].
1575 		 */
1576 		if (stk_getptr(args, argv, &sp))
1577 			return (EFAULT);
1578 		if (sp == NULL)
1579 			argv_empty = 1;
1580 
1581 		argv += ptrsize;		/* ignore original argv[0] */
1582 	}
1583 
1584 	if (argv_empty == 0) {
1585 		/*
1586 		 * Add argv[] strings to the stack.
1587 		 */
1588 		for (;;) {
1589 			if (stk_getptr(args, argv, &sp))
1590 				return (EFAULT);
1591 			if (sp == NULL)
1592 				break;
1593 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1594 				return (error);
1595 			argv += ptrsize;
1596 		}
1597 	}
1598 	argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1599 	args->arglen = args->stk_strp - args->stk_base;
1600 
1601 	/*
1602 	 * Add environ[] strings to the stack.
1603 	 */
1604 	if (envp != NULL) {
1605 		for (;;) {
1606 			char *tmp = args->stk_strp;
1607 			if (stk_getptr(args, envp, &sp))
1608 				return (EFAULT);
1609 			if (sp == NULL)
1610 				break;
1611 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1612 				return (error);
1613 			if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1614 				/* Undo the copied string */
1615 				args->stk_strp = tmp;
1616 				*(args->stk_offp++) = NULL;
1617 			}
1618 			envp += ptrsize;
1619 		}
1620 	}
1621 	args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1622 	args->ne = args->na - argc;
1623 
1624 	/*
1625 	 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1626 	 * AT_SUN_EMULATOR strings to the stack.
1627 	 */
1628 	if (auxvpp != NULL && *auxvpp != NULL) {
1629 		if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1630 			return (error);
1631 		if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1632 			return (error);
1633 		if (args->brandname != NULL &&
1634 		    (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1635 			return (error);
1636 		if (args->emulator != NULL &&
1637 		    (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1638 			return (error);
1639 	}
1640 
1641 	/*
1642 	 * Compute the size of the stack.  This includes all the pointers,
1643 	 * the space reserved for the aux vector, and all the strings.
1644 	 * The total number of pointers is args->na (which is argc + envc)
1645 	 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1646 	 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1647 	 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1648 	 * all the strings, at the very top of the stack.
1649 	 */
1650 	size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1651 	    (args->stk_strp - args->stk_base);
1652 
1653 	/*
1654 	 * Pad the string section with zeroes to align the stack size.
1655 	 */
1656 	pad = P2NPHASE(size, args->stk_align);
1657 
1658 	if (STK_AVAIL(args) < pad)
1659 		return (E2BIG);
1660 
1661 	args->usrstack_size = size + pad;
1662 
1663 	while (pad-- != 0)
1664 		*args->stk_strp++ = 0;
1665 
1666 	args->nc = args->stk_strp - args->stk_base;
1667 
1668 	return (0);
1669 }
1670 
1671 static int
1672 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1673 {
1674 	size_t ptrsize = args->to_ptrsize;
1675 	ssize_t pslen;
1676 	char *kstrp = args->stk_base;
1677 	char *ustrp = usrstack - args->nc - ptrsize;
1678 	char *usp = usrstack - args->usrstack_size;
1679 	int *offp = (int *)(args->stk_base + args->stk_size);
1680 	int envc = args->ne;
1681 	int argc = args->na - envc;
1682 	int i;
1683 
1684 	/*
1685 	 * Record argc for /proc.
1686 	 */
1687 	up->u_argc = argc;
1688 
1689 	/*
1690 	 * Put argc on the stack.  Note that even though it's an int,
1691 	 * it always consumes ptrsize bytes (for alignment).
1692 	 */
1693 	if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1694 		return (-1);
1695 
1696 	/*
1697 	 * Add argc space (ptrsize) to usp and record argv for /proc.
1698 	 */
1699 	up->u_argv = (uintptr_t)(usp += ptrsize);
1700 
1701 	/*
1702 	 * Put the argv[] pointers on the stack.
1703 	 */
1704 	for (i = 0; i < argc; i++, usp += ptrsize)
1705 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1706 			return (-1);
1707 
1708 	/*
1709 	 * Copy arguments to u_psargs.
1710 	 */
1711 	pslen = MIN(args->arglen, PSARGSZ) - 1;
1712 	for (i = 0; i < pslen; i++)
1713 		up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1714 	while (i < PSARGSZ)
1715 		up->u_psargs[i++] = '\0';
1716 
1717 	/*
1718 	 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1719 	 * record envp for /proc.
1720 	 */
1721 	up->u_envp = (uintptr_t)(usp += ptrsize);
1722 
1723 	/*
1724 	 * Put the envp[] pointers on the stack.
1725 	 */
1726 	for (i = 0; i < envc; i++, usp += ptrsize)
1727 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1728 			return (-1);
1729 
1730 	/*
1731 	 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1732 	 * remember where the stack ends, which is also where auxv begins.
1733 	 */
1734 	args->stackend = usp += ptrsize;
1735 
1736 	/*
1737 	 * Put all the argv[], envp[], and auxv strings on the stack.
1738 	 */
1739 	if (copyout(args->stk_base, ustrp, args->nc))
1740 		return (-1);
1741 
1742 	/*
1743 	 * Fill in the aux vector now that we know the user stack addresses
1744 	 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1745 	 * AT_SUN_EMULATOR strings.
1746 	 */
1747 	if (auxvpp != NULL && *auxvpp != NULL) {
1748 		if (args->to_model == DATAMODEL_NATIVE) {
1749 			auxv_t **a = (auxv_t **)auxvpp;
1750 			ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1751 			ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1752 			if (args->brandname != NULL)
1753 				ADDAUX(*a,
1754 				    AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1755 			if (args->emulator != NULL)
1756 				ADDAUX(*a,
1757 				    AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1758 		} else {
1759 			auxv32_t **a = (auxv32_t **)auxvpp;
1760 			ADDAUX(*a,
1761 			    AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1762 			ADDAUX(*a,
1763 			    AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1764 			if (args->brandname != NULL)
1765 				ADDAUX(*a, AT_SUN_BRANDNAME,
1766 				    (int)(uintptr_t)&ustrp[*--offp])
1767 			if (args->emulator != NULL)
1768 				ADDAUX(*a, AT_SUN_EMULATOR,
1769 				    (int)(uintptr_t)&ustrp[*--offp])
1770 		}
1771 	}
1772 
1773 	return (0);
1774 }
1775 
1776 /*
1777  * Initialize a new user stack with the specified arguments and environment.
1778  * The initial user stack layout is as follows:
1779  *
1780  *	User Stack
1781  *	+---------------+ <--- curproc->p_usrstack
1782  *	|		|
1783  *	| slew		|
1784  *	|		|
1785  *	+---------------+
1786  *	| NULL		|
1787  *	+---------------+
1788  *	|		|
1789  *	| auxv strings	|
1790  *	|		|
1791  *	+---------------+
1792  *	|		|
1793  *	| envp strings	|
1794  *	|		|
1795  *	+---------------+
1796  *	|		|
1797  *	| argv strings	|
1798  *	|		|
1799  *	+---------------+ <--- ustrp
1800  *	|		|
1801  *	| aux vector	|
1802  *	|		|
1803  *	+---------------+ <--- auxv
1804  *	| NULL		|
1805  *	+---------------+
1806  *	| envp[envc-1]	|
1807  *	+---------------+
1808  *	| ...		|
1809  *	+---------------+
1810  *	| envp[0]	|
1811  *	+---------------+ <--- envp[]
1812  *	| NULL		|
1813  *	+---------------+
1814  *	| argv[argc-1]	|
1815  *	+---------------+
1816  *	| ...		|
1817  *	+---------------+
1818  *	| argv[0]	|
1819  *	+---------------+ <--- argv[]
1820  *	| argc		|
1821  *	+---------------+ <--- stack base
1822  */
1823 int
1824 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1825 {
1826 	size_t size;
1827 	int error;
1828 	proc_t *p = ttoproc(curthread);
1829 	user_t *up = PTOU(p);
1830 	char *usrstack;
1831 	rctl_entity_p_t e;
1832 	struct as *as;
1833 	extern int use_stk_lpg;
1834 	size_t sp_slew;
1835 
1836 	args->from_model = p->p_model;
1837 	if (p->p_model == DATAMODEL_NATIVE) {
1838 		args->from_ptrsize = sizeof (long);
1839 	} else {
1840 		args->from_ptrsize = sizeof (int32_t);
1841 	}
1842 
1843 	if (args->to_model == DATAMODEL_NATIVE) {
1844 		args->to_ptrsize = sizeof (long);
1845 		args->ncargs = NCARGS;
1846 		args->stk_align = STACK_ALIGN;
1847 		if (args->addr32)
1848 			usrstack = (char *)USRSTACK64_32;
1849 		else
1850 			usrstack = (char *)USRSTACK;
1851 	} else {
1852 		args->to_ptrsize = sizeof (int32_t);
1853 		args->ncargs = NCARGS32;
1854 		args->stk_align = STACK_ALIGN32;
1855 		usrstack = (char *)USRSTACK32;
1856 	}
1857 
1858 	ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1859 
1860 #if defined(__sparc)
1861 	/*
1862 	 * Make sure user register windows are empty before
1863 	 * attempting to make a new stack.
1864 	 */
1865 	(void) flush_user_windows_to_stack(NULL);
1866 #endif
1867 
1868 	for (size = PAGESIZE; ; size *= 2) {
1869 		args->stk_size = size;
1870 		args->stk_base = kmem_alloc(size, KM_SLEEP);
1871 		args->stk_strp = args->stk_base;
1872 		args->stk_offp = (int *)(args->stk_base + size);
1873 		error = stk_copyin(uap, args, intp, auxvpp);
1874 		if (error == 0)
1875 			break;
1876 		kmem_free(args->stk_base, size);
1877 		if (error != E2BIG && error != ENAMETOOLONG)
1878 			return (error);
1879 		if (size >= args->ncargs)
1880 			return (E2BIG);
1881 	}
1882 
1883 	size = args->usrstack_size;
1884 
1885 	ASSERT(error == 0);
1886 	ASSERT(P2PHASE(size, args->stk_align) == 0);
1887 	ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1888 
1889 	if (size > args->ncargs) {
1890 		kmem_free(args->stk_base, args->stk_size);
1891 		return (E2BIG);
1892 	}
1893 
1894 	/*
1895 	 * Leave only the current lwp and force the other lwps to exit.
1896 	 * If another lwp beat us to the punch by calling exit(), bail out.
1897 	 */
1898 	if ((error = exitlwps(0)) != 0) {
1899 		kmem_free(args->stk_base, args->stk_size);
1900 		return (error);
1901 	}
1902 
1903 	/*
1904 	 * Revoke any doors created by the process.
1905 	 */
1906 	if (p->p_door_list)
1907 		door_exit();
1908 
1909 	/*
1910 	 * Release schedctl data structures.
1911 	 */
1912 	if (p->p_pagep)
1913 		schedctl_proc_cleanup();
1914 
1915 	/*
1916 	 * Clean up any DTrace helpers for the process.
1917 	 */
1918 	if (p->p_dtrace_helpers != NULL) {
1919 		ASSERT(dtrace_helpers_cleanup != NULL);
1920 		(*dtrace_helpers_cleanup)();
1921 	}
1922 
1923 	mutex_enter(&p->p_lock);
1924 	/*
1925 	 * Cleanup the DTrace provider associated with this process.
1926 	 */
1927 	if (p->p_dtrace_probes) {
1928 		ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1929 		dtrace_fasttrap_exec_ptr(p);
1930 	}
1931 	mutex_exit(&p->p_lock);
1932 
1933 	/*
1934 	 * discard the lwpchan cache.
1935 	 */
1936 	if (p->p_lcp != NULL)
1937 		lwpchan_destroy_cache(1);
1938 
1939 	/*
1940 	 * Delete the POSIX timers.
1941 	 */
1942 	if (p->p_itimer != NULL)
1943 		timer_exit();
1944 
1945 	/*
1946 	 * Delete the ITIMER_REALPROF interval timer.
1947 	 * The other ITIMER_* interval timers are specified
1948 	 * to be inherited across exec().
1949 	 */
1950 	delete_itimer_realprof();
1951 
1952 	if (AU_AUDITING())
1953 		audit_exec(args->stk_base, args->stk_base + args->arglen,
1954 		    args->na - args->ne, args->ne, args->pfcred);
1955 
1956 	/*
1957 	 * Ensure that we don't change resource associations while we
1958 	 * change address spaces.
1959 	 */
1960 	mutex_enter(&p->p_lock);
1961 	pool_barrier_enter();
1962 	mutex_exit(&p->p_lock);
1963 
1964 	/*
1965 	 * Destroy the old address space and create a new one.
1966 	 * From here on, any errors are fatal to the exec()ing process.
1967 	 * On error we return -1, which means the caller must SIGKILL
1968 	 * the process.
1969 	 */
1970 	relvm();
1971 
1972 	mutex_enter(&p->p_lock);
1973 	pool_barrier_exit();
1974 	mutex_exit(&p->p_lock);
1975 
1976 	up->u_execsw = args->execswp;
1977 
1978 	p->p_brkbase = NULL;
1979 	p->p_brksize = 0;
1980 	p->p_brkpageszc = 0;
1981 	p->p_stksize = 0;
1982 	p->p_stkpageszc = 0;
1983 	p->p_model = args->to_model;
1984 	p->p_usrstack = usrstack;
1985 	p->p_stkprot = args->stk_prot;
1986 	p->p_datprot = args->dat_prot;
1987 
1988 	/*
1989 	 * Reset resource controls such that all controls are again active as
1990 	 * well as appropriate to the potentially new address model for the
1991 	 * process.
1992 	 */
1993 	e.rcep_p.proc = p;
1994 	e.rcep_t = RCENTITY_PROCESS;
1995 	rctl_set_reset(p->p_rctls, p, &e);
1996 
1997 	/* Too early to call map_pgsz for the heap */
1998 	if (use_stk_lpg) {
1999 		p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2000 	}
2001 
2002 	mutex_enter(&p->p_lock);
2003 	p->p_flag |= SAUTOLPG;	/* kernel controls page sizes */
2004 	mutex_exit(&p->p_lock);
2005 
2006 	/*
2007 	 * Some platforms may choose to randomize real stack start by adding a
2008 	 * small slew (not more than a few hundred bytes) to the top of the
2009 	 * stack. This helps avoid cache thrashing when identical processes
2010 	 * simultaneously share caches that don't provide enough associativity
2011 	 * (e.g. sun4v systems). In this case stack slewing makes the same hot
2012 	 * stack variables in different processes to live in different cache
2013 	 * sets increasing effective associativity.
2014 	 */
2015 	sp_slew = exec_get_spslew();
2016 	ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2017 	exec_set_sp(size + sp_slew);
2018 
2019 	as = as_alloc();
2020 	p->p_as = as;
2021 	as->a_proc = p;
2022 	if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2023 		as->a_userlimit = (caddr_t)USERLIMIT32;
2024 	(void) hat_setup(as->a_hat, HAT_ALLOC);
2025 	hat_join_srd(as->a_hat, args->ex_vp);
2026 
2027 	/*
2028 	 * Finally, write out the contents of the new stack.
2029 	 */
2030 	error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2031 	kmem_free(args->stk_base, args->stk_size);
2032 	return (error);
2033 }
2034