1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* Copyright (c) 1988 AT&T */ 27 /* All Rights Reserved */ 28 29 #include <sys/types.h> 30 #include <sys/param.h> 31 #include <sys/sysmacros.h> 32 #include <sys/systm.h> 33 #include <sys/signal.h> 34 #include <sys/cred_impl.h> 35 #include <sys/policy.h> 36 #include <sys/user.h> 37 #include <sys/errno.h> 38 #include <sys/file.h> 39 #include <sys/vfs.h> 40 #include <sys/vnode.h> 41 #include <sys/mman.h> 42 #include <sys/acct.h> 43 #include <sys/cpuvar.h> 44 #include <sys/proc.h> 45 #include <sys/cmn_err.h> 46 #include <sys/debug.h> 47 #include <sys/pathname.h> 48 #include <sys/vm.h> 49 #include <sys/lgrp.h> 50 #include <sys/vtrace.h> 51 #include <sys/exec.h> 52 #include <sys/exechdr.h> 53 #include <sys/kmem.h> 54 #include <sys/prsystm.h> 55 #include <sys/modctl.h> 56 #include <sys/vmparam.h> 57 #include <sys/door.h> 58 #include <sys/schedctl.h> 59 #include <sys/utrap.h> 60 #include <sys/systeminfo.h> 61 #include <sys/stack.h> 62 #include <sys/rctl.h> 63 #include <sys/dtrace.h> 64 #include <sys/lwpchan_impl.h> 65 #include <sys/pool.h> 66 #include <sys/sdt.h> 67 #include <sys/brand.h> 68 #include <sys/klpd.h> 69 70 #include <c2/audit.h> 71 72 #include <vm/hat.h> 73 #include <vm/anon.h> 74 #include <vm/as.h> 75 #include <vm/seg.h> 76 #include <vm/seg_vn.h> 77 78 #define PRIV_RESET 0x01 /* needs to reset privs */ 79 #define PRIV_SETID 0x02 /* needs to change uids */ 80 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */ 81 #define PRIV_INCREASE 0x08 /* child runs with more privs */ 82 #define MAC_FLAGS 0x10 /* need to adjust MAC flags */ 83 #define PRIV_FORCED 0x20 /* has forced privileges */ 84 85 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *, 86 priv_set_t *, cred_t *, const char *); 87 static int hold_execsw(struct execsw *); 88 89 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */ 90 #if defined(_SYSCALL32_IMPL) 91 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */ 92 #endif 93 94 #define PSUIDFLAGS (SNOCD|SUGID) 95 96 /* 97 * exece() - system call wrapper around exec_common() 98 */ 99 int 100 exece(const char *fname, const char **argp, const char **envp) 101 { 102 int error; 103 104 error = exec_common(fname, argp, envp, EBA_NONE); 105 return (error ? (set_errno(error)) : 0); 106 } 107 108 int 109 exec_common(const char *fname, const char **argp, const char **envp, 110 int brand_action) 111 { 112 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL; 113 proc_t *p = ttoproc(curthread); 114 klwp_t *lwp = ttolwp(curthread); 115 struct user *up = PTOU(p); 116 long execsz; /* temporary count of exec size */ 117 int i; 118 int error; 119 char exec_file[MAXCOMLEN+1]; 120 struct pathname pn; 121 struct pathname resolvepn; 122 struct uarg args; 123 struct execa ua; 124 k_sigset_t savedmask; 125 lwpdir_t *lwpdir = NULL; 126 tidhash_t *tidhash; 127 lwpdir_t *old_lwpdir = NULL; 128 uint_t old_lwpdir_sz; 129 tidhash_t *old_tidhash; 130 uint_t old_tidhash_sz; 131 ret_tidhash_t *ret_tidhash; 132 lwpent_t *lep; 133 boolean_t brandme = B_FALSE; 134 135 /* 136 * exec() is not supported for the /proc agent lwp. 137 */ 138 if (curthread == p->p_agenttp) 139 return (ENOTSUP); 140 141 if (brand_action != EBA_NONE) { 142 /* 143 * Brand actions are not supported for processes that are not 144 * running in a branded zone. 145 */ 146 if (!ZONE_IS_BRANDED(p->p_zone)) 147 return (ENOTSUP); 148 149 if (brand_action == EBA_NATIVE) { 150 /* Only branded processes can be unbranded */ 151 if (!PROC_IS_BRANDED(p)) 152 return (ENOTSUP); 153 } else { 154 /* Only unbranded processes can be branded */ 155 if (PROC_IS_BRANDED(p)) 156 return (ENOTSUP); 157 brandme = B_TRUE; 158 } 159 } else { 160 /* 161 * If this is a native zone, or if the process is already 162 * branded, then we don't need to do anything. If this is 163 * a native process in a branded zone, we need to brand the 164 * process as it exec()s the new binary. 165 */ 166 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p)) 167 brandme = B_TRUE; 168 } 169 170 /* 171 * Inform /proc that an exec() has started. 172 * Hold signals that are ignored by default so that we will 173 * not be interrupted by a signal that will be ignored after 174 * successful completion of gexec(). 175 */ 176 mutex_enter(&p->p_lock); 177 prexecstart(); 178 schedctl_finish_sigblock(curthread); 179 savedmask = curthread->t_hold; 180 sigorset(&curthread->t_hold, &ignoredefault); 181 mutex_exit(&p->p_lock); 182 183 /* 184 * Look up path name and remember last component for later. 185 * To help coreadm expand its %d token, we attempt to save 186 * the directory containing the executable in p_execdir. The 187 * first call to lookuppn() may fail and return EINVAL because 188 * dirvpp is non-NULL. In that case, we make a second call to 189 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL, 190 * but coreadm is allowed to expand %d to the empty string and 191 * there are other cases in which that failure may occur. 192 */ 193 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 194 goto out; 195 pn_alloc(&resolvepn); 196 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) { 197 pn_free(&resolvepn); 198 pn_free(&pn); 199 if (error != EINVAL) 200 goto out; 201 202 dir = NULL; 203 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0) 204 goto out; 205 pn_alloc(&resolvepn); 206 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP, 207 &vp)) != 0) { 208 pn_free(&resolvepn); 209 pn_free(&pn); 210 goto out; 211 } 212 } 213 if (vp == NULL) { 214 if (dir != NULL) 215 VN_RELE(dir); 216 error = ENOENT; 217 pn_free(&resolvepn); 218 pn_free(&pn); 219 goto out; 220 } 221 222 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) { 223 if (dir != NULL) 224 VN_RELE(dir); 225 pn_free(&resolvepn); 226 pn_free(&pn); 227 VN_RELE(vp); 228 goto out; 229 } 230 231 /* 232 * We do not allow executing files in attribute directories. 233 * We test this by determining whether the resolved path 234 * contains a "/" when we're in an attribute directory; 235 * only if the pathname does not contain a "/" the resolved path 236 * points to a file in the current working (attribute) directory. 237 */ 238 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 && 239 strchr(resolvepn.pn_path, '/') == NULL) { 240 if (dir != NULL) 241 VN_RELE(dir); 242 error = EACCES; 243 pn_free(&resolvepn); 244 pn_free(&pn); 245 VN_RELE(vp); 246 goto out; 247 } 248 249 bzero(exec_file, MAXCOMLEN+1); 250 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN); 251 bzero(&args, sizeof (args)); 252 args.pathname = resolvepn.pn_path; 253 /* don't free resolvepn until we are done with args */ 254 pn_free(&pn); 255 256 /* 257 * If we're running in a profile shell, then call pfexecd. 258 */ 259 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) { 260 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred, 261 &args.scrubenv); 262 263 /* Returning errno in case we're not allowed to execute. */ 264 if (error > 0) { 265 if (dir != NULL) 266 VN_RELE(dir); 267 pn_free(&resolvepn); 268 VN_RELE(vp); 269 goto out; 270 } 271 272 /* Don't change the credentials when using old ptrace. */ 273 if (args.pfcred != NULL && 274 (p->p_proc_flag & P_PR_PTRACE) != 0) { 275 crfree(args.pfcred); 276 args.pfcred = NULL; 277 args.scrubenv = B_FALSE; 278 } 279 } 280 281 /* 282 * Specific exec handlers, or policies determined via 283 * /etc/system may override the historical default. 284 */ 285 args.stk_prot = PROT_ZFOD; 286 args.dat_prot = PROT_ZFOD; 287 288 CPU_STATS_ADD_K(sys, sysexec, 1); 289 DTRACE_PROC1(exec, char *, args.pathname); 290 291 ua.fname = fname; 292 ua.argp = argp; 293 ua.envp = envp; 294 295 /* If necessary, brand this process before we start the exec. */ 296 if (brandme) 297 brand_setbrand(p); 298 299 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz, 300 exec_file, p->p_cred, brand_action)) != 0) { 301 if (brandme) 302 brand_clearbrand(p); 303 VN_RELE(vp); 304 if (dir != NULL) 305 VN_RELE(dir); 306 pn_free(&resolvepn); 307 goto fail; 308 } 309 310 /* 311 * Free floating point registers (sun4u only) 312 */ 313 ASSERT(lwp != NULL); 314 lwp_freeregs(lwp, 1); 315 316 /* 317 * Free thread and process context ops. 318 */ 319 if (curthread->t_ctx) 320 freectx(curthread, 1); 321 if (p->p_pctx) 322 freepctx(p, 1); 323 324 /* 325 * Remember file name for accounting; clear any cached DTrace predicate. 326 */ 327 up->u_acflag &= ~AFORK; 328 bcopy(exec_file, up->u_comm, MAXCOMLEN+1); 329 curthread->t_predcache = NULL; 330 331 /* 332 * Clear contract template state 333 */ 334 lwp_ctmpl_clear(lwp); 335 336 /* 337 * Save the directory in which we found the executable for expanding 338 * the %d token used in core file patterns. 339 */ 340 mutex_enter(&p->p_lock); 341 tmpvp = p->p_execdir; 342 p->p_execdir = dir; 343 if (p->p_execdir != NULL) 344 VN_HOLD(p->p_execdir); 345 mutex_exit(&p->p_lock); 346 347 if (tmpvp != NULL) 348 VN_RELE(tmpvp); 349 350 /* 351 * Reset stack state to the user stack, clear set of signals 352 * caught on the signal stack, and reset list of signals that 353 * restart system calls; the new program's environment should 354 * not be affected by detritus from the old program. Any 355 * pending held signals remain held, so don't clear t_hold. 356 */ 357 mutex_enter(&p->p_lock); 358 lwp->lwp_oldcontext = 0; 359 lwp->lwp_ustack = 0; 360 lwp->lwp_old_stk_ctl = 0; 361 sigemptyset(&up->u_signodefer); 362 sigemptyset(&up->u_sigonstack); 363 sigemptyset(&up->u_sigresethand); 364 lwp->lwp_sigaltstack.ss_sp = 0; 365 lwp->lwp_sigaltstack.ss_size = 0; 366 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 367 368 /* 369 * Make saved resource limit == current resource limit. 370 */ 371 for (i = 0; i < RLIM_NLIMITS; i++) { 372 /*CONSTCOND*/ 373 if (RLIM_SAVED(i)) { 374 (void) rctl_rlimit_get(rctlproc_legacy[i], p, 375 &up->u_saved_rlimit[i]); 376 } 377 } 378 379 /* 380 * If the action was to catch the signal, then the action 381 * must be reset to SIG_DFL. 382 */ 383 sigdefault(p); 384 p->p_flag &= ~(SNOWAIT|SJCTL); 385 p->p_flag |= (SEXECED|SMSACCT|SMSFORK); 386 up->u_signal[SIGCLD - 1] = SIG_DFL; 387 388 /* 389 * Delete the dot4 sigqueues/signotifies. 390 */ 391 sigqfree(p); 392 393 mutex_exit(&p->p_lock); 394 395 mutex_enter(&p->p_pflock); 396 p->p_prof.pr_base = NULL; 397 p->p_prof.pr_size = 0; 398 p->p_prof.pr_off = 0; 399 p->p_prof.pr_scale = 0; 400 p->p_prof.pr_samples = 0; 401 mutex_exit(&p->p_pflock); 402 403 ASSERT(curthread->t_schedctl == NULL); 404 405 #if defined(__sparc) 406 if (p->p_utraps != NULL) 407 utrap_free(p); 408 #endif /* __sparc */ 409 410 /* 411 * Close all close-on-exec files. 412 */ 413 close_exec(P_FINFO(p)); 414 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up); 415 416 /* Unbrand ourself if necessary. */ 417 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE)) 418 brand_clearbrand(p); 419 420 setregs(&args); 421 422 /* Mark this as an executable vnode */ 423 mutex_enter(&vp->v_lock); 424 vp->v_flag |= VVMEXEC; 425 mutex_exit(&vp->v_lock); 426 427 VN_RELE(vp); 428 if (dir != NULL) 429 VN_RELE(dir); 430 pn_free(&resolvepn); 431 432 /* 433 * Allocate a new lwp directory and lwpid hash table if necessary. 434 */ 435 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) { 436 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP); 437 lwpdir->ld_next = lwpdir + 1; 438 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP); 439 if (p->p_lwpdir != NULL) 440 lep = p->p_lwpdir[curthread->t_dslot].ld_entry; 441 else 442 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP); 443 } 444 445 if (PROC_IS_BRANDED(p)) 446 BROP(p)->b_exec(); 447 448 mutex_enter(&p->p_lock); 449 prbarrier(p); 450 451 /* 452 * Reset lwp id to the default value of 1. 453 * This is a single-threaded process now 454 * and lwp #1 is lwp_wait()able by default. 455 * The t_unpark flag should not be inherited. 456 */ 457 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0); 458 curthread->t_tid = 1; 459 kpreempt_disable(); 460 ASSERT(curthread->t_lpl != NULL); 461 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid; 462 kpreempt_enable(); 463 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) { 464 lgrp_update_trthr_migrations(1); 465 } 466 curthread->t_unpark = 0; 467 curthread->t_proc_flag |= TP_TWAIT; 468 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */ 469 p->p_lwpdaemon = 0; /* but oh well ... */ 470 p->p_lwpid = 1; 471 472 /* 473 * Install the newly-allocated lwp directory and lwpid hash table 474 * and insert the current thread into the new hash table. 475 */ 476 if (lwpdir != NULL) { 477 old_lwpdir = p->p_lwpdir; 478 old_lwpdir_sz = p->p_lwpdir_sz; 479 old_tidhash = p->p_tidhash; 480 old_tidhash_sz = p->p_tidhash_sz; 481 p->p_lwpdir = p->p_lwpfree = lwpdir; 482 p->p_lwpdir_sz = 2; 483 lep->le_thread = curthread; 484 lep->le_lwpid = curthread->t_tid; 485 lep->le_start = curthread->t_start; 486 lwp_hash_in(p, lep, tidhash, 2, 0); 487 p->p_tidhash = tidhash; 488 p->p_tidhash_sz = 2; 489 } 490 ret_tidhash = p->p_ret_tidhash; 491 p->p_ret_tidhash = NULL; 492 493 /* 494 * Restore the saved signal mask and 495 * inform /proc that the exec() has finished. 496 */ 497 curthread->t_hold = savedmask; 498 prexecend(); 499 mutex_exit(&p->p_lock); 500 if (old_lwpdir) { 501 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t)); 502 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t)); 503 } 504 while (ret_tidhash != NULL) { 505 ret_tidhash_t *next = ret_tidhash->rth_next; 506 kmem_free(ret_tidhash->rth_tidhash, 507 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t)); 508 kmem_free(ret_tidhash, sizeof (*ret_tidhash)); 509 ret_tidhash = next; 510 } 511 512 ASSERT(error == 0); 513 DTRACE_PROC(exec__success); 514 return (0); 515 516 fail: 517 DTRACE_PROC1(exec__failure, int, error); 518 out: /* error return */ 519 mutex_enter(&p->p_lock); 520 curthread->t_hold = savedmask; 521 prexecend(); 522 mutex_exit(&p->p_lock); 523 ASSERT(error != 0); 524 return (error); 525 } 526 527 528 /* 529 * Perform generic exec duties and switchout to object-file specific 530 * handler. 531 */ 532 int 533 gexec( 534 struct vnode **vpp, 535 struct execa *uap, 536 struct uarg *args, 537 struct intpdata *idatap, 538 int level, 539 long *execsz, 540 caddr_t exec_file, 541 struct cred *cred, 542 int brand_action) 543 { 544 struct vnode *vp, *execvp = NULL; 545 proc_t *pp = ttoproc(curthread); 546 struct execsw *eswp; 547 int error = 0; 548 int suidflags = 0; 549 ssize_t resid; 550 uid_t uid, gid; 551 struct vattr vattr; 552 char magbuf[MAGIC_BYTES]; 553 int setid; 554 cred_t *oldcred, *newcred = NULL; 555 int privflags = 0; 556 int setidfl; 557 priv_set_t fset; 558 559 /* 560 * If the SNOCD or SUGID flag is set, turn it off and remember the 561 * previous setting so we can restore it if we encounter an error. 562 */ 563 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) { 564 mutex_enter(&pp->p_lock); 565 suidflags = pp->p_flag & PSUIDFLAGS; 566 pp->p_flag &= ~PSUIDFLAGS; 567 mutex_exit(&pp->p_lock); 568 } 569 570 if ((error = execpermissions(*vpp, &vattr, args)) != 0) 571 goto bad_noclose; 572 573 /* need to open vnode for stateful file systems */ 574 if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0) 575 goto bad_noclose; 576 vp = *vpp; 577 578 /* 579 * Note: to support binary compatibility with SunOS a.out 580 * executables, we read in the first four bytes, as the 581 * magic number is in bytes 2-3. 582 */ 583 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf), 584 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) 585 goto bad; 586 if (resid != 0) 587 goto bad; 588 589 if ((eswp = findexec_by_hdr(magbuf)) == NULL) 590 goto bad; 591 592 if (level == 0 && 593 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset, 594 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) { 595 596 /* Pfcred is a credential with a ref count of 1 */ 597 598 if (args->pfcred != NULL) { 599 privflags |= PRIV_INCREASE|PRIV_RESET; 600 newcred = cred = args->pfcred; 601 } else { 602 newcred = cred = crdup(cred); 603 } 604 605 /* If we can, drop the PA bit */ 606 if ((privflags & PRIV_RESET) != 0) 607 priv_adjust_PA(cred); 608 609 if (privflags & PRIV_SETID) { 610 cred->cr_uid = uid; 611 cred->cr_gid = gid; 612 cred->cr_suid = uid; 613 cred->cr_sgid = gid; 614 } 615 616 if (privflags & MAC_FLAGS) { 617 if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT)) 618 CR_FLAGS(cred) &= ~NET_MAC_AWARE; 619 CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT; 620 } 621 622 /* 623 * Implement the privilege updates: 624 * 625 * Restrict with L: 626 * 627 * I' = I & L 628 * 629 * E' = P' = (I' + F) & A 630 * 631 * But if running under ptrace, we cap I and F with P. 632 */ 633 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) { 634 if ((privflags & PRIV_INCREASE) != 0 && 635 (pp->p_proc_flag & P_PR_PTRACE) != 0) { 636 priv_intersect(&CR_OPPRIV(cred), 637 &CR_IPRIV(cred)); 638 priv_intersect(&CR_OPPRIV(cred), &fset); 639 } 640 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 641 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 642 if (privflags & PRIV_FORCED) { 643 priv_set_PA(cred); 644 priv_union(&fset, &CR_EPRIV(cred)); 645 priv_union(&fset, &CR_PPRIV(cred)); 646 } 647 priv_adjust_PA(cred); 648 } 649 } else if (level == 0 && args->pfcred != NULL) { 650 newcred = cred = args->pfcred; 651 privflags |= PRIV_INCREASE; 652 /* pfcred is not forced to adhere to these settings */ 653 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred)); 654 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); 655 priv_adjust_PA(cred); 656 } 657 658 /* SunOS 4.x buy-back */ 659 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) && 660 (vattr.va_mode & (VSUID|VSGID))) { 661 char path[MAXNAMELEN]; 662 refstr_t *mntpt = NULL; 663 int ret = -1; 664 665 bzero(path, sizeof (path)); 666 zone_hold(pp->p_zone); 667 668 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path, 669 sizeof (path), cred); 670 671 /* fallback to mountpoint if a path can't be found */ 672 if ((ret != 0) || (ret == 0 && path[0] == '\0')) 673 mntpt = vfs_getmntpoint(vp->v_vfsp); 674 675 if (mntpt == NULL) 676 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 677 "!uid %d: setuid execution not allowed, " 678 "file=%s", cred->cr_uid, path); 679 else 680 zcmn_err(pp->p_zone->zone_id, CE_NOTE, 681 "!uid %d: setuid execution not allowed, " 682 "fs=%s, file=%s", cred->cr_uid, 683 ZONE_PATH_TRANSLATE(refstr_value(mntpt), 684 pp->p_zone), exec_file); 685 686 if (!INGLOBALZONE(pp)) { 687 /* zone_rootpath always has trailing / */ 688 if (mntpt == NULL) 689 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 690 "setuid execution not allowed, file=%s%s", 691 pp->p_zone->zone_name, cred->cr_uid, 692 pp->p_zone->zone_rootpath, path + 1); 693 else 694 cmn_err(CE_NOTE, "!zone: %s, uid: %d " 695 "setuid execution not allowed, fs=%s, " 696 "file=%s", pp->p_zone->zone_name, 697 cred->cr_uid, refstr_value(mntpt), 698 exec_file); 699 } 700 701 if (mntpt != NULL) 702 refstr_rele(mntpt); 703 704 zone_rele(pp->p_zone); 705 } 706 707 /* 708 * execsetid() told us whether or not we had to change the 709 * credentials of the process. In privflags, it told us 710 * whether we gained any privileges or executed a set-uid executable. 711 */ 712 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED)); 713 714 /* 715 * Use /etc/system variable to determine if the stack 716 * should be marked as executable by default. 717 */ 718 if (noexec_user_stack) 719 args->stk_prot &= ~PROT_EXEC; 720 721 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */ 722 args->ex_vp = vp; 723 724 /* 725 * Traditionally, the setid flags told the sub processes whether 726 * the file just executed was set-uid or set-gid; this caused 727 * some confusion as the 'setid' flag did not match the SUGID 728 * process flag which is only set when the uids/gids do not match. 729 * A script set-gid/set-uid to the real uid/gid would start with 730 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH. 731 * Now we flag those cases where the calling process cannot 732 * be trusted to influence the newly exec'ed process, either 733 * because it runs with more privileges or when the uids/gids 734 * do in fact not match. 735 * This also makes the runtime linker agree with the on exec 736 * values of SNOCD and SUGID. 737 */ 738 setidfl = 0; 739 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid && 740 !supgroupmember(cred->cr_gid, cred))) { 741 setidfl |= EXECSETID_UGIDS; 742 } 743 if (setid & PRIV_SETUGID) 744 setidfl |= EXECSETID_SETID; 745 if (setid & PRIV_FORCED) 746 setidfl |= EXECSETID_PRIVS; 747 748 execvp = pp->p_exec; 749 if (execvp) 750 VN_HOLD(execvp); 751 752 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz, 753 setidfl, exec_file, cred, brand_action); 754 rw_exit(eswp->exec_lock); 755 if (error != 0) { 756 if (execvp) 757 VN_RELE(execvp); 758 /* 759 * If this process's p_exec has been set to the vp of 760 * the executable by exec_func, we will return without 761 * calling VOP_CLOSE because proc_exit will close it 762 * on exit. 763 */ 764 if (pp->p_exec == vp) 765 goto bad_noclose; 766 else 767 goto bad; 768 } 769 770 if (level == 0) { 771 uid_t oruid; 772 773 if (execvp != NULL) { 774 /* 775 * Close the previous executable only if we are 776 * at level 0. 777 */ 778 (void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0, 779 cred, NULL); 780 } 781 782 mutex_enter(&pp->p_crlock); 783 784 oruid = pp->p_cred->cr_ruid; 785 786 if (newcred != NULL) { 787 /* 788 * Free the old credentials, and set the new ones. 789 * Do this for both the process and the (single) thread. 790 */ 791 crfree(pp->p_cred); 792 pp->p_cred = cred; /* cred already held for proc */ 793 crhold(cred); /* hold new cred for thread */ 794 /* 795 * DTrace accesses t_cred in probe context. t_cred 796 * must always be either NULL, or point to a valid, 797 * allocated cred structure. 798 */ 799 oldcred = curthread->t_cred; 800 curthread->t_cred = cred; 801 crfree(oldcred); 802 803 if (priv_basic_test >= 0 && 804 !PRIV_ISASSERT(&CR_IPRIV(newcred), 805 priv_basic_test)) { 806 pid_t pid = pp->p_pid; 807 char *fn = PTOU(pp)->u_comm; 808 809 cmn_err(CE_WARN, "%s[%d]: exec: basic_test " 810 "privilege removed from E/I", fn, pid); 811 } 812 } 813 /* 814 * On emerging from a successful exec(), the saved 815 * uid and gid equal the effective uid and gid. 816 */ 817 cred->cr_suid = cred->cr_uid; 818 cred->cr_sgid = cred->cr_gid; 819 820 /* 821 * If the real and effective ids do not match, this 822 * is a setuid process that should not dump core. 823 * The group comparison is tricky; we prevent the code 824 * from flagging SNOCD when executing with an effective gid 825 * which is a supplementary group. 826 */ 827 if (cred->cr_ruid != cred->cr_uid || 828 (cred->cr_rgid != cred->cr_gid && 829 !supgroupmember(cred->cr_gid, cred)) || 830 (privflags & PRIV_INCREASE) != 0) 831 suidflags = PSUIDFLAGS; 832 else 833 suidflags = 0; 834 835 mutex_exit(&pp->p_crlock); 836 if (newcred != NULL && oruid != newcred->cr_ruid) { 837 /* Note that the process remains in the same zone. */ 838 mutex_enter(&pidlock); 839 upcount_dec(oruid, crgetzoneid(newcred)); 840 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred)); 841 mutex_exit(&pidlock); 842 } 843 if (suidflags) { 844 mutex_enter(&pp->p_lock); 845 pp->p_flag |= suidflags; 846 mutex_exit(&pp->p_lock); 847 } 848 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) { 849 /* 850 * If process is traced via /proc, arrange to 851 * invalidate the associated /proc vnode. 852 */ 853 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE)) 854 args->traceinval = 1; 855 } 856 if (pp->p_proc_flag & P_PR_PTRACE) 857 psignal(pp, SIGTRAP); 858 if (args->traceinval) 859 prinvalidate(&pp->p_user); 860 } 861 if (execvp) 862 VN_RELE(execvp); 863 return (0); 864 865 bad: 866 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL); 867 868 bad_noclose: 869 if (newcred != NULL) 870 crfree(newcred); 871 if (error == 0) 872 error = ENOEXEC; 873 874 if (suidflags) { 875 mutex_enter(&pp->p_lock); 876 pp->p_flag |= suidflags; 877 mutex_exit(&pp->p_lock); 878 } 879 return (error); 880 } 881 882 extern char *execswnames[]; 883 884 struct execsw * 885 allocate_execsw(char *name, char *magic, size_t magic_size) 886 { 887 int i, j; 888 char *ename; 889 char *magicp; 890 891 mutex_enter(&execsw_lock); 892 for (i = 0; i < nexectype; i++) { 893 if (execswnames[i] == NULL) { 894 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP); 895 (void) strcpy(ename, name); 896 execswnames[i] = ename; 897 /* 898 * Set the magic number last so that we 899 * don't need to hold the execsw_lock in 900 * findexectype(). 901 */ 902 magicp = kmem_alloc(magic_size, KM_SLEEP); 903 for (j = 0; j < magic_size; j++) 904 magicp[j] = magic[j]; 905 execsw[i].exec_magic = magicp; 906 mutex_exit(&execsw_lock); 907 return (&execsw[i]); 908 } 909 } 910 mutex_exit(&execsw_lock); 911 return (NULL); 912 } 913 914 /* 915 * Find the exec switch table entry with the corresponding magic string. 916 */ 917 struct execsw * 918 findexecsw(char *magic) 919 { 920 struct execsw *eswp; 921 922 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 923 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 924 if (magic && eswp->exec_maglen != 0 && 925 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) 926 return (eswp); 927 } 928 return (NULL); 929 } 930 931 /* 932 * Find the execsw[] index for the given exec header string by looking for the 933 * magic string at a specified offset and length for each kind of executable 934 * file format until one matches. If no execsw[] entry is found, try to 935 * autoload a module for this magic string. 936 */ 937 struct execsw * 938 findexec_by_hdr(char *header) 939 { 940 struct execsw *eswp; 941 942 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 943 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 944 if (header && eswp->exec_maglen != 0 && 945 bcmp(&header[eswp->exec_magoff], eswp->exec_magic, 946 eswp->exec_maglen) == 0) { 947 if (hold_execsw(eswp) != 0) 948 return (NULL); 949 return (eswp); 950 } 951 } 952 return (NULL); /* couldn't find the type */ 953 } 954 955 /* 956 * Find the execsw[] index for the given magic string. If no execsw[] entry 957 * is found, try to autoload a module for this magic string. 958 */ 959 struct execsw * 960 findexec_by_magic(char *magic) 961 { 962 struct execsw *eswp; 963 964 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) { 965 ASSERT(eswp->exec_maglen <= MAGIC_BYTES); 966 if (magic && eswp->exec_maglen != 0 && 967 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) { 968 if (hold_execsw(eswp) != 0) 969 return (NULL); 970 return (eswp); 971 } 972 } 973 return (NULL); /* couldn't find the type */ 974 } 975 976 static int 977 hold_execsw(struct execsw *eswp) 978 { 979 char *name; 980 981 rw_enter(eswp->exec_lock, RW_READER); 982 while (!LOADED_EXEC(eswp)) { 983 rw_exit(eswp->exec_lock); 984 name = execswnames[eswp-execsw]; 985 ASSERT(name); 986 if (modload("exec", name) == -1) 987 return (-1); 988 rw_enter(eswp->exec_lock, RW_READER); 989 } 990 return (0); 991 } 992 993 static int 994 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp, 995 priv_set_t *fset, cred_t *cr, const char *pathname) 996 { 997 proc_t *pp = ttoproc(curthread); 998 uid_t uid, gid; 999 int privflags = 0; 1000 1001 /* 1002 * Remember credentials. 1003 */ 1004 uid = cr->cr_uid; 1005 gid = cr->cr_gid; 1006 1007 /* Will try to reset the PRIV_AWARE bit later. */ 1008 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE) 1009 privflags |= PRIV_RESET; 1010 1011 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) { 1012 /* 1013 * If it's a set-uid root program we perform the 1014 * forced privilege look-aside. This has three possible 1015 * outcomes: 1016 * no look aside information -> treat as before 1017 * look aside in Limit set -> apply forced privs 1018 * look aside not in Limit set -> ignore set-uid root 1019 * 1020 * Ordinary set-uid root execution only allowed if the limit 1021 * set holds all unsafe privileges. 1022 */ 1023 if (vattrp->va_mode & VSUID) { 1024 if (vattrp->va_uid == 0) { 1025 int res = get_forced_privs(cr, pathname, fset); 1026 1027 switch (res) { 1028 case -1: 1029 if (priv_issubset(&priv_unsafe, 1030 &CR_LPRIV(cr))) { 1031 uid = vattrp->va_uid; 1032 privflags |= PRIV_SETUGID; 1033 } 1034 break; 1035 case 0: 1036 privflags |= PRIV_FORCED|PRIV_INCREASE; 1037 break; 1038 default: 1039 break; 1040 } 1041 } else { 1042 uid = vattrp->va_uid; 1043 privflags |= PRIV_SETUGID; 1044 } 1045 } 1046 if (vattrp->va_mode & VSGID) { 1047 gid = vattrp->va_gid; 1048 privflags |= PRIV_SETUGID; 1049 } 1050 } 1051 1052 /* 1053 * Do we need to change our credential anyway? 1054 * This is the case when E != I or P != I, as 1055 * we need to do the assignments (with F empty and A full) 1056 * Or when I is not a subset of L; in that case we need to 1057 * enforce L. 1058 * 1059 * I' = L & I 1060 * 1061 * E' = P' = (I' + F) & A 1062 * or 1063 * E' = P' = I' 1064 */ 1065 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) || 1066 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) || 1067 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr))) 1068 privflags |= PRIV_RESET; 1069 1070 /* Child has more privileges than parent */ 1071 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr))) 1072 privflags |= PRIV_INCREASE; 1073 1074 /* If MAC-aware flag(s) are on, need to update cred to remove. */ 1075 if ((CR_FLAGS(cr) & NET_MAC_AWARE) || 1076 (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT)) 1077 privflags |= MAC_FLAGS; 1078 /* 1079 * Set setuid/setgid protections if no ptrace() compatibility. 1080 * For privileged processes, honor setuid/setgid even in 1081 * the presence of ptrace() compatibility. 1082 */ 1083 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 || 1084 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) && 1085 (cr->cr_uid != uid || 1086 cr->cr_gid != gid || 1087 cr->cr_suid != uid || 1088 cr->cr_sgid != gid)) { 1089 *uidp = uid; 1090 *gidp = gid; 1091 privflags |= PRIV_SETID; 1092 } 1093 return (privflags); 1094 } 1095 1096 int 1097 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args) 1098 { 1099 int error; 1100 proc_t *p = ttoproc(curthread); 1101 1102 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE; 1103 if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL)) 1104 return (error); 1105 /* 1106 * Check the access mode. 1107 * If VPROC, ask /proc if the file is an object file. 1108 */ 1109 if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 || 1110 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) || 1111 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 || 1112 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) { 1113 if (error == 0) 1114 error = EACCES; 1115 return (error); 1116 } 1117 1118 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) && 1119 (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) { 1120 /* 1121 * If process is under ptrace(2) compatibility, 1122 * fail the exec(2). 1123 */ 1124 if (p->p_proc_flag & P_PR_PTRACE) 1125 goto bad; 1126 /* 1127 * Process is traced via /proc. 1128 * Arrange to invalidate the /proc vnode. 1129 */ 1130 args->traceinval = 1; 1131 } 1132 return (0); 1133 bad: 1134 if (error == 0) 1135 error = ENOEXEC; 1136 return (error); 1137 } 1138 1139 /* 1140 * Map a section of an executable file into the user's 1141 * address space. 1142 */ 1143 int 1144 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen, 1145 off_t offset, int prot, int page, uint_t szc) 1146 { 1147 int error = 0; 1148 off_t oldoffset; 1149 caddr_t zfodbase, oldaddr; 1150 size_t end, oldlen; 1151 size_t zfoddiff; 1152 label_t ljb; 1153 proc_t *p = ttoproc(curthread); 1154 1155 oldaddr = addr; 1156 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK); 1157 if (len) { 1158 oldlen = len; 1159 len += ((size_t)oldaddr - (size_t)addr); 1160 oldoffset = offset; 1161 offset = (off_t)((uintptr_t)offset & PAGEMASK); 1162 if (page) { 1163 spgcnt_t prefltmem, availm, npages; 1164 int preread; 1165 uint_t mflag = MAP_PRIVATE | MAP_FIXED; 1166 1167 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) { 1168 mflag |= MAP_TEXT; 1169 } else { 1170 mflag |= MAP_INITDATA; 1171 } 1172 1173 if (valid_usr_range(addr, len, prot, p->p_as, 1174 p->p_as->a_userlimit) != RANGE_OKAY) { 1175 error = ENOMEM; 1176 goto bad; 1177 } 1178 if (error = VOP_MAP(vp, (offset_t)offset, 1179 p->p_as, &addr, len, prot, PROT_ALL, 1180 mflag, CRED(), NULL)) 1181 goto bad; 1182 1183 /* 1184 * If the segment can fit, then we prefault 1185 * the entire segment in. This is based on the 1186 * model that says the best working set of a 1187 * small program is all of its pages. 1188 */ 1189 npages = (spgcnt_t)btopr(len); 1190 prefltmem = freemem - desfree; 1191 preread = 1192 (npages < prefltmem && len < PGTHRESH) ? 1 : 0; 1193 1194 /* 1195 * If we aren't prefaulting the segment, 1196 * increment "deficit", if necessary to ensure 1197 * that pages will become available when this 1198 * process starts executing. 1199 */ 1200 availm = freemem - lotsfree; 1201 if (preread == 0 && npages > availm && 1202 deficit < lotsfree) { 1203 deficit += MIN((pgcnt_t)(npages - availm), 1204 lotsfree - deficit); 1205 } 1206 1207 if (preread) { 1208 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD, 1209 "execmap preread:freemem %d size %lu", 1210 freemem, len); 1211 (void) as_fault(p->p_as->a_hat, p->p_as, 1212 (caddr_t)addr, len, F_INVAL, S_READ); 1213 } 1214 } else { 1215 if (valid_usr_range(addr, len, prot, p->p_as, 1216 p->p_as->a_userlimit) != RANGE_OKAY) { 1217 error = ENOMEM; 1218 goto bad; 1219 } 1220 1221 if (error = as_map(p->p_as, addr, len, 1222 segvn_create, zfod_argsp)) 1223 goto bad; 1224 /* 1225 * Read in the segment in one big chunk. 1226 */ 1227 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr, 1228 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0, 1229 (rlim64_t)0, CRED(), (ssize_t *)0)) 1230 goto bad; 1231 /* 1232 * Now set protections. 1233 */ 1234 if (prot != PROT_ZFOD) { 1235 (void) as_setprot(p->p_as, (caddr_t)addr, 1236 len, prot); 1237 } 1238 } 1239 } 1240 1241 if (zfodlen) { 1242 struct as *as = curproc->p_as; 1243 struct seg *seg; 1244 uint_t zprot = 0; 1245 1246 end = (size_t)addr + len; 1247 zfodbase = (caddr_t)roundup(end, PAGESIZE); 1248 zfoddiff = (uintptr_t)zfodbase - end; 1249 if (zfoddiff) { 1250 /* 1251 * Before we go to zero the remaining space on the last 1252 * page, make sure we have write permission. 1253 */ 1254 1255 AS_LOCK_ENTER(as, &as->a_lock, RW_READER); 1256 seg = as_segat(curproc->p_as, (caddr_t)end); 1257 if (seg != NULL) 1258 SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1, 1259 &zprot); 1260 AS_LOCK_EXIT(as, &as->a_lock); 1261 1262 if (seg != NULL && (zprot & PROT_WRITE) == 0) { 1263 (void) as_setprot(as, (caddr_t)end, 1264 zfoddiff - 1, zprot | PROT_WRITE); 1265 } 1266 1267 if (on_fault(&ljb)) { 1268 no_fault(); 1269 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1270 (void) as_setprot(as, (caddr_t)end, 1271 zfoddiff - 1, zprot); 1272 error = EFAULT; 1273 goto bad; 1274 } 1275 uzero((void *)end, zfoddiff); 1276 no_fault(); 1277 if (seg != NULL && (zprot & PROT_WRITE) == 0) 1278 (void) as_setprot(as, (caddr_t)end, 1279 zfoddiff - 1, zprot); 1280 } 1281 if (zfodlen > zfoddiff) { 1282 struct segvn_crargs crargs = 1283 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL); 1284 1285 zfodlen -= zfoddiff; 1286 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as, 1287 p->p_as->a_userlimit) != RANGE_OKAY) { 1288 error = ENOMEM; 1289 goto bad; 1290 } 1291 if (szc > 0) { 1292 /* 1293 * ASSERT alignment because the mapelfexec() 1294 * caller for the szc > 0 case extended zfod 1295 * so it's end is pgsz aligned. 1296 */ 1297 size_t pgsz = page_get_pagesize(szc); 1298 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz)); 1299 1300 if (IS_P2ALIGNED(zfodbase, pgsz)) { 1301 crargs.szc = szc; 1302 } else { 1303 crargs.szc = AS_MAP_HEAP; 1304 } 1305 } else { 1306 crargs.szc = AS_MAP_NO_LPOOB; 1307 } 1308 if (error = as_map(p->p_as, (caddr_t)zfodbase, 1309 zfodlen, segvn_create, &crargs)) 1310 goto bad; 1311 if (prot != PROT_ZFOD) { 1312 (void) as_setprot(p->p_as, (caddr_t)zfodbase, 1313 zfodlen, prot); 1314 } 1315 } 1316 } 1317 return (0); 1318 bad: 1319 return (error); 1320 } 1321 1322 void 1323 setexecenv(struct execenv *ep) 1324 { 1325 proc_t *p = ttoproc(curthread); 1326 klwp_t *lwp = ttolwp(curthread); 1327 struct vnode *vp; 1328 1329 p->p_bssbase = ep->ex_bssbase; 1330 p->p_brkbase = ep->ex_brkbase; 1331 p->p_brksize = ep->ex_brksize; 1332 if (p->p_exec) 1333 VN_RELE(p->p_exec); /* out with the old */ 1334 vp = p->p_exec = ep->ex_vp; 1335 if (vp != NULL) 1336 VN_HOLD(vp); /* in with the new */ 1337 1338 lwp->lwp_sigaltstack.ss_sp = 0; 1339 lwp->lwp_sigaltstack.ss_size = 0; 1340 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE; 1341 } 1342 1343 int 1344 execopen(struct vnode **vpp, int *fdp) 1345 { 1346 struct vnode *vp = *vpp; 1347 file_t *fp; 1348 int error = 0; 1349 int filemode = FREAD; 1350 1351 VN_HOLD(vp); /* open reference */ 1352 if (error = falloc(NULL, filemode, &fp, fdp)) { 1353 VN_RELE(vp); 1354 *fdp = -1; /* just in case falloc changed value */ 1355 return (error); 1356 } 1357 if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) { 1358 VN_RELE(vp); 1359 setf(*fdp, NULL); 1360 unfalloc(fp); 1361 *fdp = -1; 1362 return (error); 1363 } 1364 *vpp = vp; /* vnode should not have changed */ 1365 fp->f_vnode = vp; 1366 mutex_exit(&fp->f_tlock); 1367 setf(*fdp, fp); 1368 return (0); 1369 } 1370 1371 int 1372 execclose(int fd) 1373 { 1374 return (closeandsetf(fd, NULL)); 1375 } 1376 1377 1378 /* 1379 * noexec stub function. 1380 */ 1381 /*ARGSUSED*/ 1382 int 1383 noexec( 1384 struct vnode *vp, 1385 struct execa *uap, 1386 struct uarg *args, 1387 struct intpdata *idatap, 1388 int level, 1389 long *execsz, 1390 int setid, 1391 caddr_t exec_file, 1392 struct cred *cred) 1393 { 1394 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname); 1395 return (ENOEXEC); 1396 } 1397 1398 /* 1399 * Support routines for building a user stack. 1400 * 1401 * execve(path, argv, envp) must construct a new stack with the specified 1402 * arguments and environment variables (see exec_args() for a description 1403 * of the user stack layout). To do this, we copy the arguments and 1404 * environment variables from the old user address space into the kernel, 1405 * free the old as, create the new as, and copy our buffered information 1406 * to the new stack. Our kernel buffer has the following structure: 1407 * 1408 * +-----------------------+ <--- stk_base + stk_size 1409 * | string offsets | 1410 * +-----------------------+ <--- stk_offp 1411 * | | 1412 * | STK_AVAIL() space | 1413 * | | 1414 * +-----------------------+ <--- stk_strp 1415 * | strings | 1416 * +-----------------------+ <--- stk_base 1417 * 1418 * When we add a string, we store the string's contents (including the null 1419 * terminator) at stk_strp, and we store the offset of the string relative to 1420 * stk_base at --stk_offp. At strings are added, stk_strp increases and 1421 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just 1422 * the difference between these pointers. If we run out of space, we return 1423 * an error and exec_args() starts all over again with a buffer twice as large. 1424 * When we're all done, the kernel buffer looks like this: 1425 * 1426 * +-----------------------+ <--- stk_base + stk_size 1427 * | argv[0] offset | 1428 * +-----------------------+ 1429 * | ... | 1430 * +-----------------------+ 1431 * | argv[argc-1] offset | 1432 * +-----------------------+ 1433 * | envp[0] offset | 1434 * +-----------------------+ 1435 * | ... | 1436 * +-----------------------+ 1437 * | envp[envc-1] offset | 1438 * +-----------------------+ 1439 * | AT_SUN_PLATFORM offset| 1440 * +-----------------------+ 1441 * | AT_SUN_EXECNAME offset| 1442 * +-----------------------+ <--- stk_offp 1443 * | | 1444 * | STK_AVAIL() space | 1445 * | | 1446 * +-----------------------+ <--- stk_strp 1447 * | AT_SUN_EXECNAME offset| 1448 * +-----------------------+ 1449 * | AT_SUN_PLATFORM offset| 1450 * +-----------------------+ 1451 * | envp[envc-1] string | 1452 * +-----------------------+ 1453 * | ... | 1454 * +-----------------------+ 1455 * | envp[0] string | 1456 * +-----------------------+ 1457 * | argv[argc-1] string | 1458 * +-----------------------+ 1459 * | ... | 1460 * +-----------------------+ 1461 * | argv[0] string | 1462 * +-----------------------+ <--- stk_base 1463 */ 1464 1465 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp) 1466 1467 /* 1468 * Add a string to the stack. 1469 */ 1470 static int 1471 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg) 1472 { 1473 int error; 1474 size_t len; 1475 1476 if (STK_AVAIL(args) < sizeof (int)) 1477 return (E2BIG); 1478 *--args->stk_offp = args->stk_strp - args->stk_base; 1479 1480 if (segflg == UIO_USERSPACE) { 1481 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len); 1482 if (error != 0) 1483 return (error); 1484 } else { 1485 len = strlen(sp) + 1; 1486 if (len > STK_AVAIL(args)) 1487 return (E2BIG); 1488 bcopy(sp, args->stk_strp, len); 1489 } 1490 1491 args->stk_strp += len; 1492 1493 return (0); 1494 } 1495 1496 static int 1497 stk_getptr(uarg_t *args, char *src, char **dst) 1498 { 1499 int error; 1500 1501 if (args->from_model == DATAMODEL_NATIVE) { 1502 ulong_t ptr; 1503 error = fulword(src, &ptr); 1504 *dst = (caddr_t)ptr; 1505 } else { 1506 uint32_t ptr; 1507 error = fuword32(src, &ptr); 1508 *dst = (caddr_t)(uintptr_t)ptr; 1509 } 1510 return (error); 1511 } 1512 1513 static int 1514 stk_putptr(uarg_t *args, char *addr, char *value) 1515 { 1516 if (args->to_model == DATAMODEL_NATIVE) 1517 return (sulword(addr, (ulong_t)value)); 1518 else 1519 return (suword32(addr, (uint32_t)(uintptr_t)value)); 1520 } 1521 1522 static int 1523 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1524 { 1525 char *sp; 1526 int argc, error; 1527 int argv_empty = 0; 1528 size_t ptrsize = args->from_ptrsize; 1529 size_t size, pad; 1530 char *argv = (char *)uap->argp; 1531 char *envp = (char *)uap->envp; 1532 1533 /* 1534 * Copy interpreter's name and argument to argv[0] and argv[1]. 1535 */ 1536 if (intp != NULL && intp->intp_name != NULL) { 1537 if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0) 1538 return (error); 1539 if (intp->intp_arg != NULL && 1540 (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0) 1541 return (error); 1542 if (args->fname != NULL) 1543 error = stk_add(args, args->fname, UIO_SYSSPACE); 1544 else 1545 error = stk_add(args, uap->fname, UIO_USERSPACE); 1546 if (error) 1547 return (error); 1548 1549 /* 1550 * Check for an empty argv[]. 1551 */ 1552 if (stk_getptr(args, argv, &sp)) 1553 return (EFAULT); 1554 if (sp == NULL) 1555 argv_empty = 1; 1556 1557 argv += ptrsize; /* ignore original argv[0] */ 1558 } 1559 1560 if (argv_empty == 0) { 1561 /* 1562 * Add argv[] strings to the stack. 1563 */ 1564 for (;;) { 1565 if (stk_getptr(args, argv, &sp)) 1566 return (EFAULT); 1567 if (sp == NULL) 1568 break; 1569 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1570 return (error); 1571 argv += ptrsize; 1572 } 1573 } 1574 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1575 args->arglen = args->stk_strp - args->stk_base; 1576 1577 /* 1578 * Add environ[] strings to the stack. 1579 */ 1580 if (envp != NULL) { 1581 for (;;) { 1582 char *tmp = args->stk_strp; 1583 if (stk_getptr(args, envp, &sp)) 1584 return (EFAULT); 1585 if (sp == NULL) 1586 break; 1587 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0) 1588 return (error); 1589 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) { 1590 /* Undo the copied string */ 1591 args->stk_strp = tmp; 1592 *(args->stk_offp++) = NULL; 1593 } 1594 envp += ptrsize; 1595 } 1596 } 1597 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp; 1598 args->ne = args->na - argc; 1599 1600 /* 1601 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and 1602 * AT_SUN_EMULATOR strings to the stack. 1603 */ 1604 if (auxvpp != NULL && *auxvpp != NULL) { 1605 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0) 1606 return (error); 1607 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0) 1608 return (error); 1609 if (args->brandname != NULL && 1610 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0) 1611 return (error); 1612 if (args->emulator != NULL && 1613 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0) 1614 return (error); 1615 } 1616 1617 /* 1618 * Compute the size of the stack. This includes all the pointers, 1619 * the space reserved for the aux vector, and all the strings. 1620 * The total number of pointers is args->na (which is argc + envc) 1621 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL 1622 * after the last argument (i.e. argv[argc]); (3) the NULL after the 1623 * last environment variable (i.e. envp[envc]); and (4) the NULL after 1624 * all the strings, at the very top of the stack. 1625 */ 1626 size = (args->na + 4) * args->to_ptrsize + args->auxsize + 1627 (args->stk_strp - args->stk_base); 1628 1629 /* 1630 * Pad the string section with zeroes to align the stack size. 1631 */ 1632 pad = P2NPHASE(size, args->stk_align); 1633 1634 if (STK_AVAIL(args) < pad) 1635 return (E2BIG); 1636 1637 args->usrstack_size = size + pad; 1638 1639 while (pad-- != 0) 1640 *args->stk_strp++ = 0; 1641 1642 args->nc = args->stk_strp - args->stk_base; 1643 1644 return (0); 1645 } 1646 1647 static int 1648 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up) 1649 { 1650 size_t ptrsize = args->to_ptrsize; 1651 ssize_t pslen; 1652 char *kstrp = args->stk_base; 1653 char *ustrp = usrstack - args->nc - ptrsize; 1654 char *usp = usrstack - args->usrstack_size; 1655 int *offp = (int *)(args->stk_base + args->stk_size); 1656 int envc = args->ne; 1657 int argc = args->na - envc; 1658 int i; 1659 1660 /* 1661 * Record argc for /proc. 1662 */ 1663 up->u_argc = argc; 1664 1665 /* 1666 * Put argc on the stack. Note that even though it's an int, 1667 * it always consumes ptrsize bytes (for alignment). 1668 */ 1669 if (stk_putptr(args, usp, (char *)(uintptr_t)argc)) 1670 return (-1); 1671 1672 /* 1673 * Add argc space (ptrsize) to usp and record argv for /proc. 1674 */ 1675 up->u_argv = (uintptr_t)(usp += ptrsize); 1676 1677 /* 1678 * Put the argv[] pointers on the stack. 1679 */ 1680 for (i = 0; i < argc; i++, usp += ptrsize) 1681 if (stk_putptr(args, usp, &ustrp[*--offp])) 1682 return (-1); 1683 1684 /* 1685 * Copy arguments to u_psargs. 1686 */ 1687 pslen = MIN(args->arglen, PSARGSZ) - 1; 1688 for (i = 0; i < pslen; i++) 1689 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]); 1690 while (i < PSARGSZ) 1691 up->u_psargs[i++] = '\0'; 1692 1693 /* 1694 * Add space for argv[]'s NULL terminator (ptrsize) to usp and 1695 * record envp for /proc. 1696 */ 1697 up->u_envp = (uintptr_t)(usp += ptrsize); 1698 1699 /* 1700 * Put the envp[] pointers on the stack. 1701 */ 1702 for (i = 0; i < envc; i++, usp += ptrsize) 1703 if (stk_putptr(args, usp, &ustrp[*--offp])) 1704 return (-1); 1705 1706 /* 1707 * Add space for envp[]'s NULL terminator (ptrsize) to usp and 1708 * remember where the stack ends, which is also where auxv begins. 1709 */ 1710 args->stackend = usp += ptrsize; 1711 1712 /* 1713 * Put all the argv[], envp[], and auxv strings on the stack. 1714 */ 1715 if (copyout(args->stk_base, ustrp, args->nc)) 1716 return (-1); 1717 1718 /* 1719 * Fill in the aux vector now that we know the user stack addresses 1720 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and 1721 * AT_SUN_EMULATOR strings. 1722 */ 1723 if (auxvpp != NULL && *auxvpp != NULL) { 1724 if (args->to_model == DATAMODEL_NATIVE) { 1725 auxv_t **a = (auxv_t **)auxvpp; 1726 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp]) 1727 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp]) 1728 if (args->brandname != NULL) 1729 ADDAUX(*a, 1730 AT_SUN_BRANDNAME, (long)&ustrp[*--offp]) 1731 if (args->emulator != NULL) 1732 ADDAUX(*a, 1733 AT_SUN_EMULATOR, (long)&ustrp[*--offp]) 1734 } else { 1735 auxv32_t **a = (auxv32_t **)auxvpp; 1736 ADDAUX(*a, 1737 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp]) 1738 ADDAUX(*a, 1739 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp]) 1740 if (args->brandname != NULL) 1741 ADDAUX(*a, AT_SUN_BRANDNAME, 1742 (int)(uintptr_t)&ustrp[*--offp]) 1743 if (args->emulator != NULL) 1744 ADDAUX(*a, AT_SUN_EMULATOR, 1745 (int)(uintptr_t)&ustrp[*--offp]) 1746 } 1747 } 1748 1749 return (0); 1750 } 1751 1752 /* 1753 * Initialize a new user stack with the specified arguments and environment. 1754 * The initial user stack layout is as follows: 1755 * 1756 * User Stack 1757 * +---------------+ <--- curproc->p_usrstack 1758 * | | 1759 * | slew | 1760 * | | 1761 * +---------------+ 1762 * | NULL | 1763 * +---------------+ 1764 * | | 1765 * | auxv strings | 1766 * | | 1767 * +---------------+ 1768 * | | 1769 * | envp strings | 1770 * | | 1771 * +---------------+ 1772 * | | 1773 * | argv strings | 1774 * | | 1775 * +---------------+ <--- ustrp 1776 * | | 1777 * | aux vector | 1778 * | | 1779 * +---------------+ <--- auxv 1780 * | NULL | 1781 * +---------------+ 1782 * | envp[envc-1] | 1783 * +---------------+ 1784 * | ... | 1785 * +---------------+ 1786 * | envp[0] | 1787 * +---------------+ <--- envp[] 1788 * | NULL | 1789 * +---------------+ 1790 * | argv[argc-1] | 1791 * +---------------+ 1792 * | ... | 1793 * +---------------+ 1794 * | argv[0] | 1795 * +---------------+ <--- argv[] 1796 * | argc | 1797 * +---------------+ <--- stack base 1798 */ 1799 int 1800 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp) 1801 { 1802 size_t size; 1803 int error; 1804 proc_t *p = ttoproc(curthread); 1805 user_t *up = PTOU(p); 1806 char *usrstack; 1807 rctl_entity_p_t e; 1808 struct as *as; 1809 extern int use_stk_lpg; 1810 size_t sp_slew; 1811 1812 args->from_model = p->p_model; 1813 if (p->p_model == DATAMODEL_NATIVE) { 1814 args->from_ptrsize = sizeof (long); 1815 } else { 1816 args->from_ptrsize = sizeof (int32_t); 1817 } 1818 1819 if (args->to_model == DATAMODEL_NATIVE) { 1820 args->to_ptrsize = sizeof (long); 1821 args->ncargs = NCARGS; 1822 args->stk_align = STACK_ALIGN; 1823 if (args->addr32) 1824 usrstack = (char *)USRSTACK64_32; 1825 else 1826 usrstack = (char *)USRSTACK; 1827 } else { 1828 args->to_ptrsize = sizeof (int32_t); 1829 args->ncargs = NCARGS32; 1830 args->stk_align = STACK_ALIGN32; 1831 usrstack = (char *)USRSTACK32; 1832 } 1833 1834 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0); 1835 1836 #if defined(__sparc) 1837 /* 1838 * Make sure user register windows are empty before 1839 * attempting to make a new stack. 1840 */ 1841 (void) flush_user_windows_to_stack(NULL); 1842 #endif 1843 1844 for (size = PAGESIZE; ; size *= 2) { 1845 args->stk_size = size; 1846 args->stk_base = kmem_alloc(size, KM_SLEEP); 1847 args->stk_strp = args->stk_base; 1848 args->stk_offp = (int *)(args->stk_base + size); 1849 error = stk_copyin(uap, args, intp, auxvpp); 1850 if (error == 0) 1851 break; 1852 kmem_free(args->stk_base, size); 1853 if (error != E2BIG && error != ENAMETOOLONG) 1854 return (error); 1855 if (size >= args->ncargs) 1856 return (E2BIG); 1857 } 1858 1859 size = args->usrstack_size; 1860 1861 ASSERT(error == 0); 1862 ASSERT(P2PHASE(size, args->stk_align) == 0); 1863 ASSERT((ssize_t)STK_AVAIL(args) >= 0); 1864 1865 if (size > args->ncargs) { 1866 kmem_free(args->stk_base, args->stk_size); 1867 return (E2BIG); 1868 } 1869 1870 /* 1871 * Leave only the current lwp and force the other lwps to exit. 1872 * If another lwp beat us to the punch by calling exit(), bail out. 1873 */ 1874 if ((error = exitlwps(0)) != 0) { 1875 kmem_free(args->stk_base, args->stk_size); 1876 return (error); 1877 } 1878 1879 /* 1880 * Revoke any doors created by the process. 1881 */ 1882 if (p->p_door_list) 1883 door_exit(); 1884 1885 /* 1886 * Release schedctl data structures. 1887 */ 1888 if (p->p_pagep) 1889 schedctl_proc_cleanup(); 1890 1891 /* 1892 * Clean up any DTrace helpers for the process. 1893 */ 1894 if (p->p_dtrace_helpers != NULL) { 1895 ASSERT(dtrace_helpers_cleanup != NULL); 1896 (*dtrace_helpers_cleanup)(); 1897 } 1898 1899 mutex_enter(&p->p_lock); 1900 /* 1901 * Cleanup the DTrace provider associated with this process. 1902 */ 1903 if (p->p_dtrace_probes) { 1904 ASSERT(dtrace_fasttrap_exec_ptr != NULL); 1905 dtrace_fasttrap_exec_ptr(p); 1906 } 1907 mutex_exit(&p->p_lock); 1908 1909 /* 1910 * discard the lwpchan cache. 1911 */ 1912 if (p->p_lcp != NULL) 1913 lwpchan_destroy_cache(1); 1914 1915 /* 1916 * Delete the POSIX timers. 1917 */ 1918 if (p->p_itimer != NULL) 1919 timer_exit(); 1920 1921 /* 1922 * Delete the ITIMER_REALPROF interval timer. 1923 * The other ITIMER_* interval timers are specified 1924 * to be inherited across exec(). 1925 */ 1926 delete_itimer_realprof(); 1927 1928 if (AU_AUDITING()) 1929 audit_exec(args->stk_base, args->stk_base + args->arglen, 1930 args->na - args->ne, args->ne, args->pfcred); 1931 1932 /* 1933 * Ensure that we don't change resource associations while we 1934 * change address spaces. 1935 */ 1936 mutex_enter(&p->p_lock); 1937 pool_barrier_enter(); 1938 mutex_exit(&p->p_lock); 1939 1940 /* 1941 * Destroy the old address space and create a new one. 1942 * From here on, any errors are fatal to the exec()ing process. 1943 * On error we return -1, which means the caller must SIGKILL 1944 * the process. 1945 */ 1946 relvm(); 1947 1948 mutex_enter(&p->p_lock); 1949 pool_barrier_exit(); 1950 mutex_exit(&p->p_lock); 1951 1952 up->u_execsw = args->execswp; 1953 1954 p->p_brkbase = NULL; 1955 p->p_brksize = 0; 1956 p->p_brkpageszc = 0; 1957 p->p_stksize = 0; 1958 p->p_stkpageszc = 0; 1959 p->p_model = args->to_model; 1960 p->p_usrstack = usrstack; 1961 p->p_stkprot = args->stk_prot; 1962 p->p_datprot = args->dat_prot; 1963 1964 /* 1965 * Reset resource controls such that all controls are again active as 1966 * well as appropriate to the potentially new address model for the 1967 * process. 1968 */ 1969 e.rcep_p.proc = p; 1970 e.rcep_t = RCENTITY_PROCESS; 1971 rctl_set_reset(p->p_rctls, p, &e); 1972 1973 /* Too early to call map_pgsz for the heap */ 1974 if (use_stk_lpg) { 1975 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0)); 1976 } 1977 1978 mutex_enter(&p->p_lock); 1979 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */ 1980 mutex_exit(&p->p_lock); 1981 1982 /* 1983 * Some platforms may choose to randomize real stack start by adding a 1984 * small slew (not more than a few hundred bytes) to the top of the 1985 * stack. This helps avoid cache thrashing when identical processes 1986 * simultaneously share caches that don't provide enough associativity 1987 * (e.g. sun4v systems). In this case stack slewing makes the same hot 1988 * stack variables in different processes to live in different cache 1989 * sets increasing effective associativity. 1990 */ 1991 sp_slew = exec_get_spslew(); 1992 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0); 1993 exec_set_sp(size + sp_slew); 1994 1995 as = as_alloc(); 1996 p->p_as = as; 1997 as->a_proc = p; 1998 if (p->p_model == DATAMODEL_ILP32 || args->addr32) 1999 as->a_userlimit = (caddr_t)USERLIMIT32; 2000 (void) hat_setup(as->a_hat, HAT_ALLOC); 2001 hat_join_srd(as->a_hat, args->ex_vp); 2002 2003 /* 2004 * Finally, write out the contents of the new stack. 2005 */ 2006 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up); 2007 kmem_free(args->stk_base, args->stk_size); 2008 return (error); 2009 } 2010