xref: /titanic_50/usr/src/uts/common/os/exec.c (revision f38cb554a534c6df738be3f4d23327e69888e634)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*	Copyright (c) 1988 AT&T	*/
27 /*	  All Rights Reserved  	*/
28 /*
29  * Copyright (c) 2012, Joyent, Inc.  All rights reserved.
30  */
31 
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72 
73 #include <c2/audit.h>
74 
75 #include <vm/hat.h>
76 #include <vm/anon.h>
77 #include <vm/as.h>
78 #include <vm/seg.h>
79 #include <vm/seg_vn.h>
80 
81 #define	PRIV_RESET		0x01	/* needs to reset privs */
82 #define	PRIV_SETID		0x02	/* needs to change uids */
83 #define	PRIV_SETUGID		0x04	/* is setuid/setgid/forced privs */
84 #define	PRIV_INCREASE		0x08	/* child runs with more privs */
85 #define	MAC_FLAGS		0x10	/* need to adjust MAC flags */
86 #define	PRIV_FORCED		0x20	/* has forced privileges */
87 
88 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
89     priv_set_t *, cred_t *, const char *);
90 static int hold_execsw(struct execsw *);
91 
92 uint_t auxv_hwcap = 0;	/* auxv AT_SUN_HWCAP value; determined on the fly */
93 uint_t auxv_hwcap_2 = 0;	/* AT_SUN_HWCAP2 */
94 #if defined(_SYSCALL32_IMPL)
95 uint_t auxv_hwcap32 = 0;	/* 32-bit version of auxv_hwcap */
96 uint_t auxv_hwcap32_2 = 0;	/* 32-bit version of auxv_hwcap2 */
97 #endif
98 
99 #define	PSUIDFLAGS		(SNOCD|SUGID)
100 
101 /*
102  * exece() - system call wrapper around exec_common()
103  */
104 int
105 exece(const char *fname, const char **argp, const char **envp)
106 {
107 	int error;
108 
109 	error = exec_common(fname, argp, envp, EBA_NONE);
110 	return (error ? (set_errno(error)) : 0);
111 }
112 
113 int
114 exec_common(const char *fname, const char **argp, const char **envp,
115     int brand_action)
116 {
117 	vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
118 	proc_t *p = ttoproc(curthread);
119 	klwp_t *lwp = ttolwp(curthread);
120 	struct user *up = PTOU(p);
121 	long execsz;		/* temporary count of exec size */
122 	int i;
123 	int error;
124 	char exec_file[MAXCOMLEN+1];
125 	struct pathname pn;
126 	struct pathname resolvepn;
127 	struct uarg args;
128 	struct execa ua;
129 	k_sigset_t savedmask;
130 	lwpdir_t *lwpdir = NULL;
131 	tidhash_t *tidhash;
132 	lwpdir_t *old_lwpdir = NULL;
133 	uint_t old_lwpdir_sz;
134 	tidhash_t *old_tidhash;
135 	uint_t old_tidhash_sz;
136 	ret_tidhash_t *ret_tidhash;
137 	lwpent_t *lep;
138 	boolean_t brandme = B_FALSE;
139 
140 	/*
141 	 * exec() is not supported for the /proc agent lwp.
142 	 */
143 	if (curthread == p->p_agenttp)
144 		return (ENOTSUP);
145 
146 	if (brand_action != EBA_NONE) {
147 		/*
148 		 * Brand actions are not supported for processes that are not
149 		 * running in a branded zone.
150 		 */
151 		if (!ZONE_IS_BRANDED(p->p_zone))
152 			return (ENOTSUP);
153 
154 		if (brand_action == EBA_NATIVE) {
155 			/* Only branded processes can be unbranded */
156 			if (!PROC_IS_BRANDED(p))
157 				return (ENOTSUP);
158 		} else {
159 			/* Only unbranded processes can be branded */
160 			if (PROC_IS_BRANDED(p))
161 				return (ENOTSUP);
162 			brandme = B_TRUE;
163 		}
164 	} else {
165 		/*
166 		 * If this is a native zone, or if the process is already
167 		 * branded, then we don't need to do anything.  If this is
168 		 * a native process in a branded zone, we need to brand the
169 		 * process as it exec()s the new binary.
170 		 */
171 		if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
172 			brandme = B_TRUE;
173 	}
174 
175 	/*
176 	 * Inform /proc that an exec() has started.
177 	 * Hold signals that are ignored by default so that we will
178 	 * not be interrupted by a signal that will be ignored after
179 	 * successful completion of gexec().
180 	 */
181 	mutex_enter(&p->p_lock);
182 	prexecstart();
183 	schedctl_finish_sigblock(curthread);
184 	savedmask = curthread->t_hold;
185 	sigorset(&curthread->t_hold, &ignoredefault);
186 	mutex_exit(&p->p_lock);
187 
188 	/*
189 	 * Look up path name and remember last component for later.
190 	 * To help coreadm expand its %d token, we attempt to save
191 	 * the directory containing the executable in p_execdir. The
192 	 * first call to lookuppn() may fail and return EINVAL because
193 	 * dirvpp is non-NULL. In that case, we make a second call to
194 	 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
195 	 * but coreadm is allowed to expand %d to the empty string and
196 	 * there are other cases in which that failure may occur.
197 	 */
198 	if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
199 		goto out;
200 	pn_alloc(&resolvepn);
201 	if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
202 		pn_free(&resolvepn);
203 		pn_free(&pn);
204 		if (error != EINVAL)
205 			goto out;
206 
207 		dir = NULL;
208 		if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
209 			goto out;
210 		pn_alloc(&resolvepn);
211 		if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
212 		    &vp)) != 0) {
213 			pn_free(&resolvepn);
214 			pn_free(&pn);
215 			goto out;
216 		}
217 	}
218 	if (vp == NULL) {
219 		if (dir != NULL)
220 			VN_RELE(dir);
221 		error = ENOENT;
222 		pn_free(&resolvepn);
223 		pn_free(&pn);
224 		goto out;
225 	}
226 
227 	if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
228 		if (dir != NULL)
229 			VN_RELE(dir);
230 		pn_free(&resolvepn);
231 		pn_free(&pn);
232 		VN_RELE(vp);
233 		goto out;
234 	}
235 
236 	/*
237 	 * We do not allow executing files in attribute directories.
238 	 * We test this by determining whether the resolved path
239 	 * contains a "/" when we're in an attribute directory;
240 	 * only if the pathname does not contain a "/" the resolved path
241 	 * points to a file in the current working (attribute) directory.
242 	 */
243 	if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
244 	    strchr(resolvepn.pn_path, '/') == NULL) {
245 		if (dir != NULL)
246 			VN_RELE(dir);
247 		error = EACCES;
248 		pn_free(&resolvepn);
249 		pn_free(&pn);
250 		VN_RELE(vp);
251 		goto out;
252 	}
253 
254 	bzero(exec_file, MAXCOMLEN+1);
255 	(void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
256 	bzero(&args, sizeof (args));
257 	args.pathname = resolvepn.pn_path;
258 	/* don't free resolvepn until we are done with args */
259 	pn_free(&pn);
260 
261 	/*
262 	 * If we're running in a profile shell, then call pfexecd.
263 	 */
264 	if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
265 		error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
266 		    &args.scrubenv);
267 
268 		/* Returning errno in case we're not allowed to execute. */
269 		if (error > 0) {
270 			if (dir != NULL)
271 				VN_RELE(dir);
272 			pn_free(&resolvepn);
273 			VN_RELE(vp);
274 			goto out;
275 		}
276 
277 		/* Don't change the credentials when using old ptrace. */
278 		if (args.pfcred != NULL &&
279 		    (p->p_proc_flag & P_PR_PTRACE) != 0) {
280 			crfree(args.pfcred);
281 			args.pfcred = NULL;
282 			args.scrubenv = B_FALSE;
283 		}
284 	}
285 
286 	/*
287 	 * Specific exec handlers, or policies determined via
288 	 * /etc/system may override the historical default.
289 	 */
290 	args.stk_prot = PROT_ZFOD;
291 	args.dat_prot = PROT_ZFOD;
292 
293 	CPU_STATS_ADD_K(sys, sysexec, 1);
294 	DTRACE_PROC1(exec, char *, args.pathname);
295 
296 	ua.fname = fname;
297 	ua.argp = argp;
298 	ua.envp = envp;
299 
300 	/* If necessary, brand this process before we start the exec. */
301 	if (brandme)
302 		brand_setbrand(p);
303 
304 	if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
305 	    exec_file, p->p_cred, brand_action)) != 0) {
306 		if (brandme)
307 			brand_clearbrand(p, B_FALSE);
308 		VN_RELE(vp);
309 		if (dir != NULL)
310 			VN_RELE(dir);
311 		pn_free(&resolvepn);
312 		goto fail;
313 	}
314 
315 	/*
316 	 * Free floating point registers (sun4u only)
317 	 */
318 	ASSERT(lwp != NULL);
319 	lwp_freeregs(lwp, 1);
320 
321 	/*
322 	 * Free thread and process context ops.
323 	 */
324 	if (curthread->t_ctx)
325 		freectx(curthread, 1);
326 	if (p->p_pctx)
327 		freepctx(p, 1);
328 
329 	/*
330 	 * Remember file name for accounting; clear any cached DTrace predicate.
331 	 */
332 	up->u_acflag &= ~AFORK;
333 	bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
334 	curthread->t_predcache = NULL;
335 
336 	/*
337 	 * Clear contract template state
338 	 */
339 	lwp_ctmpl_clear(lwp);
340 
341 	/*
342 	 * Save the directory in which we found the executable for expanding
343 	 * the %d token used in core file patterns.
344 	 */
345 	mutex_enter(&p->p_lock);
346 	tmpvp = p->p_execdir;
347 	p->p_execdir = dir;
348 	if (p->p_execdir != NULL)
349 		VN_HOLD(p->p_execdir);
350 	mutex_exit(&p->p_lock);
351 
352 	if (tmpvp != NULL)
353 		VN_RELE(tmpvp);
354 
355 	/*
356 	 * Reset stack state to the user stack, clear set of signals
357 	 * caught on the signal stack, and reset list of signals that
358 	 * restart system calls; the new program's environment should
359 	 * not be affected by detritus from the old program.  Any
360 	 * pending held signals remain held, so don't clear t_hold.
361 	 */
362 	mutex_enter(&p->p_lock);
363 	lwp->lwp_oldcontext = 0;
364 	lwp->lwp_ustack = 0;
365 	lwp->lwp_old_stk_ctl = 0;
366 	sigemptyset(&up->u_signodefer);
367 	sigemptyset(&up->u_sigonstack);
368 	sigemptyset(&up->u_sigresethand);
369 	lwp->lwp_sigaltstack.ss_sp = 0;
370 	lwp->lwp_sigaltstack.ss_size = 0;
371 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
372 
373 	/*
374 	 * Make saved resource limit == current resource limit.
375 	 */
376 	for (i = 0; i < RLIM_NLIMITS; i++) {
377 		/*CONSTCOND*/
378 		if (RLIM_SAVED(i)) {
379 			(void) rctl_rlimit_get(rctlproc_legacy[i], p,
380 			    &up->u_saved_rlimit[i]);
381 		}
382 	}
383 
384 	/*
385 	 * If the action was to catch the signal, then the action
386 	 * must be reset to SIG_DFL.
387 	 */
388 	sigdefault(p);
389 	p->p_flag &= ~(SNOWAIT|SJCTL);
390 	p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
391 	up->u_signal[SIGCLD - 1] = SIG_DFL;
392 
393 	/*
394 	 * Delete the dot4 sigqueues/signotifies.
395 	 */
396 	sigqfree(p);
397 
398 	mutex_exit(&p->p_lock);
399 
400 	mutex_enter(&p->p_pflock);
401 	p->p_prof.pr_base = NULL;
402 	p->p_prof.pr_size = 0;
403 	p->p_prof.pr_off = 0;
404 	p->p_prof.pr_scale = 0;
405 	p->p_prof.pr_samples = 0;
406 	mutex_exit(&p->p_pflock);
407 
408 	ASSERT(curthread->t_schedctl == NULL);
409 
410 #if defined(__sparc)
411 	if (p->p_utraps != NULL)
412 		utrap_free(p);
413 #endif	/* __sparc */
414 
415 	/*
416 	 * Close all close-on-exec files.
417 	 */
418 	close_exec(P_FINFO(p));
419 	TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
420 
421 	/* Unbrand ourself if necessary. */
422 	if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
423 		brand_clearbrand(p, B_FALSE);
424 
425 	setregs(&args);
426 
427 	/* Mark this as an executable vnode */
428 	mutex_enter(&vp->v_lock);
429 	vp->v_flag |= VVMEXEC;
430 	mutex_exit(&vp->v_lock);
431 
432 	VN_RELE(vp);
433 	if (dir != NULL)
434 		VN_RELE(dir);
435 	pn_free(&resolvepn);
436 
437 	/*
438 	 * Allocate a new lwp directory and lwpid hash table if necessary.
439 	 */
440 	if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
441 		lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
442 		lwpdir->ld_next = lwpdir + 1;
443 		tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
444 		if (p->p_lwpdir != NULL)
445 			lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
446 		else
447 			lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
448 	}
449 
450 	if (PROC_IS_BRANDED(p))
451 		BROP(p)->b_exec();
452 
453 	mutex_enter(&p->p_lock);
454 	prbarrier(p);
455 
456 	/*
457 	 * Reset lwp id to the default value of 1.
458 	 * This is a single-threaded process now
459 	 * and lwp #1 is lwp_wait()able by default.
460 	 * The t_unpark flag should not be inherited.
461 	 */
462 	ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
463 	curthread->t_tid = 1;
464 	kpreempt_disable();
465 	ASSERT(curthread->t_lpl != NULL);
466 	p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
467 	kpreempt_enable();
468 	if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
469 		lgrp_update_trthr_migrations(1);
470 	}
471 	curthread->t_unpark = 0;
472 	curthread->t_proc_flag |= TP_TWAIT;
473 	curthread->t_proc_flag &= ~TP_DAEMON;	/* daemons shouldn't exec */
474 	p->p_lwpdaemon = 0;			/* but oh well ... */
475 	p->p_lwpid = 1;
476 
477 	/*
478 	 * Install the newly-allocated lwp directory and lwpid hash table
479 	 * and insert the current thread into the new hash table.
480 	 */
481 	if (lwpdir != NULL) {
482 		old_lwpdir = p->p_lwpdir;
483 		old_lwpdir_sz = p->p_lwpdir_sz;
484 		old_tidhash = p->p_tidhash;
485 		old_tidhash_sz = p->p_tidhash_sz;
486 		p->p_lwpdir = p->p_lwpfree = lwpdir;
487 		p->p_lwpdir_sz = 2;
488 		lep->le_thread = curthread;
489 		lep->le_lwpid = curthread->t_tid;
490 		lep->le_start = curthread->t_start;
491 		lwp_hash_in(p, lep, tidhash, 2, 0);
492 		p->p_tidhash = tidhash;
493 		p->p_tidhash_sz = 2;
494 	}
495 	ret_tidhash = p->p_ret_tidhash;
496 	p->p_ret_tidhash = NULL;
497 
498 	/*
499 	 * Restore the saved signal mask and
500 	 * inform /proc that the exec() has finished.
501 	 */
502 	curthread->t_hold = savedmask;
503 	prexecend();
504 	mutex_exit(&p->p_lock);
505 	if (old_lwpdir) {
506 		kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
507 		kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
508 	}
509 	while (ret_tidhash != NULL) {
510 		ret_tidhash_t *next = ret_tidhash->rth_next;
511 		kmem_free(ret_tidhash->rth_tidhash,
512 		    ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
513 		kmem_free(ret_tidhash, sizeof (*ret_tidhash));
514 		ret_tidhash = next;
515 	}
516 
517 	ASSERT(error == 0);
518 	DTRACE_PROC(exec__success);
519 	return (0);
520 
521 fail:
522 	DTRACE_PROC1(exec__failure, int, error);
523 out:		/* error return */
524 	mutex_enter(&p->p_lock);
525 	curthread->t_hold = savedmask;
526 	prexecend();
527 	mutex_exit(&p->p_lock);
528 	ASSERT(error != 0);
529 	return (error);
530 }
531 
532 
533 /*
534  * Perform generic exec duties and switchout to object-file specific
535  * handler.
536  */
537 int
538 gexec(
539 	struct vnode **vpp,
540 	struct execa *uap,
541 	struct uarg *args,
542 	struct intpdata *idatap,
543 	int level,
544 	long *execsz,
545 	caddr_t exec_file,
546 	struct cred *cred,
547 	int brand_action)
548 {
549 	struct vnode *vp, *execvp = NULL;
550 	proc_t *pp = ttoproc(curthread);
551 	struct execsw *eswp;
552 	int error = 0;
553 	int suidflags = 0;
554 	ssize_t resid;
555 	uid_t uid, gid;
556 	struct vattr vattr;
557 	char magbuf[MAGIC_BYTES];
558 	int setid;
559 	cred_t *oldcred, *newcred = NULL;
560 	int privflags = 0;
561 	int setidfl;
562 	priv_set_t fset;
563 
564 	/*
565 	 * If the SNOCD or SUGID flag is set, turn it off and remember the
566 	 * previous setting so we can restore it if we encounter an error.
567 	 */
568 	if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
569 		mutex_enter(&pp->p_lock);
570 		suidflags = pp->p_flag & PSUIDFLAGS;
571 		pp->p_flag &= ~PSUIDFLAGS;
572 		mutex_exit(&pp->p_lock);
573 	}
574 
575 	if ((error = execpermissions(*vpp, &vattr, args)) != 0)
576 		goto bad_noclose;
577 
578 	/* need to open vnode for stateful file systems */
579 	if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
580 		goto bad_noclose;
581 	vp = *vpp;
582 
583 	/*
584 	 * Note: to support binary compatibility with SunOS a.out
585 	 * executables, we read in the first four bytes, as the
586 	 * magic number is in bytes 2-3.
587 	 */
588 	if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
589 	    (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
590 		goto bad;
591 	if (resid != 0)
592 		goto bad;
593 
594 	if ((eswp = findexec_by_hdr(magbuf)) == NULL)
595 		goto bad;
596 
597 	if (level == 0 &&
598 	    (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
599 	    args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
600 
601 		/* Pfcred is a credential with a ref count of 1 */
602 
603 		if (args->pfcred != NULL) {
604 			privflags |= PRIV_INCREASE|PRIV_RESET;
605 			newcred = cred = args->pfcred;
606 		} else {
607 			newcred = cred = crdup(cred);
608 		}
609 
610 		/* If we can, drop the PA bit */
611 		if ((privflags & PRIV_RESET) != 0)
612 			priv_adjust_PA(cred);
613 
614 		if (privflags & PRIV_SETID) {
615 			cred->cr_uid = uid;
616 			cred->cr_gid = gid;
617 			cred->cr_suid = uid;
618 			cred->cr_sgid = gid;
619 		}
620 
621 		if (privflags & MAC_FLAGS) {
622 			if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
623 				CR_FLAGS(cred) &= ~NET_MAC_AWARE;
624 			CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
625 		}
626 
627 		/*
628 		 * Implement the privilege updates:
629 		 *
630 		 * Restrict with L:
631 		 *
632 		 *	I' = I & L
633 		 *
634 		 *	E' = P' = (I' + F) & A
635 		 *
636 		 * But if running under ptrace, we cap I and F with P.
637 		 */
638 		if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
639 			if ((privflags & PRIV_INCREASE) != 0 &&
640 			    (pp->p_proc_flag & P_PR_PTRACE) != 0) {
641 				priv_intersect(&CR_OPPRIV(cred),
642 				    &CR_IPRIV(cred));
643 				priv_intersect(&CR_OPPRIV(cred), &fset);
644 			}
645 			priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
646 			CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
647 			if (privflags & PRIV_FORCED) {
648 				priv_set_PA(cred);
649 				priv_union(&fset, &CR_EPRIV(cred));
650 				priv_union(&fset, &CR_PPRIV(cred));
651 			}
652 			priv_adjust_PA(cred);
653 		}
654 	} else if (level == 0 && args->pfcred != NULL) {
655 		newcred = cred = args->pfcred;
656 		privflags |= PRIV_INCREASE;
657 		/* pfcred is not forced to adhere to these settings */
658 		priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
659 		CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
660 		priv_adjust_PA(cred);
661 	}
662 
663 	/* SunOS 4.x buy-back */
664 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
665 	    (vattr.va_mode & (VSUID|VSGID))) {
666 		char path[MAXNAMELEN];
667 		refstr_t *mntpt = NULL;
668 		int ret = -1;
669 
670 		bzero(path, sizeof (path));
671 		zone_hold(pp->p_zone);
672 
673 		ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
674 		    sizeof (path), cred);
675 
676 		/* fallback to mountpoint if a path can't be found */
677 		if ((ret != 0) || (ret == 0 && path[0] == '\0'))
678 			mntpt = vfs_getmntpoint(vp->v_vfsp);
679 
680 		if (mntpt == NULL)
681 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
682 			    "!uid %d: setuid execution not allowed, "
683 			    "file=%s", cred->cr_uid, path);
684 		else
685 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
686 			    "!uid %d: setuid execution not allowed, "
687 			    "fs=%s, file=%s", cred->cr_uid,
688 			    ZONE_PATH_TRANSLATE(refstr_value(mntpt),
689 			    pp->p_zone), exec_file);
690 
691 		if (!INGLOBALZONE(pp)) {
692 			/* zone_rootpath always has trailing / */
693 			if (mntpt == NULL)
694 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
695 				    "setuid execution not allowed, file=%s%s",
696 				    pp->p_zone->zone_name, cred->cr_uid,
697 				    pp->p_zone->zone_rootpath, path + 1);
698 			else
699 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
700 				    "setuid execution not allowed, fs=%s, "
701 				    "file=%s", pp->p_zone->zone_name,
702 				    cred->cr_uid, refstr_value(mntpt),
703 				    exec_file);
704 		}
705 
706 		if (mntpt != NULL)
707 			refstr_rele(mntpt);
708 
709 		zone_rele(pp->p_zone);
710 	}
711 
712 	/*
713 	 * execsetid() told us whether or not we had to change the
714 	 * credentials of the process.  In privflags, it told us
715 	 * whether we gained any privileges or executed a set-uid executable.
716 	 */
717 	setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
718 
719 	/*
720 	 * Use /etc/system variable to determine if the stack
721 	 * should be marked as executable by default.
722 	 */
723 	if (noexec_user_stack)
724 		args->stk_prot &= ~PROT_EXEC;
725 
726 	args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
727 	args->ex_vp = vp;
728 
729 	/*
730 	 * Traditionally, the setid flags told the sub processes whether
731 	 * the file just executed was set-uid or set-gid; this caused
732 	 * some confusion as the 'setid' flag did not match the SUGID
733 	 * process flag which is only set when the uids/gids do not match.
734 	 * A script set-gid/set-uid to the real uid/gid would start with
735 	 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
736 	 * Now we flag those cases where the calling process cannot
737 	 * be trusted to influence the newly exec'ed process, either
738 	 * because it runs with more privileges or when the uids/gids
739 	 * do in fact not match.
740 	 * This also makes the runtime linker agree with the on exec
741 	 * values of SNOCD and SUGID.
742 	 */
743 	setidfl = 0;
744 	if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
745 	    !supgroupmember(cred->cr_gid, cred))) {
746 		setidfl |= EXECSETID_UGIDS;
747 	}
748 	if (setid & PRIV_SETUGID)
749 		setidfl |= EXECSETID_SETID;
750 	if (setid & PRIV_FORCED)
751 		setidfl |= EXECSETID_PRIVS;
752 
753 	execvp = pp->p_exec;
754 	if (execvp)
755 		VN_HOLD(execvp);
756 
757 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
758 	    setidfl, exec_file, cred, brand_action);
759 	rw_exit(eswp->exec_lock);
760 	if (error != 0) {
761 		if (execvp)
762 			VN_RELE(execvp);
763 		/*
764 		 * If this process's p_exec has been set to the vp of
765 		 * the executable by exec_func, we will return without
766 		 * calling VOP_CLOSE because proc_exit will close it
767 		 * on exit.
768 		 */
769 		if (pp->p_exec == vp)
770 			goto bad_noclose;
771 		else
772 			goto bad;
773 	}
774 
775 	if (level == 0) {
776 		uid_t oruid;
777 
778 		if (execvp != NULL) {
779 			/*
780 			 * Close the previous executable only if we are
781 			 * at level 0.
782 			 */
783 			(void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
784 			    cred, NULL);
785 		}
786 
787 		mutex_enter(&pp->p_crlock);
788 
789 		oruid = pp->p_cred->cr_ruid;
790 
791 		if (newcred != NULL) {
792 			/*
793 			 * Free the old credentials, and set the new ones.
794 			 * Do this for both the process and the (single) thread.
795 			 */
796 			crfree(pp->p_cred);
797 			pp->p_cred = cred;	/* cred already held for proc */
798 			crhold(cred);		/* hold new cred for thread */
799 			/*
800 			 * DTrace accesses t_cred in probe context.  t_cred
801 			 * must always be either NULL, or point to a valid,
802 			 * allocated cred structure.
803 			 */
804 			oldcred = curthread->t_cred;
805 			curthread->t_cred = cred;
806 			crfree(oldcred);
807 
808 			if (priv_basic_test >= 0 &&
809 			    !PRIV_ISASSERT(&CR_IPRIV(newcred),
810 			    priv_basic_test)) {
811 				pid_t pid = pp->p_pid;
812 				char *fn = PTOU(pp)->u_comm;
813 
814 				cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
815 				    "privilege removed from E/I", fn, pid);
816 			}
817 		}
818 		/*
819 		 * On emerging from a successful exec(), the saved
820 		 * uid and gid equal the effective uid and gid.
821 		 */
822 		cred->cr_suid = cred->cr_uid;
823 		cred->cr_sgid = cred->cr_gid;
824 
825 		/*
826 		 * If the real and effective ids do not match, this
827 		 * is a setuid process that should not dump core.
828 		 * The group comparison is tricky; we prevent the code
829 		 * from flagging SNOCD when executing with an effective gid
830 		 * which is a supplementary group.
831 		 */
832 		if (cred->cr_ruid != cred->cr_uid ||
833 		    (cred->cr_rgid != cred->cr_gid &&
834 		    !supgroupmember(cred->cr_gid, cred)) ||
835 		    (privflags & PRIV_INCREASE) != 0)
836 			suidflags = PSUIDFLAGS;
837 		else
838 			suidflags = 0;
839 
840 		mutex_exit(&pp->p_crlock);
841 		if (newcred != NULL && oruid != newcred->cr_ruid) {
842 			/* Note that the process remains in the same zone. */
843 			mutex_enter(&pidlock);
844 			upcount_dec(oruid, crgetzoneid(newcred));
845 			upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
846 			mutex_exit(&pidlock);
847 		}
848 		if (suidflags) {
849 			mutex_enter(&pp->p_lock);
850 			pp->p_flag |= suidflags;
851 			mutex_exit(&pp->p_lock);
852 		}
853 		if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
854 			/*
855 			 * If process is traced via /proc, arrange to
856 			 * invalidate the associated /proc vnode.
857 			 */
858 			if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
859 				args->traceinval = 1;
860 		}
861 		if (pp->p_proc_flag & P_PR_PTRACE)
862 			psignal(pp, SIGTRAP);
863 		if (args->traceinval)
864 			prinvalidate(&pp->p_user);
865 	}
866 	if (execvp)
867 		VN_RELE(execvp);
868 	return (0);
869 
870 bad:
871 	(void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
872 
873 bad_noclose:
874 	if (newcred != NULL)
875 		crfree(newcred);
876 	if (error == 0)
877 		error = ENOEXEC;
878 
879 	if (suidflags) {
880 		mutex_enter(&pp->p_lock);
881 		pp->p_flag |= suidflags;
882 		mutex_exit(&pp->p_lock);
883 	}
884 	return (error);
885 }
886 
887 extern char *execswnames[];
888 
889 struct execsw *
890 allocate_execsw(char *name, char *magic, size_t magic_size)
891 {
892 	int i, j;
893 	char *ename;
894 	char *magicp;
895 
896 	mutex_enter(&execsw_lock);
897 	for (i = 0; i < nexectype; i++) {
898 		if (execswnames[i] == NULL) {
899 			ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
900 			(void) strcpy(ename, name);
901 			execswnames[i] = ename;
902 			/*
903 			 * Set the magic number last so that we
904 			 * don't need to hold the execsw_lock in
905 			 * findexectype().
906 			 */
907 			magicp = kmem_alloc(magic_size, KM_SLEEP);
908 			for (j = 0; j < magic_size; j++)
909 				magicp[j] = magic[j];
910 			execsw[i].exec_magic = magicp;
911 			mutex_exit(&execsw_lock);
912 			return (&execsw[i]);
913 		}
914 	}
915 	mutex_exit(&execsw_lock);
916 	return (NULL);
917 }
918 
919 /*
920  * Find the exec switch table entry with the corresponding magic string.
921  */
922 struct execsw *
923 findexecsw(char *magic)
924 {
925 	struct execsw *eswp;
926 
927 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
928 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
929 		if (magic && eswp->exec_maglen != 0 &&
930 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
931 			return (eswp);
932 	}
933 	return (NULL);
934 }
935 
936 /*
937  * Find the execsw[] index for the given exec header string by looking for the
938  * magic string at a specified offset and length for each kind of executable
939  * file format until one matches.  If no execsw[] entry is found, try to
940  * autoload a module for this magic string.
941  */
942 struct execsw *
943 findexec_by_hdr(char *header)
944 {
945 	struct execsw *eswp;
946 
947 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
948 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
949 		if (header && eswp->exec_maglen != 0 &&
950 		    bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
951 		    eswp->exec_maglen) == 0) {
952 			if (hold_execsw(eswp) != 0)
953 				return (NULL);
954 			return (eswp);
955 		}
956 	}
957 	return (NULL);	/* couldn't find the type */
958 }
959 
960 /*
961  * Find the execsw[] index for the given magic string.  If no execsw[] entry
962  * is found, try to autoload a module for this magic string.
963  */
964 struct execsw *
965 findexec_by_magic(char *magic)
966 {
967 	struct execsw *eswp;
968 
969 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
970 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
971 		if (magic && eswp->exec_maglen != 0 &&
972 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
973 			if (hold_execsw(eswp) != 0)
974 				return (NULL);
975 			return (eswp);
976 		}
977 	}
978 	return (NULL);	/* couldn't find the type */
979 }
980 
981 static int
982 hold_execsw(struct execsw *eswp)
983 {
984 	char *name;
985 
986 	rw_enter(eswp->exec_lock, RW_READER);
987 	while (!LOADED_EXEC(eswp)) {
988 		rw_exit(eswp->exec_lock);
989 		name = execswnames[eswp-execsw];
990 		ASSERT(name);
991 		if (modload("exec", name) == -1)
992 			return (-1);
993 		rw_enter(eswp->exec_lock, RW_READER);
994 	}
995 	return (0);
996 }
997 
998 static int
999 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1000     priv_set_t *fset, cred_t *cr, const char *pathname)
1001 {
1002 	proc_t *pp = ttoproc(curthread);
1003 	uid_t uid, gid;
1004 	int privflags = 0;
1005 
1006 	/*
1007 	 * Remember credentials.
1008 	 */
1009 	uid = cr->cr_uid;
1010 	gid = cr->cr_gid;
1011 
1012 	/* Will try to reset the PRIV_AWARE bit later. */
1013 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1014 		privflags |= PRIV_RESET;
1015 
1016 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1017 		/*
1018 		 * If it's a set-uid root program we perform the
1019 		 * forced privilege look-aside. This has three possible
1020 		 * outcomes:
1021 		 *	no look aside information -> treat as before
1022 		 *	look aside in Limit set -> apply forced privs
1023 		 *	look aside not in Limit set -> ignore set-uid root
1024 		 *
1025 		 * Ordinary set-uid root execution only allowed if the limit
1026 		 * set holds all unsafe privileges.
1027 		 */
1028 		if (vattrp->va_mode & VSUID) {
1029 			if (vattrp->va_uid == 0) {
1030 				int res = get_forced_privs(cr, pathname, fset);
1031 
1032 				switch (res) {
1033 				case -1:
1034 					if (priv_issubset(&priv_unsafe,
1035 					    &CR_LPRIV(cr))) {
1036 						uid = vattrp->va_uid;
1037 						privflags |= PRIV_SETUGID;
1038 					}
1039 					break;
1040 				case 0:
1041 					privflags |= PRIV_FORCED|PRIV_INCREASE;
1042 					break;
1043 				default:
1044 					break;
1045 				}
1046 			} else {
1047 				uid = vattrp->va_uid;
1048 				privflags |= PRIV_SETUGID;
1049 			}
1050 		}
1051 		if (vattrp->va_mode & VSGID) {
1052 			gid = vattrp->va_gid;
1053 			privflags |= PRIV_SETUGID;
1054 		}
1055 	}
1056 
1057 	/*
1058 	 * Do we need to change our credential anyway?
1059 	 * This is the case when E != I or P != I, as
1060 	 * we need to do the assignments (with F empty and A full)
1061 	 * Or when I is not a subset of L; in that case we need to
1062 	 * enforce L.
1063 	 *
1064 	 *		I' = L & I
1065 	 *
1066 	 *		E' = P' = (I' + F) & A
1067 	 * or
1068 	 *		E' = P' = I'
1069 	 */
1070 	if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1071 	    !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1072 	    !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1073 		privflags |= PRIV_RESET;
1074 
1075 	/* Child has more privileges than parent */
1076 	if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1077 		privflags |= PRIV_INCREASE;
1078 
1079 	/* If MAC-aware flag(s) are on, need to update cred to remove. */
1080 	if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
1081 	    (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
1082 		privflags |= MAC_FLAGS;
1083 	/*
1084 	 * Set setuid/setgid protections if no ptrace() compatibility.
1085 	 * For privileged processes, honor setuid/setgid even in
1086 	 * the presence of ptrace() compatibility.
1087 	 */
1088 	if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1089 	    PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1090 	    (cr->cr_uid != uid ||
1091 	    cr->cr_gid != gid ||
1092 	    cr->cr_suid != uid ||
1093 	    cr->cr_sgid != gid)) {
1094 		*uidp = uid;
1095 		*gidp = gid;
1096 		privflags |= PRIV_SETID;
1097 	}
1098 	return (privflags);
1099 }
1100 
1101 int
1102 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1103 {
1104 	int error;
1105 	proc_t *p = ttoproc(curthread);
1106 
1107 	vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1108 	if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1109 		return (error);
1110 	/*
1111 	 * Check the access mode.
1112 	 * If VPROC, ask /proc if the file is an object file.
1113 	 */
1114 	if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1115 	    !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1116 	    (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1117 	    (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1118 		if (error == 0)
1119 			error = EACCES;
1120 		return (error);
1121 	}
1122 
1123 	if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1124 	    (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1125 		/*
1126 		 * If process is under ptrace(2) compatibility,
1127 		 * fail the exec(2).
1128 		 */
1129 		if (p->p_proc_flag & P_PR_PTRACE)
1130 			goto bad;
1131 		/*
1132 		 * Process is traced via /proc.
1133 		 * Arrange to invalidate the /proc vnode.
1134 		 */
1135 		args->traceinval = 1;
1136 	}
1137 	return (0);
1138 bad:
1139 	if (error == 0)
1140 		error = ENOEXEC;
1141 	return (error);
1142 }
1143 
1144 /*
1145  * Map a section of an executable file into the user's
1146  * address space.
1147  */
1148 int
1149 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1150     off_t offset, int prot, int page, uint_t szc)
1151 {
1152 	int error = 0;
1153 	off_t oldoffset;
1154 	caddr_t zfodbase, oldaddr;
1155 	size_t end, oldlen;
1156 	size_t zfoddiff;
1157 	label_t ljb;
1158 	proc_t *p = ttoproc(curthread);
1159 
1160 	oldaddr = addr;
1161 	addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1162 	if (len) {
1163 		oldlen = len;
1164 		len += ((size_t)oldaddr - (size_t)addr);
1165 		oldoffset = offset;
1166 		offset = (off_t)((uintptr_t)offset & PAGEMASK);
1167 		if (page) {
1168 			spgcnt_t  prefltmem, availm, npages;
1169 			int preread;
1170 			uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1171 
1172 			if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1173 				mflag |= MAP_TEXT;
1174 			} else {
1175 				mflag |= MAP_INITDATA;
1176 			}
1177 
1178 			if (valid_usr_range(addr, len, prot, p->p_as,
1179 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1180 				error = ENOMEM;
1181 				goto bad;
1182 			}
1183 			if (error = VOP_MAP(vp, (offset_t)offset,
1184 			    p->p_as, &addr, len, prot, PROT_ALL,
1185 			    mflag, CRED(), NULL))
1186 				goto bad;
1187 
1188 			/*
1189 			 * If the segment can fit, then we prefault
1190 			 * the entire segment in.  This is based on the
1191 			 * model that says the best working set of a
1192 			 * small program is all of its pages.
1193 			 */
1194 			npages = (spgcnt_t)btopr(len);
1195 			prefltmem = freemem - desfree;
1196 			preread =
1197 			    (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1198 
1199 			/*
1200 			 * If we aren't prefaulting the segment,
1201 			 * increment "deficit", if necessary to ensure
1202 			 * that pages will become available when this
1203 			 * process starts executing.
1204 			 */
1205 			availm = freemem - lotsfree;
1206 			if (preread == 0 && npages > availm &&
1207 			    deficit < lotsfree) {
1208 				deficit += MIN((pgcnt_t)(npages - availm),
1209 				    lotsfree - deficit);
1210 			}
1211 
1212 			if (preread) {
1213 				TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1214 				    "execmap preread:freemem %d size %lu",
1215 				    freemem, len);
1216 				(void) as_fault(p->p_as->a_hat, p->p_as,
1217 				    (caddr_t)addr, len, F_INVAL, S_READ);
1218 			}
1219 		} else {
1220 			if (valid_usr_range(addr, len, prot, p->p_as,
1221 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1222 				error = ENOMEM;
1223 				goto bad;
1224 			}
1225 
1226 			if (error = as_map(p->p_as, addr, len,
1227 			    segvn_create, zfod_argsp))
1228 				goto bad;
1229 			/*
1230 			 * Read in the segment in one big chunk.
1231 			 */
1232 			if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1233 			    oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1234 			    (rlim64_t)0, CRED(), (ssize_t *)0))
1235 				goto bad;
1236 			/*
1237 			 * Now set protections.
1238 			 */
1239 			if (prot != PROT_ZFOD) {
1240 				(void) as_setprot(p->p_as, (caddr_t)addr,
1241 				    len, prot);
1242 			}
1243 		}
1244 	}
1245 
1246 	if (zfodlen) {
1247 		struct as *as = curproc->p_as;
1248 		struct seg *seg;
1249 		uint_t zprot = 0;
1250 
1251 		end = (size_t)addr + len;
1252 		zfodbase = (caddr_t)roundup(end, PAGESIZE);
1253 		zfoddiff = (uintptr_t)zfodbase - end;
1254 		if (zfoddiff) {
1255 			/*
1256 			 * Before we go to zero the remaining space on the last
1257 			 * page, make sure we have write permission.
1258 			 */
1259 
1260 			AS_LOCK_ENTER(as, &as->a_lock, RW_READER);
1261 			seg = as_segat(curproc->p_as, (caddr_t)end);
1262 			if (seg != NULL)
1263 				SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1264 				    &zprot);
1265 			AS_LOCK_EXIT(as, &as->a_lock);
1266 
1267 			if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1268 				(void) as_setprot(as, (caddr_t)end,
1269 				    zfoddiff - 1, zprot | PROT_WRITE);
1270 			}
1271 
1272 			if (on_fault(&ljb)) {
1273 				no_fault();
1274 				if (seg != NULL && (zprot & PROT_WRITE) == 0)
1275 					(void) as_setprot(as, (caddr_t)end,
1276 					    zfoddiff - 1, zprot);
1277 				error = EFAULT;
1278 				goto bad;
1279 			}
1280 			uzero((void *)end, zfoddiff);
1281 			no_fault();
1282 			if (seg != NULL && (zprot & PROT_WRITE) == 0)
1283 				(void) as_setprot(as, (caddr_t)end,
1284 				    zfoddiff - 1, zprot);
1285 		}
1286 		if (zfodlen > zfoddiff) {
1287 			struct segvn_crargs crargs =
1288 			    SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1289 
1290 			zfodlen -= zfoddiff;
1291 			if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1292 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1293 				error = ENOMEM;
1294 				goto bad;
1295 			}
1296 			if (szc > 0) {
1297 				/*
1298 				 * ASSERT alignment because the mapelfexec()
1299 				 * caller for the szc > 0 case extended zfod
1300 				 * so it's end is pgsz aligned.
1301 				 */
1302 				size_t pgsz = page_get_pagesize(szc);
1303 				ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1304 
1305 				if (IS_P2ALIGNED(zfodbase, pgsz)) {
1306 					crargs.szc = szc;
1307 				} else {
1308 					crargs.szc = AS_MAP_HEAP;
1309 				}
1310 			} else {
1311 				crargs.szc = AS_MAP_NO_LPOOB;
1312 			}
1313 			if (error = as_map(p->p_as, (caddr_t)zfodbase,
1314 			    zfodlen, segvn_create, &crargs))
1315 				goto bad;
1316 			if (prot != PROT_ZFOD) {
1317 				(void) as_setprot(p->p_as, (caddr_t)zfodbase,
1318 				    zfodlen, prot);
1319 			}
1320 		}
1321 	}
1322 	return (0);
1323 bad:
1324 	return (error);
1325 }
1326 
1327 void
1328 setexecenv(struct execenv *ep)
1329 {
1330 	proc_t *p = ttoproc(curthread);
1331 	klwp_t *lwp = ttolwp(curthread);
1332 	struct vnode *vp;
1333 
1334 	p->p_bssbase = ep->ex_bssbase;
1335 	p->p_brkbase = ep->ex_brkbase;
1336 	p->p_brksize = ep->ex_brksize;
1337 	if (p->p_exec)
1338 		VN_RELE(p->p_exec);	/* out with the old */
1339 	vp = p->p_exec = ep->ex_vp;
1340 	if (vp != NULL)
1341 		VN_HOLD(vp);		/* in with the new */
1342 
1343 	lwp->lwp_sigaltstack.ss_sp = 0;
1344 	lwp->lwp_sigaltstack.ss_size = 0;
1345 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1346 }
1347 
1348 int
1349 execopen(struct vnode **vpp, int *fdp)
1350 {
1351 	struct vnode *vp = *vpp;
1352 	file_t *fp;
1353 	int error = 0;
1354 	int filemode = FREAD;
1355 
1356 	VN_HOLD(vp);		/* open reference */
1357 	if (error = falloc(NULL, filemode, &fp, fdp)) {
1358 		VN_RELE(vp);
1359 		*fdp = -1;	/* just in case falloc changed value */
1360 		return (error);
1361 	}
1362 	if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1363 		VN_RELE(vp);
1364 		setf(*fdp, NULL);
1365 		unfalloc(fp);
1366 		*fdp = -1;
1367 		return (error);
1368 	}
1369 	*vpp = vp;		/* vnode should not have changed */
1370 	fp->f_vnode = vp;
1371 	mutex_exit(&fp->f_tlock);
1372 	setf(*fdp, fp);
1373 	return (0);
1374 }
1375 
1376 int
1377 execclose(int fd)
1378 {
1379 	return (closeandsetf(fd, NULL));
1380 }
1381 
1382 
1383 /*
1384  * noexec stub function.
1385  */
1386 /*ARGSUSED*/
1387 int
1388 noexec(
1389     struct vnode *vp,
1390     struct execa *uap,
1391     struct uarg *args,
1392     struct intpdata *idatap,
1393     int level,
1394     long *execsz,
1395     int setid,
1396     caddr_t exec_file,
1397     struct cred *cred)
1398 {
1399 	cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1400 	return (ENOEXEC);
1401 }
1402 
1403 /*
1404  * Support routines for building a user stack.
1405  *
1406  * execve(path, argv, envp) must construct a new stack with the specified
1407  * arguments and environment variables (see exec_args() for a description
1408  * of the user stack layout).  To do this, we copy the arguments and
1409  * environment variables from the old user address space into the kernel,
1410  * free the old as, create the new as, and copy our buffered information
1411  * to the new stack.  Our kernel buffer has the following structure:
1412  *
1413  *	+-----------------------+ <--- stk_base + stk_size
1414  *	| string offsets	|
1415  *	+-----------------------+ <--- stk_offp
1416  *	|			|
1417  *	| STK_AVAIL() space	|
1418  *	|			|
1419  *	+-----------------------+ <--- stk_strp
1420  *	| strings		|
1421  *	+-----------------------+ <--- stk_base
1422  *
1423  * When we add a string, we store the string's contents (including the null
1424  * terminator) at stk_strp, and we store the offset of the string relative to
1425  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1426  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1427  * the difference between these pointers.  If we run out of space, we return
1428  * an error and exec_args() starts all over again with a buffer twice as large.
1429  * When we're all done, the kernel buffer looks like this:
1430  *
1431  *	+-----------------------+ <--- stk_base + stk_size
1432  *	| argv[0] offset	|
1433  *	+-----------------------+
1434  *	| ...			|
1435  *	+-----------------------+
1436  *	| argv[argc-1] offset	|
1437  *	+-----------------------+
1438  *	| envp[0] offset	|
1439  *	+-----------------------+
1440  *	| ...			|
1441  *	+-----------------------+
1442  *	| envp[envc-1] offset	|
1443  *	+-----------------------+
1444  *	| AT_SUN_PLATFORM offset|
1445  *	+-----------------------+
1446  *	| AT_SUN_EXECNAME offset|
1447  *	+-----------------------+ <--- stk_offp
1448  *	|			|
1449  *	| STK_AVAIL() space	|
1450  *	|			|
1451  *	+-----------------------+ <--- stk_strp
1452  *	| AT_SUN_EXECNAME offset|
1453  *	+-----------------------+
1454  *	| AT_SUN_PLATFORM offset|
1455  *	+-----------------------+
1456  *	| envp[envc-1] string	|
1457  *	+-----------------------+
1458  *	| ...			|
1459  *	+-----------------------+
1460  *	| envp[0] string	|
1461  *	+-----------------------+
1462  *	| argv[argc-1] string	|
1463  *	+-----------------------+
1464  *	| ...			|
1465  *	+-----------------------+
1466  *	| argv[0] string	|
1467  *	+-----------------------+ <--- stk_base
1468  */
1469 
1470 #define	STK_AVAIL(args)		((char *)(args)->stk_offp - (args)->stk_strp)
1471 
1472 /*
1473  * Add a string to the stack.
1474  */
1475 static int
1476 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1477 {
1478 	int error;
1479 	size_t len;
1480 
1481 	if (STK_AVAIL(args) < sizeof (int))
1482 		return (E2BIG);
1483 	*--args->stk_offp = args->stk_strp - args->stk_base;
1484 
1485 	if (segflg == UIO_USERSPACE) {
1486 		error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1487 		if (error != 0)
1488 			return (error);
1489 	} else {
1490 		len = strlen(sp) + 1;
1491 		if (len > STK_AVAIL(args))
1492 			return (E2BIG);
1493 		bcopy(sp, args->stk_strp, len);
1494 	}
1495 
1496 	args->stk_strp += len;
1497 
1498 	return (0);
1499 }
1500 
1501 static int
1502 stk_getptr(uarg_t *args, char *src, char **dst)
1503 {
1504 	int error;
1505 
1506 	if (args->from_model == DATAMODEL_NATIVE) {
1507 		ulong_t ptr;
1508 		error = fulword(src, &ptr);
1509 		*dst = (caddr_t)ptr;
1510 	} else {
1511 		uint32_t ptr;
1512 		error = fuword32(src, &ptr);
1513 		*dst = (caddr_t)(uintptr_t)ptr;
1514 	}
1515 	return (error);
1516 }
1517 
1518 static int
1519 stk_putptr(uarg_t *args, char *addr, char *value)
1520 {
1521 	if (args->to_model == DATAMODEL_NATIVE)
1522 		return (sulword(addr, (ulong_t)value));
1523 	else
1524 		return (suword32(addr, (uint32_t)(uintptr_t)value));
1525 }
1526 
1527 static int
1528 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1529 {
1530 	char *sp;
1531 	int argc, error;
1532 	int argv_empty = 0;
1533 	size_t ptrsize = args->from_ptrsize;
1534 	size_t size, pad;
1535 	char *argv = (char *)uap->argp;
1536 	char *envp = (char *)uap->envp;
1537 
1538 	/*
1539 	 * Copy interpreter's name and argument to argv[0] and argv[1].
1540 	 */
1541 	if (intp != NULL && intp->intp_name != NULL) {
1542 		if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0)
1543 			return (error);
1544 		if (intp->intp_arg != NULL &&
1545 		    (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0)
1546 			return (error);
1547 		if (args->fname != NULL)
1548 			error = stk_add(args, args->fname, UIO_SYSSPACE);
1549 		else
1550 			error = stk_add(args, uap->fname, UIO_USERSPACE);
1551 		if (error)
1552 			return (error);
1553 
1554 		/*
1555 		 * Check for an empty argv[].
1556 		 */
1557 		if (stk_getptr(args, argv, &sp))
1558 			return (EFAULT);
1559 		if (sp == NULL)
1560 			argv_empty = 1;
1561 
1562 		argv += ptrsize;		/* ignore original argv[0] */
1563 	}
1564 
1565 	if (argv_empty == 0) {
1566 		/*
1567 		 * Add argv[] strings to the stack.
1568 		 */
1569 		for (;;) {
1570 			if (stk_getptr(args, argv, &sp))
1571 				return (EFAULT);
1572 			if (sp == NULL)
1573 				break;
1574 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1575 				return (error);
1576 			argv += ptrsize;
1577 		}
1578 	}
1579 	argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1580 	args->arglen = args->stk_strp - args->stk_base;
1581 
1582 	/*
1583 	 * Add environ[] strings to the stack.
1584 	 */
1585 	if (envp != NULL) {
1586 		for (;;) {
1587 			char *tmp = args->stk_strp;
1588 			if (stk_getptr(args, envp, &sp))
1589 				return (EFAULT);
1590 			if (sp == NULL)
1591 				break;
1592 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1593 				return (error);
1594 			if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1595 				/* Undo the copied string */
1596 				args->stk_strp = tmp;
1597 				*(args->stk_offp++) = NULL;
1598 			}
1599 			envp += ptrsize;
1600 		}
1601 	}
1602 	args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1603 	args->ne = args->na - argc;
1604 
1605 	/*
1606 	 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1607 	 * AT_SUN_EMULATOR strings to the stack.
1608 	 */
1609 	if (auxvpp != NULL && *auxvpp != NULL) {
1610 		if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1611 			return (error);
1612 		if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1613 			return (error);
1614 		if (args->brandname != NULL &&
1615 		    (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1616 			return (error);
1617 		if (args->emulator != NULL &&
1618 		    (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1619 			return (error);
1620 	}
1621 
1622 	/*
1623 	 * Compute the size of the stack.  This includes all the pointers,
1624 	 * the space reserved for the aux vector, and all the strings.
1625 	 * The total number of pointers is args->na (which is argc + envc)
1626 	 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1627 	 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1628 	 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1629 	 * all the strings, at the very top of the stack.
1630 	 */
1631 	size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1632 	    (args->stk_strp - args->stk_base);
1633 
1634 	/*
1635 	 * Pad the string section with zeroes to align the stack size.
1636 	 */
1637 	pad = P2NPHASE(size, args->stk_align);
1638 
1639 	if (STK_AVAIL(args) < pad)
1640 		return (E2BIG);
1641 
1642 	args->usrstack_size = size + pad;
1643 
1644 	while (pad-- != 0)
1645 		*args->stk_strp++ = 0;
1646 
1647 	args->nc = args->stk_strp - args->stk_base;
1648 
1649 	return (0);
1650 }
1651 
1652 static int
1653 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1654 {
1655 	size_t ptrsize = args->to_ptrsize;
1656 	ssize_t pslen;
1657 	char *kstrp = args->stk_base;
1658 	char *ustrp = usrstack - args->nc - ptrsize;
1659 	char *usp = usrstack - args->usrstack_size;
1660 	int *offp = (int *)(args->stk_base + args->stk_size);
1661 	int envc = args->ne;
1662 	int argc = args->na - envc;
1663 	int i;
1664 
1665 	/*
1666 	 * Record argc for /proc.
1667 	 */
1668 	up->u_argc = argc;
1669 
1670 	/*
1671 	 * Put argc on the stack.  Note that even though it's an int,
1672 	 * it always consumes ptrsize bytes (for alignment).
1673 	 */
1674 	if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1675 		return (-1);
1676 
1677 	/*
1678 	 * Add argc space (ptrsize) to usp and record argv for /proc.
1679 	 */
1680 	up->u_argv = (uintptr_t)(usp += ptrsize);
1681 
1682 	/*
1683 	 * Put the argv[] pointers on the stack.
1684 	 */
1685 	for (i = 0; i < argc; i++, usp += ptrsize)
1686 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1687 			return (-1);
1688 
1689 	/*
1690 	 * Copy arguments to u_psargs.
1691 	 */
1692 	pslen = MIN(args->arglen, PSARGSZ) - 1;
1693 	for (i = 0; i < pslen; i++)
1694 		up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1695 	while (i < PSARGSZ)
1696 		up->u_psargs[i++] = '\0';
1697 
1698 	/*
1699 	 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1700 	 * record envp for /proc.
1701 	 */
1702 	up->u_envp = (uintptr_t)(usp += ptrsize);
1703 
1704 	/*
1705 	 * Put the envp[] pointers on the stack.
1706 	 */
1707 	for (i = 0; i < envc; i++, usp += ptrsize)
1708 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1709 			return (-1);
1710 
1711 	/*
1712 	 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1713 	 * remember where the stack ends, which is also where auxv begins.
1714 	 */
1715 	args->stackend = usp += ptrsize;
1716 
1717 	/*
1718 	 * Put all the argv[], envp[], and auxv strings on the stack.
1719 	 */
1720 	if (copyout(args->stk_base, ustrp, args->nc))
1721 		return (-1);
1722 
1723 	/*
1724 	 * Fill in the aux vector now that we know the user stack addresses
1725 	 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1726 	 * AT_SUN_EMULATOR strings.
1727 	 */
1728 	if (auxvpp != NULL && *auxvpp != NULL) {
1729 		if (args->to_model == DATAMODEL_NATIVE) {
1730 			auxv_t **a = (auxv_t **)auxvpp;
1731 			ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1732 			ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1733 			if (args->brandname != NULL)
1734 				ADDAUX(*a,
1735 				    AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1736 			if (args->emulator != NULL)
1737 				ADDAUX(*a,
1738 				    AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1739 		} else {
1740 			auxv32_t **a = (auxv32_t **)auxvpp;
1741 			ADDAUX(*a,
1742 			    AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1743 			ADDAUX(*a,
1744 			    AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1745 			if (args->brandname != NULL)
1746 				ADDAUX(*a, AT_SUN_BRANDNAME,
1747 				    (int)(uintptr_t)&ustrp[*--offp])
1748 			if (args->emulator != NULL)
1749 				ADDAUX(*a, AT_SUN_EMULATOR,
1750 				    (int)(uintptr_t)&ustrp[*--offp])
1751 		}
1752 	}
1753 
1754 	return (0);
1755 }
1756 
1757 /*
1758  * Initialize a new user stack with the specified arguments and environment.
1759  * The initial user stack layout is as follows:
1760  *
1761  *	User Stack
1762  *	+---------------+ <--- curproc->p_usrstack
1763  *	|		|
1764  *	| slew		|
1765  *	|		|
1766  *	+---------------+
1767  *	| NULL		|
1768  *	+---------------+
1769  *	|		|
1770  *	| auxv strings	|
1771  *	|		|
1772  *	+---------------+
1773  *	|		|
1774  *	| envp strings	|
1775  *	|		|
1776  *	+---------------+
1777  *	|		|
1778  *	| argv strings	|
1779  *	|		|
1780  *	+---------------+ <--- ustrp
1781  *	|		|
1782  *	| aux vector	|
1783  *	|		|
1784  *	+---------------+ <--- auxv
1785  *	| NULL		|
1786  *	+---------------+
1787  *	| envp[envc-1]	|
1788  *	+---------------+
1789  *	| ...		|
1790  *	+---------------+
1791  *	| envp[0]	|
1792  *	+---------------+ <--- envp[]
1793  *	| NULL		|
1794  *	+---------------+
1795  *	| argv[argc-1]	|
1796  *	+---------------+
1797  *	| ...		|
1798  *	+---------------+
1799  *	| argv[0]	|
1800  *	+---------------+ <--- argv[]
1801  *	| argc		|
1802  *	+---------------+ <--- stack base
1803  */
1804 int
1805 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1806 {
1807 	size_t size;
1808 	int error;
1809 	proc_t *p = ttoproc(curthread);
1810 	user_t *up = PTOU(p);
1811 	char *usrstack;
1812 	rctl_entity_p_t e;
1813 	struct as *as;
1814 	extern int use_stk_lpg;
1815 	size_t sp_slew;
1816 
1817 	args->from_model = p->p_model;
1818 	if (p->p_model == DATAMODEL_NATIVE) {
1819 		args->from_ptrsize = sizeof (long);
1820 	} else {
1821 		args->from_ptrsize = sizeof (int32_t);
1822 	}
1823 
1824 	if (args->to_model == DATAMODEL_NATIVE) {
1825 		args->to_ptrsize = sizeof (long);
1826 		args->ncargs = NCARGS;
1827 		args->stk_align = STACK_ALIGN;
1828 		if (args->addr32)
1829 			usrstack = (char *)USRSTACK64_32;
1830 		else
1831 			usrstack = (char *)USRSTACK;
1832 	} else {
1833 		args->to_ptrsize = sizeof (int32_t);
1834 		args->ncargs = NCARGS32;
1835 		args->stk_align = STACK_ALIGN32;
1836 		usrstack = (char *)USRSTACK32;
1837 	}
1838 
1839 	ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1840 
1841 #if defined(__sparc)
1842 	/*
1843 	 * Make sure user register windows are empty before
1844 	 * attempting to make a new stack.
1845 	 */
1846 	(void) flush_user_windows_to_stack(NULL);
1847 #endif
1848 
1849 	for (size = PAGESIZE; ; size *= 2) {
1850 		args->stk_size = size;
1851 		args->stk_base = kmem_alloc(size, KM_SLEEP);
1852 		args->stk_strp = args->stk_base;
1853 		args->stk_offp = (int *)(args->stk_base + size);
1854 		error = stk_copyin(uap, args, intp, auxvpp);
1855 		if (error == 0)
1856 			break;
1857 		kmem_free(args->stk_base, size);
1858 		if (error != E2BIG && error != ENAMETOOLONG)
1859 			return (error);
1860 		if (size >= args->ncargs)
1861 			return (E2BIG);
1862 	}
1863 
1864 	size = args->usrstack_size;
1865 
1866 	ASSERT(error == 0);
1867 	ASSERT(P2PHASE(size, args->stk_align) == 0);
1868 	ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1869 
1870 	if (size > args->ncargs) {
1871 		kmem_free(args->stk_base, args->stk_size);
1872 		return (E2BIG);
1873 	}
1874 
1875 	/*
1876 	 * Leave only the current lwp and force the other lwps to exit.
1877 	 * If another lwp beat us to the punch by calling exit(), bail out.
1878 	 */
1879 	if ((error = exitlwps(0)) != 0) {
1880 		kmem_free(args->stk_base, args->stk_size);
1881 		return (error);
1882 	}
1883 
1884 	/*
1885 	 * Revoke any doors created by the process.
1886 	 */
1887 	if (p->p_door_list)
1888 		door_exit();
1889 
1890 	/*
1891 	 * Release schedctl data structures.
1892 	 */
1893 	if (p->p_pagep)
1894 		schedctl_proc_cleanup();
1895 
1896 	/*
1897 	 * Clean up any DTrace helpers for the process.
1898 	 */
1899 	if (p->p_dtrace_helpers != NULL) {
1900 		ASSERT(dtrace_helpers_cleanup != NULL);
1901 		(*dtrace_helpers_cleanup)();
1902 	}
1903 
1904 	mutex_enter(&p->p_lock);
1905 	/*
1906 	 * Cleanup the DTrace provider associated with this process.
1907 	 */
1908 	if (p->p_dtrace_probes) {
1909 		ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1910 		dtrace_fasttrap_exec_ptr(p);
1911 	}
1912 	mutex_exit(&p->p_lock);
1913 
1914 	/*
1915 	 * discard the lwpchan cache.
1916 	 */
1917 	if (p->p_lcp != NULL)
1918 		lwpchan_destroy_cache(1);
1919 
1920 	/*
1921 	 * Delete the POSIX timers.
1922 	 */
1923 	if (p->p_itimer != NULL)
1924 		timer_exit();
1925 
1926 	/*
1927 	 * Delete the ITIMER_REALPROF interval timer.
1928 	 * The other ITIMER_* interval timers are specified
1929 	 * to be inherited across exec().
1930 	 */
1931 	delete_itimer_realprof();
1932 
1933 	if (AU_AUDITING())
1934 		audit_exec(args->stk_base, args->stk_base + args->arglen,
1935 		    args->na - args->ne, args->ne, args->pfcred);
1936 
1937 	/*
1938 	 * Ensure that we don't change resource associations while we
1939 	 * change address spaces.
1940 	 */
1941 	mutex_enter(&p->p_lock);
1942 	pool_barrier_enter();
1943 	mutex_exit(&p->p_lock);
1944 
1945 	/*
1946 	 * Destroy the old address space and create a new one.
1947 	 * From here on, any errors are fatal to the exec()ing process.
1948 	 * On error we return -1, which means the caller must SIGKILL
1949 	 * the process.
1950 	 */
1951 	relvm();
1952 
1953 	mutex_enter(&p->p_lock);
1954 	pool_barrier_exit();
1955 	mutex_exit(&p->p_lock);
1956 
1957 	up->u_execsw = args->execswp;
1958 
1959 	p->p_brkbase = NULL;
1960 	p->p_brksize = 0;
1961 	p->p_brkpageszc = 0;
1962 	p->p_stksize = 0;
1963 	p->p_stkpageszc = 0;
1964 	p->p_model = args->to_model;
1965 	p->p_usrstack = usrstack;
1966 	p->p_stkprot = args->stk_prot;
1967 	p->p_datprot = args->dat_prot;
1968 
1969 	/*
1970 	 * Reset resource controls such that all controls are again active as
1971 	 * well as appropriate to the potentially new address model for the
1972 	 * process.
1973 	 */
1974 	e.rcep_p.proc = p;
1975 	e.rcep_t = RCENTITY_PROCESS;
1976 	rctl_set_reset(p->p_rctls, p, &e);
1977 
1978 	/* Too early to call map_pgsz for the heap */
1979 	if (use_stk_lpg) {
1980 		p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
1981 	}
1982 
1983 	mutex_enter(&p->p_lock);
1984 	p->p_flag |= SAUTOLPG;	/* kernel controls page sizes */
1985 	mutex_exit(&p->p_lock);
1986 
1987 	/*
1988 	 * Some platforms may choose to randomize real stack start by adding a
1989 	 * small slew (not more than a few hundred bytes) to the top of the
1990 	 * stack. This helps avoid cache thrashing when identical processes
1991 	 * simultaneously share caches that don't provide enough associativity
1992 	 * (e.g. sun4v systems). In this case stack slewing makes the same hot
1993 	 * stack variables in different processes to live in different cache
1994 	 * sets increasing effective associativity.
1995 	 */
1996 	sp_slew = exec_get_spslew();
1997 	ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
1998 	exec_set_sp(size + sp_slew);
1999 
2000 	as = as_alloc();
2001 	p->p_as = as;
2002 	as->a_proc = p;
2003 	if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2004 		as->a_userlimit = (caddr_t)USERLIMIT32;
2005 	(void) hat_setup(as->a_hat, HAT_ALLOC);
2006 	hat_join_srd(as->a_hat, args->ex_vp);
2007 
2008 	/*
2009 	 * Finally, write out the contents of the new stack.
2010 	 */
2011 	error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2012 	kmem_free(args->stk_base, args->stk_size);
2013 	return (error);
2014 }
2015