2005-01-06 23:35:40 +00:00
|
|
|
/*-
|
1994-05-25 09:21:21 +00:00
|
|
|
* Copyright (c) 1993, David Greenman
|
|
|
|
|
* All rights reserved.
|
1994-05-24 10:09:53 +00:00
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
1994-05-25 09:21:21 +00:00
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
1994-05-24 10:09:53 +00:00
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
1994-05-25 09:21:21 +00:00
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
1994-05-24 10:09:53 +00:00
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
2003-06-11 00:56:59 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
|
2005-06-24 00:16:57 +00:00
|
|
|
#include "opt_hwpmc_hooks.h"
|
2002-07-01 19:49:04 +00:00
|
|
|
#include "opt_ktrace.h"
|
2002-08-01 14:31:58 +00:00
|
|
|
#include "opt_mac.h"
|
2002-07-01 19:49:04 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/param.h>
|
1994-05-25 09:21:21 +00:00
|
|
|
#include <sys/systm.h>
|
2003-03-24 21:15:35 +00:00
|
|
|
#include <sys/eventhandler.h>
|
2001-05-01 08:13:21 +00:00
|
|
|
#include <sys/lock.h>
|
|
|
|
|
#include <sys/mutex.h>
|
1995-11-12 06:43:28 +00:00
|
|
|
#include <sys/sysproto.h>
|
1994-05-25 09:21:21 +00:00
|
|
|
#include <sys/signalvar.h>
|
|
|
|
|
#include <sys/kernel.h>
|
|
|
|
|
#include <sys/mount.h>
|
1994-10-02 17:35:40 +00:00
|
|
|
#include <sys/filedesc.h>
|
1995-10-21 08:38:13 +00:00
|
|
|
#include <sys/fcntl.h>
|
1994-05-25 09:21:21 +00:00
|
|
|
#include <sys/acct.h>
|
|
|
|
|
#include <sys/exec.h>
|
|
|
|
|
#include <sys/imgact.h>
|
1996-03-10 08:42:54 +00:00
|
|
|
#include <sys/imgact_elf.h>
|
1994-05-25 09:21:21 +00:00
|
|
|
#include <sys/wait.h>
|
2001-07-09 19:01:42 +00:00
|
|
|
#include <sys/malloc.h>
|
1996-05-01 02:43:13 +00:00
|
|
|
#include <sys/proc.h>
|
1997-12-06 04:11:14 +00:00
|
|
|
#include <sys/pioctl.h>
|
1996-05-01 02:43:13 +00:00
|
|
|
#include <sys/namei.h>
|
2004-11-27 06:51:39 +00:00
|
|
|
#include <sys/resourcevar.h>
|
2004-04-23 03:01:40 +00:00
|
|
|
#include <sys/sf_buf.h>
|
2004-10-07 13:50:10 +00:00
|
|
|
#include <sys/syscallsubr.h>
|
1995-02-14 19:23:22 +00:00
|
|
|
#include <sys/sysent.h>
|
1994-10-02 17:35:40 +00:00
|
|
|
#include <sys/shm.h>
|
1996-02-24 14:32:53 +00:00
|
|
|
#include <sys/sysctl.h>
|
1996-05-01 02:43:13 +00:00
|
|
|
#include <sys/vnode.h>
|
2002-07-01 23:18:08 +00:00
|
|
|
#ifdef KTRACE
|
|
|
|
|
#include <sys/ktrace.h>
|
|
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
#include <vm/vm.h>
|
1995-12-07 12:48:31 +00:00
|
|
|
#include <vm/vm_param.h>
|
|
|
|
|
#include <vm/pmap.h>
|
1998-01-11 21:35:38 +00:00
|
|
|
#include <vm/vm_page.h>
|
1995-12-07 12:48:31 +00:00
|
|
|
#include <vm/vm_map.h>
|
1994-05-25 09:21:21 +00:00
|
|
|
#include <vm/vm_kern.h>
|
1995-12-07 12:48:31 +00:00
|
|
|
#include <vm/vm_extern.h>
|
1997-04-18 02:43:05 +00:00
|
|
|
#include <vm/vm_object.h>
|
1998-01-11 21:35:38 +00:00
|
|
|
#include <vm/vm_pager.h>
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-04-19 04:01:25 +00:00
|
|
|
#ifdef HWPMC_HOOKS
|
|
|
|
|
#include <sys/pmckern.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
#include <machine/reg.h>
|
|
|
|
|
|
2006-09-01 11:45:40 +00:00
|
|
|
#include <security/audit/audit.h>
|
2006-10-22 11:52:19 +00:00
|
|
|
#include <security/mac/mac_framework.h>
|
2006-09-01 11:45:40 +00:00
|
|
|
|
1999-11-16 20:31:58 +00:00
|
|
|
MALLOC_DEFINE(M_PARGS, "proc-args", "Process arguments");
|
|
|
|
|
|
2002-09-21 22:07:17 +00:00
|
|
|
static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS);
|
|
|
|
|
static int sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS);
|
2003-01-04 07:54:23 +00:00
|
|
|
static int sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS);
|
2005-01-29 23:12:00 +00:00
|
|
|
static int do_execve(struct thread *td, struct image_args *args,
|
|
|
|
|
struct mac *mac_p);
|
2006-02-06 22:06:54 +00:00
|
|
|
static void exec_free_args(struct image_args *);
|
2002-09-21 22:07:17 +00:00
|
|
|
|
2000-07-05 07:46:41 +00:00
|
|
|
/* XXX This should be vm_size_t. */
|
2002-09-21 22:07:17 +00:00
|
|
|
SYSCTL_PROC(_kern, KERN_PS_STRINGS, ps_strings, CTLTYPE_ULONG|CTLFLAG_RD,
|
|
|
|
|
NULL, 0, sysctl_kern_ps_strings, "LU", "");
|
1998-12-27 18:03:29 +00:00
|
|
|
|
2000-07-05 07:46:41 +00:00
|
|
|
/* XXX This should be vm_size_t. */
|
2002-09-21 22:07:17 +00:00
|
|
|
SYSCTL_PROC(_kern, KERN_USRSTACK, usrstack, CTLTYPE_ULONG|CTLFLAG_RD,
|
|
|
|
|
NULL, 0, sysctl_kern_usrstack, "LU", "");
|
1996-02-24 14:32:53 +00:00
|
|
|
|
2003-01-04 07:54:23 +00:00
|
|
|
SYSCTL_PROC(_kern, OID_AUTO, stackprot, CTLTYPE_INT|CTLFLAG_RD,
|
|
|
|
|
NULL, 0, sysctl_kern_stackprot, "I", "");
|
|
|
|
|
|
1999-11-16 20:31:58 +00:00
|
|
|
u_long ps_arg_cache_limit = PAGE_SIZE / 16;
|
2001-11-08 00:24:48 +00:00
|
|
|
SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
|
2000-07-05 07:46:41 +00:00
|
|
|
&ps_arg_cache_limit, 0, "");
|
1999-11-16 20:31:58 +00:00
|
|
|
|
2002-09-21 22:07:17 +00:00
|
|
|
static int
|
|
|
|
|
sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
|
|
|
|
|
{
|
|
|
|
|
struct proc *p;
|
2004-02-18 00:54:17 +00:00
|
|
|
int error;
|
2002-09-21 22:07:17 +00:00
|
|
|
|
|
|
|
|
p = curproc;
|
2004-10-11 22:04:16 +00:00
|
|
|
#ifdef SCTL_MASK32
|
|
|
|
|
if (req->flags & SCTL_MASK32) {
|
2004-02-18 00:54:17 +00:00
|
|
|
unsigned int val;
|
|
|
|
|
val = (unsigned int)p->p_sysent->sv_psstrings;
|
|
|
|
|
error = SYSCTL_OUT(req, &val, sizeof(val));
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
|
|
|
|
error = SYSCTL_OUT(req, &p->p_sysent->sv_psstrings,
|
|
|
|
|
sizeof(p->p_sysent->sv_psstrings));
|
|
|
|
|
return error;
|
2002-09-21 22:07:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS)
|
|
|
|
|
{
|
|
|
|
|
struct proc *p;
|
2004-02-18 00:54:17 +00:00
|
|
|
int error;
|
2002-09-21 22:07:17 +00:00
|
|
|
|
|
|
|
|
p = curproc;
|
2004-10-11 22:04:16 +00:00
|
|
|
#ifdef SCTL_MASK32
|
|
|
|
|
if (req->flags & SCTL_MASK32) {
|
2004-02-18 00:54:17 +00:00
|
|
|
unsigned int val;
|
|
|
|
|
val = (unsigned int)p->p_sysent->sv_usrstack;
|
|
|
|
|
error = SYSCTL_OUT(req, &val, sizeof(val));
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
|
|
|
|
error = SYSCTL_OUT(req, &p->p_sysent->sv_usrstack,
|
|
|
|
|
sizeof(p->p_sysent->sv_usrstack));
|
|
|
|
|
return error;
|
2002-09-21 22:07:17 +00:00
|
|
|
}
|
|
|
|
|
|
2003-01-04 07:54:23 +00:00
|
|
|
static int
|
|
|
|
|
sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS)
|
|
|
|
|
{
|
|
|
|
|
struct proc *p;
|
|
|
|
|
|
|
|
|
|
p = curproc;
|
|
|
|
|
return (SYSCTL_OUT(req, &p->p_sysent->sv_stackprot,
|
|
|
|
|
sizeof(p->p_sysent->sv_stackprot)));
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
1998-10-16 03:55:01 +00:00
|
|
|
* Each of the items is a pointer to a `const struct execsw', hence the
|
|
|
|
|
* double pointer here.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
1998-10-16 03:55:01 +00:00
|
|
|
static const struct execsw **execsw;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2003-12-28 04:18:13 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
|
struct execve_args {
|
2004-07-24 04:57:41 +00:00
|
|
|
char *fname;
|
|
|
|
|
char **argv;
|
|
|
|
|
char **envv;
|
2003-12-28 04:18:13 +00:00
|
|
|
};
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* MPSAFE
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
execve(td, uap)
|
|
|
|
|
struct thread *td;
|
|
|
|
|
struct execve_args /* {
|
|
|
|
|
char *fname;
|
|
|
|
|
char **argv;
|
|
|
|
|
char **envv;
|
|
|
|
|
} */ *uap;
|
|
|
|
|
{
|
2005-01-29 23:12:00 +00:00
|
|
|
int error;
|
|
|
|
|
struct image_args args;
|
|
|
|
|
|
|
|
|
|
error = exec_copyin_args(&args, uap->fname, UIO_USERSPACE,
|
|
|
|
|
uap->argv, uap->envv);
|
|
|
|
|
if (error == 0)
|
|
|
|
|
error = kern_execve(td, &args, NULL);
|
|
|
|
|
return (error);
|
2003-12-28 04:18:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
|
struct __mac_execve_args {
|
|
|
|
|
char *fname;
|
|
|
|
|
char **argv;
|
|
|
|
|
char **envv;
|
|
|
|
|
struct mac *mac_p;
|
|
|
|
|
};
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* MPSAFE
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
__mac_execve(td, uap)
|
|
|
|
|
struct thread *td;
|
|
|
|
|
struct __mac_execve_args /* {
|
|
|
|
|
char *fname;
|
|
|
|
|
char **argv;
|
|
|
|
|
char **envv;
|
|
|
|
|
struct mac *mac_p;
|
|
|
|
|
} */ *uap;
|
|
|
|
|
{
|
|
|
|
|
#ifdef MAC
|
2005-01-29 23:12:00 +00:00
|
|
|
int error;
|
|
|
|
|
struct image_args args;
|
|
|
|
|
|
|
|
|
|
error = exec_copyin_args(&args, uap->fname, UIO_USERSPACE,
|
|
|
|
|
uap->argv, uap->envv);
|
|
|
|
|
if (error == 0)
|
|
|
|
|
error = kern_execve(td, &args, uap->mac_p);
|
|
|
|
|
return (error);
|
2003-12-28 04:18:13 +00:00
|
|
|
#else
|
|
|
|
|
return (ENOSYS);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2005-10-03 12:49:54 +00:00
|
|
|
/*
|
|
|
|
|
* XXX: kern_execve has the astonishing property of not always
|
|
|
|
|
* returning to the caller. If sufficiently bad things happen during
|
|
|
|
|
* the call to do_execve(), it can end up calling exit1(); as a result,
|
|
|
|
|
* callers must avoid doing anything which they might need to undo
|
|
|
|
|
* (e.g., allocating memory).
|
|
|
|
|
*/
|
2004-10-07 13:50:10 +00:00
|
|
|
int
|
2005-01-29 23:12:00 +00:00
|
|
|
kern_execve(td, args, mac_p)
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
struct thread *td;
|
2005-01-29 23:12:00 +00:00
|
|
|
struct image_args *args;
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
struct mac *mac_p;
|
|
|
|
|
{
|
|
|
|
|
struct proc *p = td->td_proc;
|
|
|
|
|
int error;
|
|
|
|
|
|
2006-09-01 11:45:40 +00:00
|
|
|
AUDIT_ARG(argv, args->begin_argv, args->argc,
|
|
|
|
|
args->begin_envv - args->begin_argv);
|
|
|
|
|
AUDIT_ARG(envv, args->begin_envv, args->envc,
|
|
|
|
|
args->endp - args->begin_envv);
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
if (p->p_flag & P_HADTHREADS) {
|
|
|
|
|
PROC_LOCK(p);
|
|
|
|
|
if (thread_single(SINGLE_BOUNDARY)) {
|
|
|
|
|
PROC_UNLOCK(p);
|
2006-03-08 20:21:54 +00:00
|
|
|
exec_free_args(args);
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
return (ERESTART); /* Try again later. */
|
|
|
|
|
}
|
|
|
|
|
PROC_UNLOCK(p);
|
|
|
|
|
}
|
|
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
error = do_execve(td, args, mac_p);
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
|
|
|
|
|
if (p->p_flag & P_HADTHREADS) {
|
|
|
|
|
PROC_LOCK(p);
|
|
|
|
|
/*
|
|
|
|
|
* If success, we upgrade to SINGLE_EXIT state to
|
|
|
|
|
* force other threads to suicide.
|
|
|
|
|
*/
|
|
|
|
|
if (error == 0)
|
2005-01-29 23:12:00 +00:00
|
|
|
thread_single(SINGLE_EXIT);
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
else
|
|
|
|
|
thread_single_end();
|
|
|
|
|
PROC_UNLOCK(p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
Remove reference to struct execve_args from struct imgact, which
describes an image activation instance. Instead, make use of the
existing fname structure entry, and introduce two new entries,
userspace_argv, and userspace_envv. With the addition of
mac_execve(), this divorces the image structure from the specifics
of the execve() system call, removes a redundant pointer, etc.
No semantic change from current behavior, but it means that the
structure doesn't depend on syscalls.master-generated includes.
There seems to be some redundant initialization of imgact entries,
which I have maintained, but which could probably use some cleaning
up at some point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-11-05 01:59:56 +00:00
|
|
|
* In-kernel implementation of execve(). All arguments are assumed to be
|
|
|
|
|
* userspace pointers from the passed thread.
|
2001-09-01 03:04:31 +00:00
|
|
|
*
|
|
|
|
|
* MPSAFE
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
Remove reference to struct execve_args from struct imgact, which
describes an image activation instance. Instead, make use of the
existing fname structure entry, and introduce two new entries,
userspace_argv, and userspace_envv. With the addition of
mac_execve(), this divorces the image structure from the specifics
of the execve() system call, removes a redundant pointer, etc.
No semantic change from current behavior, but it means that the
structure doesn't depend on syscalls.master-generated includes.
There seems to be some redundant initialization of imgact entries,
which I have maintained, but which could probably use some cleaning
up at some point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-11-05 01:59:56 +00:00
|
|
|
static int
|
2005-01-29 23:12:00 +00:00
|
|
|
do_execve(td, args, mac_p)
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
2005-01-29 23:12:00 +00:00
|
|
|
struct image_args *args;
|
2002-11-05 17:51:56 +00:00
|
|
|
struct mac *mac_p;
|
1994-05-25 09:21:21 +00:00
|
|
|
{
|
2001-09-12 08:38:13 +00:00
|
|
|
struct proc *p = td->td_proc;
|
1994-05-25 09:21:21 +00:00
|
|
|
struct nameidata nd, *ndp;
|
2002-05-02 15:00:14 +00:00
|
|
|
struct ucred *newcred = NULL, *oldcred;
|
2002-06-19 06:39:25 +00:00
|
|
|
struct uidinfo *euip;
|
1999-12-27 10:42:55 +00:00
|
|
|
register_t *stack_base;
|
1994-09-25 19:34:02 +00:00
|
|
|
int error, len, i;
|
1995-11-06 12:52:37 +00:00
|
|
|
struct image_params image_params, *imgp;
|
2005-10-12 06:56:00 +00:00
|
|
|
struct vattr attr;
|
2002-03-19 21:25:46 +00:00
|
|
|
int (*img_first)(struct image_params *);
|
2002-06-20 17:27:28 +00:00
|
|
|
struct pargs *oldargs = NULL, *newargs = NULL;
|
- Merge struct procsig with struct sigacts.
- Move struct sigacts out of the u-area and malloc() it using the
M_SUBPROC malloc bucket.
- Add a small sigacts_*() API for managing sigacts structures: sigacts_alloc(),
sigacts_free(), sigacts_copy(), sigacts_share(), and sigacts_shared().
- Remove the p_sigignore, p_sigacts, and p_sigcatch macros.
- Add a mutex to struct sigacts that protects all the members of the struct.
- Add sigacts locking.
- Remove Giant from nosys(), kill(), killpg(), and kern_sigaction() now
that sigacts is locked.
- Several in-kernel functions such as psignal(), tdsignal(), trapsignal(),
and thread_stopped() are now MP safe.
Reviewed by: arch@
Approved by: re (rwatson)
2003-05-13 20:36:02 +00:00
|
|
|
struct sigacts *oldsigacts, *newsigacts;
|
2002-06-07 05:41:27 +00:00
|
|
|
#ifdef KTRACE
|
|
|
|
|
struct vnode *tracevp = NULL;
|
2003-03-13 18:24:22 +00:00
|
|
|
struct ucred *tracecred = NULL;
|
2002-06-07 05:41:27 +00:00
|
|
|
#endif
|
|
|
|
|
struct vnode *textvp = NULL;
|
2002-07-27 18:06:49 +00:00
|
|
|
int credential_changing;
|
2005-05-03 10:55:05 +00:00
|
|
|
int vfslocked;
|
2002-08-13 06:55:28 +00:00
|
|
|
int textset;
|
2002-11-05 14:57:49 +00:00
|
|
|
#ifdef MAC
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
struct label *interplabel = NULL;
|
|
|
|
|
int will_transition;
|
2002-11-05 14:57:49 +00:00
|
|
|
#endif
|
2005-06-30 19:01:26 +00:00
|
|
|
#ifdef HWPMC_HOOKS
|
|
|
|
|
struct pmckern_procexec pe;
|
|
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-05-03 16:24:59 +00:00
|
|
|
vfslocked = 0;
|
1995-11-06 12:52:37 +00:00
|
|
|
imgp = &image_params;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2001-10-27 11:11:25 +00:00
|
|
|
/*
|
|
|
|
|
* Lock the process and set the P_INEXEC flag to indicate that
|
|
|
|
|
* it should be left alone until we're done here. This is
|
|
|
|
|
* necessary to avoid race conditions - e.g. in ptrace() -
|
|
|
|
|
* that might allow a local user to illicitly obtain elevated
|
|
|
|
|
* privileges.
|
|
|
|
|
*/
|
|
|
|
|
PROC_LOCK(p);
|
|
|
|
|
KASSERT((p->p_flag & P_INEXEC) == 0,
|
2001-12-10 05:40:12 +00:00
|
|
|
("%s(): process already has P_INEXEC flag", __func__));
|
2001-10-27 11:11:25 +00:00
|
|
|
p->p_flag |= P_INEXEC;
|
|
|
|
|
PROC_UNLOCK(p);
|
2001-09-12 08:38:13 +00:00
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
1995-11-06 12:52:37 +00:00
|
|
|
* Initialize part of the common data
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
1995-11-06 12:52:37 +00:00
|
|
|
imgp->proc = p;
|
2002-11-05 17:51:56 +00:00
|
|
|
imgp->execlabel = NULL;
|
1995-11-06 12:52:37 +00:00
|
|
|
imgp->attr = &attr;
|
|
|
|
|
imgp->entry_addr = 0;
|
|
|
|
|
imgp->vmspace_destroyed = 0;
|
|
|
|
|
imgp->interpreted = 0;
|
2005-02-25 11:49:42 +00:00
|
|
|
imgp->interpreter_name = args->buf + PATH_MAX + ARG_MAX;
|
1996-03-10 08:42:54 +00:00
|
|
|
imgp->auxargs = NULL;
|
1998-01-11 21:35:38 +00:00
|
|
|
imgp->vp = NULL;
|
2002-07-06 07:00:01 +00:00
|
|
|
imgp->object = NULL;
|
1998-01-11 21:35:38 +00:00
|
|
|
imgp->firstpage = NULL;
|
1999-04-03 22:20:03 +00:00
|
|
|
imgp->ps_strings = 0;
|
2000-09-26 05:09:21 +00:00
|
|
|
imgp->auxarg_size = 0;
|
2005-01-29 23:12:00 +00:00
|
|
|
imgp->args = args;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2002-11-05 17:51:56 +00:00
|
|
|
#ifdef MAC
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
error = mac_execve_enter(imgp, mac_p);
|
2005-05-03 16:24:59 +00:00
|
|
|
if (error)
|
2002-11-05 17:51:56 +00:00
|
|
|
goto exec_fail;
|
|
|
|
|
#endif
|
|
|
|
|
|
2004-04-23 03:01:40 +00:00
|
|
|
imgp->image_header = NULL;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Translate the file name. namei() returns a vnode pointer
|
|
|
|
|
* in ni_vp amoung other things.
|
2006-09-01 11:45:40 +00:00
|
|
|
*
|
|
|
|
|
* XXXAUDIT: It would be desirable to also audit the name of the
|
|
|
|
|
* interpreter if this is an interpreted binary.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
|
|
|
|
ndp = &nd;
|
2006-05-28 08:28:47 +00:00
|
|
|
NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE |
|
|
|
|
|
AUDITVNODE1, UIO_SYSSPACE, args->fname, td);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
interpret:
|
|
|
|
|
error = namei(ndp);
|
2005-01-29 23:12:00 +00:00
|
|
|
if (error)
|
1995-05-30 08:16:23 +00:00
|
|
|
goto exec_fail;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-05-03 10:55:05 +00:00
|
|
|
vfslocked = NDHASGIANT(ndp);
|
1995-11-06 12:52:37 +00:00
|
|
|
imgp->vp = ndp->ni_vp;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1995-03-19 23:08:12 +00:00
|
|
|
/*
|
1995-03-19 23:27:57 +00:00
|
|
|
* Check file permissions (also 'opens' file)
|
1995-03-19 23:08:12 +00:00
|
|
|
*/
|
1995-11-06 12:52:37 +00:00
|
|
|
error = exec_check_permissions(imgp);
|
2002-08-13 06:55:28 +00:00
|
|
|
if (error)
|
1994-05-25 09:21:21 +00:00
|
|
|
goto exec_fail_dealloc;
|
2002-08-13 06:55:28 +00:00
|
|
|
|
2005-01-25 00:40:01 +00:00
|
|
|
imgp->object = imgp->vp->v_object;
|
|
|
|
|
if (imgp->object != NULL)
|
2002-08-13 06:55:28 +00:00
|
|
|
vm_object_reference(imgp->object);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set VV_TEXT now so no one can write to the executable while we're
|
|
|
|
|
* activating it.
|
|
|
|
|
*
|
|
|
|
|
* Remember if this was set before and unset it in case this is not
|
|
|
|
|
* actually an executable image.
|
|
|
|
|
*/
|
|
|
|
|
textset = imgp->vp->v_vflag & VV_TEXT;
|
|
|
|
|
imgp->vp->v_vflag |= VV_TEXT;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1998-01-11 21:35:38 +00:00
|
|
|
error = exec_map_first_page(imgp);
|
1997-04-04 04:17:11 +00:00
|
|
|
if (error)
|
1994-05-25 09:21:21 +00:00
|
|
|
goto exec_fail_dealloc;
|
|
|
|
|
|
|
|
|
|
/*
|
2000-04-26 20:58:40 +00:00
|
|
|
* If the current process has a special image activator it
|
2005-01-29 23:12:00 +00:00
|
|
|
* wants to try first, call it. For example, emulating shell
|
2000-04-26 20:58:40 +00:00
|
|
|
* scripts differently.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
2000-04-26 20:58:40 +00:00
|
|
|
error = -1;
|
|
|
|
|
if ((img_first = imgp->proc->p_sysent->sv_imgact_try) != NULL)
|
|
|
|
|
error = img_first(imgp);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Loop through the list of image activators, calling each one.
|
|
|
|
|
* An activator returns -1 if there is no match, 0 on success,
|
|
|
|
|
* and an error otherwise.
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; error == -1 && execsw[i]; ++i) {
|
|
|
|
|
if (execsw[i]->ex_imgact == NULL ||
|
|
|
|
|
execsw[i]->ex_imgact == img_first) {
|
1994-05-25 09:21:21 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2000-04-26 20:58:40 +00:00
|
|
|
error = (*execsw[i]->ex_imgact)(imgp);
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
2000-04-26 20:58:40 +00:00
|
|
|
|
|
|
|
|
if (error) {
|
2002-08-13 06:55:28 +00:00
|
|
|
if (error == -1) {
|
|
|
|
|
if (textset == 0)
|
|
|
|
|
imgp->vp->v_vflag &= ~VV_TEXT;
|
2000-04-26 20:58:40 +00:00
|
|
|
error = ENOEXEC;
|
2002-08-13 06:55:28 +00:00
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
goto exec_fail_dealloc;
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-26 20:58:40 +00:00
|
|
|
/*
|
|
|
|
|
* Special interpreter operation, cleanup and loop up to try to
|
|
|
|
|
* activate the interpreter.
|
|
|
|
|
*/
|
|
|
|
|
if (imgp->interpreted) {
|
|
|
|
|
exec_unmap_first_page(imgp);
|
2002-08-13 06:55:28 +00:00
|
|
|
/*
|
|
|
|
|
* VV_TEXT needs to be unset for scripts. There is a short
|
|
|
|
|
* period before we determine that something is a script where
|
|
|
|
|
* VV_TEXT will be set. The vnode lock is held over this
|
|
|
|
|
* entire period so nothing should illegitimately be blocked.
|
|
|
|
|
*/
|
|
|
|
|
imgp->vp->v_vflag &= ~VV_TEXT;
|
2000-04-26 20:58:40 +00:00
|
|
|
/* free name buffer and old vnode */
|
|
|
|
|
NDFREE(ndp, NDF_ONLY_PNBUF);
|
2002-11-05 17:51:56 +00:00
|
|
|
#ifdef MAC
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
interplabel = mac_vnode_label_alloc();
|
|
|
|
|
mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
|
2002-11-05 17:51:56 +00:00
|
|
|
#endif
|
2002-08-13 06:55:28 +00:00
|
|
|
vput(ndp->ni_vp);
|
2002-07-06 07:00:01 +00:00
|
|
|
vm_object_deallocate(imgp->object);
|
|
|
|
|
imgp->object = NULL;
|
2005-05-03 10:55:05 +00:00
|
|
|
VFS_UNLOCK_GIANT(vfslocked);
|
2005-05-03 16:24:59 +00:00
|
|
|
vfslocked = 0;
|
2000-04-26 20:58:40 +00:00
|
|
|
/* set new name to that of the interpreter */
|
2005-05-03 10:55:05 +00:00
|
|
|
NDINIT(ndp, LOOKUP, LOCKLEAF | FOLLOW | SAVENAME | MPSAFE,
|
2001-09-12 08:38:13 +00:00
|
|
|
UIO_SYSSPACE, imgp->interpreter_name, td);
|
2000-04-26 20:58:40 +00:00
|
|
|
goto interpret;
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* Copy out strings (args and env) and initialize stack base
|
|
|
|
|
*/
|
2002-07-20 02:56:12 +00:00
|
|
|
if (p->p_sysent->sv_copyout_strings)
|
|
|
|
|
stack_base = (*p->p_sysent->sv_copyout_strings)(imgp);
|
|
|
|
|
else
|
|
|
|
|
stack_base = exec_copyout_strings(imgp);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
/*
|
1995-02-14 19:23:22 +00:00
|
|
|
* If custom stack fixup routine present for this process
|
|
|
|
|
* let it do the stack setup.
|
|
|
|
|
* Else stuff argument count as first item on stack
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
2003-12-28 04:37:59 +00:00
|
|
|
if (p->p_sysent->sv_fixup != NULL)
|
1995-11-06 12:52:37 +00:00
|
|
|
(*p->p_sysent->sv_fixup)(&stack_base, imgp);
|
1995-02-14 19:23:22 +00:00
|
|
|
else
|
2005-01-29 23:12:00 +00:00
|
|
|
suword(--stack_base, imgp->args->argc);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1997-08-04 05:39:24 +00:00
|
|
|
/*
|
|
|
|
|
* For security and other reasons, the file descriptor table cannot
|
|
|
|
|
* be shared after an exec.
|
|
|
|
|
*/
|
2004-12-14 07:20:03 +00:00
|
|
|
fdunshare(p, td);
|
1997-08-04 05:39:24 +00:00
|
|
|
|
2002-05-02 15:00:14 +00:00
|
|
|
/*
|
|
|
|
|
* Malloc things before we need locks.
|
|
|
|
|
*/
|
|
|
|
|
newcred = crget();
|
2002-06-19 06:39:25 +00:00
|
|
|
euip = uifind(attr.va_uid);
|
2005-01-29 23:12:00 +00:00
|
|
|
i = imgp->args->begin_envv - imgp->args->begin_argv;
|
2005-10-01 08:33:56 +00:00
|
|
|
/* Cache arguments if they fit inside our allowance */
|
|
|
|
|
if (ps_arg_cache_limit >= i + sizeof(struct pargs)) {
|
2002-05-02 15:00:14 +00:00
|
|
|
newargs = pargs_alloc(i);
|
2005-10-01 08:33:56 +00:00
|
|
|
bcopy(imgp->args->begin_argv, newargs->ar_args, i);
|
|
|
|
|
}
|
2002-05-02 15:00:14 +00:00
|
|
|
|
|
|
|
|
/* close files on exec */
|
2006-05-05 20:25:05 +00:00
|
|
|
VOP_UNLOCK(imgp->vp, 0, td);
|
2002-05-02 15:00:14 +00:00
|
|
|
fdcloseexec(td);
|
2006-05-05 20:25:05 +00:00
|
|
|
vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2002-05-02 15:00:14 +00:00
|
|
|
|
2002-08-13 06:55:28 +00:00
|
|
|
/* Get a reference to the vnode prior to locking the proc */
|
|
|
|
|
VREF(ndp->ni_vp);
|
|
|
|
|
|
2001-07-09 19:01:42 +00:00
|
|
|
/*
|
|
|
|
|
* For security and other reasons, signal handlers cannot
|
2001-10-09 17:25:30 +00:00
|
|
|
* be shared after an exec. The new process gets a copy of the old
|
2001-07-11 02:04:43 +00:00
|
|
|
* handlers. In execsigs(), the new process will have its signals
|
2001-07-09 19:01:42 +00:00
|
|
|
* reset.
|
|
|
|
|
*/
|
2002-05-02 15:00:14 +00:00
|
|
|
PROC_LOCK(p);
|
- Merge struct procsig with struct sigacts.
- Move struct sigacts out of the u-area and malloc() it using the
M_SUBPROC malloc bucket.
- Add a small sigacts_*() API for managing sigacts structures: sigacts_alloc(),
sigacts_free(), sigacts_copy(), sigacts_share(), and sigacts_shared().
- Remove the p_sigignore, p_sigacts, and p_sigcatch macros.
- Add a mutex to struct sigacts that protects all the members of the struct.
- Add sigacts locking.
- Remove Giant from nosys(), kill(), killpg(), and kern_sigaction() now
that sigacts is locked.
- Several in-kernel functions such as psignal(), tdsignal(), trapsignal(),
and thread_stopped() are now MP safe.
Reviewed by: arch@
Approved by: re (rwatson)
2003-05-13 20:36:02 +00:00
|
|
|
if (sigacts_shared(p->p_sigacts)) {
|
|
|
|
|
oldsigacts = p->p_sigacts;
|
2002-05-02 15:00:14 +00:00
|
|
|
PROC_UNLOCK(p);
|
- Merge struct procsig with struct sigacts.
- Move struct sigacts out of the u-area and malloc() it using the
M_SUBPROC malloc bucket.
- Add a small sigacts_*() API for managing sigacts structures: sigacts_alloc(),
sigacts_free(), sigacts_copy(), sigacts_share(), and sigacts_shared().
- Remove the p_sigignore, p_sigacts, and p_sigcatch macros.
- Add a mutex to struct sigacts that protects all the members of the struct.
- Add sigacts locking.
- Remove Giant from nosys(), kill(), killpg(), and kern_sigaction() now
that sigacts is locked.
- Several in-kernel functions such as psignal(), tdsignal(), trapsignal(),
and thread_stopped() are now MP safe.
Reviewed by: arch@
Approved by: re (rwatson)
2003-05-13 20:36:02 +00:00
|
|
|
newsigacts = sigacts_alloc();
|
|
|
|
|
sigacts_copy(newsigacts, oldsigacts);
|
2002-05-02 15:00:14 +00:00
|
|
|
PROC_LOCK(p);
|
- Merge struct procsig with struct sigacts.
- Move struct sigacts out of the u-area and malloc() it using the
M_SUBPROC malloc bucket.
- Add a small sigacts_*() API for managing sigacts structures: sigacts_alloc(),
sigacts_free(), sigacts_copy(), sigacts_share(), and sigacts_shared().
- Remove the p_sigignore, p_sigacts, and p_sigcatch macros.
- Add a mutex to struct sigacts that protects all the members of the struct.
- Add sigacts locking.
- Remove Giant from nosys(), kill(), killpg(), and kern_sigaction() now
that sigacts is locked.
- Several in-kernel functions such as psignal(), tdsignal(), trapsignal(),
and thread_stopped() are now MP safe.
Reviewed by: arch@
Approved by: re (rwatson)
2003-05-13 20:36:02 +00:00
|
|
|
p->p_sigacts = newsigacts;
|
|
|
|
|
} else
|
|
|
|
|
oldsigacts = NULL;
|
2001-07-09 19:01:42 +00:00
|
|
|
|
1999-08-11 20:35:38 +00:00
|
|
|
/* Stop profiling */
|
|
|
|
|
stopprofclock(p);
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/* reset caught signals */
|
|
|
|
|
execsigs(p);
|
|
|
|
|
|
|
|
|
|
/* name this process - nameiexec(p, ndp) */
|
|
|
|
|
len = min(ndp->ni_cnd.cn_namelen,MAXCOMLEN);
|
|
|
|
|
bcopy(ndp->ni_cnd.cn_nameptr, p->p_comm, len);
|
|
|
|
|
p->p_comm[len] = 0;
|
1995-05-30 08:16:23 +00:00
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
1996-04-29 15:07:59 +00:00
|
|
|
* mark as execed, wakeup the process that vforked (if any) and tell
|
1998-04-17 22:37:19 +00:00
|
|
|
* it that it now has its own resources back
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
|
|
|
|
p->p_flag |= P_EXEC;
|
|
|
|
|
if (p->p_pptr && (p->p_flag & P_PPWAIT)) {
|
|
|
|
|
p->p_flag &= ~P_PPWAIT;
|
2002-06-29 01:50:25 +00:00
|
|
|
wakeup(p->p_pptr);
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
1995-05-30 08:16:23 +00:00
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
1997-08-04 05:39:24 +00:00
|
|
|
* Implement image setuid/setgid.
|
|
|
|
|
*
|
|
|
|
|
* Don't honor setuid/setgid if the filesystem prohibits it or if
|
|
|
|
|
* the process is being traced.
|
2002-11-05 17:51:56 +00:00
|
|
|
*
|
|
|
|
|
* XXXMAC: For the time being, use NOSUID to also prohibit
|
|
|
|
|
* transitions on the file system.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
o Merge contents of struct pcred into struct ucred. Specifically, add the
real uid, saved uid, real gid, and saved gid to ucred, as well as the
pcred->pc_uidinfo, which was associated with the real uid, only rename
it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
original macro that pointed.
p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
we figure out locking and optimizations; generally speaking, this
means moving to a structure like this:
newcred = crdup(oldcred);
...
p->p_ucred = newcred;
crfree(oldcred);
It's not race-free, but better than nothing. There are also races
in sys_process.c, all inter-process authorization, fork, exec, and
exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
allocation.
o Clean up ktrcanset() to take into account changes, and move to using
suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
calls to better document current behavior. In a couple of places,
current behavior is a little questionable and we need to check
POSIX.1 to make sure it's "right". More commenting work still
remains to be done.
o Update credential management calls, such as crfree(), to take into
account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
change_euid()
change_egid()
change_ruid()
change_rgid()
change_svuid()
change_svgid()
In each case, the call now acts on a credential not a process, and as
such no longer requires more complicated process locking/etc. They
now assume the caller will do any necessary allocation of an
exclusive credential reference. Each is commented to document its
reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
processes and pcreds. Note that this authorization, as well as
CANSIGIO(), needs to be updated to use the p_cansignal() and
p_cansched() centralized authorization routines, as they currently
do not take into account some desirable restrictions that are handled
by the centralized routines, as well as being inconsistent with other
similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
2001-05-25 16:59:11 +00:00
|
|
|
oldcred = p->p_ucred;
|
2002-07-27 18:06:49 +00:00
|
|
|
credential_changing = 0;
|
|
|
|
|
credential_changing |= (attr.va_mode & VSUID) && oldcred->cr_uid !=
|
|
|
|
|
attr.va_uid;
|
|
|
|
|
credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid !=
|
|
|
|
|
attr.va_gid;
|
2002-11-05 14:57:49 +00:00
|
|
|
#ifdef MAC
|
2002-11-05 17:51:56 +00:00
|
|
|
will_transition = mac_execve_will_transition(oldcred, imgp->vp,
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
interplabel, imgp);
|
2002-11-05 14:57:49 +00:00
|
|
|
credential_changing |= will_transition;
|
|
|
|
|
#endif
|
2002-07-27 18:06:49 +00:00
|
|
|
|
|
|
|
|
if (credential_changing &&
|
1997-08-04 05:39:24 +00:00
|
|
|
(imgp->vp->v_mount->mnt_flag & MNT_NOSUID) == 0 &&
|
1995-11-06 12:52:37 +00:00
|
|
|
(p->p_flag & P_TRACED) == 0) {
|
|
|
|
|
/*
|
|
|
|
|
* Turn off syscall tracing for set-id programs, except for
|
2001-06-16 23:34:23 +00:00
|
|
|
* root. Record any set-id flags first to make sure that
|
|
|
|
|
* we do not regain any tracing during a possible block.
|
1995-11-06 12:52:37 +00:00
|
|
|
*/
|
2001-06-16 23:34:23 +00:00
|
|
|
setsugid(p);
|
2002-06-07 05:41:27 +00:00
|
|
|
#ifdef KTRACE
|
2004-07-26 07:24:04 +00:00
|
|
|
if (p->p_tracevp != NULL && suser_cred(oldcred, SUSER_ALLOWJAIL)) {
|
2002-06-07 05:41:27 +00:00
|
|
|
mtx_lock(&ktrace_mtx);
|
2002-05-02 15:00:14 +00:00
|
|
|
p->p_traceflag = 0;
|
2003-03-13 18:24:22 +00:00
|
|
|
tracevp = p->p_tracevp;
|
|
|
|
|
p->p_tracevp = NULL;
|
|
|
|
|
tracecred = p->p_tracecred;
|
|
|
|
|
p->p_tracecred = NULL;
|
2002-06-07 05:41:27 +00:00
|
|
|
mtx_unlock(&ktrace_mtx);
|
1995-11-06 12:52:37 +00:00
|
|
|
}
|
2002-06-07 05:41:27 +00:00
|
|
|
#endif
|
2002-09-13 09:31:56 +00:00
|
|
|
/*
|
2002-09-14 18:55:11 +00:00
|
|
|
* Close any file descriptors 0..2 that reference procfs,
|
|
|
|
|
* then make sure file descriptors 0..2 are in use.
|
2002-09-13 09:31:56 +00:00
|
|
|
*
|
2002-09-14 18:55:11 +00:00
|
|
|
* setugidsafety() may call closef() and then pfind()
|
|
|
|
|
* which may grab the process lock.
|
2002-09-13 09:31:56 +00:00
|
|
|
* fdcheckstd() may call falloc() which may block to
|
|
|
|
|
* allocate memory, so temporarily drop the process lock.
|
|
|
|
|
*/
|
|
|
|
|
PROC_UNLOCK(p);
|
2002-09-14 18:55:11 +00:00
|
|
|
setugidsafety(td);
|
2006-05-05 20:25:05 +00:00
|
|
|
VOP_UNLOCK(imgp->vp, 0, td);
|
2002-04-19 00:45:29 +00:00
|
|
|
error = fdcheckstd(td);
|
2006-05-05 20:25:05 +00:00
|
|
|
vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2002-07-13 03:13:15 +00:00
|
|
|
if (error != 0)
|
2002-06-20 17:27:28 +00:00
|
|
|
goto done1;
|
2002-10-11 21:04:01 +00:00
|
|
|
PROC_LOCK(p);
|
1995-11-06 12:52:37 +00:00
|
|
|
/*
|
|
|
|
|
* Set the new credentials.
|
|
|
|
|
*/
|
2002-05-02 15:00:14 +00:00
|
|
|
crcopy(newcred, oldcred);
|
1995-11-06 12:52:37 +00:00
|
|
|
if (attr.va_mode & VSUID)
|
2002-06-19 06:39:25 +00:00
|
|
|
change_euid(newcred, euip);
|
1995-11-06 12:52:37 +00:00
|
|
|
if (attr.va_mode & VSGID)
|
o Merge contents of struct pcred into struct ucred. Specifically, add the
real uid, saved uid, real gid, and saved gid to ucred, as well as the
pcred->pc_uidinfo, which was associated with the real uid, only rename
it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
original macro that pointed.
p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
we figure out locking and optimizations; generally speaking, this
means moving to a structure like this:
newcred = crdup(oldcred);
...
p->p_ucred = newcred;
crfree(oldcred);
It's not race-free, but better than nothing. There are also races
in sys_process.c, all inter-process authorization, fork, exec, and
exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
allocation.
o Clean up ktrcanset() to take into account changes, and move to using
suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
calls to better document current behavior. In a couple of places,
current behavior is a little questionable and we need to check
POSIX.1 to make sure it's "right". More commenting work still
remains to be done.
o Update credential management calls, such as crfree(), to take into
account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
change_euid()
change_egid()
change_ruid()
change_rgid()
change_svuid()
change_svgid()
In each case, the call now acts on a credential not a process, and as
such no longer requires more complicated process locking/etc. They
now assume the caller will do any necessary allocation of an
exclusive credential reference. Each is commented to document its
reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
processes and pcreds. Note that this authorization, as well as
CANSIGIO(), needs to be updated to use the p_cansignal() and
p_cansched() centralized authorization routines, as they currently
do not take into account some desirable restrictions that are handled
by the centralized routines, as well as being inconsistent with other
similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
2001-05-25 16:59:11 +00:00
|
|
|
change_egid(newcred, attr.va_gid);
|
2002-11-05 14:57:49 +00:00
|
|
|
#ifdef MAC
|
2002-11-05 17:51:56 +00:00
|
|
|
if (will_transition) {
|
|
|
|
|
mac_execve_transition(oldcred, newcred, imgp->vp,
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
interplabel, imgp);
|
2002-11-05 17:51:56 +00:00
|
|
|
}
|
2002-11-05 14:57:49 +00:00
|
|
|
#endif
|
2002-05-02 15:00:14 +00:00
|
|
|
/*
|
|
|
|
|
* Implement correct POSIX saved-id behavior.
|
2002-11-05 14:57:49 +00:00
|
|
|
*
|
|
|
|
|
* XXXMAC: Note that the current logic will save the
|
|
|
|
|
* uid and gid if a MAC domain transition occurs, even
|
|
|
|
|
* though maybe it shouldn't.
|
2002-05-02 15:00:14 +00:00
|
|
|
*/
|
|
|
|
|
change_svuid(newcred, newcred->cr_uid);
|
|
|
|
|
change_svgid(newcred, newcred->cr_gid);
|
|
|
|
|
p->p_ucred = newcred;
|
|
|
|
|
newcred = NULL;
|
1995-11-06 12:52:37 +00:00
|
|
|
} else {
|
o Merge contents of struct pcred into struct ucred. Specifically, add the
real uid, saved uid, real gid, and saved gid to ucred, as well as the
pcred->pc_uidinfo, which was associated with the real uid, only rename
it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
original macro that pointed.
p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
we figure out locking and optimizations; generally speaking, this
means moving to a structure like this:
newcred = crdup(oldcred);
...
p->p_ucred = newcred;
crfree(oldcred);
It's not race-free, but better than nothing. There are also races
in sys_process.c, all inter-process authorization, fork, exec, and
exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
allocation.
o Clean up ktrcanset() to take into account changes, and move to using
suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
calls to better document current behavior. In a couple of places,
current behavior is a little questionable and we need to check
POSIX.1 to make sure it's "right". More commenting work still
remains to be done.
o Update credential management calls, such as crfree(), to take into
account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
change_euid()
change_egid()
change_ruid()
change_rgid()
change_svuid()
change_svgid()
In each case, the call now acts on a credential not a process, and as
such no longer requires more complicated process locking/etc. They
now assume the caller will do any necessary allocation of an
exclusive credential reference. Each is commented to document its
reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
processes and pcreds. Note that this authorization, as well as
CANSIGIO(), needs to be updated to use the p_cansignal() and
p_cansched() centralized authorization routines, as they currently
do not take into account some desirable restrictions that are handled
by the centralized routines, as well as being inconsistent with other
similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
2001-05-25 16:59:11 +00:00
|
|
|
if (oldcred->cr_uid == oldcred->cr_ruid &&
|
|
|
|
|
oldcred->cr_gid == oldcred->cr_rgid)
|
1997-02-19 03:51:34 +00:00
|
|
|
p->p_flag &= ~P_SUGID;
|
2002-05-02 15:00:14 +00:00
|
|
|
/*
|
|
|
|
|
* Implement correct POSIX saved-id behavior.
|
|
|
|
|
*
|
|
|
|
|
* XXX: It's not clear that the existing behavior is
|
|
|
|
|
* POSIX-compliant. A number of sources indicate that the
|
|
|
|
|
* saved uid/gid should only be updated if the new ruid is
|
|
|
|
|
* not equal to the old ruid, or the new euid is not equal
|
|
|
|
|
* to the old euid and the new euid is not equal to the old
|
|
|
|
|
* ruid. The FreeBSD code always updates the saved uid/gid.
|
|
|
|
|
* Also, this code uses the new (replaced) euid and egid as
|
|
|
|
|
* the source, which may or may not be the right ones to use.
|
|
|
|
|
*/
|
2001-05-26 19:59:44 +00:00
|
|
|
if (oldcred->cr_svuid != oldcred->cr_uid ||
|
|
|
|
|
oldcred->cr_svgid != oldcred->cr_gid) {
|
2002-05-02 15:00:14 +00:00
|
|
|
crcopy(newcred, oldcred);
|
2001-05-26 19:59:44 +00:00
|
|
|
change_svuid(newcred, newcred->cr_uid);
|
|
|
|
|
change_svgid(newcred, newcred->cr_gid);
|
2002-05-02 15:00:14 +00:00
|
|
|
p->p_ucred = newcred;
|
|
|
|
|
newcred = NULL;
|
2001-05-26 19:59:44 +00:00
|
|
|
}
|
o Merge contents of struct pcred into struct ucred. Specifically, add the
real uid, saved uid, real gid, and saved gid to ucred, as well as the
pcred->pc_uidinfo, which was associated with the real uid, only rename
it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
original macro that pointed.
p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
we figure out locking and optimizations; generally speaking, this
means moving to a structure like this:
newcred = crdup(oldcred);
...
p->p_ucred = newcred;
crfree(oldcred);
It's not race-free, but better than nothing. There are also races
in sys_process.c, all inter-process authorization, fork, exec, and
exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
allocation.
o Clean up ktrcanset() to take into account changes, and move to using
suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
calls to better document current behavior. In a couple of places,
current behavior is a little questionable and we need to check
POSIX.1 to make sure it's "right". More commenting work still
remains to be done.
o Update credential management calls, such as crfree(), to take into
account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
change_euid()
change_egid()
change_ruid()
change_rgid()
change_svuid()
change_svgid()
In each case, the call now acts on a credential not a process, and as
such no longer requires more complicated process locking/etc. They
now assume the caller will do any necessary allocation of an
exclusive credential reference. Each is commented to document its
reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
processes and pcreds. Note that this authorization, as well as
CANSIGIO(), needs to be updated to use the p_cansignal() and
p_cansched() centralized authorization routines, as they currently
do not take into account some desirable restrictions that are handled
by the centralized routines, as well as being inconsistent with other
similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
2001-05-25 16:59:11 +00:00
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1994-09-24 16:58:43 +00:00
|
|
|
/*
|
2002-08-13 06:55:28 +00:00
|
|
|
* Store the vp for use in procfs. This vnode was referenced prior
|
|
|
|
|
* to locking the proc lock.
|
1994-09-24 16:58:43 +00:00
|
|
|
*/
|
2002-05-02 15:00:14 +00:00
|
|
|
textvp = p->p_textvp;
|
1994-09-24 16:58:43 +00:00
|
|
|
p->p_textvp = ndp->ni_vp;
|
|
|
|
|
|
2000-04-16 18:53:38 +00:00
|
|
|
/*
|
2001-10-27 11:11:25 +00:00
|
|
|
* Notify others that we exec'd, and clear the P_INEXEC flag
|
|
|
|
|
* as we're now a bona fide freshly-execed process.
|
2000-04-16 18:53:38 +00:00
|
|
|
*/
|
2004-08-15 06:24:42 +00:00
|
|
|
KNOTE_LOCKED(&p->p_klist, NOTE_EXEC);
|
2001-10-27 11:11:25 +00:00
|
|
|
p->p_flag &= ~P_INEXEC;
|
2000-04-16 18:53:38 +00:00
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* If tracing the process, trap to debugger so breakpoints
|
2001-10-27 11:11:25 +00:00
|
|
|
* can be set before the program executes.
|
In original kern_execve() code, at the start of the function, it forces
all other threads to suicide, problem is execve() could be failed, and
a failed execve() would change threaded process to unthreaded, this side
effect is unexpected.
The new code introduces a new single threading mode SINGLE_BOUNDARY, in
the mode, all threads should suspend themself at user boundary except
the singler. we can not use SINGLE_NO_EXIT because we want to start from
a clean state if execve() is successful, suspending other threads at unknown
point and later resuming them from there and forcing them to exit at user
boundary may cause the process to start from a dirty state. If execve() is
successful, current thread upgrades to SINGLE_EXIT mode and forces other
threads to suicide at user boundary, otherwise, other threads will be resumed
and their interrupted syscall will be restarted.
Reviewed by: julian
2004-10-06 00:40:41 +00:00
|
|
|
* Use tdsignal to deliver signal to current thread, use
|
|
|
|
|
* psignal may cause the signal to be delivered to wrong thread
|
|
|
|
|
* because that thread will exit, remember we are going to enter
|
|
|
|
|
* single thread mode.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
|
|
|
|
if (p->p_flag & P_TRACED)
|
2005-11-03 04:49:16 +00:00
|
|
|
tdsignal(p, td, SIGTRAP, NULL);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
/* clear "fork but no exec" flag, as we _are_ execing */
|
|
|
|
|
p->p_acflag &= ~AFORK;
|
|
|
|
|
|
2005-10-01 08:33:56 +00:00
|
|
|
/*
|
2005-10-04 04:02:33 +00:00
|
|
|
* Free any previous argument cache and replace it with
|
2005-10-01 08:33:56 +00:00
|
|
|
* the new argument cache, if any.
|
|
|
|
|
*/
|
2002-05-02 15:00:14 +00:00
|
|
|
oldargs = p->p_args;
|
2005-10-01 08:33:56 +00:00
|
|
|
p->p_args = newargs;
|
|
|
|
|
newargs = NULL;
|
2005-04-19 04:01:25 +00:00
|
|
|
|
|
|
|
|
#ifdef HWPMC_HOOKS
|
|
|
|
|
/*
|
2005-06-09 19:45:09 +00:00
|
|
|
* Check if system-wide sampling is in effect or if the
|
|
|
|
|
* current process is using PMCs. If so, do exec() time
|
2005-04-19 04:01:25 +00:00
|
|
|
* processing. This processing needs to happen AFTER the
|
|
|
|
|
* P_INEXEC flag is cleared.
|
|
|
|
|
*
|
|
|
|
|
* The proc lock needs to be released before taking the PMC
|
|
|
|
|
* SX.
|
|
|
|
|
*/
|
2005-06-09 19:45:09 +00:00
|
|
|
if (PMC_SYSTEM_SAMPLING_ACTIVE() || PMC_PROC_IS_USING_PMCS(p)) {
|
2005-04-19 04:01:25 +00:00
|
|
|
PROC_UNLOCK(p);
|
2005-06-30 19:01:26 +00:00
|
|
|
pe.pm_credentialschanged = credential_changing;
|
|
|
|
|
pe.pm_entryaddr = imgp->entry_addr;
|
|
|
|
|
|
|
|
|
|
PMC_CALL_HOOK_X(td, PMC_FN_PROCESS_EXEC, (void *) &pe);
|
2005-04-19 04:01:25 +00:00
|
|
|
} else
|
|
|
|
|
PROC_UNLOCK(p);
|
|
|
|
|
#else /* !HWPMC_HOOKS */
|
2002-05-02 15:00:14 +00:00
|
|
|
PROC_UNLOCK(p);
|
2005-04-19 04:01:25 +00:00
|
|
|
#endif
|
2002-05-02 15:00:14 +00:00
|
|
|
|
2002-10-11 21:04:01 +00:00
|
|
|
/* Set values passed into the program in registers. */
|
|
|
|
|
if (p->p_sysent->sv_setregs)
|
|
|
|
|
(*p->p_sysent->sv_setregs)(td, imgp->entry_addr,
|
|
|
|
|
(u_long)(uintptr_t)stack_base, imgp->ps_strings);
|
|
|
|
|
else
|
|
|
|
|
exec_setregs(td, imgp->entry_addr,
|
|
|
|
|
(u_long)(uintptr_t)stack_base, imgp->ps_strings);
|
2002-08-13 06:55:28 +00:00
|
|
|
|
2005-10-12 06:56:00 +00:00
|
|
|
vfs_mark_atime(imgp->vp, td);
|
2005-05-31 19:39:52 +00:00
|
|
|
|
2002-10-11 21:04:01 +00:00
|
|
|
done1:
|
2002-05-02 15:00:14 +00:00
|
|
|
/*
|
|
|
|
|
* Free any resources malloc'd earlier that we didn't use.
|
|
|
|
|
*/
|
2002-06-19 06:39:25 +00:00
|
|
|
uifree(euip);
|
2002-05-02 15:00:14 +00:00
|
|
|
if (newcred == NULL)
|
|
|
|
|
crfree(oldcred);
|
|
|
|
|
else
|
|
|
|
|
crfree(newcred);
|
2006-05-05 20:25:05 +00:00
|
|
|
VOP_UNLOCK(imgp->vp, 0, td);
|
2002-05-02 15:00:14 +00:00
|
|
|
/*
|
|
|
|
|
* Handle deferred decrement of ref counts.
|
|
|
|
|
*/
|
2006-02-02 08:39:39 +00:00
|
|
|
if (textvp != NULL) {
|
|
|
|
|
int tvfslocked;
|
|
|
|
|
|
|
|
|
|
tvfslocked = VFS_LOCK_GIANT(textvp->v_mount);
|
2002-05-02 15:00:14 +00:00
|
|
|
vrele(textvp);
|
2006-02-02 08:39:39 +00:00
|
|
|
VFS_UNLOCK_GIANT(tvfslocked);
|
|
|
|
|
}
|
2002-08-13 06:55:28 +00:00
|
|
|
if (ndp->ni_vp && error != 0)
|
|
|
|
|
vrele(ndp->ni_vp);
|
2002-06-07 05:41:27 +00:00
|
|
|
#ifdef KTRACE
|
2002-05-02 15:00:14 +00:00
|
|
|
if (tracevp != NULL)
|
|
|
|
|
vrele(tracevp);
|
2003-03-13 18:24:22 +00:00
|
|
|
if (tracecred != NULL)
|
|
|
|
|
crfree(tracecred);
|
2002-06-07 05:41:27 +00:00
|
|
|
#endif
|
2006-05-05 20:25:05 +00:00
|
|
|
vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2002-06-20 17:27:28 +00:00
|
|
|
if (oldargs != NULL)
|
|
|
|
|
pargs_drop(oldargs);
|
|
|
|
|
if (newargs != NULL)
|
|
|
|
|
pargs_drop(newargs);
|
- Merge struct procsig with struct sigacts.
- Move struct sigacts out of the u-area and malloc() it using the
M_SUBPROC malloc bucket.
- Add a small sigacts_*() API for managing sigacts structures: sigacts_alloc(),
sigacts_free(), sigacts_copy(), sigacts_share(), and sigacts_shared().
- Remove the p_sigignore, p_sigacts, and p_sigcatch macros.
- Add a mutex to struct sigacts that protects all the members of the struct.
- Add sigacts locking.
- Remove Giant from nosys(), kill(), killpg(), and kern_sigaction() now
that sigacts is locked.
- Several in-kernel functions such as psignal(), tdsignal(), trapsignal(),
and thread_stopped() are now MP safe.
Reviewed by: arch@
Approved by: re (rwatson)
2003-05-13 20:36:02 +00:00
|
|
|
if (oldsigacts != NULL)
|
|
|
|
|
sigacts_free(oldsigacts);
|
1999-11-16 20:31:58 +00:00
|
|
|
|
1998-01-11 21:35:38 +00:00
|
|
|
exec_fail_dealloc:
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* free various allocated resources
|
|
|
|
|
*/
|
2003-12-28 04:37:59 +00:00
|
|
|
if (imgp->firstpage != NULL)
|
1998-01-11 21:35:38 +00:00
|
|
|
exec_unmap_first_page(imgp);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2003-12-28 04:37:59 +00:00
|
|
|
if (imgp->vp != NULL) {
|
1999-12-15 23:02:35 +00:00
|
|
|
NDFREE(ndp, NDF_ONLY_PNBUF);
|
2002-08-13 06:55:28 +00:00
|
|
|
vput(imgp->vp);
|
1997-04-04 07:30:06 +00:00
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2003-12-28 04:37:59 +00:00
|
|
|
if (imgp->object != NULL)
|
2002-07-06 07:00:01 +00:00
|
|
|
vm_object_deallocate(imgp->object);
|
|
|
|
|
|
2002-11-26 17:30:55 +00:00
|
|
|
if (error == 0) {
|
|
|
|
|
/*
|
|
|
|
|
* Stop the process here if its stop event mask has
|
|
|
|
|
* the S_EXEC bit set.
|
|
|
|
|
*/
|
|
|
|
|
STOPEVENT(p, S_EXEC, 0);
|
2001-09-01 03:04:31 +00:00
|
|
|
goto done2;
|
2002-11-26 17:30:55 +00:00
|
|
|
}
|
1998-01-11 21:35:38 +00:00
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
exec_fail:
|
2001-10-27 11:11:25 +00:00
|
|
|
/* we're done here, clear P_INEXEC */
|
|
|
|
|
PROC_LOCK(p);
|
|
|
|
|
p->p_flag &= ~P_INEXEC;
|
|
|
|
|
PROC_UNLOCK(p);
|
2005-01-29 23:12:00 +00:00
|
|
|
|
2001-09-01 03:04:31 +00:00
|
|
|
done2:
|
2002-11-05 17:51:56 +00:00
|
|
|
#ifdef MAC
|
|
|
|
|
mac_execve_exit(imgp);
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
if (interplabel != NULL)
|
|
|
|
|
mac_vnode_label_free(interplabel);
|
2002-11-05 17:51:56 +00:00
|
|
|
#endif
|
2005-05-03 10:55:05 +00:00
|
|
|
VFS_UNLOCK_GIANT(vfslocked);
|
2006-02-06 22:06:54 +00:00
|
|
|
exec_free_args(args);
|
|
|
|
|
|
|
|
|
|
if (error && imgp->vmspace_destroyed) {
|
|
|
|
|
/* sorry, no more process anymore. exit gracefully */
|
|
|
|
|
exit1(td, W_EXITCODE(0, SIGABRT));
|
|
|
|
|
/* NOT REACHED */
|
|
|
|
|
}
|
2001-10-27 11:11:25 +00:00
|
|
|
return (error);
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
|
|
|
|
|
1998-01-11 21:35:38 +00:00
|
|
|
int
|
|
|
|
|
exec_map_first_page(imgp)
|
|
|
|
|
struct image_params *imgp;
|
|
|
|
|
{
|
2001-05-21 18:30:50 +00:00
|
|
|
int rv, i;
|
1998-02-05 03:32:49 +00:00
|
|
|
int initial_pagein;
|
|
|
|
|
vm_page_t ma[VM_INITIAL_PAGEIN];
|
1998-01-11 21:35:38 +00:00
|
|
|
vm_object_t object;
|
|
|
|
|
|
2003-12-28 04:37:59 +00:00
|
|
|
if (imgp->firstpage != NULL)
|
1998-01-11 21:35:38 +00:00
|
|
|
exec_unmap_first_page(imgp);
|
|
|
|
|
|
2005-01-25 00:40:01 +00:00
|
|
|
object = imgp->vp->v_object;
|
2005-05-01 00:58:19 +00:00
|
|
|
if (object == NULL)
|
|
|
|
|
return (EACCES);
|
2003-06-08 07:14:30 +00:00
|
|
|
VM_OBJECT_LOCK(object);
|
1998-02-05 03:32:49 +00:00
|
|
|
ma[0] = vm_page_grab(object, 0, VM_ALLOC_NORMAL | VM_ALLOC_RETRY);
|
|
|
|
|
if ((ma[0]->valid & VM_PAGE_BITS_ALL) != VM_PAGE_BITS_ALL) {
|
|
|
|
|
initial_pagein = VM_INITIAL_PAGEIN;
|
|
|
|
|
if (initial_pagein > object->size)
|
|
|
|
|
initial_pagein = object->size;
|
|
|
|
|
for (i = 1; i < initial_pagein; i++) {
|
1999-01-27 21:50:00 +00:00
|
|
|
if ((ma[i] = vm_page_lookup(object, i)) != NULL) {
|
2003-10-04 22:47:20 +00:00
|
|
|
if (ma[i]->valid)
|
|
|
|
|
break;
|
2006-10-22 04:28:14 +00:00
|
|
|
if ((ma[i]->oflags & VPO_BUSY) || ma[i]->busy)
|
1998-02-05 03:32:49 +00:00
|
|
|
break;
|
1998-09-04 08:06:57 +00:00
|
|
|
vm_page_busy(ma[i]);
|
1998-02-05 03:32:49 +00:00
|
|
|
} else {
|
2002-08-25 20:48:45 +00:00
|
|
|
ma[i] = vm_page_alloc(object, i,
|
|
|
|
|
VM_ALLOC_NORMAL);
|
1998-02-05 03:32:49 +00:00
|
|
|
if (ma[i] == NULL)
|
|
|
|
|
break;
|
|
|
|
|
}
|
1998-01-11 21:35:38 +00:00
|
|
|
}
|
1998-02-05 03:32:49 +00:00
|
|
|
initial_pagein = i;
|
|
|
|
|
rv = vm_pager_get_pages(object, ma, initial_pagein, 0);
|
|
|
|
|
ma[0] = vm_page_lookup(object, 0);
|
2002-08-25 20:48:45 +00:00
|
|
|
if ((rv != VM_PAGER_OK) || (ma[0] == NULL) ||
|
|
|
|
|
(ma[0]->valid == 0)) {
|
1998-06-07 17:13:14 +00:00
|
|
|
if (ma[0]) {
|
2003-10-04 22:47:20 +00:00
|
|
|
vm_page_lock_queues();
|
1998-06-07 17:13:14 +00:00
|
|
|
vm_page_free(ma[0]);
|
2003-10-04 22:47:20 +00:00
|
|
|
vm_page_unlock_queues();
|
1998-06-07 17:13:14 +00:00
|
|
|
}
|
2003-06-09 19:37:14 +00:00
|
|
|
VM_OBJECT_UNLOCK(object);
|
2002-08-24 22:01:40 +00:00
|
|
|
return (EIO);
|
1998-01-11 21:35:38 +00:00
|
|
|
}
|
|
|
|
|
}
|
2003-10-04 22:47:20 +00:00
|
|
|
vm_page_lock_queues();
|
2004-04-11 19:57:11 +00:00
|
|
|
vm_page_hold(ma[0]);
|
2002-07-11 18:48:05 +00:00
|
|
|
vm_page_unlock_queues();
|
2006-10-22 21:18:48 +00:00
|
|
|
vm_page_wakeup(ma[0]);
|
2003-10-04 22:47:20 +00:00
|
|
|
VM_OBJECT_UNLOCK(object);
|
1998-01-11 21:35:38 +00:00
|
|
|
|
2004-04-23 03:01:40 +00:00
|
|
|
imgp->firstpage = sf_buf_alloc(ma[0], 0);
|
|
|
|
|
imgp->image_header = (char *)sf_buf_kva(imgp->firstpage);
|
1998-01-11 21:35:38 +00:00
|
|
|
|
2002-08-24 22:01:40 +00:00
|
|
|
return (0);
|
1998-01-11 21:35:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
exec_unmap_first_page(imgp)
|
|
|
|
|
struct image_params *imgp;
|
|
|
|
|
{
|
2004-04-23 03:01:40 +00:00
|
|
|
vm_page_t m;
|
2001-05-19 01:28:09 +00:00
|
|
|
|
2003-12-28 04:37:59 +00:00
|
|
|
if (imgp->firstpage != NULL) {
|
2004-04-23 03:01:40 +00:00
|
|
|
m = sf_buf_page(imgp->firstpage);
|
|
|
|
|
sf_buf_free(imgp->firstpage);
|
|
|
|
|
imgp->firstpage = NULL;
|
2002-07-11 18:48:05 +00:00
|
|
|
vm_page_lock_queues();
|
2004-04-23 03:01:40 +00:00
|
|
|
vm_page_unhold(m);
|
2002-07-11 18:48:05 +00:00
|
|
|
vm_page_unlock_queues();
|
1998-01-11 21:35:38 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* Destroy old address space, and allocate a new stack
|
|
|
|
|
* The new stack is only SGROWSIZ large because it is grown
|
|
|
|
|
* automatically in trap.c.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2002-09-21 22:07:17 +00:00
|
|
|
exec_new_vmspace(imgp, sv)
|
1995-11-06 12:52:37 +00:00
|
|
|
struct image_params *imgp;
|
2002-09-21 22:07:17 +00:00
|
|
|
struct sysentvec *sv;
|
1994-05-25 09:21:21 +00:00
|
|
|
{
|
|
|
|
|
int error;
|
2002-03-31 00:05:30 +00:00
|
|
|
struct proc *p = imgp->proc;
|
|
|
|
|
struct vmspace *vmspace = p->p_vmspace;
|
2002-09-21 22:07:17 +00:00
|
|
|
vm_offset_t stack_addr;
|
|
|
|
|
vm_map_t map;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1995-11-06 12:52:37 +00:00
|
|
|
imgp->vmspace_destroyed = 1;
|
2006-08-15 12:10:57 +00:00
|
|
|
imgp->sysent = sv;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2004-03-14 02:06:28 +00:00
|
|
|
/* Called with Giant held, do not depend on it! */
|
2006-08-15 12:10:57 +00:00
|
|
|
EVENTHANDLER_INVOKE(process_exec, p, imgp);
|
2002-01-13 19:36:35 +00:00
|
|
|
|
2003-09-25 01:10:26 +00:00
|
|
|
/*
|
|
|
|
|
* Here is as good a place as any to do any resource limit cleanups.
|
|
|
|
|
* This is needed if a 64 bit binary exec's a 32 bit binary - the
|
|
|
|
|
* data size limit may need to be changed to a value that makes
|
|
|
|
|
* sense for the 32 bit binary.
|
|
|
|
|
*/
|
2003-12-28 04:37:59 +00:00
|
|
|
if (sv->sv_fixlimits != NULL)
|
2005-11-02 21:18:07 +00:00
|
|
|
sv->sv_fixlimits(p);
|
2003-09-25 01:10:26 +00:00
|
|
|
|
1997-04-11 23:37:23 +00:00
|
|
|
/*
|
|
|
|
|
* Blow away entire process VM, if address space not shared,
|
|
|
|
|
* otherwise, create a new VM space so that other threads are
|
|
|
|
|
* not disrupted
|
|
|
|
|
*/
|
2002-09-21 22:07:17 +00:00
|
|
|
map = &vmspace->vm_map;
|
|
|
|
|
if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv->sv_minuser &&
|
|
|
|
|
vm_map_max(map) == sv->sv_maxuser) {
|
2003-01-13 23:04:32 +00:00
|
|
|
shmexit(vmspace);
|
2006-04-03 21:16:10 +00:00
|
|
|
pmap_remove_pages(vmspace_pmap(vmspace));
|
2002-09-21 22:07:17 +00:00
|
|
|
vm_map_remove(map, vm_map_min(map), vm_map_max(map));
|
1997-04-11 23:37:23 +00:00
|
|
|
} else {
|
2002-09-21 22:07:17 +00:00
|
|
|
vmspace_exec(p, sv->sv_minuser, sv->sv_maxuser);
|
2002-03-31 00:05:30 +00:00
|
|
|
vmspace = p->p_vmspace;
|
2002-09-21 22:07:17 +00:00
|
|
|
map = &vmspace->vm_map;
|
1997-04-11 23:37:23 +00:00
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
/* Allocate a new stack */
|
2003-09-27 22:28:14 +00:00
|
|
|
stack_addr = sv->sv_usrstack - maxssiz;
|
2002-09-21 22:07:17 +00:00
|
|
|
error = vm_map_stack(map, stack_addr, (vm_size_t)maxssiz,
|
2003-09-27 22:28:14 +00:00
|
|
|
sv->sv_stackprot, VM_PROT_ALL, MAP_STACK_GROWS_DOWN);
|
1999-01-06 23:05:42 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
|
2000-10-12 14:24:03 +00:00
|
|
|
#ifdef __ia64__
|
2003-09-27 22:28:14 +00:00
|
|
|
/* Allocate a new register stack */
|
2003-10-20 05:34:10 +00:00
|
|
|
stack_addr = IA64_BACKINGSTORE;
|
2003-09-27 22:28:14 +00:00
|
|
|
error = vm_map_stack(map, stack_addr, (vm_size_t)maxssiz,
|
|
|
|
|
sv->sv_stackprot, VM_PROT_ALL, MAP_STACK_GROWS_UP);
|
|
|
|
|
if (error)
|
|
|
|
|
return (error);
|
2000-10-12 14:24:03 +00:00
|
|
|
#endif
|
|
|
|
|
|
1999-01-06 23:05:42 +00:00
|
|
|
/* vm_ssize and vm_maxsaddr are somewhat antiquated concepts in the
|
|
|
|
|
* VM_STACK case, but they are still used to monitor the size of the
|
|
|
|
|
* process stack so we can check the stack rlimit.
|
|
|
|
|
*/
|
2001-10-10 23:06:54 +00:00
|
|
|
vmspace->vm_ssize = sgrowsiz >> PAGE_SHIFT;
|
2002-09-21 22:07:17 +00:00
|
|
|
vmspace->vm_maxsaddr = (char *)sv->sv_usrstack - maxssiz;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2002-08-24 22:01:40 +00:00
|
|
|
return (0);
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copy out argument and environment strings from the old process
|
|
|
|
|
* address space into the temporary string buffer.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2005-01-29 23:12:00 +00:00
|
|
|
exec_copyin_args(struct image_args *args, char *fname,
|
|
|
|
|
enum uio_seg segflg, char **argv, char **envv)
|
1994-05-25 09:21:21 +00:00
|
|
|
{
|
2005-01-29 23:12:00 +00:00
|
|
|
char *argp, *envp;
|
|
|
|
|
int error;
|
|
|
|
|
size_t length;
|
|
|
|
|
|
|
|
|
|
error = 0;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
bzero(args, sizeof(*args));
|
|
|
|
|
if (argv == NULL)
|
|
|
|
|
return (EFAULT);
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
2005-01-29 23:12:00 +00:00
|
|
|
* Allocate temporary demand zeroed space for argument and
|
2005-02-25 11:49:42 +00:00
|
|
|
* environment strings:
|
|
|
|
|
*
|
|
|
|
|
* o ARG_MAX for argument and environment;
|
|
|
|
|
* o MAXSHELLCMDLEN for the name of interpreters.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
2005-02-25 11:49:42 +00:00
|
|
|
args->buf = (char *) kmem_alloc_wait(exec_map,
|
|
|
|
|
PATH_MAX + ARG_MAX + MAXSHELLCMDLEN);
|
2005-01-29 23:12:00 +00:00
|
|
|
if (args->buf == NULL)
|
|
|
|
|
return (ENOMEM);
|
|
|
|
|
args->begin_argv = args->buf;
|
|
|
|
|
args->endp = args->begin_argv;
|
|
|
|
|
args->stringspace = ARG_MAX;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
args->fname = args->buf + ARG_MAX;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copy the file name.
|
|
|
|
|
*/
|
|
|
|
|
error = (segflg == UIO_SYSSPACE) ?
|
|
|
|
|
copystr(fname, args->fname, PATH_MAX, &length) :
|
|
|
|
|
copyinstr(fname, args->fname, PATH_MAX, &length);
|
2005-01-29 23:47:36 +00:00
|
|
|
if (error != 0)
|
2006-03-08 20:21:54 +00:00
|
|
|
goto err_exit;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
/*
|
|
|
|
|
* extract arguments first
|
|
|
|
|
*/
|
|
|
|
|
while ((argp = (caddr_t) (intptr_t) fuword(argv++))) {
|
2006-03-08 20:21:54 +00:00
|
|
|
if (argp == (caddr_t) -1) {
|
|
|
|
|
error = EFAULT;
|
|
|
|
|
goto err_exit;
|
|
|
|
|
}
|
2005-01-29 23:12:00 +00:00
|
|
|
if ((error = copyinstr(argp, args->endp,
|
|
|
|
|
args->stringspace, &length))) {
|
2006-03-08 20:21:54 +00:00
|
|
|
if (error == ENAMETOOLONG)
|
|
|
|
|
error = E2BIG;
|
|
|
|
|
goto err_exit;
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
2005-01-29 23:12:00 +00:00
|
|
|
args->stringspace -= length;
|
|
|
|
|
args->endp += length;
|
|
|
|
|
args->argc++;
|
|
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
args->begin_envv = args->endp;
|
1999-11-16 20:31:58 +00:00
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* extract environment strings
|
|
|
|
|
*/
|
1994-08-24 10:53:53 +00:00
|
|
|
if (envv) {
|
2002-08-24 22:55:16 +00:00
|
|
|
while ((envp = (caddr_t)(intptr_t)fuword(envv++))) {
|
2006-03-08 20:21:54 +00:00
|
|
|
if (envp == (caddr_t)-1) {
|
|
|
|
|
error = EFAULT;
|
|
|
|
|
goto err_exit;
|
|
|
|
|
}
|
2005-01-29 23:12:00 +00:00
|
|
|
if ((error = copyinstr(envp, args->endp,
|
|
|
|
|
args->stringspace, &length))) {
|
1994-08-24 10:53:53 +00:00
|
|
|
if (error == ENAMETOOLONG)
|
2006-03-08 20:21:54 +00:00
|
|
|
error = E2BIG;
|
|
|
|
|
goto err_exit;
|
1994-08-24 10:53:53 +00:00
|
|
|
}
|
2005-01-29 23:12:00 +00:00
|
|
|
args->stringspace -= length;
|
|
|
|
|
args->endp += length;
|
|
|
|
|
args->envc++;
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
1994-08-24 10:53:53 +00:00
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
return (0);
|
2006-03-08 20:21:54 +00:00
|
|
|
|
|
|
|
|
err_exit:
|
|
|
|
|
exec_free_args(args);
|
|
|
|
|
return (error);
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
|
|
|
|
|
2006-02-06 22:06:54 +00:00
|
|
|
static void
|
2005-01-29 23:12:00 +00:00
|
|
|
exec_free_args(struct image_args *args)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
if (args->buf) {
|
2005-02-25 11:49:42 +00:00
|
|
|
kmem_free_wakeup(exec_map, (vm_offset_t)args->buf,
|
|
|
|
|
PATH_MAX + ARG_MAX + MAXSHELLCMDLEN);
|
2005-01-29 23:12:00 +00:00
|
|
|
args->buf = NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* Copy strings out to the new process address space, constructing
|
|
|
|
|
* new arg and env vector tables. Return a pointer to the base
|
|
|
|
|
* so that it can be used as the initial stack pointer.
|
|
|
|
|
*/
|
1999-12-27 10:42:55 +00:00
|
|
|
register_t *
|
1995-11-06 12:52:37 +00:00
|
|
|
exec_copyout_strings(imgp)
|
|
|
|
|
struct image_params *imgp;
|
1994-05-25 09:21:21 +00:00
|
|
|
{
|
|
|
|
|
int argc, envc;
|
|
|
|
|
char **vectp;
|
|
|
|
|
char *stringp, *destp;
|
1999-12-27 10:42:55 +00:00
|
|
|
register_t *stack_base;
|
1994-08-06 09:06:31 +00:00
|
|
|
struct ps_strings *arginfo;
|
2002-08-29 01:28:27 +00:00
|
|
|
struct proc *p;
|
Mega-commit for Linux emulator update.. This has been stress tested under
netscape-2.0 for Linux running all the Java stuff. The scrollbars are now
working, at least on my machine. (whew! :-)
I'm uncomfortable with the size of this commit, but it's too
inter-dependant to easily seperate out.
The main changes:
COMPAT_LINUX is *GONE*. Most of the code has been moved out of the i386
machine dependent section into the linux emulator itself. The int 0x80
syscall code was almost identical to the lcall 7,0 code and a minor tweak
allows them to both be used with the same C code. All kernels can now
just modload the lkm and it'll DTRT without having to rebuild the kernel
first. Like IBCS2, you can statically compile it in with "options LINUX".
A pile of new syscalls implemented, including getdents(), llseek(),
readv(), writev(), msync(), personality(). The Linux-ELF libraries want
to use some of these.
linux_select() now obeys Linux semantics, ie: returns the time remaining
of the timeout value rather than leaving it the original value.
Quite a few bugs removed, including incorrect arguments being used in
syscalls.. eg: mixups between passing the sigset as an int, vs passing
it as a pointer and doing a copyin(), missing return values, unhandled
cases, SIOC* ioctls, etc.
The build for the code has changed. i386/conf/files now knows how
to build linux_genassym and generate linux_assym.h on the fly.
Supporting changes elsewhere in the kernel:
The user-mode signal trampoline has moved from the U area to immediately
below the top of the stack (below PS_STRINGS). This allows the different
binary emulations to have their own signal trampoline code (which gets rid
of the hardwired syscall 103 (sigreturn on BSD, syslog on Linux)) and so
that the emulator can provide the exact "struct sigcontext *" argument to
the program's signal handlers.
The sigstack's "ss_flags" now uses SS_DISABLE and SS_ONSTACK flags, which
have the same values as the re-used SA_DISABLE and SA_ONSTACK which are
intended for sigaction only. This enables the support of a SA_RESETHAND
flag to sigaction to implement the gross SYSV and Linux SA_ONESHOT signal
semantics where the signal handler is reset when it's triggered.
makesyscalls.sh no longer appends the struct sysentvec on the end of the
generated init_sysent.c code. It's a lot saner to have it in a seperate
file rather than trying to update the structure inside the awk script. :-)
At exec time, the dozen bytes or so of signal trampoline code are copied
to the top of the user's stack, rather than obtaining the trampoline code
the old way by getting a clone of the parent's user area. This allows
Linux and native binaries to freely exec each other without getting
trampolines mixed up.
1996-03-02 19:38:20 +00:00
|
|
|
int szsigcode;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Calculate string base and vector table pointers.
|
Mega-commit for Linux emulator update.. This has been stress tested under
netscape-2.0 for Linux running all the Java stuff. The scrollbars are now
working, at least on my machine. (whew! :-)
I'm uncomfortable with the size of this commit, but it's too
inter-dependant to easily seperate out.
The main changes:
COMPAT_LINUX is *GONE*. Most of the code has been moved out of the i386
machine dependent section into the linux emulator itself. The int 0x80
syscall code was almost identical to the lcall 7,0 code and a minor tweak
allows them to both be used with the same C code. All kernels can now
just modload the lkm and it'll DTRT without having to rebuild the kernel
first. Like IBCS2, you can statically compile it in with "options LINUX".
A pile of new syscalls implemented, including getdents(), llseek(),
readv(), writev(), msync(), personality(). The Linux-ELF libraries want
to use some of these.
linux_select() now obeys Linux semantics, ie: returns the time remaining
of the timeout value rather than leaving it the original value.
Quite a few bugs removed, including incorrect arguments being used in
syscalls.. eg: mixups between passing the sigset as an int, vs passing
it as a pointer and doing a copyin(), missing return values, unhandled
cases, SIOC* ioctls, etc.
The build for the code has changed. i386/conf/files now knows how
to build linux_genassym and generate linux_assym.h on the fly.
Supporting changes elsewhere in the kernel:
The user-mode signal trampoline has moved from the U area to immediately
below the top of the stack (below PS_STRINGS). This allows the different
binary emulations to have their own signal trampoline code (which gets rid
of the hardwired syscall 103 (sigreturn on BSD, syslog on Linux)) and so
that the emulator can provide the exact "struct sigcontext *" argument to
the program's signal handlers.
The sigstack's "ss_flags" now uses SS_DISABLE and SS_ONSTACK flags, which
have the same values as the re-used SA_DISABLE and SA_ONSTACK which are
intended for sigaction only. This enables the support of a SA_RESETHAND
flag to sigaction to implement the gross SYSV and Linux SA_ONESHOT signal
semantics where the signal handler is reset when it's triggered.
makesyscalls.sh no longer appends the struct sysentvec on the end of the
generated init_sysent.c code. It's a lot saner to have it in a seperate
file rather than trying to update the structure inside the awk script. :-)
At exec time, the dozen bytes or so of signal trampoline code are copied
to the top of the user's stack, rather than obtaining the trampoline code
the old way by getting a clone of the parent's user area. This allows
Linux and native binaries to freely exec each other without getting
trampolines mixed up.
1996-03-02 19:38:20 +00:00
|
|
|
* Also deal with signal trampoline code for this exec type.
|
1994-05-25 09:21:21 +00:00
|
|
|
*/
|
2002-08-29 01:28:27 +00:00
|
|
|
p = imgp->proc;
|
|
|
|
|
szsigcode = 0;
|
2002-09-21 22:07:17 +00:00
|
|
|
arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
|
2002-08-29 01:28:27 +00:00
|
|
|
if (p->p_sysent->sv_szsigcode != NULL)
|
|
|
|
|
szsigcode = *(p->p_sysent->sv_szsigcode);
|
Mega-commit for Linux emulator update.. This has been stress tested under
netscape-2.0 for Linux running all the Java stuff. The scrollbars are now
working, at least on my machine. (whew! :-)
I'm uncomfortable with the size of this commit, but it's too
inter-dependant to easily seperate out.
The main changes:
COMPAT_LINUX is *GONE*. Most of the code has been moved out of the i386
machine dependent section into the linux emulator itself. The int 0x80
syscall code was almost identical to the lcall 7,0 code and a minor tweak
allows them to both be used with the same C code. All kernels can now
just modload the lkm and it'll DTRT without having to rebuild the kernel
first. Like IBCS2, you can statically compile it in with "options LINUX".
A pile of new syscalls implemented, including getdents(), llseek(),
readv(), writev(), msync(), personality(). The Linux-ELF libraries want
to use some of these.
linux_select() now obeys Linux semantics, ie: returns the time remaining
of the timeout value rather than leaving it the original value.
Quite a few bugs removed, including incorrect arguments being used in
syscalls.. eg: mixups between passing the sigset as an int, vs passing
it as a pointer and doing a copyin(), missing return values, unhandled
cases, SIOC* ioctls, etc.
The build for the code has changed. i386/conf/files now knows how
to build linux_genassym and generate linux_assym.h on the fly.
Supporting changes elsewhere in the kernel:
The user-mode signal trampoline has moved from the U area to immediately
below the top of the stack (below PS_STRINGS). This allows the different
binary emulations to have their own signal trampoline code (which gets rid
of the hardwired syscall 103 (sigreturn on BSD, syslog on Linux)) and so
that the emulator can provide the exact "struct sigcontext *" argument to
the program's signal handlers.
The sigstack's "ss_flags" now uses SS_DISABLE and SS_ONSTACK flags, which
have the same values as the re-used SA_DISABLE and SA_ONSTACK which are
intended for sigaction only. This enables the support of a SA_RESETHAND
flag to sigaction to implement the gross SYSV and Linux SA_ONESHOT signal
semantics where the signal handler is reset when it's triggered.
makesyscalls.sh no longer appends the struct sysentvec on the end of the
generated init_sysent.c code. It's a lot saner to have it in a seperate
file rather than trying to update the structure inside the awk script. :-)
At exec time, the dozen bytes or so of signal trampoline code are copied
to the top of the user's stack, rather than obtaining the trampoline code
the old way by getting a clone of the parent's user area. This allows
Linux and native binaries to freely exec each other without getting
trampolines mixed up.
1996-03-02 19:38:20 +00:00
|
|
|
destp = (caddr_t)arginfo - szsigcode - SPARE_USRSPACE -
|
2005-01-29 23:12:00 +00:00
|
|
|
roundup((ARG_MAX - imgp->args->stringspace), sizeof(char *));
|
1995-12-09 04:29:11 +00:00
|
|
|
|
Mega-commit for Linux emulator update.. This has been stress tested under
netscape-2.0 for Linux running all the Java stuff. The scrollbars are now
working, at least on my machine. (whew! :-)
I'm uncomfortable with the size of this commit, but it's too
inter-dependant to easily seperate out.
The main changes:
COMPAT_LINUX is *GONE*. Most of the code has been moved out of the i386
machine dependent section into the linux emulator itself. The int 0x80
syscall code was almost identical to the lcall 7,0 code and a minor tweak
allows them to both be used with the same C code. All kernels can now
just modload the lkm and it'll DTRT without having to rebuild the kernel
first. Like IBCS2, you can statically compile it in with "options LINUX".
A pile of new syscalls implemented, including getdents(), llseek(),
readv(), writev(), msync(), personality(). The Linux-ELF libraries want
to use some of these.
linux_select() now obeys Linux semantics, ie: returns the time remaining
of the timeout value rather than leaving it the original value.
Quite a few bugs removed, including incorrect arguments being used in
syscalls.. eg: mixups between passing the sigset as an int, vs passing
it as a pointer and doing a copyin(), missing return values, unhandled
cases, SIOC* ioctls, etc.
The build for the code has changed. i386/conf/files now knows how
to build linux_genassym and generate linux_assym.h on the fly.
Supporting changes elsewhere in the kernel:
The user-mode signal trampoline has moved from the U area to immediately
below the top of the stack (below PS_STRINGS). This allows the different
binary emulations to have their own signal trampoline code (which gets rid
of the hardwired syscall 103 (sigreturn on BSD, syslog on Linux)) and so
that the emulator can provide the exact "struct sigcontext *" argument to
the program's signal handlers.
The sigstack's "ss_flags" now uses SS_DISABLE and SS_ONSTACK flags, which
have the same values as the re-used SA_DISABLE and SA_ONSTACK which are
intended for sigaction only. This enables the support of a SA_RESETHAND
flag to sigaction to implement the gross SYSV and Linux SA_ONESHOT signal
semantics where the signal handler is reset when it's triggered.
makesyscalls.sh no longer appends the struct sysentvec on the end of the
generated init_sysent.c code. It's a lot saner to have it in a seperate
file rather than trying to update the structure inside the awk script. :-)
At exec time, the dozen bytes or so of signal trampoline code are copied
to the top of the user's stack, rather than obtaining the trampoline code
the old way by getting a clone of the parent's user area. This allows
Linux and native binaries to freely exec each other without getting
trampolines mixed up.
1996-03-02 19:38:20 +00:00
|
|
|
/*
|
|
|
|
|
* install sigcode
|
|
|
|
|
*/
|
|
|
|
|
if (szsigcode)
|
2002-08-29 01:28:27 +00:00
|
|
|
copyout(p->p_sysent->sv_sigcode, ((caddr_t)arginfo -
|
|
|
|
|
szsigcode), szsigcode);
|
Mega-commit for Linux emulator update.. This has been stress tested under
netscape-2.0 for Linux running all the Java stuff. The scrollbars are now
working, at least on my machine. (whew! :-)
I'm uncomfortable with the size of this commit, but it's too
inter-dependant to easily seperate out.
The main changes:
COMPAT_LINUX is *GONE*. Most of the code has been moved out of the i386
machine dependent section into the linux emulator itself. The int 0x80
syscall code was almost identical to the lcall 7,0 code and a minor tweak
allows them to both be used with the same C code. All kernels can now
just modload the lkm and it'll DTRT without having to rebuild the kernel
first. Like IBCS2, you can statically compile it in with "options LINUX".
A pile of new syscalls implemented, including getdents(), llseek(),
readv(), writev(), msync(), personality(). The Linux-ELF libraries want
to use some of these.
linux_select() now obeys Linux semantics, ie: returns the time remaining
of the timeout value rather than leaving it the original value.
Quite a few bugs removed, including incorrect arguments being used in
syscalls.. eg: mixups between passing the sigset as an int, vs passing
it as a pointer and doing a copyin(), missing return values, unhandled
cases, SIOC* ioctls, etc.
The build for the code has changed. i386/conf/files now knows how
to build linux_genassym and generate linux_assym.h on the fly.
Supporting changes elsewhere in the kernel:
The user-mode signal trampoline has moved from the U area to immediately
below the top of the stack (below PS_STRINGS). This allows the different
binary emulations to have their own signal trampoline code (which gets rid
of the hardwired syscall 103 (sigreturn on BSD, syslog on Linux)) and so
that the emulator can provide the exact "struct sigcontext *" argument to
the program's signal handlers.
The sigstack's "ss_flags" now uses SS_DISABLE and SS_ONSTACK flags, which
have the same values as the re-used SA_DISABLE and SA_ONSTACK which are
intended for sigaction only. This enables the support of a SA_RESETHAND
flag to sigaction to implement the gross SYSV and Linux SA_ONESHOT signal
semantics where the signal handler is reset when it's triggered.
makesyscalls.sh no longer appends the struct sysentvec on the end of the
generated init_sysent.c code. It's a lot saner to have it in a seperate
file rather than trying to update the structure inside the awk script. :-)
At exec time, the dozen bytes or so of signal trampoline code are copied
to the top of the user's stack, rather than obtaining the trampoline code
the old way by getting a clone of the parent's user area. This allows
Linux and native binaries to freely exec each other without getting
trampolines mixed up.
1996-03-02 19:38:20 +00:00
|
|
|
|
1996-03-10 08:42:54 +00:00
|
|
|
/*
|
|
|
|
|
* If we have a valid auxargs ptr, prepare some room
|
|
|
|
|
* on the stack.
|
|
|
|
|
*/
|
2000-09-26 05:09:21 +00:00
|
|
|
if (imgp->auxargs) {
|
|
|
|
|
/*
|
|
|
|
|
* 'AT_COUNT*2' is size for the ELF Auxargs data. This is for
|
|
|
|
|
* lower compatibility.
|
|
|
|
|
*/
|
2002-08-25 20:48:45 +00:00
|
|
|
imgp->auxarg_size = (imgp->auxarg_size) ? imgp->auxarg_size :
|
|
|
|
|
(AT_COUNT * 2);
|
2000-09-26 05:09:21 +00:00
|
|
|
/*
|
|
|
|
|
* The '+ 2' is for the null pointers at the end of each of
|
|
|
|
|
* the arg and env vector sets,and imgp->auxarg_size is room
|
|
|
|
|
* for argument of Runtime loader.
|
|
|
|
|
*/
|
2005-01-29 23:12:00 +00:00
|
|
|
vectp = (char **)(destp - (imgp->args->argc +
|
|
|
|
|
imgp->args->envc + 2 + imgp->auxarg_size) *
|
|
|
|
|
sizeof(char *));
|
2000-09-26 05:09:21 +00:00
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
} else {
|
2000-09-26 05:09:21 +00:00
|
|
|
/*
|
|
|
|
|
* The '+ 2' is for the null pointers at the end of each of
|
|
|
|
|
* the arg and env vector sets
|
|
|
|
|
*/
|
2005-01-29 23:12:00 +00:00
|
|
|
vectp = (char **)(destp - (imgp->args->argc + imgp->args->envc + 2) *
|
2002-08-25 20:48:45 +00:00
|
|
|
sizeof(char *));
|
2005-01-29 23:12:00 +00:00
|
|
|
}
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* vectp also becomes our initial stack base
|
|
|
|
|
*/
|
1999-12-27 10:42:55 +00:00
|
|
|
stack_base = (register_t *)vectp;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
2005-01-29 23:12:00 +00:00
|
|
|
stringp = imgp->args->begin_argv;
|
|
|
|
|
argc = imgp->args->argc;
|
|
|
|
|
envc = imgp->args->envc;
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1995-03-01 04:09:50 +00:00
|
|
|
/*
|
|
|
|
|
* Copy out strings - arguments and environment.
|
|
|
|
|
*/
|
2005-01-29 23:12:00 +00:00
|
|
|
copyout(stringp, destp, ARG_MAX - imgp->args->stringspace);
|
1995-03-01 04:09:50 +00:00
|
|
|
|
1994-08-06 09:06:31 +00:00
|
|
|
/*
|
|
|
|
|
* Fill in "ps_strings" struct for ps, w, etc.
|
|
|
|
|
*/
|
1998-07-15 06:19:33 +00:00
|
|
|
suword(&arginfo->ps_argvstr, (long)(intptr_t)vectp);
|
1995-03-01 04:09:50 +00:00
|
|
|
suword(&arginfo->ps_nargvstr, argc);
|
1994-08-06 09:06:31 +00:00
|
|
|
|
|
|
|
|
/*
|
1995-03-01 04:09:50 +00:00
|
|
|
* Fill in argument portion of vector table.
|
1994-08-06 09:06:31 +00:00
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
for (; argc > 0; --argc) {
|
1998-07-15 06:19:33 +00:00
|
|
|
suword(vectp++, (long)(intptr_t)destp);
|
1995-03-01 04:09:50 +00:00
|
|
|
while (*stringp++ != 0)
|
|
|
|
|
destp++;
|
|
|
|
|
destp++;
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
|
|
|
|
|
2001-02-06 11:21:58 +00:00
|
|
|
/* a null vector table pointer separates the argp's from the envp's */
|
1996-07-12 04:12:25 +00:00
|
|
|
suword(vectp++, 0);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
1998-07-15 06:19:33 +00:00
|
|
|
suword(&arginfo->ps_envstr, (long)(intptr_t)vectp);
|
1995-03-01 04:09:50 +00:00
|
|
|
suword(&arginfo->ps_nenvstr, envc);
|
1994-08-06 09:06:31 +00:00
|
|
|
|
|
|
|
|
/*
|
1995-03-01 04:09:50 +00:00
|
|
|
* Fill in environment portion of vector table.
|
1994-08-06 09:06:31 +00:00
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
for (; envc > 0; --envc) {
|
1998-07-15 06:19:33 +00:00
|
|
|
suword(vectp++, (long)(intptr_t)destp);
|
1995-03-01 04:09:50 +00:00
|
|
|
while (*stringp++ != 0)
|
|
|
|
|
destp++;
|
|
|
|
|
destp++;
|
1994-05-25 09:21:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* end of vector table is a null pointer */
|
1996-07-12 04:12:25 +00:00
|
|
|
suword(vectp, 0);
|
1994-05-25 09:21:21 +00:00
|
|
|
|
|
|
|
|
return (stack_base);
|
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
|
/*
|
1994-05-25 09:21:21 +00:00
|
|
|
* Check permissions of file to execute.
|
2000-11-30 21:06:05 +00:00
|
|
|
* Called with imgp->vp locked.
|
1994-05-25 09:21:21 +00:00
|
|
|
* Return 0 for success or error code on failure.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1998-03-02 05:47:58 +00:00
|
|
|
int
|
1995-11-06 12:52:37 +00:00
|
|
|
exec_check_permissions(imgp)
|
|
|
|
|
struct image_params *imgp;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
1995-11-06 12:52:37 +00:00
|
|
|
struct vnode *vp = imgp->vp;
|
|
|
|
|
struct vattr *attr = imgp->attr;
|
2002-02-27 18:32:23 +00:00
|
|
|
struct thread *td;
|
1994-05-25 09:21:21 +00:00
|
|
|
int error;
|
|
|
|
|
|
2002-02-27 18:32:23 +00:00
|
|
|
td = curthread; /* XXXKSE */
|
2002-08-01 14:31:58 +00:00
|
|
|
|
2003-01-21 03:26:28 +00:00
|
|
|
/* Get file attributes */
|
|
|
|
|
error = VOP_GETATTR(vp, attr, td->td_ucred, td);
|
|
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
|
2002-08-01 14:31:58 +00:00
|
|
|
#ifdef MAC
|
2002-11-05 17:51:56 +00:00
|
|
|
error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp);
|
2002-08-01 14:31:58 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
#endif
|
|
|
|
|
|
1994-05-25 09:21:21 +00:00
|
|
|
/*
|
|
|
|
|
* 1) Check if file execution is disabled for the filesystem that this
|
|
|
|
|
* file resides on.
|
|
|
|
|
* 2) Insure that at least one execute bit is on - otherwise root
|
|
|
|
|
* will always succeed, and we don't want to happen unless the
|
|
|
|
|
* file really is executable.
|
|
|
|
|
* 3) Insure that the file is a regular file.
|
|
|
|
|
*/
|
1995-11-06 12:52:37 +00:00
|
|
|
if ((vp->v_mount->mnt_flag & MNT_NOEXEC) ||
|
1994-05-25 09:21:21 +00:00
|
|
|
((attr->va_mode & 0111) == 0) ||
|
2002-02-27 18:32:23 +00:00
|
|
|
(attr->va_type != VREG))
|
1994-05-25 09:21:21 +00:00
|
|
|
return (EACCES);
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
|
/*
|
1994-05-25 09:21:21 +00:00
|
|
|
* Zero length files can't be exec'd
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
if (attr->va_size == 0)
|
|
|
|
|
return (ENOEXEC);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check for execute permission to file based on current credentials.
|
|
|
|
|
*/
|
2002-02-27 18:32:23 +00:00
|
|
|
error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);
|
1994-05-25 09:21:21 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
|
1997-04-04 04:17:11 +00:00
|
|
|
/*
|
|
|
|
|
* Check number of open-for-writes on the file and deny execution
|
|
|
|
|
* if there are any.
|
|
|
|
|
*/
|
|
|
|
|
if (vp->v_writecount)
|
|
|
|
|
return (ETXTBSY);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Call filesystem specific open routine (which does nothing in the
|
|
|
|
|
* general case).
|
|
|
|
|
*/
|
2003-07-26 07:32:23 +00:00
|
|
|
error = VOP_OPEN(vp, FREAD, td->td_ucred, td, -1);
|
2002-02-27 18:32:23 +00:00
|
|
|
return (error);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
1998-10-16 03:55:01 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Exec handler registration
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
exec_register(execsw_arg)
|
|
|
|
|
const struct execsw *execsw_arg;
|
|
|
|
|
{
|
|
|
|
|
const struct execsw **es, **xs, **newexecsw;
|
|
|
|
|
int count = 2; /* New slot and trailing NULL */
|
|
|
|
|
|
|
|
|
|
if (execsw)
|
|
|
|
|
for (es = execsw; *es; es++)
|
|
|
|
|
count++;
|
2003-02-19 05:47:46 +00:00
|
|
|
newexecsw = malloc(count * sizeof(*es), M_TEMP, M_WAITOK);
|
1998-10-16 03:55:01 +00:00
|
|
|
if (newexecsw == NULL)
|
2002-08-24 22:01:40 +00:00
|
|
|
return (ENOMEM);
|
1998-10-16 03:55:01 +00:00
|
|
|
xs = newexecsw;
|
|
|
|
|
if (execsw)
|
|
|
|
|
for (es = execsw; *es; es++)
|
|
|
|
|
*xs++ = *es;
|
|
|
|
|
*xs++ = execsw_arg;
|
|
|
|
|
*xs = NULL;
|
|
|
|
|
if (execsw)
|
|
|
|
|
free(execsw, M_TEMP);
|
|
|
|
|
execsw = newexecsw;
|
2002-08-24 22:01:40 +00:00
|
|
|
return (0);
|
1998-10-16 03:55:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
exec_unregister(execsw_arg)
|
|
|
|
|
const struct execsw *execsw_arg;
|
|
|
|
|
{
|
|
|
|
|
const struct execsw **es, **xs, **newexecsw;
|
|
|
|
|
int count = 1;
|
|
|
|
|
|
|
|
|
|
if (execsw == NULL)
|
|
|
|
|
panic("unregister with no handlers left?\n");
|
|
|
|
|
|
|
|
|
|
for (es = execsw; *es; es++) {
|
|
|
|
|
if (*es == execsw_arg)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (*es == NULL)
|
2002-08-24 22:01:40 +00:00
|
|
|
return (ENOENT);
|
1998-10-16 03:55:01 +00:00
|
|
|
for (es = execsw; *es; es++)
|
|
|
|
|
if (*es != execsw_arg)
|
|
|
|
|
count++;
|
2003-02-19 05:47:46 +00:00
|
|
|
newexecsw = malloc(count * sizeof(*es), M_TEMP, M_WAITOK);
|
1998-10-16 03:55:01 +00:00
|
|
|
if (newexecsw == NULL)
|
2002-08-24 22:01:40 +00:00
|
|
|
return (ENOMEM);
|
1998-10-16 03:55:01 +00:00
|
|
|
xs = newexecsw;
|
|
|
|
|
for (es = execsw; *es; es++)
|
|
|
|
|
if (*es != execsw_arg)
|
|
|
|
|
*xs++ = *es;
|
|
|
|
|
*xs = NULL;
|
|
|
|
|
if (execsw)
|
|
|
|
|
free(execsw, M_TEMP);
|
|
|
|
|
execsw = newexecsw;
|
2002-08-24 22:01:40 +00:00
|
|
|
return (0);
|
1998-10-16 03:55:01 +00:00
|
|
|
}
|
