From 2d423f7671fe452486932c8e41e7d3547afe82aa Mon Sep 17 00:00:00 2001
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Thu, 14 Jan 2021 15:38:29 +0200
Subject: [PATCH] sysent: allow ABI to disable setid on exec.

Reviewed by:	dchagin
Tested by:	trasz
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D28154
---
 sys/kern/kern_exec.c | 4 ++++
 sys/sys/sysent.h     | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 356c30ee030c..b091d6061616 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -778,6 +778,10 @@ do_execve(struct thread *td, struct image_args *args, struct mac *mac_p,
 		signotify(td);
 	}
 
+	if (imgp->sysent->sv_setid_allowed != NULL &&
+	    !(*imgp->sysent->sv_setid_allowed)(td, imgp))
+		execve_nosetid(imgp);
+
 	/*
 	 * Implement image setuid/setgid installation.
 	 */
diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h
index e6db2ec3dfb1..4a707b41e020 100644
--- a/sys/sys/sysent.h
+++ b/sys/sys/sysent.h
@@ -148,6 +148,8 @@ struct sysentvec {
 	void		(*sv_onexec)(struct proc *, struct image_params *);
 	void		(*sv_onexit)(struct proc *);
 	void		(*sv_ontdexit)(struct thread *td);
+	bool		(*sv_setid_allowed)(struct thread *td,
+			    struct image_params *imgp);
 };
 
 #define	SV_ILP32	0x000100	/* 32-bit executable. */