4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
26 /* Copyright (c) 1988 AT&T */
27 /* All Rights Reserved */
29 * Copyright 2016 Joyent, Inc.
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
40 #include <sys/errno.h>
43 #include <sys/vnode.h>
46 #include <sys/cpuvar.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
53 #include <sys/vtrace.h>
55 #include <sys/exechdr.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
70 #include <sys/brand.h>
72 #include <sys/random.h>
80 #include <vm/seg_vn.h>
82 #define PRIV_RESET 0x01 /* needs to reset privs */
83 #define PRIV_SETID 0x02 /* needs to change uids */
84 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
85 #define PRIV_INCREASE 0x08 /* child runs with more privs */
86 #define PRIV_FORCED 0x20 /* has forced privileges */
88 static int execsetid(struct vnode
*, struct vattr
*, uid_t
*, uid_t
*,
89 priv_set_t
*, cred_t
*, const char *);
90 static int hold_execsw(struct execsw
*);
92 uint_t auxv_hwcap
= 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
93 uint_t auxv_hwcap_2
= 0; /* AT_SUN_HWCAP2 */
94 #if defined(_SYSCALL32_IMPL)
95 uint_t auxv_hwcap32
= 0; /* 32-bit version of auxv_hwcap */
96 uint_t auxv_hwcap32_2
= 0; /* 32-bit version of auxv_hwcap2 */
99 #define PSUIDFLAGS (SNOCD|SUGID)
102 * These are consumed within the specific exec modules, but are defined here
105 * 1) The exec modules are unloadable, which would make this near useless.
107 * 2) We want them to be common across all of them, should more than ELF come
110 * All must be powers of 2.
112 size_t aslr_max_brk_skew
= 16 * 1024 * 1024; /* 16MB */
113 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */
114 size_t aslr_max_stack_skew
= 64 * 1024; /* 64KB */
117 * exece() - system call wrapper around exec_common()
120 exece(const char *fname
, const char **argp
, const char **envp
)
124 error
= exec_common(fname
, argp
, envp
, EBA_NONE
);
125 return (error
? (set_errno(error
)) : 0);
129 exec_common(const char *fname
, const char **argp
, const char **envp
,
132 vnode_t
*vp
= NULL
, *dir
= NULL
, *tmpvp
= NULL
;
133 proc_t
*p
= ttoproc(curthread
);
134 klwp_t
*lwp
= ttolwp(curthread
);
135 struct user
*up
= PTOU(p
);
136 long execsz
; /* temporary count of exec size */
139 char exec_file
[MAXCOMLEN
+1];
141 struct pathname resolvepn
;
144 k_sigset_t savedmask
;
145 lwpdir_t
*lwpdir
= NULL
;
147 lwpdir_t
*old_lwpdir
= NULL
;
148 uint_t old_lwpdir_sz
;
149 tidhash_t
*old_tidhash
;
150 uint_t old_tidhash_sz
;
151 ret_tidhash_t
*ret_tidhash
;
153 boolean_t brandme
= B_FALSE
;
156 * exec() is not supported for the /proc agent lwp.
158 if (curthread
== p
->p_agenttp
)
161 if (brand_action
!= EBA_NONE
) {
163 * Brand actions are not supported for processes that are not
164 * running in a branded zone.
166 if (!ZONE_IS_BRANDED(p
->p_zone
))
169 if (brand_action
== EBA_NATIVE
) {
170 /* Only branded processes can be unbranded */
171 if (!PROC_IS_BRANDED(p
))
174 /* Only unbranded processes can be branded */
175 if (PROC_IS_BRANDED(p
))
181 * If this is a native zone, or if the process is already
182 * branded, then we don't need to do anything. If this is
183 * a native process in a branded zone, we need to brand the
184 * process as it exec()s the new binary.
186 if (ZONE_IS_BRANDED(p
->p_zone
) && !PROC_IS_BRANDED(p
))
191 * Inform /proc that an exec() has started.
192 * Hold signals that are ignored by default so that we will
193 * not be interrupted by a signal that will be ignored after
194 * successful completion of gexec().
196 mutex_enter(&p
->p_lock
);
198 schedctl_finish_sigblock(curthread
);
199 savedmask
= curthread
->t_hold
;
200 sigorset(&curthread
->t_hold
, &ignoredefault
);
201 mutex_exit(&p
->p_lock
);
204 * Look up path name and remember last component for later.
205 * To help coreadm expand its %d token, we attempt to save
206 * the directory containing the executable in p_execdir. The
207 * first call to lookuppn() may fail and return EINVAL because
208 * dirvpp is non-NULL. In that case, we make a second call to
209 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
210 * but coreadm is allowed to expand %d to the empty string and
211 * there are other cases in which that failure may occur.
213 if ((error
= pn_get((char *)fname
, UIO_USERSPACE
, &pn
)) != 0)
215 pn_alloc(&resolvepn
);
216 if ((error
= lookuppn(&pn
, &resolvepn
, FOLLOW
, &dir
, &vp
)) != 0) {
223 if ((error
= pn_get((char *)fname
, UIO_USERSPACE
, &pn
)) != 0)
225 pn_alloc(&resolvepn
);
226 if ((error
= lookuppn(&pn
, &resolvepn
, FOLLOW
, NULLVPP
,
242 if ((error
= secpolicy_basic_exec(CRED(), vp
)) != 0) {
252 * We do not allow executing files in attribute directories.
253 * We test this by determining whether the resolved path
254 * contains a "/" when we're in an attribute directory;
255 * only if the pathname does not contain a "/" the resolved path
256 * points to a file in the current working (attribute) directory.
258 if ((p
->p_user
.u_cdir
->v_flag
& V_XATTRDIR
) != 0 &&
259 strchr(resolvepn
.pn_path
, '/') == NULL
) {
269 bzero(exec_file
, MAXCOMLEN
+1);
270 (void) strncpy(exec_file
, pn
.pn_path
, MAXCOMLEN
);
271 bzero(&args
, sizeof (args
));
272 args
.pathname
= resolvepn
.pn_path
;
273 /* don't free resolvepn until we are done with args */
277 * If we're running in a profile shell, then call pfexecd.
279 if ((CR_FLAGS(p
->p_cred
) & PRIV_PFEXEC
) != 0) {
280 error
= pfexec_call(p
->p_cred
, &resolvepn
, &args
.pfcred
,
283 /* Returning errno in case we're not allowed to execute. */
292 /* Don't change the credentials when using old ptrace. */
293 if (args
.pfcred
!= NULL
&&
294 (p
->p_proc_flag
& P_PR_PTRACE
) != 0) {
297 args
.scrubenv
= B_FALSE
;
302 * Specific exec handlers, or policies determined via
303 * /etc/system may override the historical default.
305 args
.stk_prot
= PROT_ZFOD
;
306 args
.dat_prot
= PROT_ZFOD
;
308 CPU_STATS_ADD_K(sys
, sysexec
, 1);
309 DTRACE_PROC1(exec
, char *, args
.pathname
);
315 /* If necessary, brand this process before we start the exec. */
319 if ((error
= gexec(&vp
, &ua
, &args
, NULL
, 0, &execsz
,
320 exec_file
, p
->p_cred
, brand_action
)) != 0) {
322 brand_clearbrand(p
, B_FALSE
);
331 * Free floating point registers (sun4u only)
334 lwp_freeregs(lwp
, 1);
337 * Free thread and process context ops.
339 if (curthread
->t_ctx
)
340 freectx(curthread
, 1);
345 * Remember file name for accounting; clear any cached DTrace predicate.
347 up
->u_acflag
&= ~AFORK
;
348 bcopy(exec_file
, up
->u_comm
, MAXCOMLEN
+1);
349 curthread
->t_predcache
= 0;
352 * Clear contract template state
354 lwp_ctmpl_clear(lwp
);
357 * Save the directory in which we found the executable for expanding
358 * the %d token used in core file patterns.
360 mutex_enter(&p
->p_lock
);
361 tmpvp
= p
->p_execdir
;
363 if (p
->p_execdir
!= NULL
)
364 VN_HOLD(p
->p_execdir
);
365 mutex_exit(&p
->p_lock
);
371 * Reset stack state to the user stack, clear set of signals
372 * caught on the signal stack, and reset list of signals that
373 * restart system calls; the new program's environment should
374 * not be affected by detritus from the old program. Any
375 * pending held signals remain held, so don't clear t_hold.
377 mutex_enter(&p
->p_lock
);
378 lwp
->lwp_oldcontext
= 0;
380 lwp
->lwp_old_stk_ctl
= 0;
381 sigemptyset(&up
->u_signodefer
);
382 sigemptyset(&up
->u_sigonstack
);
383 sigemptyset(&up
->u_sigresethand
);
384 lwp
->lwp_sigaltstack
.ss_sp
= 0;
385 lwp
->lwp_sigaltstack
.ss_size
= 0;
386 lwp
->lwp_sigaltstack
.ss_flags
= SS_DISABLE
;
389 * Make saved resource limit == current resource limit.
391 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
394 (void) rctl_rlimit_get(rctlproc_legacy
[i
], p
,
395 &up
->u_saved_rlimit
[i
]);
400 * If the action was to catch the signal, then the action
401 * must be reset to SIG_DFL.
404 p
->p_flag
&= ~(SNOWAIT
|SJCTL
);
405 p
->p_flag
|= (SEXECED
|SMSACCT
|SMSFORK
);
406 up
->u_signal
[SIGCLD
- 1] = SIG_DFL
;
409 * Delete the dot4 sigqueues/signotifies.
413 mutex_exit(&p
->p_lock
);
415 mutex_enter(&p
->p_pflock
);
416 p
->p_prof
.pr_base
= NULL
;
417 p
->p_prof
.pr_size
= 0;
418 p
->p_prof
.pr_off
= 0;
419 p
->p_prof
.pr_scale
= 0;
420 p
->p_prof
.pr_samples
= 0;
421 mutex_exit(&p
->p_pflock
);
423 ASSERT(curthread
->t_schedctl
== NULL
);
426 if (p
->p_utraps
!= NULL
)
431 * Close all close-on-exec files.
433 close_exec(P_FINFO(p
));
434 TRACE_2(TR_FAC_PROC
, TR_PROC_EXEC
, "proc_exec:p %p up %p", p
, up
);
436 /* Unbrand ourself if necessary. */
437 if (PROC_IS_BRANDED(p
) && (brand_action
== EBA_NATIVE
))
438 brand_clearbrand(p
, B_FALSE
);
442 /* Mark this as an executable vnode */
443 mutex_enter(&vp
->v_lock
);
444 vp
->v_flag
|= VVMEXEC
;
445 mutex_exit(&vp
->v_lock
);
453 * Allocate a new lwp directory and lwpid hash table if necessary.
455 if (curthread
->t_tid
!= 1 || p
->p_lwpdir_sz
!= 2) {
456 lwpdir
= kmem_zalloc(2 * sizeof (lwpdir_t
), KM_SLEEP
);
457 lwpdir
->ld_next
= lwpdir
+ 1;
458 tidhash
= kmem_zalloc(2 * sizeof (tidhash_t
), KM_SLEEP
);
459 if (p
->p_lwpdir
!= NULL
)
460 lep
= p
->p_lwpdir
[curthread
->t_dslot
].ld_entry
;
462 lep
= kmem_zalloc(sizeof (*lep
), KM_SLEEP
);
465 if (PROC_IS_BRANDED(p
))
468 mutex_enter(&p
->p_lock
);
472 * Reset lwp id to the default value of 1.
473 * This is a single-threaded process now
474 * and lwp #1 is lwp_wait()able by default.
475 * The t_unpark flag should not be inherited.
477 ASSERT(p
->p_lwpcnt
== 1 && p
->p_zombcnt
== 0);
478 curthread
->t_tid
= 1;
480 ASSERT(curthread
->t_lpl
!= NULL
);
481 p
->p_t1_lgrpid
= curthread
->t_lpl
->lpl_lgrpid
;
483 if (p
->p_tr_lgrpid
!= LGRP_NONE
&& p
->p_tr_lgrpid
!= p
->p_t1_lgrpid
) {
484 lgrp_update_trthr_migrations(1);
486 curthread
->t_unpark
= 0;
487 curthread
->t_proc_flag
|= TP_TWAIT
;
488 curthread
->t_proc_flag
&= ~TP_DAEMON
; /* daemons shouldn't exec */
489 p
->p_lwpdaemon
= 0; /* but oh well ... */
493 * Install the newly-allocated lwp directory and lwpid hash table
494 * and insert the current thread into the new hash table.
496 if (lwpdir
!= NULL
) {
497 old_lwpdir
= p
->p_lwpdir
;
498 old_lwpdir_sz
= p
->p_lwpdir_sz
;
499 old_tidhash
= p
->p_tidhash
;
500 old_tidhash_sz
= p
->p_tidhash_sz
;
501 p
->p_lwpdir
= p
->p_lwpfree
= lwpdir
;
503 lep
->le_thread
= curthread
;
504 lep
->le_lwpid
= curthread
->t_tid
;
505 lep
->le_start
= curthread
->t_start
;
506 lwp_hash_in(p
, lep
, tidhash
, 2, 0);
507 p
->p_tidhash
= tidhash
;
510 ret_tidhash
= p
->p_ret_tidhash
;
511 p
->p_ret_tidhash
= NULL
;
514 * Restore the saved signal mask and
515 * inform /proc that the exec() has finished.
517 curthread
->t_hold
= savedmask
;
519 mutex_exit(&p
->p_lock
);
521 kmem_free(old_lwpdir
, old_lwpdir_sz
* sizeof (lwpdir_t
));
522 kmem_free(old_tidhash
, old_tidhash_sz
* sizeof (tidhash_t
));
524 while (ret_tidhash
!= NULL
) {
525 ret_tidhash_t
*next
= ret_tidhash
->rth_next
;
526 kmem_free(ret_tidhash
->rth_tidhash
,
527 ret_tidhash
->rth_tidhash_sz
* sizeof (tidhash_t
));
528 kmem_free(ret_tidhash
, sizeof (*ret_tidhash
));
533 DTRACE_PROC(exec__success
);
537 DTRACE_PROC1(exec__failure
, int, error
);
538 out
: /* error return */
539 mutex_enter(&p
->p_lock
);
540 curthread
->t_hold
= savedmask
;
542 mutex_exit(&p
->p_lock
);
549 * Perform generic exec duties and switchout to object-file specific
557 struct intpdata
*idatap
,
564 struct vnode
*vp
, *execvp
= NULL
;
565 proc_t
*pp
= ttoproc(curthread
);
572 char magbuf
[MAGIC_BYTES
];
574 cred_t
*oldcred
, *newcred
= NULL
;
578 secflagset_t old_secflags
;
580 secflags_copy(&old_secflags
, &pp
->p_secflags
.psf_effective
);
583 * If the SNOCD or SUGID flag is set, turn it off and remember the
584 * previous setting so we can restore it if we encounter an error.
586 if (level
== 0 && (pp
->p_flag
& PSUIDFLAGS
)) {
587 mutex_enter(&pp
->p_lock
);
588 suidflags
= pp
->p_flag
& PSUIDFLAGS
;
589 pp
->p_flag
&= ~PSUIDFLAGS
;
590 mutex_exit(&pp
->p_lock
);
593 if ((error
= execpermissions(*vpp
, &vattr
, args
)) != 0)
596 /* need to open vnode for stateful file systems */
597 if ((error
= fop_open(vpp
, FREAD
, CRED(), NULL
)) != 0)
602 * Note: to support binary compatibility with SunOS a.out
603 * executables, we read in the first four bytes, as the
604 * magic number is in bytes 2-3.
606 if (error
= vn_rdwr(UIO_READ
, vp
, magbuf
, sizeof (magbuf
),
607 (offset_t
)0, UIO_SYSSPACE
, 0, (rlim64_t
)0, CRED(), &resid
))
612 if ((eswp
= findexec_by_hdr(magbuf
)) == NULL
)
616 (privflags
= execsetid(vp
, &vattr
, &uid
, &gid
, &fset
,
617 args
->pfcred
== NULL
? cred
: args
->pfcred
, args
->pathname
)) != 0) {
619 /* Pfcred is a credential with a ref count of 1 */
621 if (args
->pfcred
!= NULL
) {
622 privflags
|= PRIV_INCREASE
|PRIV_RESET
;
623 newcred
= cred
= args
->pfcred
;
625 newcred
= cred
= crdup(cred
);
628 /* If we can, drop the PA bit */
629 if ((privflags
& PRIV_RESET
) != 0)
630 priv_adjust_PA(cred
);
632 if (privflags
& PRIV_SETID
) {
640 * Implement the privilege updates:
646 * E' = P' = (I' + F) & A
648 * But if running under ptrace, we cap I and F with P.
650 if ((privflags
& (PRIV_RESET
|PRIV_FORCED
)) != 0) {
651 if ((privflags
& PRIV_INCREASE
) != 0 &&
652 (pp
->p_proc_flag
& P_PR_PTRACE
) != 0) {
653 priv_intersect(&CR_OPPRIV(cred
),
655 priv_intersect(&CR_OPPRIV(cred
), &fset
);
657 priv_intersect(&CR_LPRIV(cred
), &CR_IPRIV(cred
));
658 CR_EPRIV(cred
) = CR_PPRIV(cred
) = CR_IPRIV(cred
);
659 if (privflags
& PRIV_FORCED
) {
661 priv_union(&fset
, &CR_EPRIV(cred
));
662 priv_union(&fset
, &CR_PPRIV(cred
));
664 priv_adjust_PA(cred
);
666 } else if (level
== 0 && args
->pfcred
!= NULL
) {
667 newcred
= cred
= args
->pfcred
;
668 privflags
|= PRIV_INCREASE
;
669 /* pfcred is not forced to adhere to these settings */
670 priv_intersect(&CR_LPRIV(cred
), &CR_IPRIV(cred
));
671 CR_EPRIV(cred
) = CR_PPRIV(cred
) = CR_IPRIV(cred
);
672 priv_adjust_PA(cred
);
675 /* The new image gets the inheritable secflags as its secflags */
676 secflags_promote(pp
);
678 /* SunOS 4.x buy-back */
679 if ((vp
->v_vfsp
->vfs_flag
& VFS_NOSETUID
) &&
680 (vattr
.va_mode
& (VSUID
|VSGID
))) {
681 char path
[MAXNAMELEN
];
682 refstr_t
*mntpt
= NULL
;
685 bzero(path
, sizeof (path
));
686 zone_hold(pp
->p_zone
);
688 ret
= vnodetopath(pp
->p_zone
->zone_rootvp
, vp
, path
,
689 sizeof (path
), cred
);
691 /* fallback to mountpoint if a path can't be found */
692 if ((ret
!= 0) || (ret
== 0 && path
[0] == '\0'))
693 mntpt
= vfs_getmntpoint(vp
->v_vfsp
);
696 zcmn_err(pp
->p_zone
->zone_id
, CE_NOTE
,
697 "!uid %d: setuid execution not allowed, "
698 "file=%s", cred
->cr_uid
, path
);
700 zcmn_err(pp
->p_zone
->zone_id
, CE_NOTE
,
701 "!uid %d: setuid execution not allowed, "
702 "fs=%s, file=%s", cred
->cr_uid
,
703 ZONE_PATH_TRANSLATE(refstr_value(mntpt
),
704 pp
->p_zone
), exec_file
);
706 if (!INGLOBALZONE(pp
)) {
707 /* zone_rootpath always has trailing / */
709 cmn_err(CE_NOTE
, "!zone: %s, uid: %d "
710 "setuid execution not allowed, file=%s%s",
711 pp
->p_zone
->zone_name
, cred
->cr_uid
,
712 pp
->p_zone
->zone_rootpath
, path
+ 1);
714 cmn_err(CE_NOTE
, "!zone: %s, uid: %d "
715 "setuid execution not allowed, fs=%s, "
716 "file=%s", pp
->p_zone
->zone_name
,
717 cred
->cr_uid
, refstr_value(mntpt
),
724 zone_rele(pp
->p_zone
);
728 * execsetid() told us whether or not we had to change the
729 * credentials of the process. In privflags, it told us
730 * whether we gained any privileges or executed a set-uid executable.
732 setid
= (privflags
& (PRIV_SETUGID
|PRIV_INCREASE
|PRIV_FORCED
));
735 * Use /etc/system variable to determine if the stack
736 * should be marked as executable by default.
738 if ((noexec_user_stack
!= 0) ||
739 secflag_enabled(pp
, PROC_SEC_NOEXECSTACK
))
740 args
->stk_prot
&= ~PROT_EXEC
;
742 args
->execswp
= eswp
; /* Save execsw pointer in uarg for exec_func */
746 * Traditionally, the setid flags told the sub processes whether
747 * the file just executed was set-uid or set-gid; this caused
748 * some confusion as the 'setid' flag did not match the SUGID
749 * process flag which is only set when the uids/gids do not match.
750 * A script set-gid/set-uid to the real uid/gid would start with
751 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
752 * Now we flag those cases where the calling process cannot
753 * be trusted to influence the newly exec'ed process, either
754 * because it runs with more privileges or when the uids/gids
755 * do in fact not match.
756 * This also makes the runtime linker agree with the on exec
757 * values of SNOCD and SUGID.
760 if (cred
->cr_uid
!= cred
->cr_ruid
|| (cred
->cr_rgid
!= cred
->cr_gid
&&
761 !supgroupmember(cred
->cr_gid
, cred
))) {
762 setidfl
|= EXECSETID_UGIDS
;
764 if (setid
& PRIV_SETUGID
)
765 setidfl
|= EXECSETID_SETID
;
766 if (setid
& PRIV_FORCED
)
767 setidfl
|= EXECSETID_PRIVS
;
773 error
= (*eswp
->exec_func
)(vp
, uap
, args
, idatap
, level
, execsz
,
774 setidfl
, exec_file
, cred
, brand_action
);
775 rw_exit(eswp
->exec_lock
);
780 * If this process's p_exec has been set to the vp of
781 * the executable by exec_func, we will return without
782 * calling fop_close because proc_exit will close it
785 if (pp
->p_exec
== vp
)
794 if (execvp
!= NULL
) {
796 * Close the previous executable only if we are
799 (void) fop_close(execvp
, FREAD
, 1, (offset_t
)0,
803 mutex_enter(&pp
->p_crlock
);
805 oruid
= pp
->p_cred
->cr_ruid
;
807 if (newcred
!= NULL
) {
809 * Free the old credentials, and set the new ones.
810 * Do this for both the process and the (single) thread.
813 pp
->p_cred
= cred
; /* cred already held for proc */
814 crhold(cred
); /* hold new cred for thread */
816 * DTrace accesses t_cred in probe context. t_cred
817 * must always be either NULL, or point to a valid,
818 * allocated cred structure.
820 oldcred
= curthread
->t_cred
;
821 curthread
->t_cred
= cred
;
824 if (priv_basic_test
>= 0 &&
825 !PRIV_ISMEMBER(&CR_IPRIV(newcred
),
827 pid_t pid
= pp
->p_pid
;
828 char *fn
= PTOU(pp
)->u_comm
;
830 cmn_err(CE_WARN
, "%s[%d]: exec: basic_test "
831 "privilege removed from E/I", fn
, pid
);
835 * On emerging from a successful exec(), the saved
836 * uid and gid equal the effective uid and gid.
838 cred
->cr_suid
= cred
->cr_uid
;
839 cred
->cr_sgid
= cred
->cr_gid
;
842 * If the real and effective ids do not match, this
843 * is a setuid process that should not dump core.
844 * The group comparison is tricky; we prevent the code
845 * from flagging SNOCD when executing with an effective gid
846 * which is a supplementary group.
848 if (cred
->cr_ruid
!= cred
->cr_uid
||
849 (cred
->cr_rgid
!= cred
->cr_gid
&&
850 !supgroupmember(cred
->cr_gid
, cred
)) ||
851 (privflags
& PRIV_INCREASE
) != 0)
852 suidflags
= PSUIDFLAGS
;
856 mutex_exit(&pp
->p_crlock
);
857 if (newcred
!= NULL
&& oruid
!= newcred
->cr_ruid
) {
858 /* Note that the process remains in the same zone. */
859 mutex_enter(&pidlock
);
860 upcount_dec(oruid
, crgetzoneid(newcred
));
861 upcount_inc(newcred
->cr_ruid
, crgetzoneid(newcred
));
862 mutex_exit(&pidlock
);
865 mutex_enter(&pp
->p_lock
);
866 pp
->p_flag
|= suidflags
;
867 mutex_exit(&pp
->p_lock
);
869 if (setid
&& (pp
->p_proc_flag
& P_PR_PTRACE
) == 0) {
871 * If process is traced via /proc, arrange to
872 * invalidate the associated /proc vnode.
874 if (pp
->p_plist
|| (pp
->p_proc_flag
& P_PR_TRACE
))
875 args
->traceinval
= 1;
877 if (pp
->p_proc_flag
& P_PR_PTRACE
)
878 psignal(pp
, SIGTRAP
);
879 if (args
->traceinval
)
880 prinvalidate(&pp
->p_user
);
887 (void) fop_close(vp
, FREAD
, 1, (offset_t
)0, cred
, NULL
);
895 mutex_enter(&pp
->p_lock
);
897 pp
->p_flag
|= suidflags
;
900 * Restore the effective secflags, to maintain the invariant they
901 * never change for a given process
903 secflags_copy(&pp
->p_secflags
.psf_effective
, &old_secflags
);
904 mutex_exit(&pp
->p_lock
);
909 extern char *execswnames
[];
912 allocate_execsw(char *name
, char *magic
, size_t magic_size
)
918 mutex_enter(&execsw_lock
);
919 for (i
= 0; i
< nexectype
; i
++) {
920 if (execswnames
[i
] == NULL
) {
921 ename
= kmem_alloc(strlen(name
) + 1, KM_SLEEP
);
922 (void) strcpy(ename
, name
);
923 execswnames
[i
] = ename
;
925 * Set the magic number last so that we
926 * don't need to hold the execsw_lock in
929 magicp
= kmem_alloc(magic_size
, KM_SLEEP
);
930 for (j
= 0; j
< magic_size
; j
++)
931 magicp
[j
] = magic
[j
];
932 execsw
[i
].exec_magic
= magicp
;
933 mutex_exit(&execsw_lock
);
937 mutex_exit(&execsw_lock
);
942 * Find the exec switch table entry with the corresponding magic string.
945 findexecsw(char *magic
)
949 for (eswp
= execsw
; eswp
< &execsw
[nexectype
]; eswp
++) {
950 ASSERT(eswp
->exec_maglen
<= MAGIC_BYTES
);
951 if (magic
&& eswp
->exec_maglen
!= 0 &&
952 bcmp(magic
, eswp
->exec_magic
, eswp
->exec_maglen
) == 0)
959 * Find the execsw[] index for the given exec header string by looking for the
960 * magic string at a specified offset and length for each kind of executable
961 * file format until one matches. If no execsw[] entry is found, try to
962 * autoload a module for this magic string.
965 findexec_by_hdr(char *header
)
969 for (eswp
= execsw
; eswp
< &execsw
[nexectype
]; eswp
++) {
970 ASSERT(eswp
->exec_maglen
<= MAGIC_BYTES
);
971 if (header
&& eswp
->exec_maglen
!= 0 &&
972 bcmp(&header
[eswp
->exec_magoff
], eswp
->exec_magic
,
973 eswp
->exec_maglen
) == 0) {
974 if (hold_execsw(eswp
) != 0)
979 return (NULL
); /* couldn't find the type */
983 * Find the execsw[] index for the given magic string. If no execsw[] entry
984 * is found, try to autoload a module for this magic string.
987 findexec_by_magic(char *magic
)
991 for (eswp
= execsw
; eswp
< &execsw
[nexectype
]; eswp
++) {
992 ASSERT(eswp
->exec_maglen
<= MAGIC_BYTES
);
993 if (magic
&& eswp
->exec_maglen
!= 0 &&
994 bcmp(magic
, eswp
->exec_magic
, eswp
->exec_maglen
) == 0) {
995 if (hold_execsw(eswp
) != 0)
1000 return (NULL
); /* couldn't find the type */
1004 hold_execsw(struct execsw
*eswp
)
1008 rw_enter(eswp
->exec_lock
, RW_READER
);
1009 while (!LOADED_EXEC(eswp
)) {
1010 rw_exit(eswp
->exec_lock
);
1011 name
= execswnames
[eswp
-execsw
];
1013 if (modload("exec", name
) == -1)
1015 rw_enter(eswp
->exec_lock
, RW_READER
);
1021 execsetid(struct vnode
*vp
, struct vattr
*vattrp
, uid_t
*uidp
, uid_t
*gidp
,
1022 priv_set_t
*fset
, cred_t
*cr
, const char *pathname
)
1024 proc_t
*pp
= ttoproc(curthread
);
1029 * Remember credentials.
1034 /* Will try to reset the PRIV_AWARE bit later. */
1035 if ((CR_FLAGS(cr
) & (PRIV_AWARE
|PRIV_AWARE_INHERIT
)) == PRIV_AWARE
)
1036 privflags
|= PRIV_RESET
;
1038 if ((vp
->v_vfsp
->vfs_flag
& VFS_NOSETUID
) == 0) {
1040 * If it's a set-uid root program we perform the
1041 * forced privilege look-aside. This has three possible
1043 * no look aside information -> treat as before
1044 * look aside in Limit set -> apply forced privs
1045 * look aside not in Limit set -> ignore set-uid root
1047 * Ordinary set-uid root execution only allowed if the limit
1048 * set holds all unsafe privileges.
1050 if (vattrp
->va_mode
& VSUID
) {
1051 if (vattrp
->va_uid
== 0) {
1052 int res
= get_forced_privs(cr
, pathname
, fset
);
1056 if (priv_issubset(&priv_unsafe
,
1058 uid
= vattrp
->va_uid
;
1059 privflags
|= PRIV_SETUGID
;
1063 privflags
|= PRIV_FORCED
|PRIV_INCREASE
;
1069 uid
= vattrp
->va_uid
;
1070 privflags
|= PRIV_SETUGID
;
1073 if (vattrp
->va_mode
& VSGID
) {
1074 gid
= vattrp
->va_gid
;
1075 privflags
|= PRIV_SETUGID
;
1080 * Do we need to change our credential anyway?
1081 * This is the case when E != I or P != I, as
1082 * we need to do the assignments (with F empty and A full)
1083 * Or when I is not a subset of L; in that case we need to
1088 * E' = P' = (I' + F) & A
1092 if (!priv_isequalset(&CR_EPRIV(cr
), &CR_IPRIV(cr
)) ||
1093 !priv_issubset(&CR_IPRIV(cr
), &CR_LPRIV(cr
)) ||
1094 !priv_isequalset(&CR_PPRIV(cr
), &CR_IPRIV(cr
)))
1095 privflags
|= PRIV_RESET
;
1097 /* Child has more privileges than parent */
1098 if (!priv_issubset(&CR_IPRIV(cr
), &CR_PPRIV(cr
)))
1099 privflags
|= PRIV_INCREASE
;
1102 * Set setuid/setgid protections if no ptrace() compatibility.
1103 * For privileged processes, honor setuid/setgid even in
1104 * the presence of ptrace() compatibility.
1106 if (((pp
->p_proc_flag
& P_PR_PTRACE
) == 0 ||
1107 PRIV_POLICY_ONLY(cr
, PRIV_PROC_OWNER
, (uid
== 0))) &&
1108 (cr
->cr_uid
!= uid
||
1109 cr
->cr_gid
!= gid
||
1110 cr
->cr_suid
!= uid
||
1111 cr
->cr_sgid
!= gid
)) {
1114 privflags
|= PRIV_SETID
;
1120 execpermissions(struct vnode
*vp
, struct vattr
*vattrp
, struct uarg
*args
)
1123 proc_t
*p
= ttoproc(curthread
);
1125 vattrp
->va_mask
= AT_MODE
| AT_UID
| AT_GID
| AT_SIZE
;
1126 if (error
= fop_getattr(vp
, vattrp
, ATTR_EXEC
, p
->p_cred
, NULL
))
1129 * Check the access mode.
1130 * If VPROC, ask /proc if the file is an object file.
1132 if ((error
= fop_access(vp
, VEXEC
, 0, p
->p_cred
, NULL
)) != 0 ||
1133 !(vp
->v_type
== VREG
|| (vp
->v_type
== VPROC
&& pr_isobject(vp
))) ||
1134 (vp
->v_vfsp
->vfs_flag
& VFS_NOEXEC
) != 0 ||
1135 (vattrp
->va_mode
& (VEXEC
|(VEXEC
>>3)|(VEXEC
>>6))) == 0) {
1141 if ((p
->p_plist
|| (p
->p_proc_flag
& (P_PR_PTRACE
|P_PR_TRACE
))) &&
1142 (error
= fop_access(vp
, VREAD
, 0, p
->p_cred
, NULL
))) {
1144 * If process is under ptrace(2) compatibility,
1147 if (p
->p_proc_flag
& P_PR_PTRACE
)
1150 * Process is traced via /proc.
1151 * Arrange to invalidate the /proc vnode.
1153 args
->traceinval
= 1;
1163 * Map a section of an executable file into the user's
1167 execmap(struct vnode
*vp
, caddr_t addr
, size_t len
, size_t zfodlen
,
1168 off_t offset
, int prot
, int page
, uint_t szc
)
1172 caddr_t zfodbase
, oldaddr
;
1176 proc_t
*p
= ttoproc(curthread
);
1179 addr
= (caddr_t
)((uintptr_t)addr
& (uintptr_t)PAGEMASK
);
1182 len
+= ((size_t)oldaddr
- (size_t)addr
);
1184 offset
= (off_t
)((uintptr_t)offset
& PAGEMASK
);
1186 spgcnt_t prefltmem
, availm
, npages
;
1188 uint_t mflag
= MAP_PRIVATE
| MAP_FIXED
;
1190 if ((prot
& (PROT_WRITE
| PROT_EXEC
)) == PROT_EXEC
) {
1193 mflag
|= MAP_INITDATA
;
1196 if (valid_usr_range(addr
, len
, prot
, p
->p_as
,
1197 p
->p_as
->a_userlimit
) != RANGE_OKAY
) {
1201 if (error
= fop_map(vp
, (offset_t
)offset
,
1202 p
->p_as
, &addr
, len
, prot
, PROT_ALL
,
1203 mflag
, CRED(), NULL
))
1207 * If the segment can fit, then we prefault
1208 * the entire segment in. This is based on the
1209 * model that says the best working set of a
1210 * small program is all of its pages.
1212 npages
= (spgcnt_t
)btopr(len
);
1213 prefltmem
= freemem
- desfree
;
1215 (npages
< prefltmem
&& len
< PGTHRESH
) ? 1 : 0;
1218 * If we aren't prefaulting the segment,
1219 * increment "deficit", if necessary to ensure
1220 * that pages will become available when this
1221 * process starts executing.
1223 availm
= freemem
- lotsfree
;
1224 if (preread
== 0 && npages
> availm
&&
1225 deficit
< lotsfree
) {
1226 deficit
+= MIN((pgcnt_t
)(npages
- availm
),
1227 lotsfree
- deficit
);
1231 TRACE_2(TR_FAC_PROC
, TR_EXECMAP_PREREAD
,
1232 "execmap preread:freemem %d size %lu",
1234 (void) as_fault(p
->p_as
->a_hat
, p
->p_as
,
1235 (caddr_t
)addr
, len
, F_INVAL
, S_READ
);
1238 if (valid_usr_range(addr
, len
, prot
, p
->p_as
,
1239 p
->p_as
->a_userlimit
) != RANGE_OKAY
) {
1244 if (error
= as_map(p
->p_as
, addr
, len
,
1245 segvn_create
, zfod_argsp
))
1248 * Read in the segment in one big chunk.
1250 if (error
= vn_rdwr(UIO_READ
, vp
, (caddr_t
)oldaddr
,
1251 oldlen
, (offset_t
)oldoffset
, UIO_USERSPACE
, 0,
1252 (rlim64_t
)0, CRED(), (ssize_t
*)0))
1255 * Now set protections.
1257 if (prot
!= PROT_ZFOD
) {
1258 (void) as_setprot(p
->p_as
, (caddr_t
)addr
,
1265 struct as
*as
= curproc
->p_as
;
1269 end
= (size_t)addr
+ len
;
1270 zfodbase
= (caddr_t
)roundup(end
, PAGESIZE
);
1271 zfoddiff
= (uintptr_t)zfodbase
- end
;
1274 * Before we go to zero the remaining space on the last
1275 * page, make sure we have write permission.
1277 * Normal illumos binaries don't even hit the case
1278 * where we have to change permission on the last page
1279 * since their protection is typically either
1280 * PROT_USER | PROT_WRITE | PROT_READ
1282 * PROT_ZFOD (same as PROT_ALL).
1284 * We need to be careful how we zero-fill the last page
1285 * if the segment protection does not include
1286 * PROT_WRITE. Using as_setprot() can cause the VM
1287 * segment code to call segvn_vpage(), which must
1288 * allocate a page struct for each page in the segment.
1289 * If we have a very large segment, this may fail, so
1290 * we have to check for that, even though we ignore
1291 * other return values from as_setprot.
1294 AS_LOCK_ENTER(as
, RW_READER
);
1295 seg
= as_segat(curproc
->p_as
, (caddr_t
)end
);
1297 (void) segop_getprot(seg
, (caddr_t
)end
,
1298 zfoddiff
- 1, &zprot
);
1301 if (seg
!= NULL
&& (zprot
& PROT_WRITE
) == 0) {
1302 if (as_setprot(as
, (caddr_t
)end
, zfoddiff
- 1,
1303 zprot
| PROT_WRITE
) == ENOMEM
) {
1309 if (on_fault(&ljb
)) {
1311 if (seg
!= NULL
&& (zprot
& PROT_WRITE
) == 0)
1312 (void) as_setprot(as
, (caddr_t
)end
,
1313 zfoddiff
- 1, zprot
);
1317 uzero((void *)end
, zfoddiff
);
1319 if (seg
!= NULL
&& (zprot
& PROT_WRITE
) == 0)
1320 (void) as_setprot(as
, (caddr_t
)end
,
1321 zfoddiff
- 1, zprot
);
1323 if (zfodlen
> zfoddiff
) {
1324 struct segvn_crargs crargs
=
1325 SEGVN_ZFOD_ARGS(PROT_ZFOD
, PROT_ALL
);
1327 zfodlen
-= zfoddiff
;
1328 if (valid_usr_range(zfodbase
, zfodlen
, prot
, p
->p_as
,
1329 p
->p_as
->a_userlimit
) != RANGE_OKAY
) {
1335 * ASSERT alignment because the mapelfexec()
1336 * caller for the szc > 0 case extended zfod
1337 * so it's end is pgsz aligned.
1339 size_t pgsz
= page_get_pagesize(szc
);
1340 ASSERT(IS_P2ALIGNED(zfodbase
+ zfodlen
, pgsz
));
1342 if (IS_P2ALIGNED(zfodbase
, pgsz
)) {
1345 crargs
.szc
= AS_MAP_HEAP
;
1348 crargs
.szc
= AS_MAP_NO_LPOOB
;
1350 if (error
= as_map(p
->p_as
, (caddr_t
)zfodbase
,
1351 zfodlen
, segvn_create
, &crargs
))
1353 if (prot
!= PROT_ZFOD
) {
1354 (void) as_setprot(p
->p_as
, (caddr_t
)zfodbase
,
1365 setexecenv(struct execenv
*ep
)
1367 proc_t
*p
= ttoproc(curthread
);
1368 klwp_t
*lwp
= ttolwp(curthread
);
1371 p
->p_bssbase
= ep
->ex_bssbase
;
1372 p
->p_brkbase
= ep
->ex_brkbase
;
1373 p
->p_brksize
= ep
->ex_brksize
;
1375 VN_RELE(p
->p_exec
); /* out with the old */
1376 vp
= p
->p_exec
= ep
->ex_vp
;
1378 VN_HOLD(vp
); /* in with the new */
1380 lwp
->lwp_sigaltstack
.ss_sp
= 0;
1381 lwp
->lwp_sigaltstack
.ss_size
= 0;
1382 lwp
->lwp_sigaltstack
.ss_flags
= SS_DISABLE
;
1386 execopen(struct vnode
**vpp
, int *fdp
)
1388 struct vnode
*vp
= *vpp
;
1391 int filemode
= FREAD
;
1393 VN_HOLD(vp
); /* open reference */
1394 if (error
= falloc(NULL
, filemode
, &fp
, fdp
)) {
1396 *fdp
= -1; /* just in case falloc changed value */
1399 if (error
= fop_open(&vp
, filemode
, CRED(), NULL
)) {
1406 *vpp
= vp
; /* vnode should not have changed */
1408 mutex_exit(&fp
->f_tlock
);
1416 return (closeandsetf(fd
, NULL
));
1421 * noexec stub function.
1429 struct intpdata
*idatap
,
1436 cmn_err(CE_WARN
, "missing exec capability for %s", uap
->fname
);
1441 * Support routines for building a user stack.
1443 * execve(path, argv, envp) must construct a new stack with the specified
1444 * arguments and environment variables (see exec_args() for a description
1445 * of the user stack layout). To do this, we copy the arguments and
1446 * environment variables from the old user address space into the kernel,
1447 * free the old as, create the new as, and copy our buffered information
1448 * to the new stack. Our kernel buffer has the following structure:
1450 * +-----------------------+ <--- stk_base + stk_size
1451 * | string offsets |
1452 * +-----------------------+ <--- stk_offp
1454 * | STK_AVAIL() space |
1456 * +-----------------------+ <--- stk_strp
1458 * +-----------------------+ <--- stk_base
1460 * When we add a string, we store the string's contents (including the null
1461 * terminator) at stk_strp, and we store the offset of the string relative to
1462 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1463 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1464 * the difference between these pointers. If we run out of space, we return
1465 * an error and exec_args() starts all over again with a buffer twice as large.
1466 * When we're all done, the kernel buffer looks like this:
1468 * +-----------------------+ <--- stk_base + stk_size
1469 * | argv[0] offset |
1470 * +-----------------------+
1472 * +-----------------------+
1473 * | argv[argc-1] offset |
1474 * +-----------------------+
1475 * | envp[0] offset |
1476 * +-----------------------+
1478 * +-----------------------+
1479 * | envp[envc-1] offset |
1480 * +-----------------------+
1481 * | AT_SUN_PLATFORM offset|
1482 * +-----------------------+
1483 * | AT_SUN_EXECNAME offset|
1484 * +-----------------------+ <--- stk_offp
1486 * | STK_AVAIL() space |
1488 * +-----------------------+ <--- stk_strp
1489 * | AT_SUN_EXECNAME offset|
1490 * +-----------------------+
1491 * | AT_SUN_PLATFORM offset|
1492 * +-----------------------+
1493 * | envp[envc-1] string |
1494 * +-----------------------+
1496 * +-----------------------+
1497 * | envp[0] string |
1498 * +-----------------------+
1499 * | argv[argc-1] string |
1500 * +-----------------------+
1502 * +-----------------------+
1503 * | argv[0] string |
1504 * +-----------------------+ <--- stk_base
1507 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1510 * Add a string to the stack.
1513 stk_add(uarg_t
*args
, const char *sp
, enum uio_seg segflg
)
1518 if (STK_AVAIL(args
) < sizeof (int))
1520 *--args
->stk_offp
= args
->stk_strp
- args
->stk_base
;
1522 if (segflg
== UIO_USERSPACE
) {
1523 error
= copyinstr(sp
, args
->stk_strp
, STK_AVAIL(args
), &len
);
1527 len
= strlen(sp
) + 1;
1528 if (len
> STK_AVAIL(args
))
1530 bcopy(sp
, args
->stk_strp
, len
);
1533 args
->stk_strp
+= len
;
1539 stk_getptr(uarg_t
*args
, char *src
, char **dst
)
1543 if (args
->from_model
== DATAMODEL_NATIVE
) {
1545 error
= fulword(src
, &ptr
);
1546 *dst
= (caddr_t
)ptr
;
1549 error
= fuword32(src
, &ptr
);
1550 *dst
= (caddr_t
)(uintptr_t)ptr
;
1556 stk_putptr(uarg_t
*args
, char *addr
, char *value
)
1558 if (args
->to_model
== DATAMODEL_NATIVE
)
1559 return (sulword(addr
, (ulong_t
)value
));
1561 return (suword32(addr
, (uint32_t)(uintptr_t)value
));
1565 stk_copyin(execa_t
*uap
, uarg_t
*args
, intpdata_t
*intp
, void **auxvpp
)
1570 size_t ptrsize
= args
->from_ptrsize
;
1572 char *argv
= (char *)uap
->argp
;
1573 char *envp
= (char *)uap
->envp
;
1576 * Copy interpreter's name and argument to argv[0] and argv[1].
1577 * In the rare case that we have nested interpreters then those names
1578 * and arguments are also copied to the subsequent slots in argv.
1580 if (intp
!= NULL
&& intp
->intp_name
[0] != NULL
) {
1583 for (i
= 0; i
< INTP_MAXDEPTH
; i
++) {
1584 if (intp
->intp_name
[i
] == NULL
)
1586 error
= stk_add(args
, intp
->intp_name
[i
], UIO_SYSSPACE
);
1589 if (intp
->intp_arg
[i
] != NULL
) {
1590 error
= stk_add(args
, intp
->intp_arg
[i
],
1597 if (args
->fname
!= NULL
)
1598 error
= stk_add(args
, args
->fname
, UIO_SYSSPACE
);
1600 error
= stk_add(args
, uap
->fname
, UIO_USERSPACE
);
1605 * Check for an empty argv[].
1607 if (stk_getptr(args
, argv
, &sp
))
1612 argv
+= ptrsize
; /* ignore original argv[0] */
1615 if (argv_empty
== 0) {
1617 * Add argv[] strings to the stack.
1620 if (stk_getptr(args
, argv
, &sp
))
1624 if ((error
= stk_add(args
, sp
, UIO_USERSPACE
)) != 0)
1629 argc
= (int *)(args
->stk_base
+ args
->stk_size
) - args
->stk_offp
;
1630 args
->arglen
= args
->stk_strp
- args
->stk_base
;
1633 * Add environ[] strings to the stack.
1637 char *tmp
= args
->stk_strp
;
1638 if (stk_getptr(args
, envp
, &sp
))
1642 if ((error
= stk_add(args
, sp
, UIO_USERSPACE
)) != 0)
1644 if (args
->scrubenv
&& strncmp(tmp
, "LD_", 3) == 0) {
1645 /* Undo the copied string */
1646 args
->stk_strp
= tmp
;
1647 *(args
->stk_offp
++) = 0;
1652 args
->na
= (int *)(args
->stk_base
+ args
->stk_size
) - args
->stk_offp
;
1653 args
->ne
= args
->na
- argc
;
1656 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1657 * AT_SUN_EMULATOR strings to the stack.
1659 if (auxvpp
!= NULL
&& *auxvpp
!= NULL
) {
1660 if ((error
= stk_add(args
, platform
, UIO_SYSSPACE
)) != 0)
1662 if ((error
= stk_add(args
, args
->pathname
, UIO_SYSSPACE
)) != 0)
1664 if (args
->brandname
!= NULL
&&
1665 (error
= stk_add(args
, args
->brandname
, UIO_SYSSPACE
)) != 0)
1667 if (args
->emulator
!= NULL
&&
1668 (error
= stk_add(args
, args
->emulator
, UIO_SYSSPACE
)) != 0)
1673 * Compute the size of the stack. This includes all the pointers,
1674 * the space reserved for the aux vector, and all the strings.
1675 * The total number of pointers is args->na (which is argc + envc)
1676 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1677 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1678 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1679 * all the strings, at the very top of the stack.
1681 size
= (args
->na
+ 4) * args
->to_ptrsize
+ args
->auxsize
+
1682 (args
->stk_strp
- args
->stk_base
);
1685 * Pad the string section with zeroes to align the stack size.
1687 pad
= P2NPHASE(size
, args
->stk_align
);
1689 if (STK_AVAIL(args
) < pad
)
1692 args
->usrstack_size
= size
+ pad
;
1695 *args
->stk_strp
++ = 0;
1697 args
->nc
= args
->stk_strp
- args
->stk_base
;
1703 stk_copyout(uarg_t
*args
, char *usrstack
, void **auxvpp
, user_t
*up
)
1705 size_t ptrsize
= args
->to_ptrsize
;
1707 char *kstrp
= args
->stk_base
;
1708 char *ustrp
= usrstack
- args
->nc
- ptrsize
;
1709 char *usp
= usrstack
- args
->usrstack_size
;
1710 int *offp
= (int *)(args
->stk_base
+ args
->stk_size
);
1711 int envc
= args
->ne
;
1712 int argc
= args
->na
- envc
;
1716 * Record argc for /proc.
1721 * Put argc on the stack. Note that even though it's an int,
1722 * it always consumes ptrsize bytes (for alignment).
1724 if (stk_putptr(args
, usp
, (char *)(uintptr_t)argc
))
1728 * Add argc space (ptrsize) to usp and record argv for /proc.
1730 up
->u_argv
= (uintptr_t)(usp
+= ptrsize
);
1733 * Put the argv[] pointers on the stack.
1735 for (i
= 0; i
< argc
; i
++, usp
+= ptrsize
)
1736 if (stk_putptr(args
, usp
, &ustrp
[*--offp
]))
1740 * Copy arguments to u_psargs.
1742 pslen
= MIN(args
->arglen
, PSARGSZ
) - 1;
1743 for (i
= 0; i
< pslen
; i
++)
1744 up
->u_psargs
[i
] = (kstrp
[i
] == '\0' ? ' ' : kstrp
[i
]);
1746 up
->u_psargs
[i
++] = '\0';
1749 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1750 * record envp for /proc.
1752 up
->u_envp
= (uintptr_t)(usp
+= ptrsize
);
1755 * Put the envp[] pointers on the stack.
1757 for (i
= 0; i
< envc
; i
++, usp
+= ptrsize
)
1758 if (stk_putptr(args
, usp
, &ustrp
[*--offp
]))
1762 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1763 * remember where the stack ends, which is also where auxv begins.
1765 args
->stackend
= usp
+= ptrsize
;
1768 * Put all the argv[], envp[], and auxv strings on the stack.
1770 if (copyout(args
->stk_base
, ustrp
, args
->nc
))
1774 * Fill in the aux vector now that we know the user stack addresses
1775 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1776 * AT_SUN_EMULATOR strings.
1778 if (auxvpp
!= NULL
&& *auxvpp
!= NULL
) {
1779 if (args
->to_model
== DATAMODEL_NATIVE
) {
1780 auxv_t
**a
= (auxv_t
**)auxvpp
;
1781 ADDAUX(*a
, AT_SUN_PLATFORM
, (long)&ustrp
[*--offp
])
1782 ADDAUX(*a
, AT_SUN_EXECNAME
, (long)&ustrp
[*--offp
])
1783 if (args
->brandname
!= NULL
)
1785 AT_SUN_BRANDNAME
, (long)&ustrp
[*--offp
])
1786 if (args
->emulator
!= NULL
)
1788 AT_SUN_EMULATOR
, (long)&ustrp
[*--offp
])
1790 auxv32_t
**a
= (auxv32_t
**)auxvpp
;
1792 AT_SUN_PLATFORM
, (int)(uintptr_t)&ustrp
[*--offp
])
1794 AT_SUN_EXECNAME
, (int)(uintptr_t)&ustrp
[*--offp
])
1795 if (args
->brandname
!= NULL
)
1796 ADDAUX(*a
, AT_SUN_BRANDNAME
,
1797 (int)(uintptr_t)&ustrp
[*--offp
])
1798 if (args
->emulator
!= NULL
)
1799 ADDAUX(*a
, AT_SUN_EMULATOR
,
1800 (int)(uintptr_t)&ustrp
[*--offp
])
1808 * Though the actual stack base is constant, slew the %sp by a random aligned
1809 * amount in [0,aslr_max_stack_skew). Mostly, this makes life slightly more
1810 * complicated for buffer overflows hoping to overwrite the return address.
1812 * On some platforms this helps avoid cache thrashing when identical processes
1813 * simultaneously share caches that don't provide enough associativity
1814 * (e.g. sun4v systems). In this case stack slewing makes the same hot stack
1815 * variables in different processes live in different cache sets increasing
1816 * effective associativity.
1819 exec_get_spslew(void)
1822 static uint_t sp_color_stride
= 16;
1823 static uint_t sp_color_mask
= 0x1f;
1824 static uint_t sp_current_color
= (uint_t
)-1;
1828 ASSERT(ISP2(aslr_max_stack_skew
));
1830 if ((aslr_max_stack_skew
== 0) ||
1831 !secflag_enabled(curproc
, PROC_SEC_ASLR
)) {
1833 uint_t spcolor
= atomic_inc_32_nv(&sp_current_color
);
1834 return ((size_t)((spcolor
& sp_color_mask
) *
1835 SA(sp_color_stride
)));
1841 (void) random_get_pseudo_bytes((uint8_t *)&off
, sizeof (off
));
1842 return (SA(P2PHASE(off
, aslr_max_stack_skew
)));
1846 * Initialize a new user stack with the specified arguments and environment.
1847 * The initial user stack layout is as follows:
1850 * +---------------+ <--- curproc->p_usrstack
1868 * +---------------+ <--- ustrp
1872 * +---------------+ <--- auxv
1880 * +---------------+ <--- envp[]
1888 * +---------------+ <--- argv[]
1890 * +---------------+ <--- stack base
1893 exec_args(execa_t
*uap
, uarg_t
*args
, intpdata_t
*intp
, void **auxvpp
)
1897 proc_t
*p
= ttoproc(curthread
);
1898 user_t
*up
= PTOU(p
);
1902 extern int use_stk_lpg
;
1905 args
->from_model
= p
->p_model
;
1906 if (p
->p_model
== DATAMODEL_NATIVE
) {
1907 args
->from_ptrsize
= sizeof (long);
1909 args
->from_ptrsize
= sizeof (int32_t);
1912 if (args
->to_model
== DATAMODEL_NATIVE
) {
1913 args
->to_ptrsize
= sizeof (long);
1914 args
->ncargs
= NCARGS
;
1915 args
->stk_align
= STACK_ALIGN
;
1917 usrstack
= (char *)USRSTACK64_32
;
1919 usrstack
= (char *)USRSTACK
;
1921 args
->to_ptrsize
= sizeof (int32_t);
1922 args
->ncargs
= NCARGS32
;
1923 args
->stk_align
= STACK_ALIGN32
;
1924 usrstack
= (char *)USRSTACK32
;
1927 ASSERT(P2PHASE((uintptr_t)usrstack
, args
->stk_align
) == 0);
1929 #if defined(__sparc)
1931 * Make sure user register windows are empty before
1932 * attempting to make a new stack.
1934 (void) flush_user_windows_to_stack(NULL
);
1937 for (size
= PAGESIZE
; ; size
*= 2) {
1938 args
->stk_size
= size
;
1939 args
->stk_base
= kmem_alloc(size
, KM_SLEEP
);
1940 args
->stk_strp
= args
->stk_base
;
1941 args
->stk_offp
= (int *)(args
->stk_base
+ size
);
1942 error
= stk_copyin(uap
, args
, intp
, auxvpp
);
1945 kmem_free(args
->stk_base
, size
);
1946 if (error
!= E2BIG
&& error
!= ENAMETOOLONG
)
1948 if (size
>= args
->ncargs
)
1952 size
= args
->usrstack_size
;
1955 ASSERT(P2PHASE(size
, args
->stk_align
) == 0);
1956 ASSERT((ssize_t
)STK_AVAIL(args
) >= 0);
1958 if (size
> args
->ncargs
) {
1959 kmem_free(args
->stk_base
, args
->stk_size
);
1964 * Leave only the current lwp and force the other lwps to exit.
1965 * If another lwp beat us to the punch by calling exit(), bail out.
1967 if ((error
= exitlwps(0)) != 0) {
1968 kmem_free(args
->stk_base
, args
->stk_size
);
1973 * Revoke any doors created by the process.
1979 * Release schedctl data structures.
1982 schedctl_proc_cleanup();
1985 * Clean up any DTrace helpers for the process.
1987 if (p
->p_dtrace_helpers
!= NULL
) {
1988 ASSERT(dtrace_helpers_cleanup
!= NULL
);
1989 (*dtrace_helpers_cleanup
)(p
);
1992 mutex_enter(&p
->p_lock
);
1994 * Cleanup the DTrace provider associated with this process.
1996 if (p
->p_dtrace_probes
) {
1997 ASSERT(dtrace_fasttrap_exec_ptr
!= NULL
);
1998 dtrace_fasttrap_exec_ptr(p
);
2000 mutex_exit(&p
->p_lock
);
2003 * discard the lwpchan cache.
2005 if (p
->p_lcp
!= NULL
)
2006 lwpchan_destroy_cache(1);
2009 * Delete the POSIX timers.
2011 if (p
->p_itimer
!= NULL
)
2015 * Delete the ITIMER_REALPROF interval timer.
2016 * The other ITIMER_* interval timers are specified
2017 * to be inherited across exec().
2019 delete_itimer_realprof();
2022 audit_exec(args
->stk_base
, args
->stk_base
+ args
->arglen
,
2023 args
->na
- args
->ne
, args
->ne
, args
->pfcred
);
2026 * Ensure that we don't change resource associations while we
2027 * change address spaces.
2029 mutex_enter(&p
->p_lock
);
2030 pool_barrier_enter();
2031 mutex_exit(&p
->p_lock
);
2034 * Destroy the old address space and create a new one.
2035 * From here on, any errors are fatal to the exec()ing process.
2036 * On error we return -1, which means the caller must SIGKILL
2041 mutex_enter(&p
->p_lock
);
2042 pool_barrier_exit();
2043 mutex_exit(&p
->p_lock
);
2045 up
->u_execsw
= args
->execswp
;
2047 p
->p_brkbase
= NULL
;
2049 p
->p_brkpageszc
= 0;
2051 p
->p_stkpageszc
= 0;
2052 p
->p_model
= args
->to_model
;
2053 p
->p_usrstack
= usrstack
;
2054 p
->p_stkprot
= args
->stk_prot
;
2055 p
->p_datprot
= args
->dat_prot
;
2058 * Reset resource controls such that all controls are again active as
2059 * well as appropriate to the potentially new address model for the
2063 e
.rcep_t
= RCENTITY_PROCESS
;
2064 rctl_set_reset(p
->p_rctls
, p
, &e
);
2066 /* Too early to call map_pgsz for the heap */
2068 p
->p_stkpageszc
= page_szc(map_pgsz(MAPPGSZ_STK
, p
, 0, 0, 0));
2071 mutex_enter(&p
->p_lock
);
2072 p
->p_flag
|= SAUTOLPG
; /* kernel controls page sizes */
2073 mutex_exit(&p
->p_lock
);
2075 sp_slew
= exec_get_spslew();
2076 ASSERT(P2PHASE(sp_slew
, args
->stk_align
) == 0);
2077 /* Be certain we don't underflow */
2078 VERIFY((curproc
->p_usrstack
- (size
+ sp_slew
)) < curproc
->p_usrstack
);
2079 exec_set_sp(size
+ sp_slew
);
2084 if (p
->p_model
== DATAMODEL_ILP32
|| args
->addr32
)
2085 as
->a_userlimit
= (caddr_t
)USERLIMIT32
;
2086 (void) hat_setup(as
->a_hat
, HAT_ALLOC
);
2087 hat_join_srd(as
->a_hat
, args
->ex_vp
);
2090 * Finally, write out the contents of the new stack.
2092 error
= stk_copyout(args
, usrstack
- sp_slew
, auxvpp
, up
);
2093 kmem_free(args
->stk_base
, args
->stk_size
);