| 1 | /* |
| 2 | * Copyright (c) 1993, David Greenman |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions |
| 7 | * are met: |
| 8 | * 1. Redistributions of source code must retain the above copyright |
| 9 | * notice, this list of conditions and the following disclaimer. |
| 10 | * 2. Redistributions in binary form must reproduce the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer in the |
| 12 | * documentation and/or other materials provided with the distribution. |
| 13 | * 3. All advertising materials mentioning features or use of this software |
| 14 | * must display the following acknowledgement: |
| 15 | * This product includes software developed by David Greenman |
| 16 | * 4. The name of the developer may be used to endorse or promote products |
| 17 | * derived from this software without specific prior written permission. |
| 18 | * |
| 19 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
| 20 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 21 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 22 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
| 23 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 24 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 25 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 26 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 27 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 29 | * SUCH DAMAGE. |
| 30 | * |
| 31 | * $Id: kern_execve.c,v 1.10 1993/12/12 12:23:19 davidg Exp $ |
| 32 | */ |
| 33 | |
| 34 | #include "param.h" |
| 35 | #include "systm.h" |
| 36 | #include "signalvar.h" |
| 37 | #include "resourcevar.h" |
| 38 | #include "imgact.h" |
| 39 | #include "mount.h" |
| 40 | #include "file.h" |
| 41 | #include "acct.h" |
| 42 | #include "exec.h" |
| 43 | #include "stat.h" |
| 44 | #include "wait.h" |
| 45 | #include "mman.h" |
| 46 | #include "malloc.h" |
| 47 | #include "syslog.h" |
| 48 | |
| 49 | #include "vm/vm.h" |
| 50 | #include "vm/vm_param.h" |
| 51 | #include "vm/vm_map.h" |
| 52 | #include "vm/vm_kern.h" |
| 53 | #include "vm/vm_user.h" |
| 54 | |
| 55 | #include "machine/reg.h" |
| 56 | |
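/*
 * Helpers defined later in this file.  __P() keeps the prototypes
 * usable by both ANSI and pre-ANSI compilers.  exec_check_permissions()
 * is called from execve() before its definition, so it is declared here
 * too instead of relying on an implicit int declaration.
 */
int exec_extract_strings __P((struct image_params *));
caddr_t exec_copyout_strings __P((struct image_params *));
int exec_check_permissions __P((struct image_params *));

/*
 * Image activators (not defined in this file).  Each is handed the
 * image_params and returns -1 if the header is not its format, 0 on
 * success, or an errno value if it recognised the format but failed.
 */
int exec_aout_imgact __P((struct image_params *));
int exec_shell_imgact __P((struct image_params *));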
| 62 | |
/*
 * One entry of the image-activator switch: a probe/activate hook that is
 * handed the image_params of the file being exec'd.  The return
 * convention (-1 = not my format, 0 = activated, else errno) is what the
 * activator loop in execve() relies on.
 */
struct execsw {
	int (*imgact) __P((struct image_params *));
};
| 66 | |
/*
 * Table of image activators, tried in order by execve().  The trailing
 * NULL entries are empty slots that the loop skips; they leave room for
 * more formats, and since execve() sizes the loop with sizeof(execsw)
 * the table can grow without touching the caller.  Order matters: the
 * first activator that does not return -1 decides the outcome.
 */
struct execsw execsw[] = {
	{ exec_aout_imgact },
	{ exec_shell_imgact },
	{ NULL },
	{ NULL },
	{ NULL },
	{ NULL },
	{ NULL },
	{ NULL },
};
| 77 | |
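/*
 * execve() system call.
 *
 * Replace the calling process image with the program named by uap->fname.
 * The argument and environment strings are copied into a temporary
 * ARG_MAX-byte kernel buffer, the file is looked up, its first page is
 * mapped into kernel_map, and each activator in execsw[] is offered the
 * header.  An activator may set iparams->interpreted and fill in
 * iparams->interpreter_name, in which case the lookup is repeated for
 * the interpreter.  Once an activator has accepted the image, the strings
 * are copied out onto the new user stack, set-id credentials are applied
 * and setregs() points the process at the new entry address.
 *
 * Returns 0 on success.  On failure, if an activator has already torn
 * down the old address space (iparams->vmspace_destroyed, set by
 * exec_new_vmspace()) there is nothing to return to, so the process is
 * killed with SIGABRT; otherwise the error is returned and the old image
 * keeps running.
 */
int
execve(p, uap, retval)
	struct proc *p;
	register struct execve_args *uap;
	int *retval;
{
	struct nameidata nd, *ndp;
	char *stack_base;
	int error, len, i;
	struct image_params image_params, *iparams;
	struct vnode *vnodep;
	struct vattr attr;
	char *image_header;

	iparams = &image_params;
	bzero((caddr_t)iparams, sizeof(struct image_params));
	image_header = (char *)0;

	/*
	 * Initialize a few constants in the common area
	 */
	iparams->proc = p;
	iparams->uap = uap;
	iparams->attr = &attr;

	/*
	 * Allocate temporary demand zeroed space for argument and
	 * environment strings.  This is the only resource held before
	 * exec_fail, which is why the namei() failure path below frees
	 * it by hand.
	 */
	error = vm_allocate(kernel_map, (vm_offset_t *)&iparams->stringbase,
	    ARG_MAX, TRUE);
	if (error) {
		log(LOG_WARNING, "execve: failed to allocate string space\n");
		return (error);
	}

	if (!iparams->stringbase) {
		error = ENOMEM;
		goto exec_fail;
	}
	iparams->stringp = iparams->stringbase;
	iparams->stringspace = ARG_MAX;

	/*
	 * Translate the file name. namei() returns a vnode pointer
	 * in ni_vp among other things.  FOLLOW resolves symlinks;
	 * SAVENAME keeps ni_pnbuf (used for p_comm below), so every
	 * exit path after a successful namei() must FREE it.
	 */
	ndp = &nd;
	ndp->ni_nameiop = LOOKUP | LOCKLEAF | FOLLOW | SAVENAME;
	ndp->ni_segflg = UIO_USERSPACE;
	ndp->ni_dirp = uap->fname;

interpret:

	error = namei(ndp, p);
	if (error) {
		/* no vnode or name buffer to release, only the strings */
		vm_deallocate(kernel_map, (vm_offset_t)iparams->stringbase,
		    ARG_MAX);
		goto exec_fail;
	}

	iparams->vnodep = vnodep = ndp->ni_vp;

	if (vnodep == NULL) {
		error = ENOEXEC;
		goto exec_fail_dealloc;
	}

	/*
	 * Check file permissions (also 'opens' file).  This is also where
	 * VSUID/VSGID are stripped from attr for nosuid mounts and traced
	 * processes, which the set-id code below depends on.
	 */
	error = exec_check_permissions(iparams);
	if (error)
		goto exec_fail_dealloc;

	/*
	 * Map the image header (first page) of the file into
	 * kernel address space, read-only.
	 */
	error = vm_mmap(kernel_map,			/* map */
	    (vm_offset_t *)&image_header,		/* address */
	    NBPG,					/* size */
	    VM_PROT_READ,				/* protection */
	    VM_PROT_READ,				/* max protection */
	    MAP_FILE,					/* flags */
	    (caddr_t)vnodep,				/* vnode */
	    0);						/* offset */
	if (error) {
		printf("mmap failed: %d\n",error);
		goto exec_fail_dealloc;
	}
	iparams->image_header = image_header;

	/*
	 * Loop through list of image activators, calling each one.
	 * If there is no match, the activator returns -1. If there
	 * is a match, but there was an error during the activation,
	 * the error is returned. Otherwise 0 means success. If the
	 * image is interpreted, loop back up and try activating
	 * the interpreter.
	 *
	 * NOTE(review): nothing here clears iparams->interpreted, so the
	 * activator that finally accepts the interpreter is assumed to
	 * reset it (otherwise this would loop back to interpret again);
	 * confirm against the activators, which live outside this file.
	 */
	for (i = 0; i < sizeof(execsw)/sizeof(execsw[0]); ++i) {
		if (execsw[i].imgact)
			error = (*execsw[i].imgact)(iparams);
		else
			continue;

		if (error == -1)
			continue;
		if (error)
			goto exec_fail_dealloc;
		if (iparams->interpreted) {
			/* free old vnode and name buffer */
			vput(ndp->ni_vp);
			FREE(ndp->ni_pnbuf, M_NAMEI);
			if (vm_deallocate(kernel_map,
			    (vm_offset_t)image_header, NBPG))
				panic("execve: header dealloc failed (1)");
			/*
			 * The header page is gone.  Forget it, so that a
			 * failure while looking up or checking the interpreter
			 * (which jumps to exec_fail_dealloc before a new header
			 * is mapped) does not unmap the stale address a second
			 * time.
			 */
			image_header = (char *)0;
			iparams->image_header = (char *)0;

			/*
			 * set new name to that of the interpreter; the name
			 * now lives in kernel memory (filled in by the
			 * activator), hence UIO_SYSSPACE.
			 */
			ndp->ni_segflg = UIO_SYSSPACE;
			ndp->ni_dirp = iparams->interpreter_name;
			ndp->ni_nameiop = LOOKUP | LOCKLEAF | FOLLOW | SAVENAME;
			goto interpret;
		}
		break;
	}
	/* If we made it through all the activators and none matched, exit. */
	if (error == -1) {
		error = ENOEXEC;
		goto exec_fail_dealloc;
	}

	/*
	 * Copy out strings (args and env) and initialize stack base.
	 * From here on the old address space is gone (the activator is
	 * expected to have called exec_new_vmspace()) and stack_base is an
	 * address in the new user stack just below USRSTACK.
	 */
	stack_base = exec_copyout_strings(iparams);
	p->p_vmspace->vm_minsaddr = stack_base;
	p->p_regs[SP] = (int) stack_base;

	p->p_vmspace->vm_ssize = (((caddr_t)USRSTACK - stack_base) >> PAGE_SHIFT) + 1;

	/*
	 * Stuff argument count as first item on stack.  This stores
	 * through the user stack pointer directly from kernel mode.
	 */
	p->p_regs[SP] -= sizeof(int);
	*(int *)(p->p_regs[SP]) = iparams->argc;

	/*
	 * close files on exec, fixup signals.  Done before the set-id
	 * credential change below so close-on-exec descriptors are gone
	 * before the new identity takes effect.
	 */
	fdcloseexec(p);
	execsigs(p);

	/* name this process - nameiexec(p, ndp) */
	len = MIN(ndp->ni_namelen,MAXCOMLEN);
	bcopy(ndp->ni_ptr, p->p_comm, len);
	p->p_comm[len] = 0;

	/*
	 * mark as executable, wakeup any process that was vforked and tell
	 * it that it now has its own resources back
	 */
	p->p_flag |= SEXEC;
	if (p->p_pptr && (p->p_flag & SPPWAIT)) {
		p->p_flag &= ~SPPWAIT;
		wakeup((caddr_t)p->p_pptr);
	}

	/*
	 * implement set userid/groupid.  exec_check_permissions() has
	 * already cleared VSUID/VSGID when tracing or on a nosuid mount,
	 * so the STRC test here is a second line of defence.  crcopy()
	 * gives this process a private credential before it is modified.
	 */
	if ((attr.va_mode&VSUID) && (p->p_flag & STRC) == 0) {
		p->p_ucred = crcopy(p->p_ucred);
		p->p_cred->p_svuid = p->p_ucred->cr_uid = attr.va_uid;
	}
	if ((attr.va_mode&VSGID) && (p->p_flag & STRC) == 0) {
		p->p_ucred = crcopy(p->p_ucred);
		p->p_cred->p_svgid = p->p_ucred->cr_groups[0] = attr.va_gid;
	}

	/*
	 * mark vnode pure text.  NOTE(review): the v_writecount check in
	 * exec_check_permissions() ran well before this point, so a writer
	 * that opens the file in between is not caught here.
	 */
	ndp->ni_vp->v_flag |= VTEXT;

	/*
	 * If tracing the process, trap to debugger so breakpoints
	 * can be set before the program executes.
	 */
	if (p->p_flag & STRC)
		psignal(p, SIGTRAP);

	/* clear "fork but no exec" flag, as we _are_ execing */
	p->p_acflag &= ~AFORK;

	/* Set entry address */
	setregs(p, iparams->entry_addr);

	/*
	 * free various allocated resources
	 */
	if (vm_deallocate(kernel_map, (vm_offset_t)iparams->stringbase,
	    ARG_MAX))
		panic("execve: string buffer dealloc failed (1)");
	if (vm_deallocate(kernel_map, (vm_offset_t)image_header, NBPG))
		panic("execve: header dealloc failed (2)");
	vput(ndp->ni_vp);
	FREE(ndp->ni_pnbuf, M_NAMEI);

	return (0);

exec_fail_dealloc:
	/*
	 * Reached after a successful namei(): release the string buffer,
	 * the header page (if one is currently mapped), the vnode and the
	 * saved name buffer.
	 */
	if (iparams->stringbase && iparams->stringbase != (char *)-1)
		if (vm_deallocate(kernel_map, (vm_offset_t)iparams->stringbase,
		    ARG_MAX))
			panic("execve: string buffer dealloc failed (2)");
	if (iparams->image_header && iparams->image_header != (char *)-1)
		if (vm_deallocate(kernel_map,
		    (vm_offset_t)iparams->image_header, NBPG))
			panic("execve: header dealloc failed (3)");
	vput(ndp->ni_vp);
	FREE(ndp->ni_pnbuf, M_NAMEI);

exec_fail:
	if (iparams->vmspace_destroyed) {
		/*
		 * sorry, no more process anymore. exit gracefully: the old
		 * image has been unmapped and the new one never completed,
		 * so there is nowhere to return the error to.
		 */
		kexit(p, W_EXITCODE(0, SIGABRT));
		/* NOT REACHED */
		return(0);
	} else {
		return(error);
	}
}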
| 336 | |
/*
 * Tear down the old address space of the exec'ing process and give it a
 * fresh stack of DFLSSIZ bytes ending at USRSTACK (trap.c grows it on
 * demand, so the initial size is small).  Sets iparams->vmspace_destroyed
 * first: from that point execve() can no longer return an error to the
 * old image and will kill the process instead.
 *
 * Returns 0, or the vm_allocate() error if the new stack could not be
 * created.  The result of unmapping the old image is not checked.
 */
int
exec_new_vmspace(iparams)
	struct image_params *iparams;
{
	struct vmspace *vs = iparams->proc->p_vmspace;
	struct vm_map *map = &vs->vm_map;
	caddr_t stack_addr = (caddr_t) (USRSTACK - DFLSSIZ);
	int error;

	/* point of no return for the caller */
	iparams->vmspace_destroyed = 1;

	/* everything below USRSTACK belongs to the old image: drop it */
	vm_deallocate(map, 0, USRSTACK);

	/* new stack, not zero-filled on demand (FALSE) */
	error = vm_allocate(map, (vm_offset_t *)&stack_addr, DFLSSIZ, FALSE);
	if (error == 0) {
		/* lowest address the stack may ever grow down to */
		vs->vm_maxsaddr = (char *)USRSTACK - MAXSSIZ;
	}

	return (error);
}
| 366 | |
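/*
 * Copy one NULL-terminated vector of user-space strings into the
 * temporary string buffer, advancing iparams->stringp/stringspace and
 * bumping *countp once per string.
 *
 * vectp is a user address (or NULL, meaning "no vector").  Each slot is
 * fetched with fuword(); a slot that cannot be read comes back as -1 and
 * is reported as EFAULT, while a 0 slot ends the vector.
 *
 * Returns 0 on success, E2BIG when the strings no longer fit in the
 * remaining space, or any other error from copyinstr() (for example
 * EFAULT on an unreadable string).  Those other errors used to be
 * dropped, which left the partially filled length uncounted.
 */
static int
exec_copyin_vector(iparams, vectp, countp)
	struct image_params *iparams;
	char **vectp;
	int *countp;
{
	char *strp;
	int error;
	int length;

	if (vectp == NULL)
		return (0);

	while ((strp = (caddr_t) fuword(vectp++)) != NULL) {
		if (strp == (caddr_t) -1)
			return (EFAULT);
		error = copyinstr(strp, iparams->stringp, iparams->stringspace,
		    &length);
		if (error)
			return (error == ENAMETOOLONG ? E2BIG : error);
		/* length includes the terminating NUL */
		iparams->stringspace -= length;
		iparams->stringp += length;
		(*countp)++;
	}
	return (0);
}

/*
 * Copy out argument and environment strings from the old process
 * address space into the temporary string buffer.  Arguments are copied
 * first, then the environment, so the buffer holds argc strings followed
 * by envc strings, which is the layout exec_copyout_strings() expects.
 *
 * Returns 0, E2BIG if the strings exceed the ARG_MAX buffer, or the
 * copy-in error (such as EFAULT) for a bad user pointer.
 */
int
exec_extract_strings(iparams)
	struct image_params *iparams;
{
	int error;

	error = exec_copyin_vector(iparams, iparams->uap->argv,
	    &iparams->argc);
	if (error)
		return (error);

	return (exec_copyin_vector(iparams, iparams->uap->envv,
	    &iparams->envc));
}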
| 417 | |
/*
 * Lay out the argument and environment strings, and the argv/envp pointer
 * tables that reference them, at the top of the new user stack.  The
 * strings go just below USRSTACK (rounded so the tables stay pointer
 * aligned) and the tables go below the strings.  The address of the
 * tables is returned: execve() uses it as the initial stack pointer and
 * stores argc just beneath it.
 *
 * The copies are plain stores through pointers that hold user addresses,
 * so this relies on the kernel being able to address the new user stack
 * directly (it is expected to have just been created by exec_new_vmspace()).
 */
caddr_t
exec_copyout_strings(iparams)
	struct image_params *iparams;
{
	char **vecp;
	char *destp, *srcp, *stack_base;
	char c;
	int n;

	/*
	 * ARG_MAX - stringspace is how many bytes of strings were collected.
	 */
	destp = (caddr_t) ((caddr_t)USRSTACK -
	    roundup((ARG_MAX - iparams->stringspace), sizeof(char *)));

	/*
	 * argc + envc pointers, plus one NULL terminator for each table.
	 */
	vecp = (char **) (destp -
	    (iparams->argc + iparams->envc + 2) * sizeof(char *));
	stack_base = (caddr_t)vecp;

	srcp = iparams->stringbase;

	/* argv: one pointer per string, copying the string (with NUL) */
	for (n = iparams->argc; n > 0; --n) {
		*vecp++ = destp;
		do {
			c = *srcp++;
			*destp++ = c;
		} while (c != '\0');
	}

	/* NULL between argv and envp */
	*vecp++ = NULL;

	/* envp, same layout */
	for (n = iparams->envc; n > 0; --n) {
		*vecp++ = destp;
		do {
			c = *srcp++;
			*destp++ = c;
		} while (c != '\0');
	}

	/* NULL closing envp */
	*vecp = NULL;

	return (stack_base);
}
| 471 | |
/*
 * Decide whether the looked-up vnode may be executed by the process and
 * fill in iparams->attr with its attributes.  Also strips VSUID/VSGID
 * from the copied attributes when the mount is nosuid or the process is
 * traced, so callers that honour set-id bits only see them when allowed.
 *
 * Returns 0 and leaves the file opened (VOP_OPEN) on success; otherwise
 * ETXTBSY if someone has it open for writing, EACCES if the mount forbids
 * exec, no execute bit is set or the file is not regular, or the error
 * from VOP_GETATTR/VOP_ACCESS/VOP_OPEN.
 */
int
exec_check_permissions(iparams)
	struct image_params *iparams;
{
	struct proc *p = iparams->proc;
	struct vnode *vp = iparams->vnodep;
	struct vattr *va = iparams->attr;
	int mntflags;
	int error;

	/* a writer is active on the file: text busy */
	if (vp->v_writecount)
		return (ETXTBSY);

	if ((error = VOP_GETATTR(vp, va, p->p_ucred, p)) != 0)
		return (error);

	mntflags = vp->v_mount->mnt_flag;

	/* the filesystem is mounted noexec */
	if (mntflags & MNT_NOEXEC)
		return (EACCES);

	/*
	 * At least one execute bit must be set; without this test root
	 * would pass VOP_ACCESS for any file, executable or not.
	 */
	if ((va->va_mode & 0111) == 0)
		return (EACCES);

	/* only regular files can be executed */
	if (va->va_type != VREG)
		return (EACCES);

	/* no set-id privilege on nosuid mounts or under a tracer */
	if ((mntflags & MNT_NOSUID) || (p->p_flag & STRC))
		va->va_mode &= ~(VSUID | VSGID);

	/* execute permission for the current credentials */
	if ((error = VOP_ACCESS(vp, VEXEC, p->p_ucred, p)) != 0)
		return (error);

	/* filesystem specific open hook (a no-op for most filesystems) */
	return (VOP_OPEN(vp, FREAD, p->p_ucred, p));
}