search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / kern / exec_script.c
blob03e345c0b0648eafe22640e41a56fbfe3a0b3d7d
1 /* $NetBSD: exec_script.c,v 1.62 2008/03/21 21:55:00 ad Exp $ */
2
3 /*
4 * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Christopher G. Demetriou.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include <sys/cdefs.h>
34 __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.62 2008/03/21 21:55:00 ad Exp $");
35
36 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
37 #define FDSCRIPTS /* Need this for safe set-id scripts. */
38 #endif
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/proc.h>
43 #include <sys/kmem.h>
44 #include <sys/vnode.h>
45 #include <sys/namei.h>
46 #include <sys/file.h>
47 #ifdef SETUIDSCRIPTS
48 #include <sys/stat.h>
49 #endif
50 #include <sys/filedesc.h>
51 #include <sys/exec.h>
52 #include <sys/resourcevar.h>
53 #include <sys/module.h>
54 #include <sys/exec_script.h>
55 #include <sys/exec_elf.h>
56
57 MODULE(MODULE_CLASS_MISC, exec_script, NULL);
58
59 static struct execsw exec_script_execsw[] = {
60 { SCRIPT_HDR_SIZE,
61 exec_script_makecmds,
62 { NULL },
63 NULL,
64 EXECSW_PRIO_ANY,
65 0,
66 NULL,
67 NULL,
68 NULL,
69 exec_setup_stack },
70 };
71
72 static int
73 exec_script_modcmd(modcmd_t cmd, void *arg)
74 {
75
76 switch (cmd) {
77 case MODULE_CMD_INIT:
78 return exec_add(exec_script_execsw,
79 __arraycount(exec_script_execsw));
80
81 case MODULE_CMD_FINI:
82 return exec_remove(exec_script_execsw,
83 __arraycount(exec_script_execsw));
84
85 case MODULE_CMD_AUTOUNLOAD:
86 /*
87 * We don't want to be autounloaded because our use is
88 * transient: no executables with p_execsw equal to
89 * exec_script_execsw will exist, so FINI will never
90 * return EBUSY. However, the system will run scripts
91 * often. Return EBUSY here to prevent this module from
92 * ping-ponging in and out of the kernel.
93 */
94 return EBUSY;
95
96 default:
97 return ENOTTY;
98 }
99 }
100
101 /*
102 * exec_script_makecmds(): Check if it's an executable shell script.
103 *
104 * Given a proc pointer and an exec package pointer, see if the referent
105 * of the epp is in shell script. If it is, then set thing up so that
106 * the script can be run. This involves preparing the address space
107 * and arguments for the shell which will run the script.
108 *
109 * This function is ultimately responsible for creating a set of vmcmds
110 * which can be used to build the process's vm space and inserting them
111 * into the exec package.
112 */
113 int
114 exec_script_makecmds(struct lwp *l, struct exec_package *epp)
115 {
116 int error, hdrlinelen, shellnamelen, shellarglen;
117 char *hdrstr = epp->ep_hdr;
118 char *cp, *shellname, *shellarg, *oldpnbuf;
119 size_t shellargp_len;
120 struct exec_fakearg *shellargp;
121 struct exec_fakearg *tmpsap;
122 struct vnode *scriptvp;
123 #ifdef SETUIDSCRIPTS
124 /* Gcc needs those initialized for spurious uninitialized warning */
125 uid_t script_uid = (uid_t) -1;
126 gid_t script_gid = NOGROUP;
127 u_short script_sbits;
128 #endif
129
130 /*
131 * if the magic isn't that of a shell script, or we've already
132 * done shell script processing for this exec, punt on it.
133 */
134 if ((epp->ep_flags & EXEC_INDIR) != 0 ||
135 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
136 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
137 return ENOEXEC;
138
139 /*
140 * check that the shell spec is terminated by a newline,
141 * and that it isn't too large. Don't modify the
142 * buffer unless we're ready to commit to handling it.
143 * (The latter requirement means that we have to check
144 * for both spaces and tabs later on.)
145 */
146 hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
147 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
148 cp++) {
149 if (*cp == '\n') {
150 *cp = '\0';
151 break;
152 }
153 }
154 if (cp >= hdrstr + hdrlinelen)
155 return ENOEXEC;
156
157 /*
158 * If the script has an ELF header, don't exec it.
159 */
160 if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
161 memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
162 return ENOEXEC;
163
164 shellname = NULL;
165 shellarg = NULL;
166 shellarglen = 0;
167
168 /* strip spaces before the shell name */
169 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
170 cp++)
171 ;
172
173 /* collect the shell name; remember it's length for later */
174 shellname = cp;
175 shellnamelen = 0;
176 if (*cp == '\0')
177 goto check_shell;
178 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
179 shellnamelen++;
180 if (*cp == '\0')
181 goto check_shell;
182 *cp++ = '\0';
183
184 /* skip spaces before any argument */
185 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
186 ;
187 if (*cp == '\0')
188 goto check_shell;
189
190 /*
191 * collect the shell argument. everything after the shell name
192 * is passed as ONE argument; that's the correct (historical)
193 * behaviour.
194 */
195 shellarg = cp;
196 for ( /* cp = cp */ ; *cp != '\0'; cp++)
197 shellarglen++;
198 *cp++ = '\0';
199
200 check_shell:
201 #ifdef SETUIDSCRIPTS
202 /*
203 * MNT_NOSUID has already taken care of by check_exec,
204 * so we don't need to worry about it now or later. We
205 * will need to check PSL_TRACED later, however.
206 */
207 script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
208 if (script_sbits != 0) {
209 script_uid = epp->ep_vap->va_uid;
210 script_gid = epp->ep_vap->va_gid;
211 }
212 #endif
213 #ifdef FDSCRIPTS
214 /*
215 * if the script isn't readable, or it's set-id, then we've
216 * gotta supply a "/dev/fd/..." for the shell to read.
217 * Note that stupid shells (csh) do the wrong thing, and
218 * close all open fd's when the start. That kills this
219 * method of implementing "safe" set-id and x-only scripts.
220 */
221 vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
222 error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred);
223 VOP_UNLOCK(epp->ep_vp, 0);
224 if (error == EACCES
225 #ifdef SETUIDSCRIPTS
226 || script_sbits
227 #endif
228 ) {
229 struct file *fp;
230
231 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
232 if (epp->ep_flags & EXEC_HASFD)
233 panic("exec_script_makecmds: epp already has a fd");
234 #endif
235
236 if ((error = fd_allocfile(&fp, &epp->ep_fd)) != 0) {
237 scriptvp = NULL;
238 shellargp = NULL;
239 goto fail;
240 }
241 epp->ep_flags |= EXEC_HASFD;
242 fp->f_type = DTYPE_VNODE;
243 fp->f_ops = &vnops;
244 fp->f_data = (void *) epp->ep_vp;
245 fp->f_flag = FREAD;
246 fd_affix(curproc, fp, epp->ep_fd);
247 }
248 #endif
249
250 /* set up the parameters for the recursive check_exec() call */
251 epp->ep_ndp->ni_dirp = shellname;
252 epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
253 epp->ep_flags |= EXEC_INDIR;
254
255 /* and set up the fake args list, for later */
256 shellargp_len = 4 * sizeof(*shellargp);
257 shellargp = kmem_alloc(shellargp_len, KM_SLEEP);
258 tmpsap = shellargp;
259 tmpsap->fa_len = shellnamelen + 1;
260 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
261 strlcpy(tmpsap->fa_arg, shellname, tmpsap->fa_len);
262 tmpsap++;
263 if (shellarg != NULL) {
264 tmpsap->fa_len = shellarglen + 1;
265 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
266 strlcpy(tmpsap->fa_arg, shellarg, tmpsap->fa_len);
267 tmpsap++;
268 }
269 tmpsap->fa_len = MAXPATHLEN;
270 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
271 #ifdef FDSCRIPTS
272 if ((epp->ep_flags & EXEC_HASFD) == 0) {
273 #endif
274 /* normally can't fail, but check for it if diagnostic */
275 error = copyinstr(epp->ep_name, tmpsap->fa_arg, MAXPATHLEN,
276 (size_t *)0);
277 tmpsap++;
278 #ifdef DIAGNOSTIC
279 if (error != 0)
280 panic("exec_script: copyinstr couldn't fail");
281 #endif
282 #ifdef FDSCRIPTS
283 } else {
284 snprintf(tmpsap->fa_arg, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
285 tmpsap++;
286 }
287 #endif
288 tmpsap->fa_arg = NULL;
289
290 /*
291 * mark the header we have as invalid; check_exec will read
292 * the header from the new executable
293 */
294 epp->ep_hdrvalid = 0;
295
296 /*
297 * remember the old vp and pnbuf for later, so we can restore
298 * them if check_exec() fails.
299 */
300 scriptvp = epp->ep_vp;
301 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
302
303 error = check_exec(l, epp);
304 /* note that we've clobbered the header */
305 epp->ep_flags |= EXEC_DESTR;
306 if (error == 0) {
307 /*
308 * It succeeded. Unlock the script and
309 * close it if we aren't using it any more.
310 * Also, set things up so that the fake args
311 * list will be used.
312 */
313 if ((epp->ep_flags & EXEC_HASFD) == 0) {
314 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
315 VOP_CLOSE(scriptvp, FREAD, l->l_cred);
316 vput(scriptvp);
317 }
318
319 /* free the old pathname buffer */
320 PNBUF_PUT(oldpnbuf);
321
322 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
323 epp->ep_fa = shellargp;
324 epp->ep_fa_len = shellargp_len;
325 #ifdef SETUIDSCRIPTS
326 /*
327 * set thing up so that set-id scripts will be
328 * handled appropriately. PSL_TRACED will be
329 * checked later when the shell is actually
330 * exec'd.
331 */
332 epp->ep_vap->va_mode |= script_sbits;
333 if (script_sbits & S_ISUID)
334 epp->ep_vap->va_uid = script_uid;
335 if (script_sbits & S_ISGID)
336 epp->ep_vap->va_gid = script_gid;
337 #endif
338 return (0);
339 }
340
341 /* XXX oldpnbuf not set for "goto fail" path */
342 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
343 #ifdef FDSCRIPTS
344 fail:
345 #endif
346
347 /* kill the opened file descriptor, else close the file */
348 if (epp->ep_flags & EXEC_HASFD) {
349 epp->ep_flags &= ~EXEC_HASFD;
350 fd_close(epp->ep_fd);
351 } else if (scriptvp) {
352 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
353 VOP_CLOSE(scriptvp, FREAD, l->l_cred);
354 vput(scriptvp);
355 }
356
357 PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
358
359 /* free the fake arg list, because we're not returning it */
360 if ((tmpsap = shellargp) != NULL) {
361 while (tmpsap->fa_arg != NULL) {
362 kmem_free(tmpsap->fa_arg, tmpsap->fa_len);
363 tmpsap++;
364 }
365 kmem_free(shellargp, shellargp_len);
366 }
367
368 /*
369 * free any vmspace-creation commands,
370 * and release their references
371 */
372 kill_vmcmds(&epp->ep_vmcmds);
373
374 return error;
375 }
NetBSD on the FriendlyARM MINI2440