search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
remove support for 'trademark files'
[unleashed/tickless.git] / kernel / os / exec.c
blobbd355249a344ad8f40fc0c2326da792029e276b2
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1988 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Copyright 2016 Joyent, Inc.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
36 #include <sys/signal.h>
37 #include <sys/cred_impl.h>
38 #include <sys/policy.h>
39 #include <sys/user.h>
40 #include <sys/errno.h>
41 #include <sys/file.h>
42 #include <sys/vfs.h>
43 #include <sys/vnode.h>
44 #include <sys/mman.h>
45 #include <sys/acct.h>
46 #include <sys/cpuvar.h>
47 #include <sys/proc.h>
48 #include <sys/cmn_err.h>
49 #include <sys/debug.h>
50 #include <sys/pathname.h>
51 #include <sys/vm.h>
52 #include <sys/lgrp.h>
53 #include <sys/vtrace.h>
54 #include <sys/exec.h>
55 #include <sys/exechdr.h>
56 #include <sys/kmem.h>
57 #include <sys/prsystm.h>
58 #include <sys/modctl.h>
59 #include <sys/vmparam.h>
60 #include <sys/door.h>
61 #include <sys/schedctl.h>
62 #include <sys/utrap.h>
63 #include <sys/systeminfo.h>
64 #include <sys/stack.h>
65 #include <sys/rctl.h>
66 #include <sys/dtrace.h>
67 #include <sys/lwpchan_impl.h>
68 #include <sys/pool.h>
69 #include <sys/sdt.h>
70 #include <sys/brand.h>
71 #include <sys/klpd.h>
72 #include <sys/random.h>
73
74 #include <c2/audit.h>
75
76 #include <vm/hat.h>
77 #include <vm/anon.h>
78 #include <vm/as.h>
79 #include <vm/seg.h>
80 #include <vm/seg_vn.h>
81
82 #define PRIV_RESET 0x01 /* needs to reset privs */
83 #define PRIV_SETID 0x02 /* needs to change uids */
84 #define PRIV_SETUGID 0x04 /* is setuid/setgid/forced privs */
85 #define PRIV_INCREASE 0x08 /* child runs with more privs */
86 #define PRIV_FORCED 0x20 /* has forced privileges */
87
88 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *,
89 priv_set_t *, cred_t *, const char *);
90 static int hold_execsw(struct execsw *);
91
92 uint_t auxv_hwcap = 0; /* auxv AT_SUN_HWCAP value; determined on the fly */
93 uint_t auxv_hwcap_2 = 0; /* AT_SUN_HWCAP2 */
94 #if defined(_SYSCALL32_IMPL)
95 uint_t auxv_hwcap32 = 0; /* 32-bit version of auxv_hwcap */
96 uint_t auxv_hwcap32_2 = 0; /* 32-bit version of auxv_hwcap2 */
97 #endif
98
99 #define PSUIDFLAGS (SNOCD|SUGID)
100
101 /*
102 * These are consumed within the specific exec modules, but are defined here
103 * because
104 *
105 * 1) The exec modules are unloadable, which would make this near useless.
106 *
107 * 2) We want them to be common across all of them, should more than ELF come
108 * to support them.
109 *
110 * All must be powers of 2.
111 */
112 size_t aslr_max_brk_skew = 16 * 1024 * 1024; /* 16MB */
113 #pragma weak exec_stackgap = aslr_max_stack_skew /* Old, compatible name */
114 size_t aslr_max_stack_skew = 64 * 1024; /* 64KB */
115
116 /*
117 * exece() - system call wrapper around exec_common()
118 */
119 int
120 exece(const char *fname, const char **argp, const char **envp)
121 {
122 int error;
123
124 error = exec_common(fname, argp, envp, EBA_NONE);
125 return (error ? (set_errno(error)) : 0);
126 }
127
128 int
129 exec_common(const char *fname, const char **argp, const char **envp,
130 int brand_action)
131 {
132 vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
133 proc_t *p = ttoproc(curthread);
134 klwp_t *lwp = ttolwp(curthread);
135 struct user *up = PTOU(p);
136 long execsz; /* temporary count of exec size */
137 int i;
138 int error;
139 char exec_file[MAXCOMLEN+1];
140 struct pathname pn;
141 struct pathname resolvepn;
142 struct uarg args;
143 struct execa ua;
144 k_sigset_t savedmask;
145 lwpdir_t *lwpdir = NULL;
146 tidhash_t *tidhash;
147 lwpdir_t *old_lwpdir = NULL;
148 uint_t old_lwpdir_sz;
149 tidhash_t *old_tidhash;
150 uint_t old_tidhash_sz;
151 ret_tidhash_t *ret_tidhash;
152 lwpent_t *lep;
153 boolean_t brandme = B_FALSE;
154
155 /*
156 * exec() is not supported for the /proc agent lwp.
157 */
158 if (curthread == p->p_agenttp)
159 return (ENOTSUP);
160
161 if (brand_action != EBA_NONE) {
162 /*
163 * Brand actions are not supported for processes that are not
164 * running in a branded zone.
165 */
166 if (!ZONE_IS_BRANDED(p->p_zone))
167 return (ENOTSUP);
168
169 if (brand_action == EBA_NATIVE) {
170 /* Only branded processes can be unbranded */
171 if (!PROC_IS_BRANDED(p))
172 return (ENOTSUP);
173 } else {
174 /* Only unbranded processes can be branded */
175 if (PROC_IS_BRANDED(p))
176 return (ENOTSUP);
177 brandme = B_TRUE;
178 }
179 } else {
180 /*
181 * If this is a native zone, or if the process is already
182 * branded, then we don't need to do anything. If this is
183 * a native process in a branded zone, we need to brand the
184 * process as it exec()s the new binary.
185 */
186 if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
187 brandme = B_TRUE;
188 }
189
190 /*
191 * Inform /proc that an exec() has started.
192 * Hold signals that are ignored by default so that we will
193 * not be interrupted by a signal that will be ignored after
194 * successful completion of gexec().
195 */
196 mutex_enter(&p->p_lock);
197 prexecstart();
198 schedctl_finish_sigblock(curthread);
199 savedmask = curthread->t_hold;
200 sigorset(&curthread->t_hold, &ignoredefault);
201 mutex_exit(&p->p_lock);
202
203 /*
204 * Look up path name and remember last component for later.
205 * To help coreadm expand its %d token, we attempt to save
206 * the directory containing the executable in p_execdir. The
207 * first call to lookuppn() may fail and return EINVAL because
208 * dirvpp is non-NULL. In that case, we make a second call to
209 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
210 * but coreadm is allowed to expand %d to the empty string and
211 * there are other cases in which that failure may occur.
212 */
213 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
214 goto out;
215 pn_alloc(&resolvepn);
216 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
217 pn_free(&resolvepn);
218 pn_free(&pn);
219 if (error != EINVAL)
220 goto out;
221
222 dir = NULL;
223 if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
224 goto out;
225 pn_alloc(&resolvepn);
226 if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
227 &vp)) != 0) {
228 pn_free(&resolvepn);
229 pn_free(&pn);
230 goto out;
231 }
232 }
233 if (vp == NULL) {
234 if (dir != NULL)
235 VN_RELE(dir);
236 error = ENOENT;
237 pn_free(&resolvepn);
238 pn_free(&pn);
239 goto out;
240 }
241
242 if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
243 if (dir != NULL)
244 VN_RELE(dir);
245 pn_free(&resolvepn);
246 pn_free(&pn);
247 VN_RELE(vp);
248 goto out;
249 }
250
251 /*
252 * We do not allow executing files in attribute directories.
253 * We test this by determining whether the resolved path
254 * contains a "/" when we're in an attribute directory;
255 * only if the pathname does not contain a "/" the resolved path
256 * points to a file in the current working (attribute) directory.
257 */
258 if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
259 strchr(resolvepn.pn_path, '/') == NULL) {
260 if (dir != NULL)
261 VN_RELE(dir);
262 error = EACCES;
263 pn_free(&resolvepn);
264 pn_free(&pn);
265 VN_RELE(vp);
266 goto out;
267 }
268
269 bzero(exec_file, MAXCOMLEN+1);
270 (void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
271 bzero(&args, sizeof (args));
272 args.pathname = resolvepn.pn_path;
273 /* don't free resolvepn until we are done with args */
274 pn_free(&pn);
275
276 /*
277 * If we're running in a profile shell, then call pfexecd.
278 */
279 if ((CR_FLAGS(p->p_cred) & PRIV_PFEXEC) != 0) {
280 error = pfexec_call(p->p_cred, &resolvepn, &args.pfcred,
281 &args.scrubenv);
282
283 /* Returning errno in case we're not allowed to execute. */
284 if (error > 0) {
285 if (dir != NULL)
286 VN_RELE(dir);
287 pn_free(&resolvepn);
288 VN_RELE(vp);
289 goto out;
290 }
291
292 /* Don't change the credentials when using old ptrace. */
293 if (args.pfcred != NULL &&
294 (p->p_proc_flag & P_PR_PTRACE) != 0) {
295 crfree(args.pfcred);
296 args.pfcred = NULL;
297 args.scrubenv = B_FALSE;
298 }
299 }
300
301 /*
302 * Specific exec handlers, or policies determined via
303 * /etc/system may override the historical default.
304 */
305 args.stk_prot = PROT_ZFOD;
306 args.dat_prot = PROT_ZFOD;
307
308 CPU_STATS_ADD_K(sys, sysexec, 1);
309 DTRACE_PROC1(exec, char *, args.pathname);
310
311 ua.fname = fname;
312 ua.argp = argp;
313 ua.envp = envp;
314
315 /* If necessary, brand this process before we start the exec. */
316 if (brandme)
317 brand_setbrand(p);
318
319 if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
320 exec_file, p->p_cred, brand_action)) != 0) {
321 if (brandme)
322 brand_clearbrand(p, B_FALSE);
323 VN_RELE(vp);
324 if (dir != NULL)
325 VN_RELE(dir);
326 pn_free(&resolvepn);
327 goto fail;
328 }
329
330 /*
331 * Free floating point registers (sun4u only)
332 */
333 ASSERT(lwp != NULL);
334 lwp_freeregs(lwp, 1);
335
336 /*
337 * Free thread and process context ops.
338 */
339 if (curthread->t_ctx)
340 freectx(curthread, 1);
341 if (p->p_pctx)
342 freepctx(p, 1);
343
344 /*
345 * Remember file name for accounting; clear any cached DTrace predicate.
346 */
347 up->u_acflag &= ~AFORK;
348 bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
349 curthread->t_predcache = 0;
350
351 /*
352 * Clear contract template state
353 */
354 lwp_ctmpl_clear(lwp);
355
356 /*
357 * Save the directory in which we found the executable for expanding
358 * the %d token used in core file patterns.
359 */
360 mutex_enter(&p->p_lock);
361 tmpvp = p->p_execdir;
362 p->p_execdir = dir;
363 if (p->p_execdir != NULL)
364 VN_HOLD(p->p_execdir);
365 mutex_exit(&p->p_lock);
366
367 if (tmpvp != NULL)
368 VN_RELE(tmpvp);
369
370 /*
371 * Reset stack state to the user stack, clear set of signals
372 * caught on the signal stack, and reset list of signals that
373 * restart system calls; the new program's environment should
374 * not be affected by detritus from the old program. Any
375 * pending held signals remain held, so don't clear t_hold.
376 */
377 mutex_enter(&p->p_lock);
378 lwp->lwp_oldcontext = 0;
379 lwp->lwp_ustack = 0;
380 lwp->lwp_old_stk_ctl = 0;
381 sigemptyset(&up->u_signodefer);
382 sigemptyset(&up->u_sigonstack);
383 sigemptyset(&up->u_sigresethand);
384 lwp->lwp_sigaltstack.ss_sp = 0;
385 lwp->lwp_sigaltstack.ss_size = 0;
386 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
387
388 /*
389 * Make saved resource limit == current resource limit.
390 */
391 for (i = 0; i < RLIM_NLIMITS; i++) {
392 /*CONSTCOND*/
393 if (RLIM_SAVED(i)) {
394 (void) rctl_rlimit_get(rctlproc_legacy[i], p,
395 &up->u_saved_rlimit[i]);
396 }
397 }
398
399 /*
400 * If the action was to catch the signal, then the action
401 * must be reset to SIG_DFL.
402 */
403 sigdefault(p);
404 p->p_flag &= ~(SNOWAIT|SJCTL);
405 p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
406 up->u_signal[SIGCLD - 1] = SIG_DFL;
407
408 /*
409 * Delete the dot4 sigqueues/signotifies.
410 */
411 sigqfree(p);
412
413 mutex_exit(&p->p_lock);
414
415 mutex_enter(&p->p_pflock);
416 p->p_prof.pr_base = NULL;
417 p->p_prof.pr_size = 0;
418 p->p_prof.pr_off = 0;
419 p->p_prof.pr_scale = 0;
420 p->p_prof.pr_samples = 0;
421 mutex_exit(&p->p_pflock);
422
423 ASSERT(curthread->t_schedctl == NULL);
424
425
426 /*
427 * Close all close-on-exec files.
428 */
429 close_exec(P_FINFO(p));
430 TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
431
432 /* Unbrand ourself if necessary. */
433 if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
434 brand_clearbrand(p, B_FALSE);
435
436 setregs(&args);
437
438 /* Mark this as an executable vnode */
439 mutex_enter(&vp->v_lock);
440 vp->v_flag |= VVMEXEC;
441 mutex_exit(&vp->v_lock);
442
443 VN_RELE(vp);
444 if (dir != NULL)
445 VN_RELE(dir);
446 pn_free(&resolvepn);
447
448 /*
449 * Allocate a new lwp directory and lwpid hash table if necessary.
450 */
451 if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
452 lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
453 lwpdir->ld_next = lwpdir + 1;
454 tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
455 if (p->p_lwpdir != NULL)
456 lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
457 else
458 lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
459 }
460
461 if (PROC_IS_BRANDED(p))
462 BROP(p)->b_exec();
463
464 mutex_enter(&p->p_lock);
465 prbarrier(p);
466
467 /*
468 * Reset lwp id to the default value of 1.
469 * This is a single-threaded process now
470 * and lwp #1 is lwp_wait()able by default.
471 * The t_unpark flag should not be inherited.
472 */
473 ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
474 curthread->t_tid = 1;
475 kpreempt_disable();
476 ASSERT(curthread->t_lpl != NULL);
477 p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
478 kpreempt_enable();
479 if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
480 lgrp_update_trthr_migrations(1);
481 }
482 curthread->t_unpark = 0;
483 curthread->t_proc_flag |= TP_TWAIT;
484 curthread->t_proc_flag &= ~TP_DAEMON; /* daemons shouldn't exec */
485 p->p_lwpdaemon = 0; /* but oh well ... */
486 p->p_lwpid = 1;
487
488 /*
489 * Install the newly-allocated lwp directory and lwpid hash table
490 * and insert the current thread into the new hash table.
491 */
492 if (lwpdir != NULL) {
493 old_lwpdir = p->p_lwpdir;
494 old_lwpdir_sz = p->p_lwpdir_sz;
495 old_tidhash = p->p_tidhash;
496 old_tidhash_sz = p->p_tidhash_sz;
497 p->p_lwpdir = p->p_lwpfree = lwpdir;
498 p->p_lwpdir_sz = 2;
499 lep->le_thread = curthread;
500 lep->le_lwpid = curthread->t_tid;
501 lep->le_start = curthread->t_start;
502 lwp_hash_in(p, lep, tidhash, 2, 0);
503 p->p_tidhash = tidhash;
504 p->p_tidhash_sz = 2;
505 }
506 ret_tidhash = p->p_ret_tidhash;
507 p->p_ret_tidhash = NULL;
508
509 /*
510 * Restore the saved signal mask and
511 * inform /proc that the exec() has finished.
512 */
513 curthread->t_hold = savedmask;
514 prexecend();
515 mutex_exit(&p->p_lock);
516 if (old_lwpdir) {
517 kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
518 kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
519 }
520 while (ret_tidhash != NULL) {
521 ret_tidhash_t *next = ret_tidhash->rth_next;
522 kmem_free(ret_tidhash->rth_tidhash,
523 ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
524 kmem_free(ret_tidhash, sizeof (*ret_tidhash));
525 ret_tidhash = next;
526 }
527
528 ASSERT(error == 0);
529 DTRACE_PROC(exec__success);
530 return (0);
531
532 fail:
533 DTRACE_PROC1(exec__failure, int, error);
534 out: /* error return */
535 mutex_enter(&p->p_lock);
536 curthread->t_hold = savedmask;
537 prexecend();
538 mutex_exit(&p->p_lock);
539 ASSERT(error != 0);
540 return (error);
541 }
542
543
544 /*
545 * Perform generic exec duties and switchout to object-file specific
546 * handler.
547 */
548 int
549 gexec(
550 struct vnode **vpp,
551 struct execa *uap,
552 struct uarg *args,
553 struct intpdata *idatap,
554 int level,
555 long *execsz,
556 caddr_t exec_file,
557 struct cred *cred,
558 int brand_action)
559 {
560 struct vnode *vp, *execvp = NULL;
561 proc_t *pp = ttoproc(curthread);
562 struct execsw *eswp;
563 int error = 0;
564 int suidflags = 0;
565 ssize_t resid;
566 uid_t uid, gid;
567 struct vattr vattr;
568 char magbuf[MAGIC_BYTES];
569 int setid;
570 cred_t *oldcred, *newcred = NULL;
571 int privflags = 0;
572 int setidfl;
573 priv_set_t fset;
574 secflagset_t old_secflags;
575
576 secflags_copy(&old_secflags, &pp->p_secflags.psf_effective);
577
578 /*
579 * If the SNOCD or SUGID flag is set, turn it off and remember the
580 * previous setting so we can restore it if we encounter an error.
581 */
582 if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
583 mutex_enter(&pp->p_lock);
584 suidflags = pp->p_flag & PSUIDFLAGS;
585 pp->p_flag &= ~PSUIDFLAGS;
586 mutex_exit(&pp->p_lock);
587 }
588
589 if ((error = execpermissions(*vpp, &vattr, args)) != 0)
590 goto bad_noclose;
591
592 /* need to open vnode for stateful file systems */
593 if ((error = fop_open(vpp, FREAD, CRED(), NULL)) != 0)
594 goto bad_noclose;
595 vp = *vpp;
596
597 /*
598 * Note: to support binary compatibility with SunOS a.out
599 * executables, we read in the first four bytes, as the
600 * magic number is in bytes 2-3.
601 */
602 if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
603 (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
604 goto bad;
605 if (resid != 0)
606 goto bad;
607
608 if ((eswp = findexec_by_hdr(magbuf)) == NULL)
609 goto bad;
610
611 if (level == 0 &&
612 (privflags = execsetid(vp, &vattr, &uid, &gid, &fset,
613 args->pfcred == NULL ? cred : args->pfcred, args->pathname)) != 0) {
614
615 /* Pfcred is a credential with a ref count of 1 */
616
617 if (args->pfcred != NULL) {
618 privflags |= PRIV_INCREASE|PRIV_RESET;
619 newcred = cred = args->pfcred;
620 } else {
621 newcred = cred = crdup(cred);
622 }
623
624 /* If we can, drop the PA bit */
625 if ((privflags & PRIV_RESET) != 0)
626 priv_adjust_PA(cred);
627
628 if (privflags & PRIV_SETID) {
629 cred->cr_uid = uid;
630 cred->cr_gid = gid;
631 cred->cr_suid = uid;
632 cred->cr_sgid = gid;
633 }
634
635 /*
636 * Implement the privilege updates:
637 *
638 * Restrict with L:
639 *
640 * I' = I & L
641 *
642 * E' = P' = (I' + F) & A
643 *
644 * But if running under ptrace, we cap I and F with P.
645 */
646 if ((privflags & (PRIV_RESET|PRIV_FORCED)) != 0) {
647 if ((privflags & PRIV_INCREASE) != 0 &&
648 (pp->p_proc_flag & P_PR_PTRACE) != 0) {
649 priv_intersect(&CR_OPPRIV(cred),
650 &CR_IPRIV(cred));
651 priv_intersect(&CR_OPPRIV(cred), &fset);
652 }
653 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
654 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
655 if (privflags & PRIV_FORCED) {
656 priv_set_PA(cred);
657 priv_union(&fset, &CR_EPRIV(cred));
658 priv_union(&fset, &CR_PPRIV(cred));
659 }
660 priv_adjust_PA(cred);
661 }
662 } else if (level == 0 && args->pfcred != NULL) {
663 newcred = cred = args->pfcred;
664 privflags |= PRIV_INCREASE;
665 /* pfcred is not forced to adhere to these settings */
666 priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
667 CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
668 priv_adjust_PA(cred);
669 }
670
671 /* The new image gets the inheritable secflags as its secflags */
672 secflags_promote(pp);
673
674 /* SunOS 4.x buy-back */
675 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
676 (vattr.va_mode & (VSUID|VSGID))) {
677 char path[MAXNAMELEN];
678 refstr_t *mntpt = NULL;
679 int ret = -1;
680
681 bzero(path, sizeof (path));
682 zone_hold(pp->p_zone);
683
684 ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
685 sizeof (path), cred);
686
687 /* fallback to mountpoint if a path can't be found */
688 if ((ret != 0) || (ret == 0 && path[0] == '\0'))
689 mntpt = vfs_getmntpoint(vp->v_vfsp);
690
691 if (mntpt == NULL)
692 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
693 "!uid %d: setuid execution not allowed, "
694 "file=%s", cred->cr_uid, path);
695 else
696 zcmn_err(pp->p_zone->zone_id, CE_NOTE,
697 "!uid %d: setuid execution not allowed, "
698 "fs=%s, file=%s", cred->cr_uid,
699 ZONE_PATH_TRANSLATE(refstr_value(mntpt),
700 pp->p_zone), exec_file);
701
702 if (!INGLOBALZONE(pp)) {
703 /* zone_rootpath always has trailing / */
704 if (mntpt == NULL)
705 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
706 "setuid execution not allowed, file=%s%s",
707 pp->p_zone->zone_name, cred->cr_uid,
708 pp->p_zone->zone_rootpath, path + 1);
709 else
710 cmn_err(CE_NOTE, "!zone: %s, uid: %d "
711 "setuid execution not allowed, fs=%s, "
712 "file=%s", pp->p_zone->zone_name,
713 cred->cr_uid, refstr_value(mntpt),
714 exec_file);
715 }
716
717 if (mntpt != NULL)
718 refstr_rele(mntpt);
719
720 zone_rele(pp->p_zone);
721 }
722
723 /*
724 * execsetid() told us whether or not we had to change the
725 * credentials of the process. In privflags, it told us
726 * whether we gained any privileges or executed a set-uid executable.
727 */
728 setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE|PRIV_FORCED));
729
730 /*
731 * Use /etc/system variable to determine if the stack
732 * should be marked as executable by default.
733 */
734 if ((noexec_user_stack != 0) ||
735 secflag_enabled(pp, PROC_SEC_NOEXECSTACK))
736 args->stk_prot &= ~PROT_EXEC;
737
738 args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
739 args->ex_vp = vp;
740
741 /*
742 * Traditionally, the setid flags told the sub processes whether
743 * the file just executed was set-uid or set-gid; this caused
744 * some confusion as the 'setid' flag did not match the SUGID
745 * process flag which is only set when the uids/gids do not match.
746 * A script set-gid/set-uid to the real uid/gid would start with
747 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
748 * Now we flag those cases where the calling process cannot
749 * be trusted to influence the newly exec'ed process, either
750 * because it runs with more privileges or when the uids/gids
751 * do in fact not match.
752 * This also makes the runtime linker agree with the on exec
753 * values of SNOCD and SUGID.
754 */
755 setidfl = 0;
756 if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
757 !supgroupmember(cred->cr_gid, cred))) {
758 setidfl |= EXECSETID_UGIDS;
759 }
760 if (setid & PRIV_SETUGID)
761 setidfl |= EXECSETID_SETID;
762 if (setid & PRIV_FORCED)
763 setidfl |= EXECSETID_PRIVS;
764
765 execvp = pp->p_exec;
766 if (execvp)
767 VN_HOLD(execvp);
768
769 error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
770 setidfl, exec_file, cred, brand_action);
771 rw_exit(eswp->exec_lock);
772 if (error != 0) {
773 if (execvp)
774 VN_RELE(execvp);
775 /*
776 * If this process's p_exec has been set to the vp of
777 * the executable by exec_func, we will return without
778 * calling fop_close because proc_exit will close it
779 * on exit.
780 */
781 if (pp->p_exec == vp)
782 goto bad_noclose;
783 else
784 goto bad;
785 }
786
787 if (level == 0) {
788 uid_t oruid;
789
790 if (execvp != NULL) {
791 /*
792 * Close the previous executable only if we are
793 * at level 0.
794 */
795 (void) fop_close(execvp, FREAD, 1, (offset_t)0,
796 cred, NULL);
797 }
798
799 mutex_enter(&pp->p_crlock);
800
801 oruid = pp->p_cred->cr_ruid;
802
803 if (newcred != NULL) {
804 /*
805 * Free the old credentials, and set the new ones.
806 * Do this for both the process and the (single) thread.
807 */
808 crfree(pp->p_cred);
809 pp->p_cred = cred; /* cred already held for proc */
810 crhold(cred); /* hold new cred for thread */
811 /*
812 * DTrace accesses t_cred in probe context. t_cred
813 * must always be either NULL, or point to a valid,
814 * allocated cred structure.
815 */
816 oldcred = curthread->t_cred;
817 curthread->t_cred = cred;
818 crfree(oldcred);
819
820 if (priv_basic_test >= 0 &&
821 !PRIV_ISMEMBER(&CR_IPRIV(newcred),
822 priv_basic_test)) {
823 pid_t pid = pp->p_pid;
824 char *fn = PTOU(pp)->u_comm;
825
826 cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
827 "privilege removed from E/I", fn, pid);
828 }
829 }
830 /*
831 * On emerging from a successful exec(), the saved
832 * uid and gid equal the effective uid and gid.
833 */
834 cred->cr_suid = cred->cr_uid;
835 cred->cr_sgid = cred->cr_gid;
836
837 /*
838 * If the real and effective ids do not match, this
839 * is a setuid process that should not dump core.
840 * The group comparison is tricky; we prevent the code
841 * from flagging SNOCD when executing with an effective gid
842 * which is a supplementary group.
843 */
844 if (cred->cr_ruid != cred->cr_uid ||
845 (cred->cr_rgid != cred->cr_gid &&
846 !supgroupmember(cred->cr_gid, cred)) ||
847 (privflags & PRIV_INCREASE) != 0)
848 suidflags = PSUIDFLAGS;
849 else
850 suidflags = 0;
851
852 mutex_exit(&pp->p_crlock);
853 if (newcred != NULL && oruid != newcred->cr_ruid) {
854 /* Note that the process remains in the same zone. */
855 mutex_enter(&pidlock);
856 upcount_dec(oruid, crgetzoneid(newcred));
857 upcount_inc(newcred->cr_ruid, crgetzoneid(newcred));
858 mutex_exit(&pidlock);
859 }
860 if (suidflags) {
861 mutex_enter(&pp->p_lock);
862 pp->p_flag |= suidflags;
863 mutex_exit(&pp->p_lock);
864 }
865 if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
866 /*
867 * If process is traced via /proc, arrange to
868 * invalidate the associated /proc vnode.
869 */
870 if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
871 args->traceinval = 1;
872 }
873 if (pp->p_proc_flag & P_PR_PTRACE)
874 psignal(pp, SIGTRAP);
875 if (args->traceinval)
876 prinvalidate(&pp->p_user);
877 }
878 if (execvp)
879 VN_RELE(execvp);
880 return (0);
881
882 bad:
883 (void) fop_close(vp, FREAD, 1, (offset_t)0, cred, NULL);
884
885 bad_noclose:
886 if (newcred != NULL)
887 crfree(newcred);
888 if (error == 0)
889 error = ENOEXEC;
890
891 mutex_enter(&pp->p_lock);
892 if (suidflags) {
893 pp->p_flag |= suidflags;
894 }
895 /*
896 * Restore the effective secflags, to maintain the invariant they
897 * never change for a given process
898 */
899 secflags_copy(&pp->p_secflags.psf_effective, &old_secflags);
900 mutex_exit(&pp->p_lock);
901
902 return (error);
903 }
904
905 extern char *execswnames[];
906
907 struct execsw *
908 allocate_execsw(char *name, char *magic, size_t magic_size)
909 {
910 int i, j;
911 char *ename;
912 char *magicp;
913
914 mutex_enter(&execsw_lock);
915 for (i = 0; i < nexectype; i++) {
916 if (execswnames[i] == NULL) {
917 ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
918 (void) strcpy(ename, name);
919 execswnames[i] = ename;
920 /*
921 * Set the magic number last so that we
922 * don't need to hold the execsw_lock in
923 * findexectype().
924 */
925 magicp = kmem_alloc(magic_size, KM_SLEEP);
926 for (j = 0; j < magic_size; j++)
927 magicp[j] = magic[j];
928 execsw[i].exec_magic = magicp;
929 mutex_exit(&execsw_lock);
930 return (&execsw[i]);
931 }
932 }
933 mutex_exit(&execsw_lock);
934 return (NULL);
935 }
936
937 /*
938 * Find the exec switch table entry with the corresponding magic string.
939 */
940 struct execsw *
941 findexecsw(char *magic)
942 {
943 struct execsw *eswp;
944
945 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
946 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
947 if (magic && eswp->exec_maglen != 0 &&
948 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
949 return (eswp);
950 }
951 return (NULL);
952 }
953
954 /*
955 * Find the execsw[] index for the given exec header string by looking for the
956 * magic string at a specified offset and length for each kind of executable
957 * file format until one matches. If no execsw[] entry is found, try to
958 * autoload a module for this magic string.
959 */
960 struct execsw *
961 findexec_by_hdr(char *header)
962 {
963 struct execsw *eswp;
964
965 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
966 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
967 if (header && eswp->exec_maglen != 0 &&
968 bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
969 eswp->exec_maglen) == 0) {
970 if (hold_execsw(eswp) != 0)
971 return (NULL);
972 return (eswp);
973 }
974 }
975 return (NULL); /* couldn't find the type */
976 }
977
978 /*
979 * Find the execsw[] index for the given magic string. If no execsw[] entry
980 * is found, try to autoload a module for this magic string.
981 */
982 struct execsw *
983 findexec_by_magic(char *magic)
984 {
985 struct execsw *eswp;
986
987 for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
988 ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
989 if (magic && eswp->exec_maglen != 0 &&
990 bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
991 if (hold_execsw(eswp) != 0)
992 return (NULL);
993 return (eswp);
994 }
995 }
996 return (NULL); /* couldn't find the type */
997 }
998
999 static int
1000 hold_execsw(struct execsw *eswp)
1001 {
1002 char *name;
1003
1004 rw_enter(eswp->exec_lock, RW_READER);
1005 while (!LOADED_EXEC(eswp)) {
1006 rw_exit(eswp->exec_lock);
1007 name = execswnames[eswp-execsw];
1008 ASSERT(name);
1009 if (modload("exec", name) == -1)
1010 return (-1);
1011 rw_enter(eswp->exec_lock, RW_READER);
1012 }
1013 return (0);
1014 }
1015
1016 static int
1017 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp,
1018 priv_set_t *fset, cred_t *cr, const char *pathname)
1019 {
1020 proc_t *pp = ttoproc(curthread);
1021 uid_t uid, gid;
1022 int privflags = 0;
1023
1024 /*
1025 * Remember credentials.
1026 */
1027 uid = cr->cr_uid;
1028 gid = cr->cr_gid;
1029
1030 /* Will try to reset the PRIV_AWARE bit later. */
1031 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
1032 privflags |= PRIV_RESET;
1033
1034 if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
1035 /*
1036 * If it's a set-uid root program we perform the
1037 * forced privilege look-aside. This has three possible
1038 * outcomes:
1039 * no look aside information -> treat as before
1040 * look aside in Limit set -> apply forced privs
1041 * look aside not in Limit set -> ignore set-uid root
1042 *
1043 * Ordinary set-uid root execution only allowed if the limit
1044 * set holds all unsafe privileges.
1045 */
1046 if (vattrp->va_mode & VSUID) {
1047 if (vattrp->va_uid == 0) {
1048 int res = get_forced_privs(cr, pathname, fset);
1049
1050 switch (res) {
1051 case -1:
1052 if (priv_issubset(&priv_unsafe,
1053 &CR_LPRIV(cr))) {
1054 uid = vattrp->va_uid;
1055 privflags |= PRIV_SETUGID;
1056 }
1057 break;
1058 case 0:
1059 privflags |= PRIV_FORCED|PRIV_INCREASE;
1060 break;
1061 default:
1062 break;
1063 }
1064 } else {
1065 uid = vattrp->va_uid;
1066 privflags |= PRIV_SETUGID;
1067 }
1068 }
1069 if (vattrp->va_mode & VSGID) {
1070 gid = vattrp->va_gid;
1071 privflags |= PRIV_SETUGID;
1072 }
1073 }
1074
1075 /*
1076 * Do we need to change our credential anyway?
1077 * This is the case when E != I or P != I, as
1078 * we need to do the assignments (with F empty and A full)
1079 * Or when I is not a subset of L; in that case we need to
1080 * enforce L.
1081 *
1082 * I' = L & I
1083 *
1084 * E' = P' = (I' + F) & A
1085 * or
1086 * E' = P' = I'
1087 */
1088 if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
1089 !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
1090 !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
1091 privflags |= PRIV_RESET;
1092
1093 /* Child has more privileges than parent */
1094 if (!priv_issubset(&CR_IPRIV(cr), &CR_PPRIV(cr)))
1095 privflags |= PRIV_INCREASE;
1096
1097 /*
1098 * Set setuid/setgid protections if no ptrace() compatibility.
1099 * For privileged processes, honor setuid/setgid even in
1100 * the presence of ptrace() compatibility.
1101 */
1102 if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
1103 PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
1104 (cr->cr_uid != uid ||
1105 cr->cr_gid != gid ||
1106 cr->cr_suid != uid ||
1107 cr->cr_sgid != gid)) {
1108 *uidp = uid;
1109 *gidp = gid;
1110 privflags |= PRIV_SETID;
1111 }
1112 return (privflags);
1113 }
1114
1115 int
1116 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1117 {
1118 int error;
1119 proc_t *p = ttoproc(curthread);
1120
1121 vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1122 if (error = fop_getattr(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1123 return (error);
1124 /*
1125 * Check the access mode.
1126 * If VPROC, ask /proc if the file is an object file.
1127 */
1128 if ((error = fop_access(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1129 !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1130 (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1131 (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1132 if (error == 0)
1133 error = EACCES;
1134 return (error);
1135 }
1136
1137 if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1138 (error = fop_access(vp, VREAD, 0, p->p_cred, NULL))) {
1139 /*
1140 * If process is under ptrace(2) compatibility,
1141 * fail the exec(2).
1142 */
1143 if (p->p_proc_flag & P_PR_PTRACE)
1144 goto bad;
1145 /*
1146 * Process is traced via /proc.
1147 * Arrange to invalidate the /proc vnode.
1148 */
1149 args->traceinval = 1;
1150 }
1151 return (0);
1152 bad:
1153 if (error == 0)
1154 error = ENOEXEC;
1155 return (error);
1156 }
1157
1158 /*
1159 * Map a section of an executable file into the user's
1160 * address space.
1161 */
1162 int
1163 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1164 off_t offset, int prot, int page, uint_t szc)
1165 {
1166 int error = 0;
1167 off_t oldoffset;
1168 caddr_t zfodbase, oldaddr;
1169 size_t end, oldlen;
1170 size_t zfoddiff;
1171 label_t ljb;
1172 proc_t *p = ttoproc(curthread);
1173
1174 oldaddr = addr;
1175 addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1176 if (len) {
1177 oldlen = len;
1178 len += ((size_t)oldaddr - (size_t)addr);
1179 oldoffset = offset;
1180 offset = (off_t)((uintptr_t)offset & PAGEMASK);
1181 if (page) {
1182 spgcnt_t prefltmem, availm, npages;
1183 int preread;
1184 uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1185
1186 if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1187 mflag |= MAP_TEXT;
1188 } else {
1189 mflag |= MAP_INITDATA;
1190 }
1191
1192 if (valid_usr_range(addr, len, prot, p->p_as,
1193 p->p_as->a_userlimit) != RANGE_OKAY) {
1194 error = ENOMEM;
1195 goto bad;
1196 }
1197 if (error = fop_map(vp, (offset_t)offset,
1198 p->p_as, &addr, len, prot, PROT_ALL,
1199 mflag, CRED(), NULL))
1200 goto bad;
1201
1202 /*
1203 * If the segment can fit, then we prefault
1204 * the entire segment in. This is based on the
1205 * model that says the best working set of a
1206 * small program is all of its pages.
1207 */
1208 npages = (spgcnt_t)btopr(len);
1209 prefltmem = freemem - desfree;
1210 preread =
1211 (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1212
1213 /*
1214 * If we aren't prefaulting the segment,
1215 * increment "deficit", if necessary to ensure
1216 * that pages will become available when this
1217 * process starts executing.
1218 */
1219 availm = freemem - lotsfree;
1220 if (preread == 0 && npages > availm &&
1221 deficit < lotsfree) {
1222 deficit += MIN((pgcnt_t)(npages - availm),
1223 lotsfree - deficit);
1224 }
1225
1226 if (preread) {
1227 TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1228 "execmap preread:freemem %d size %lu",
1229 freemem, len);
1230 (void) as_fault(p->p_as->a_hat, p->p_as,
1231 (caddr_t)addr, len, F_INVAL, S_READ);
1232 }
1233 } else {
1234 if (valid_usr_range(addr, len, prot, p->p_as,
1235 p->p_as->a_userlimit) != RANGE_OKAY) {
1236 error = ENOMEM;
1237 goto bad;
1238 }
1239
1240 if (error = as_map(p->p_as, addr, len,
1241 segvn_create, zfod_argsp))
1242 goto bad;
1243 /*
1244 * Read in the segment in one big chunk.
1245 */
1246 if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1247 oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1248 (rlim64_t)0, CRED(), (ssize_t *)0))
1249 goto bad;
1250 /*
1251 * Now set protections.
1252 */
1253 if (prot != PROT_ZFOD) {
1254 (void) as_setprot(p->p_as, (caddr_t)addr,
1255 len, prot);
1256 }
1257 }
1258 }
1259
1260 if (zfodlen) {
1261 struct as *as = curproc->p_as;
1262 struct seg *seg;
1263 uint_t zprot = 0;
1264
1265 end = (size_t)addr + len;
1266 zfodbase = (caddr_t)roundup(end, PAGESIZE);
1267 zfoddiff = (uintptr_t)zfodbase - end;
1268 if (zfoddiff) {
1269 /*
1270 * Before we go to zero the remaining space on the last
1271 * page, make sure we have write permission.
1272 *
1273 * Normal illumos binaries don't even hit the case
1274 * where we have to change permission on the last page
1275 * since their protection is typically either
1276 * PROT_USER | PROT_WRITE | PROT_READ
1277 * or
1278 * PROT_ZFOD (same as PROT_ALL).
1279 *
1280 * We need to be careful how we zero-fill the last page
1281 * if the segment protection does not include
1282 * PROT_WRITE. Using as_setprot() can cause the VM
1283 * segment code to call segvn_vpage(), which must
1284 * allocate a page struct for each page in the segment.
1285 * If we have a very large segment, this may fail, so
1286 * we have to check for that, even though we ignore
1287 * other return values from as_setprot.
1288 */
1289
1290 AS_LOCK_ENTER(as, RW_READER);
1291 seg = as_segat(curproc->p_as, (caddr_t)end);
1292 if (seg != NULL)
1293 (void) segop_getprot(seg, (caddr_t)end,
1294 zfoddiff - 1, &zprot);
1295 AS_LOCK_EXIT(as);
1296
1297 if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1298 if (as_setprot(as, (caddr_t)end, zfoddiff - 1,
1299 zprot | PROT_WRITE) == ENOMEM) {
1300 error = ENOMEM;
1301 goto bad;
1302 }
1303 }
1304
1305 if (on_fault(&ljb)) {
1306 no_fault();
1307 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1308 (void) as_setprot(as, (caddr_t)end,
1309 zfoddiff - 1, zprot);
1310 error = EFAULT;
1311 goto bad;
1312 }
1313 uzero((void *)end, zfoddiff);
1314 no_fault();
1315 if (seg != NULL && (zprot & PROT_WRITE) == 0)
1316 (void) as_setprot(as, (caddr_t)end,
1317 zfoddiff - 1, zprot);
1318 }
1319 if (zfodlen > zfoddiff) {
1320 struct segvn_crargs crargs =
1321 SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1322
1323 zfodlen -= zfoddiff;
1324 if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1325 p->p_as->a_userlimit) != RANGE_OKAY) {
1326 error = ENOMEM;
1327 goto bad;
1328 }
1329 if (szc > 0) {
1330 /*
1331 * ASSERT alignment because the mapelfexec()
1332 * caller for the szc > 0 case extended zfod
1333 * so it's end is pgsz aligned.
1334 */
1335 size_t pgsz = page_get_pagesize(szc);
1336 ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1337
1338 if (IS_P2ALIGNED(zfodbase, pgsz)) {
1339 crargs.szc = szc;
1340 } else {
1341 crargs.szc = AS_MAP_HEAP;
1342 }
1343 } else {
1344 crargs.szc = AS_MAP_NO_LPOOB;
1345 }
1346 if (error = as_map(p->p_as, (caddr_t)zfodbase,
1347 zfodlen, segvn_create, &crargs))
1348 goto bad;
1349 if (prot != PROT_ZFOD) {
1350 (void) as_setprot(p->p_as, (caddr_t)zfodbase,
1351 zfodlen, prot);
1352 }
1353 }
1354 }
1355 return (0);
1356 bad:
1357 return (error);
1358 }
1359
1360 void
1361 setexecenv(struct execenv *ep)
1362 {
1363 proc_t *p = ttoproc(curthread);
1364 klwp_t *lwp = ttolwp(curthread);
1365 struct vnode *vp;
1366
1367 p->p_bssbase = ep->ex_bssbase;
1368 p->p_brkbase = ep->ex_brkbase;
1369 p->p_brksize = ep->ex_brksize;
1370 if (p->p_exec)
1371 VN_RELE(p->p_exec); /* out with the old */
1372 vp = p->p_exec = ep->ex_vp;
1373 if (vp != NULL)
1374 VN_HOLD(vp); /* in with the new */
1375
1376 lwp->lwp_sigaltstack.ss_sp = 0;
1377 lwp->lwp_sigaltstack.ss_size = 0;
1378 lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1379 }
1380
1381 int
1382 execopen(struct vnode **vpp, int *fdp)
1383 {
1384 struct vnode *vp = *vpp;
1385 file_t *fp;
1386 int error = 0;
1387 int filemode = FREAD;
1388
1389 VN_HOLD(vp); /* open reference */
1390 if (error = falloc(NULL, filemode, &fp, fdp)) {
1391 VN_RELE(vp);
1392 *fdp = -1; /* just in case falloc changed value */
1393 return (error);
1394 }
1395 if (error = fop_open(&vp, filemode, CRED(), NULL)) {
1396 VN_RELE(vp);
1397 setf(*fdp, NULL);
1398 unfalloc(fp);
1399 *fdp = -1;
1400 return (error);
1401 }
1402 *vpp = vp; /* vnode should not have changed */
1403 fp->f_vnode = vp;
1404 mutex_exit(&fp->f_tlock);
1405 setf(*fdp, fp);
1406 return (0);
1407 }
1408
1409 int
1410 execclose(int fd)
1411 {
1412 return (closeandsetf(fd, NULL));
1413 }
1414
1415
1416 /*
1417 * noexec stub function.
1418 */
1419 /*ARGSUSED*/
1420 int
1421 noexec(
1422 struct vnode *vp,
1423 struct execa *uap,
1424 struct uarg *args,
1425 struct intpdata *idatap,
1426 int level,
1427 long *execsz,
1428 int setid,
1429 caddr_t exec_file,
1430 struct cred *cred)
1431 {
1432 cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1433 return (ENOEXEC);
1434 }
1435
1436 /*
1437 * Support routines for building a user stack.
1438 *
1439 * execve(path, argv, envp) must construct a new stack with the specified
1440 * arguments and environment variables (see exec_args() for a description
1441 * of the user stack layout). To do this, we copy the arguments and
1442 * environment variables from the old user address space into the kernel,
1443 * free the old as, create the new as, and copy our buffered information
1444 * to the new stack. Our kernel buffer has the following structure:
1445 *
1446 * +-----------------------+ <--- stk_base + stk_size
1447 * | string offsets |
1448 * +-----------------------+ <--- stk_offp
1449 * | |
1450 * | STK_AVAIL() space |
1451 * | |
1452 * +-----------------------+ <--- stk_strp
1453 * | strings |
1454 * +-----------------------+ <--- stk_base
1455 *
1456 * When we add a string, we store the string's contents (including the null
1457 * terminator) at stk_strp, and we store the offset of the string relative to
1458 * stk_base at --stk_offp. At strings are added, stk_strp increases and
1459 * stk_offp decreases. The amount of space remaining, STK_AVAIL(), is just
1460 * the difference between these pointers. If we run out of space, we return
1461 * an error and exec_args() starts all over again with a buffer twice as large.
1462 * When we're all done, the kernel buffer looks like this:
1463 *
1464 * +-----------------------+ <--- stk_base + stk_size
1465 * | argv[0] offset |
1466 * +-----------------------+
1467 * | ... |
1468 * +-----------------------+
1469 * | argv[argc-1] offset |
1470 * +-----------------------+
1471 * | envp[0] offset |
1472 * +-----------------------+
1473 * | ... |
1474 * +-----------------------+
1475 * | envp[envc-1] offset |
1476 * +-----------------------+
1477 * | AT_SUN_PLATFORM offset|
1478 * +-----------------------+
1479 * | AT_SUN_EXECNAME offset|
1480 * +-----------------------+ <--- stk_offp
1481 * | |
1482 * | STK_AVAIL() space |
1483 * | |
1484 * +-----------------------+ <--- stk_strp
1485 * | AT_SUN_EXECNAME offset|
1486 * +-----------------------+
1487 * | AT_SUN_PLATFORM offset|
1488 * +-----------------------+
1489 * | envp[envc-1] string |
1490 * +-----------------------+
1491 * | ... |
1492 * +-----------------------+
1493 * | envp[0] string |
1494 * +-----------------------+
1495 * | argv[argc-1] string |
1496 * +-----------------------+
1497 * | ... |
1498 * +-----------------------+
1499 * | argv[0] string |
1500 * +-----------------------+ <--- stk_base
1501 */
1502
1503 #define STK_AVAIL(args) ((char *)(args)->stk_offp - (args)->stk_strp)
1504
1505 /*
1506 * Add a string to the stack.
1507 */
1508 static int
1509 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1510 {
1511 int error;
1512 size_t len;
1513
1514 if (STK_AVAIL(args) < sizeof (int))
1515 return (E2BIG);
1516 *--args->stk_offp = args->stk_strp - args->stk_base;
1517
1518 if (segflg == UIO_USERSPACE) {
1519 error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1520 if (error != 0)
1521 return (error);
1522 } else {
1523 len = strlen(sp) + 1;
1524 if (len > STK_AVAIL(args))
1525 return (E2BIG);
1526 bcopy(sp, args->stk_strp, len);
1527 }
1528
1529 args->stk_strp += len;
1530
1531 return (0);
1532 }
1533
1534 static int
1535 stk_getptr(uarg_t *args, char *src, char **dst)
1536 {
1537 int error;
1538
1539 if (args->from_model == DATAMODEL_NATIVE) {
1540 ulong_t ptr;
1541 error = fulword(src, &ptr);
1542 *dst = (caddr_t)ptr;
1543 } else {
1544 uint32_t ptr;
1545 error = fuword32(src, &ptr);
1546 *dst = (caddr_t)(uintptr_t)ptr;
1547 }
1548 return (error);
1549 }
1550
1551 static int
1552 stk_putptr(uarg_t *args, char *addr, char *value)
1553 {
1554 if (args->to_model == DATAMODEL_NATIVE)
1555 return (sulword(addr, (ulong_t)value));
1556 else
1557 return (suword32(addr, (uint32_t)(uintptr_t)value));
1558 }
1559
1560 static int
1561 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1562 {
1563 char *sp;
1564 int argc, error;
1565 int argv_empty = 0;
1566 size_t ptrsize = args->from_ptrsize;
1567 size_t size, pad;
1568 char *argv = (char *)uap->argp;
1569 char *envp = (char *)uap->envp;
1570
1571 /*
1572 * Copy interpreter's name and argument to argv[0] and argv[1].
1573 * In the rare case that we have nested interpreters then those names
1574 * and arguments are also copied to the subsequent slots in argv.
1575 */
1576 if (intp != NULL && intp->intp_name[0] != NULL) {
1577 int i;
1578
1579 for (i = 0; i < INTP_MAXDEPTH; i++) {
1580 if (intp->intp_name[i] == NULL)
1581 break;
1582 error = stk_add(args, intp->intp_name[i], UIO_SYSSPACE);
1583 if (error != 0)
1584 return (error);
1585 if (intp->intp_arg[i] != NULL) {
1586 error = stk_add(args, intp->intp_arg[i],
1587 UIO_SYSSPACE);
1588 if (error != 0)
1589 return (error);
1590 }
1591 }
1592
1593 if (args->fname != NULL)
1594 error = stk_add(args, args->fname, UIO_SYSSPACE);
1595 else
1596 error = stk_add(args, uap->fname, UIO_USERSPACE);
1597 if (error)
1598 return (error);
1599
1600 /*
1601 * Check for an empty argv[].
1602 */
1603 if (stk_getptr(args, argv, &sp))
1604 return (EFAULT);
1605 if (sp == NULL)
1606 argv_empty = 1;
1607
1608 argv += ptrsize; /* ignore original argv[0] */
1609 }
1610
1611 if (argv_empty == 0) {
1612 /*
1613 * Add argv[] strings to the stack.
1614 */
1615 for (;;) {
1616 if (stk_getptr(args, argv, &sp))
1617 return (EFAULT);
1618 if (sp == NULL)
1619 break;
1620 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1621 return (error);
1622 argv += ptrsize;
1623 }
1624 }
1625 argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1626 args->arglen = args->stk_strp - args->stk_base;
1627
1628 /*
1629 * Add environ[] strings to the stack.
1630 */
1631 if (envp != NULL) {
1632 for (;;) {
1633 char *tmp = args->stk_strp;
1634 if (stk_getptr(args, envp, &sp))
1635 return (EFAULT);
1636 if (sp == NULL)
1637 break;
1638 if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1639 return (error);
1640 if (args->scrubenv && strncmp(tmp, "LD_", 3) == 0) {
1641 /* Undo the copied string */
1642 args->stk_strp = tmp;
1643 *(args->stk_offp++) = 0;
1644 }
1645 envp += ptrsize;
1646 }
1647 }
1648 args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1649 args->ne = args->na - argc;
1650
1651 /*
1652 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1653 * AT_SUN_EMULATOR strings to the stack.
1654 */
1655 if (auxvpp != NULL && *auxvpp != NULL) {
1656 if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1657 return (error);
1658 if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1659 return (error);
1660 if (args->brandname != NULL &&
1661 (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1662 return (error);
1663 if (args->emulator != NULL &&
1664 (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1665 return (error);
1666 }
1667
1668 /*
1669 * Compute the size of the stack. This includes all the pointers,
1670 * the space reserved for the aux vector, and all the strings.
1671 * The total number of pointers is args->na (which is argc + envc)
1672 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1673 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1674 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1675 * all the strings, at the very top of the stack.
1676 */
1677 size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1678 (args->stk_strp - args->stk_base);
1679
1680 /*
1681 * Pad the string section with zeroes to align the stack size.
1682 */
1683 pad = P2NPHASE(size, args->stk_align);
1684
1685 if (STK_AVAIL(args) < pad)
1686 return (E2BIG);
1687
1688 args->usrstack_size = size + pad;
1689
1690 while (pad-- != 0)
1691 *args->stk_strp++ = 0;
1692
1693 args->nc = args->stk_strp - args->stk_base;
1694
1695 return (0);
1696 }
1697
1698 static int
1699 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1700 {
1701 size_t ptrsize = args->to_ptrsize;
1702 ssize_t pslen;
1703 char *kstrp = args->stk_base;
1704 char *ustrp = usrstack - args->nc - ptrsize;
1705 char *usp = usrstack - args->usrstack_size;
1706 int *offp = (int *)(args->stk_base + args->stk_size);
1707 int envc = args->ne;
1708 int argc = args->na - envc;
1709 int i;
1710
1711 /*
1712 * Record argc for /proc.
1713 */
1714 up->u_argc = argc;
1715
1716 /*
1717 * Put argc on the stack. Note that even though it's an int,
1718 * it always consumes ptrsize bytes (for alignment).
1719 */
1720 if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1721 return (-1);
1722
1723 /*
1724 * Add argc space (ptrsize) to usp and record argv for /proc.
1725 */
1726 up->u_argv = (uintptr_t)(usp += ptrsize);
1727
1728 /*
1729 * Put the argv[] pointers on the stack.
1730 */
1731 for (i = 0; i < argc; i++, usp += ptrsize)
1732 if (stk_putptr(args, usp, &ustrp[*--offp]))
1733 return (-1);
1734
1735 /*
1736 * Copy arguments to u_psargs.
1737 */
1738 pslen = MIN(args->arglen, PSARGSZ) - 1;
1739 for (i = 0; i < pslen; i++)
1740 up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1741 while (i < PSARGSZ)
1742 up->u_psargs[i++] = '\0';
1743
1744 /*
1745 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1746 * record envp for /proc.
1747 */
1748 up->u_envp = (uintptr_t)(usp += ptrsize);
1749
1750 /*
1751 * Put the envp[] pointers on the stack.
1752 */
1753 for (i = 0; i < envc; i++, usp += ptrsize)
1754 if (stk_putptr(args, usp, &ustrp[*--offp]))
1755 return (-1);
1756
1757 /*
1758 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1759 * remember where the stack ends, which is also where auxv begins.
1760 */
1761 args->stackend = usp += ptrsize;
1762
1763 /*
1764 * Put all the argv[], envp[], and auxv strings on the stack.
1765 */
1766 if (copyout(args->stk_base, ustrp, args->nc))
1767 return (-1);
1768
1769 /*
1770 * Fill in the aux vector now that we know the user stack addresses
1771 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1772 * AT_SUN_EMULATOR strings.
1773 */
1774 if (auxvpp != NULL && *auxvpp != NULL) {
1775 if (args->to_model == DATAMODEL_NATIVE) {
1776 auxv_t **a = (auxv_t **)auxvpp;
1777 ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1778 ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1779 if (args->brandname != NULL)
1780 ADDAUX(*a,
1781 AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1782 if (args->emulator != NULL)
1783 ADDAUX(*a,
1784 AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1785 } else {
1786 auxv32_t **a = (auxv32_t **)auxvpp;
1787 ADDAUX(*a,
1788 AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1789 ADDAUX(*a,
1790 AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1791 if (args->brandname != NULL)
1792 ADDAUX(*a, AT_SUN_BRANDNAME,
1793 (int)(uintptr_t)&ustrp[*--offp])
1794 if (args->emulator != NULL)
1795 ADDAUX(*a, AT_SUN_EMULATOR,
1796 (int)(uintptr_t)&ustrp[*--offp])
1797 }
1798 }
1799
1800 return (0);
1801 }
1802
1803 /*
1804 * Though the actual stack base is constant, slew the %sp by a random aligned
1805 * amount in [0,aslr_max_stack_skew). Mostly, this makes life slightly more
1806 * complicated for buffer overflows hoping to overwrite the return address.
1807 *
1808 * On some platforms this helps avoid cache thrashing when identical processes
1809 * simultaneously share caches that don't provide enough associativity
1810 * (e.g. sun4v systems). In this case stack slewing makes the same hot stack
1811 * variables in different processes live in different cache sets increasing
1812 * effective associativity.
1813 */
1814 size_t
1815 exec_get_spslew(void)
1816 {
1817 #ifdef sun4v
1818 static uint_t sp_color_stride = 16;
1819 static uint_t sp_color_mask = 0x1f;
1820 static uint_t sp_current_color = (uint_t)-1;
1821 #endif
1822 size_t off;
1823
1824 ASSERT(ISP2(aslr_max_stack_skew));
1825
1826 if ((aslr_max_stack_skew == 0) ||
1827 !secflag_enabled(curproc, PROC_SEC_ASLR)) {
1828 #ifdef sun4v
1829 uint_t spcolor = atomic_inc_32_nv(&sp_current_color);
1830 return ((size_t)((spcolor & sp_color_mask) *
1831 SA(sp_color_stride)));
1832 #else
1833 return (0);
1834 #endif
1835 }
1836
1837 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
1838 return (SA(P2PHASE(off, aslr_max_stack_skew)));
1839 }
1840
1841 /*
1842 * Initialize a new user stack with the specified arguments and environment.
1843 * The initial user stack layout is as follows:
1844 *
1845 * User Stack
1846 * +---------------+ <--- curproc->p_usrstack
1847 * | |
1848 * | slew |
1849 * | |
1850 * +---------------+
1851 * | NULL |
1852 * +---------------+
1853 * | |
1854 * | auxv strings |
1855 * | |
1856 * +---------------+
1857 * | |
1858 * | envp strings |
1859 * | |
1860 * +---------------+
1861 * | |
1862 * | argv strings |
1863 * | |
1864 * +---------------+ <--- ustrp
1865 * | |
1866 * | aux vector |
1867 * | |
1868 * +---------------+ <--- auxv
1869 * | NULL |
1870 * +---------------+
1871 * | envp[envc-1] |
1872 * +---------------+
1873 * | ... |
1874 * +---------------+
1875 * | envp[0] |
1876 * +---------------+ <--- envp[]
1877 * | NULL |
1878 * +---------------+
1879 * | argv[argc-1] |
1880 * +---------------+
1881 * | ... |
1882 * +---------------+
1883 * | argv[0] |
1884 * +---------------+ <--- argv[]
1885 * | argc |
1886 * +---------------+ <--- stack base
1887 */
1888 int
1889 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1890 {
1891 size_t size;
1892 int error;
1893 proc_t *p = ttoproc(curthread);
1894 user_t *up = PTOU(p);
1895 char *usrstack;
1896 rctl_entity_p_t e;
1897 struct as *as;
1898 extern int use_stk_lpg;
1899 size_t sp_slew;
1900
1901 args->from_model = p->p_model;
1902 if (p->p_model == DATAMODEL_NATIVE) {
1903 args->from_ptrsize = sizeof (long);
1904 } else {
1905 args->from_ptrsize = sizeof (int32_t);
1906 }
1907
1908 if (args->to_model == DATAMODEL_NATIVE) {
1909 args->to_ptrsize = sizeof (long);
1910 args->ncargs = NCARGS;
1911 args->stk_align = STACK_ALIGN;
1912 if (args->addr32)
1913 usrstack = (char *)USRSTACK64_32;
1914 else
1915 usrstack = (char *)USRSTACK;
1916 } else {
1917 args->to_ptrsize = sizeof (int32_t);
1918 args->ncargs = NCARGS32;
1919 args->stk_align = STACK_ALIGN32;
1920 usrstack = (char *)USRSTACK32;
1921 }
1922
1923 ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1924
1925
1926 for (size = PAGESIZE; ; size *= 2) {
1927 args->stk_size = size;
1928 args->stk_base = kmem_alloc(size, KM_SLEEP);
1929 args->stk_strp = args->stk_base;
1930 args->stk_offp = (int *)(args->stk_base + size);
1931 error = stk_copyin(uap, args, intp, auxvpp);
1932 if (error == 0)
1933 break;
1934 kmem_free(args->stk_base, size);
1935 if (error != E2BIG && error != ENAMETOOLONG)
1936 return (error);
1937 if (size >= args->ncargs)
1938 return (E2BIG);
1939 }
1940
1941 size = args->usrstack_size;
1942
1943 ASSERT(error == 0);
1944 ASSERT(P2PHASE(size, args->stk_align) == 0);
1945 ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1946
1947 if (size > args->ncargs) {
1948 kmem_free(args->stk_base, args->stk_size);
1949 return (E2BIG);
1950 }
1951
1952 /*
1953 * Leave only the current lwp and force the other lwps to exit.
1954 * If another lwp beat us to the punch by calling exit(), bail out.
1955 */
1956 if ((error = exitlwps(0)) != 0) {
1957 kmem_free(args->stk_base, args->stk_size);
1958 return (error);
1959 }
1960
1961 /*
1962 * Revoke any doors created by the process.
1963 */
1964 if (p->p_door_list)
1965 door_exit();
1966
1967 /*
1968 * Release schedctl data structures.
1969 */
1970 if (p->p_pagep)
1971 schedctl_proc_cleanup();
1972
1973 /*
1974 * Clean up any DTrace helpers for the process.
1975 */
1976 if (p->p_dtrace_helpers != NULL) {
1977 ASSERT(dtrace_helpers_cleanup != NULL);
1978 (*dtrace_helpers_cleanup)(p);
1979 }
1980
1981 mutex_enter(&p->p_lock);
1982 /*
1983 * Cleanup the DTrace provider associated with this process.
1984 */
1985 if (p->p_dtrace_probes) {
1986 ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1987 dtrace_fasttrap_exec_ptr(p);
1988 }
1989 mutex_exit(&p->p_lock);
1990
1991 /*
1992 * discard the lwpchan cache.
1993 */
1994 if (p->p_lcp != NULL)
1995 lwpchan_destroy_cache(1);
1996
1997 /*
1998 * Delete the POSIX timers.
1999 */
2000 if (p->p_itimer != NULL)
2001 timer_exit();
2002
2003 /*
2004 * Delete the ITIMER_REALPROF interval timer.
2005 * The other ITIMER_* interval timers are specified
2006 * to be inherited across exec().
2007 */
2008 delete_itimer_realprof();
2009
2010 if (AU_AUDITING())
2011 audit_exec(args->stk_base, args->stk_base + args->arglen,
2012 args->na - args->ne, args->ne, args->pfcred);
2013
2014 /*
2015 * Ensure that we don't change resource associations while we
2016 * change address spaces.
2017 */
2018 mutex_enter(&p->p_lock);
2019 pool_barrier_enter();
2020 mutex_exit(&p->p_lock);
2021
2022 /*
2023 * Destroy the old address space and create a new one.
2024 * From here on, any errors are fatal to the exec()ing process.
2025 * On error we return -1, which means the caller must SIGKILL
2026 * the process.
2027 */
2028 relvm();
2029
2030 mutex_enter(&p->p_lock);
2031 pool_barrier_exit();
2032 mutex_exit(&p->p_lock);
2033
2034 up->u_execsw = args->execswp;
2035
2036 p->p_brkbase = NULL;
2037 p->p_brksize = 0;
2038 p->p_brkpageszc = 0;
2039 p->p_stksize = 0;
2040 p->p_stkpageszc = 0;
2041 p->p_model = args->to_model;
2042 p->p_usrstack = usrstack;
2043 p->p_stkprot = args->stk_prot;
2044 p->p_datprot = args->dat_prot;
2045
2046 /*
2047 * Reset resource controls such that all controls are again active as
2048 * well as appropriate to the potentially new address model for the
2049 * process.
2050 */
2051 e.rcep_p.proc = p;
2052 e.rcep_t = RCENTITY_PROCESS;
2053 rctl_set_reset(p->p_rctls, p, &e);
2054
2055 /* Too early to call map_pgsz for the heap */
2056 if (use_stk_lpg) {
2057 p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
2058 }
2059
2060 mutex_enter(&p->p_lock);
2061 p->p_flag |= SAUTOLPG; /* kernel controls page sizes */
2062 mutex_exit(&p->p_lock);
2063
2064 sp_slew = exec_get_spslew();
2065 ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
2066 /* Be certain we don't underflow */
2067 VERIFY((curproc->p_usrstack - (size + sp_slew)) < curproc->p_usrstack);
2068 exec_set_sp(size + sp_slew);
2069
2070 as = as_alloc();
2071 p->p_as = as;
2072 as->a_proc = p;
2073 if (p->p_model == DATAMODEL_ILP32 || args->addr32)
2074 as->a_userlimit = (caddr_t)USERLIMIT32;
2075 (void) hat_setup(as->a_hat, HAT_ALLOC);
2076 hat_join_srd(as->a_hat, args->ex_vp);
2077
2078 /*
2079 * Finally, write out the contents of the new stack.
2080 */
2081 error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
2082 kmem_free(args->stk_base, args->stk_size);
2083 return (error);
2084 }
unleashed repo fork