NetBSD/sys/kern/kern_execve.c

556 lines
16 KiB
C

/*
* Copyright (c) 1989, 1990, 1991, 1992 William F. Jolitz, TeleMuse
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This software is a component of "386BSD" developed by
* William F. Jolitz, TeleMuse.
* 4. Neither the name of the developer nor the name "386BSD"
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS A COMPONENT OF 386BSD DEVELOPED BY WILLIAM F. JOLITZ
* AND IS INTENDED FOR RESEARCH AND EDUCATIONAL PURPOSES ONLY. THIS
* SOFTWARE SHOULD NOT BE CONSIDERED TO BE A COMMERCIAL PRODUCT.
* THE DEVELOPER URGES THAT USERS WHO REQUIRE A COMMERCIAL PRODUCT
* NOT MAKE USE OF THIS WORK.
*
* FOR USERS WHO WISH TO UNDERSTAND THE 386BSD SYSTEM DEVELOPED
* BY WILLIAM F. JOLITZ, WE RECOMMEND THE USER STUDY WRITTEN
* REFERENCES SUCH AS THE "PORTING UNIX TO THE 386" SERIES
* (BEGINNING JANUARY 1991 "DR. DOBBS JOURNAL", USA AND BEGINNING
* JUNE 1991 "UNIX MAGAZIN", GERMANY) BY WILLIAM F. JOLITZ AND
* LYNNE GREER JOLITZ, AS WELL AS OTHER BOOKS ON UNIX AND THE
* ON-LINE 386BSD USER MANUAL BEFORE USE. A BOOK DISCUSSING THE INTERNALS
* OF 386BSD ENTITLED "386BSD FROM THE INSIDE OUT" WILL BE AVAILABLE LATE 1992.
*
* THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE DEVELOPER BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* This procedure implements a minimal program execution facility for
* 386BSD. It interfaces to the BSD kernel as the execve system call.
* Significant limitations and lack of compatiblity with POSIX are
* present with this version, to make its basic operation more clear.
*
* PATCHES MAGIC LEVEL PATCH THAT GOT US HERE
* -------------------- ----- ----------------------
* CURRENT PATCH LEVEL: 3 00069
* -------------------- ----- ----------------------
*
* 05 Aug 92 Paul Kranenburg Fixed #! as a magic number
* 29 Jul 92 Mark Tinguely Fixed execute permission enforcement
* 15 Aug 92 Terry Lambert Fixed CMOS RAM size bug
* 12 Dec 92 Julians Elischer Place argc into user address space
* correctly
*/
#include "param.h"
#include "systm.h"
#include "signalvar.h"
#include "resourcevar.h"
#include "proc.h"
#include "mount.h"
#include "namei.h"
#include "vnode.h"
#include "file.h"
#include "exec.h"
#include "stat.h"
#include "wait.h"
#include "mman.h"
#include "malloc.h"
#include "acct.h"
#include "vm/vm.h"
#include "vm/vm_param.h"
#include "vm/vm_map.h"
#include "vm/vm_kern.h"
#include "machine/reg.h"
extern int dostacklimits;
#define copyinoutstr copyinstr
/*
* execve() system call.
*/
/* ARGSUSED */
execve(p, uap, retval)
struct proc *p;
register struct args {
char *fname;
char **argp;
char **envp;
} *uap;
int *retval;
{
register struct nameidata *ndp;
struct nameidata nd;
char **argbuf, **argbufp, *stringbuf, *stringbufp;
char **vectp, *ep;
int needsenv, limitonargs, stringlen, addr, size, len,
rv, amt, argc, tsize, dsize, bsize, cnt, foff;
struct vattr attr;
struct vmspace *vs;
caddr_t newframe;
char shellname[MAXINTERP]; /* 05 Aug 92*/
char arguments[MAXINTERP];
long magic;
union {
char ex_shell[MAXINTERP]; /* #! and interpreter name */
struct exec ex_hdr;
} exdata;
int indir = 0;
/*
* Step 1. Lookup filename to see if we have something to execute.
*/
ndp = &nd;
ndp->ni_segflg = UIO_USERSPACE;
ndp->ni_dirp = uap->fname;
again: /* 05 Aug 92*/
ndp->ni_nameiop = LOOKUP | LOCKLEAF | FOLLOW | SAVENAME;
/* is it there? */
if (rv = namei(ndp, p))
return (rv);
/* does it have any attributes? */
rv = VOP_GETATTR(ndp->ni_vp, &attr, p->p_ucred, p);
if (rv)
goto exec_fail;
if (ndp->ni_vp->v_mount->mnt_flag & MNT_NOEXEC) { /* no exec on fs ?*/
rv = EACCES;
goto exec_fail;
}
/* is it executable, and a regular file? */
if ((ndp->ni_vp->v_mount->mnt_flag & MNT_NOEXEC) || /* 29 Jul 92*/
(VOP_ACCESS(ndp->ni_vp, VEXEC, p->p_ucred, p)) ||
((attr.va_mode & 0111) == 0) ||
(attr.va_type != VREG)) {
rv = EACCES;
goto exec_fail;
}
/*
* Step 2. Does the file contain a format we can
* understand and execute
*
* XXX 05 Aug 92
* Read in first few bytes of file for segment sizes, magic number:
* ZMAGIC = demand paged RO text
* QMAGIC = "compact" demand paged RO text
* (first page unmapped, a.out header in text section)
* Also an ASCII line beginning with #! is
* the file name of a ``shell'' and arguments may be prepended
* to the argument list if given here.
*/
exdata.ex_shell[0] = '\0'; /* for zero length files */
rv = vn_rdwr(UIO_READ, ndp->ni_vp, (caddr_t)&exdata, sizeof(exdata),
0, UIO_SYSSPACE, IO_NODELOCKED, p->p_ucred, &amt, p);
/* big enough to hold a header? */
if (rv)
goto exec_fail;
if (exdata.ex_hdr.a_text != 0 && (ndp->ni_vp->v_flag & VTEXT) == 0 &&
ndp->ni_vp->v_writecount != 0) {
rv = ETXTBSY;
goto exec_fail;
}
/* ... that we recognize? */
rv = ENOEXEC;
magic = exdata.ex_hdr.a_magic;
/*
* XXX We should call a machine-dependent function
* to determine what to do with an executable.
*/
if (magic != ZMAGIC && magic != QMAGIC) {
char *cp, *sp;
if (exdata.ex_shell[0] != '#' ||
exdata.ex_shell[1] != '!' || indir) {
rv = ENOEXEC;
goto exec_fail;
}
for (cp = &exdata.ex_shell[2];; ++cp) {
if (cp >= &exdata.ex_shell[MAXINTERP]) {
rv = ENOEXEC;
goto exec_fail;
}
if (*cp == '\n') {
*cp = '\0';
break;
}
if (*cp == '\t')
*cp = ' ';
}
cp = &exdata.ex_shell[2]; /* get shell interpreter name */
while (*cp == ' ')
cp++;
sp = shellname;
while (*cp && *cp != ' ')
*sp++ = *cp++;
*sp = '\0';
while (*cp == ' ')
cp++;
if (*cp) { /* extra argument */
sp = arguments;
while (*cp)
*sp++ = *cp++;
*sp = '\0';
indir = 2;
}
else
indir = 1; /* indicate this is a script file */
vput(ndp->ni_vp);
FREE(ndp->ni_pnbuf, M_NAMEI);
ndp->ni_dirp = shellname; /* find shell interpreter */
ndp->ni_segflg = UIO_SYSSPACE;
goto again;
}
/* sanity check "ain't not such thing as a sanity clause" -groucho */
rv = ENOMEM;
if (/*exdata.ex_hdr.a_text == 0 || */ exdata.ex_hdr.a_text > MAXTSIZ ||
exdata.ex_hdr.a_text % NBPG || exdata.ex_hdr.a_text > attr.va_size)
goto exec_fail;
if (exdata.ex_hdr.a_data == 0 || exdata.ex_hdr.a_data > DFLDSIZ
|| exdata.ex_hdr.a_data > attr.va_size
|| exdata.ex_hdr.a_data + exdata.ex_hdr.a_text > attr.va_size)
goto exec_fail;
if (exdata.ex_hdr.a_bss > MAXDSIZ)
goto exec_fail;
if (exdata.ex_hdr.a_text + exdata.ex_hdr.a_data + exdata.ex_hdr.a_bss > MAXTSIZ + MAXDSIZ)
goto exec_fail;
if (exdata.ex_hdr.a_data + exdata.ex_hdr.a_bss > p->p_rlimit[RLIMIT_DATA].rlim_cur)
goto exec_fail;
if (exdata.ex_hdr.a_entry > exdata.ex_hdr.a_text + exdata.ex_hdr.a_data)
goto exec_fail;
/*
* Step 3. File and header are valid. Now, dig out the strings
* out of the old process image.
*/
/*
* We implement a single-pass algorithm that builds a new stack
* frame within the address space of the "old" process image,
* avoiding the second pass entirely. Thus, the new frame is
* in position to be run. This consumes much virtual address space,
* and two pages more of 'real' memory, such are the costs.
* [Also, note the cache wipe that's avoided!]
*/
/* create anonymous memory region for new stack */
vs = p->p_vmspace;
if ((unsigned)vs->vm_maxsaddr + MAXSSIZ < USRSTACK)
newframe = (caddr_t) USRSTACK - MAXSSIZ;
else
vs->vm_maxsaddr = newframe = (caddr_t) USRSTACK - 2*MAXSSIZ;
/* don't do stack limit checking on traps temporarily XXX*/
dostacklimits = 0;
rv = vm_allocate(&vs->vm_map, &newframe, MAXSSIZ, FALSE);
if (rv) goto exec_fail;
/* allocate string buffer and arg buffer */
argbuf = (char **) (newframe + MAXSSIZ - 3*ARG_MAX);
stringbuf = stringbufp = ((char *)argbuf) + 2*ARG_MAX;
argbufp = argbuf;
/* first, do args */
vectp = uap->argp;
needsenv = 1;
limitonargs = ARG_MAX;
cnt = 0;
/* first, do (shell name if any then) args */
if (indir) {
ep = shellname;
thrice:
if (ep) {
/* did we outgrow initial argbuf, if so, die */
if (argbufp >= (char **)stringbuf) {
rv = E2BIG;
goto exec_dealloc;
}
if (rv = copyoutstr(ep, stringbufp,
(u_int)limitonargs, (u_int *)&stringlen)) {
if (rv == ENAMETOOLONG)
rv = E2BIG;
goto exec_dealloc;
}
suword(argbufp++, (int)stringbufp);
cnt++;
stringbufp += stringlen;
limitonargs -= stringlen;
}
if (indir == 2) {
indir = 1;
ep = arguments;
goto thrice;
}
if (indir == 1) {
indir = 0;
/* orginal executable is 1st argument with scripts */
ep = uap->fname;
goto thrice;
}
/* terminate in case no more args to script */
suword(argbufp, 0);
if (vectp = uap->argp) vectp++; /* manually doing the first
argument with scripts */
}
do_env_as_well:
if(vectp == 0) goto dont_bother;
/* for each envp, copy in string */
do {
/* did we outgrow initial argbuf, if so, die */
if (argbufp == (char **)stringbuf) {
rv = E2BIG;
goto exec_dealloc;
}
/* get an string pointer */
ep = (char *)fuword(vectp++);
if (ep == (char *)-1) {
rv = EFAULT;
goto exec_dealloc;
}
/* if not a null pointer, copy string */
if (ep) {
if (rv = copyinoutstr(ep, stringbufp,
(u_int)limitonargs, (u_int *) &stringlen)) {
if (rv == ENAMETOOLONG)
rv = E2BIG;
goto exec_dealloc;
}
suword(argbufp++, (int)stringbufp);
cnt++;
stringbufp += stringlen;
limitonargs -= stringlen;
} else {
suword(argbufp++, 0);
break;
}
} while (limitonargs > 0);
dont_bother:
if (limitonargs <= 0) {
rv = E2BIG;
goto exec_dealloc;
}
/* have we done the environment yet ? */
if (needsenv) {
/* remember the arg count for later */
argc = cnt;
vectp = uap->envp;
needsenv = 0;
goto do_env_as_well;
}
/* At this point, one could optionally implement a
* second pass to condense the strings, arguement vectors,
* and stack to fit the fewest pages.
*
* One might selectively do this when copying was cheaper
* than leaving allocated two more pages per process.
*/
/* stuff arg count on top of "new" stack */
/* argbuf[-1] = (char *)argc;*/
suword(argbuf-1,argc);
/*
* Step 4. Build the new processes image.
*
* At this point, we are committed -- destroy old executable!
*/
/* blow away all address space, except the stack */
rv = vm_deallocate(&vs->vm_map, 0, USRSTACK - 2*MAXSSIZ);
if (rv)
goto exec_abort;
/* destroy "old" stack */
if ((unsigned)newframe < USRSTACK - MAXSSIZ) {
rv = vm_deallocate(&vs->vm_map, USRSTACK - MAXSSIZ, MAXSSIZ);
if (rv)
goto exec_abort;
} else {
rv = vm_deallocate(&vs->vm_map, USRSTACK - 2*MAXSSIZ, MAXSSIZ);
if (rv)
goto exec_abort;
}
/* build a new address space */
/* screwball mode -- special case of 413 to save space for floppy */
if (exdata.ex_hdr.a_text == 0) {
foff = tsize = 0;
exdata.ex_hdr.a_data += exdata.ex_hdr.a_text;
} else {
tsize = roundup(exdata.ex_hdr.a_text, NBPG);
/*
* QMAGIC starts mapping in at the beginning
* of the file; ZMAGIC skips the header.
*/
foff = (magic == ZMAGIC ? NBPG : 0);
}
/* treat text and data in terms of integral page size */
dsize = roundup(exdata.ex_hdr.a_data, NBPG);
bsize = roundup(exdata.ex_hdr.a_bss + dsize, NBPG);
bsize -= dsize;
/*
* QMAGIC starts at one page, ZMAGIC at 0.
*/
addr = (magic == QMAGIC ? NBPG : 0);
/* map text & data in file, as being "paged in" on demand */
rv = vm_mmap(&vs->vm_map, &addr, tsize+dsize, VM_PROT_ALL, VM_PROT_DEFAULT,
MAP_FILE|MAP_COPY|MAP_FIXED, (caddr_t)ndp->ni_vp, foff);
if (rv)
goto exec_abort;
/* mark pages r/w data, r/o text */
if (tsize) {
rv = vm_protect(&vs->vm_map, addr, tsize, FALSE,
VM_PROT_READ|VM_PROT_EXECUTE);
if (rv)
goto exec_abort;
}
/* create anonymous memory region for bss */
/* We need to take QMAGIC's offset into account, or else get abort */
addr = dsize + tsize + (magic == QMAGIC ? NBPG : 0);
rv = vm_allocate(&vs->vm_map, &addr, bsize, FALSE);
if (rv)
goto exec_abort;
/*
* Step 5. Prepare process for execution.
*/
/* touchup process information -- vm system is unfinished! */
vs->vm_tsize = tsize/NBPG; /* text size (pages) XXX */
vs->vm_dsize = (dsize+bsize)/NBPG; /* data size (pages) XXX */
/* user virtual address of text XXX */
vs->vm_taddr = (caddr_t)(magic == QMAGIC ? NBPG : 0);
/* user virtual address of data XXX */
vs->vm_daddr = (caddr_t)tsize + (magic == QMAGIC ? NBPG : 0);
vs->vm_maxsaddr = newframe; /* user VA at max stack growth XXX */
vs->vm_ssize = ((unsigned)vs->vm_maxsaddr + MAXSSIZ
- (unsigned)argbuf)/ NBPG + 1; /* stack size (pages) */
dostacklimits = 1; /* allow stack limits to be enforced XXX */
/* close files on exec, fixup signals */
fdcloseexec(p);
execsigs(p);
/* name this process - nameiexec(p, ndp), and set up
* other accounting information
*/
len = MIN(ndp->ni_namelen,MAXCOMLEN);
bcopy(ndp->ni_ptr, p->p_comm, len);
p->p_comm[len] = 0;
p->p_acflag &= ~AFORK;
/* mark as executable, wakeup any process that was vforked and tell
* it that it now has it's own resources back */
p->p_flag |= SEXEC;
if (p->p_pptr && (p->p_flag & SPPWAIT)) {
p->p_flag &= ~SPPWAIT;
wakeup(p->p_pptr);
}
/* implement set userid/groupid */
if ((attr.va_mode&VSUID) && (p->p_flag & STRC) == 0) {
p->p_ucred = crcopy(p->p_ucred);
p->p_cred->p_svuid = p->p_ucred->cr_uid = attr.va_uid;
}
if ((attr.va_mode&VSGID) && (p->p_flag & STRC) == 0) {
p->p_ucred = crcopy(p->p_ucred);
p->p_cred->p_svgid = p->p_ucred->cr_groups[0] = attr.va_gid;
}
/* setup initial register state */
p->p_regs[SP] = (unsigned) (argbuf - 1);
setregs(p, exdata.ex_hdr.a_entry);
ndp->ni_vp->v_flag |= VTEXT; /* mark vnode pure text */
vput(ndp->ni_vp);
FREE(ndp->ni_pnbuf, M_NAMEI);
/* if tracing process, pass control back to debugger so breakpoints
can be set before the program "runs" */
if (p->p_flag & STRC)
psignal(p, SIGTRAP);
return (0);
exec_dealloc:
/* remove interim "new" stack frame we were building */
vm_deallocate(&vs->vm_map, newframe, MAXSSIZ);
exec_fail:
dostacklimits = 1;
vput(ndp->ni_vp);
FREE(ndp->ni_pnbuf, M_NAMEI);
return(rv);
exec_abort:
/* sorry, no more process anymore. exit gracefully */
vm_deallocate(&vs->vm_map, newframe, MAXSSIZ);
vput(ndp->ni_vp);
FREE(ndp->ni_pnbuf, M_NAMEI);
exit(p, W_EXITCODE(0, SIGABRT));
/* NOTREACHED */
return(0);
}