kern_exec.c source code [xnu/bsd/kern/kern_exec.c]

1	/*
2	* Copyright (c) 2000-2013 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28	/ Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved /
29	/*
30	* Mach Operating System
31	* Copyright (c) 1987 Carnegie-Mellon University
32	* All rights reserved. The CMU software License Agreement specifies
33	* the terms and conditions for use and redistribution.
34	*/
35
36	/-*
37	* Copyright (c) 1982, 1986, 1991, 1993
38	* The Regents of the University of California. All rights reserved.
39	* (c) UNIX System Laboratories, Inc.
40	* All or some portions of this file are derived from material licensed
41	* to the University of California by American Telephone and Telegraph
42	* Co. or Unix System Laboratories, Inc. and are reproduced herein with
43	* the permission of UNIX System Laboratories, Inc.
44	*
45	* Redistribution and use in source and binary forms, with or without
46	* modification, are permitted provided that the following conditions
47	* are met:
48	* 1. Redistributions of source code must retain the above copyright
49	* notice, this list of conditions and the following disclaimer.
50	* 2. Redistributions in binary form must reproduce the above copyright
51	* notice, this list of conditions and the following disclaimer in the
52	* documentation and/or other materials provided with the distribution.
53	* 3. All advertising materials mentioning features or use of this software
54	* must display the following acknowledgement:
55	* This product includes software developed by the University of
56	* California, Berkeley and its contributors.
57	* 4. Neither the name of the University nor the names of its contributors
58	* may be used to endorse or promote products derived from this software
59	* without specific prior written permission.
60	*
61	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
62	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
63	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
64	* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
65	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
66	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
67	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
68	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
69	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
70	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
71	* SUCH DAMAGE.
72	*
73	* from: @(#)kern_exec.c 8.1 (Berkeley) 6/10/93
74	*/
75	/*
76	* NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
77	* support for mandatory and extensible security protections. This notice
78	* is included in support of clause 2.2 (b) of the Apple Public License,
79	* Version 2.0.
80	*/
81	#include <machine/reg.h>
82	#include <machine/cpu_capabilities.h>
83
84	#include <sys/param.h>
85	#include <sys/systm.h>
86	#include <sys/filedesc.h>
87	#include <sys/kernel.h>
88	#include <sys/proc_internal.h>
89	#include <sys/kauth.h>
90	#include <sys/user.h>
91	#include <sys/socketvar.h>
92	#include <sys/malloc.h>
93	#include <sys/namei.h>
94	#include <sys/mount_internal.h>
95	#include <sys/vnode_internal.h>
96	#include <sys/file_internal.h>
97	#include <sys/stat.h>
98	#include <sys/uio_internal.h>
99	#include <sys/acct.h>
100	#include <sys/exec.h>
101	#include <sys/kdebug.h>
102	#include <sys/signal.h>
103	#include <sys/aio_kern.h>
104	#include <sys/sysproto.h>
105	#include <sys/persona.h>
106	#include <sys/reason.h>
107	#if SYSV_SHM
108	#include <sys/shm_internal.h> /* shmexec() */
109	#endif
110	#include <sys/ubc_internal.h> /* ubc_map() */
111	#include <sys/spawn.h>
112	#include <sys/spawn_internal.h>
113	#include <sys/process_policy.h>
114	#include <sys/codesign.h>
115	#include <sys/random.h>
116	#include <crypto/sha1.h>
117
118	#include <libkern/libkern.h>
119
120	#include <security/audit/audit.h>
121
122	#include <ipc/ipc_types.h>
123
124	#include <mach/mach_types.h>
125	#include <mach/port.h>
126	#include <mach/task.h>
127	#include <mach/task_access.h>
128	#include <mach/thread_act.h>
129	#include <mach/vm_map.h>
130	#include <mach/mach_vm.h>
131	#include <mach/vm_param.h>
132
133	#include <kern/sched_prim.h> /* thread_wakeup() */
134	#include <kern/affinity.h>
135	#include <kern/assert.h>
136	#include <kern/task.h>
137	#include <kern/coalition.h>
138	#include <kern/policy_internal.h>
139	#include <kern/kalloc.h>
140
141	#include <os/log.h>
142
143	#if CONFIG_MACF
144	#include <security/mac_framework.h>
145	#include <security/mac_mach_internal.h>
146	#endif
147
148	#include <vm/vm_map.h>
149	#include <vm/vm_kern.h>
150	#include <vm/vm_protos.h>
151	#include <vm/vm_kern.h>
152	#include <vm/vm_fault.h>
153	#include <vm/vm_pageout.h>
154
155	#include <kdp/kdp_dyld.h>
156
157	#include <machine/pal_routines.h>
158
159	#include <pexpert/pexpert.h>
160
161	#if CONFIG_MEMORYSTATUS
162	#include <sys/kern_memorystatus.h>
163	#endif
164
165	extern boolean_t vm_darkwake_mode;
166
167	#if CONFIG_DTRACE
168	/ Do not include dtrace.h, it redefines kmem_[alloc/free] /
169	extern void dtrace_proc_exec(proc_t);
170	extern void (*dtrace_proc_waitfor_exec_ptr)(proc_t);
171
172	/*
173	* Since dtrace_proc_waitfor_exec_ptr can be added/removed in dtrace_subr.c,
174	* we will store its value before actually calling it.
175	*/
176	static void (*dtrace_proc_waitfor_hook)(proc_t) = NULL;
177
178	#include <sys/dtrace_ptss.h>
179	#endif
180
181	/ support for child creation in exec after vfork /
182	thread_t fork_create_child(task_t parent_task,
183	coalition_t *parent_coalition,
184	proc_t child_proc,
185	int inherit_memory,
186	int is_64bit_addr,
187	int is_64bit_data,
188	int in_exec);
189	void vfork_exit(proc_t p, int rv);
190	extern void proc_apply_task_networkbg_internal(proc_t, thread_t);
191	extern void task_set_did_exec_flag(task_t task);
192	extern void task_clear_exec_copy_flag(task_t task);
193	proc_t proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread);
194	boolean_t task_is_active(task_t);
195	boolean_t thread_is_active(thread_t thread);
196	void thread_copy_resource_info(thread_t dst_thread, thread_t src_thread);
197	void *ipc_importance_exec_switch_task(task_t old_task, task_t new_task);
198	extern void ipc_importance_release(void *elem);
199
200	/*
201	* Mach things for which prototypes are unavailable from Mach headers
202	*/
203	void ipc_task_reset(
204	task_t task);
205	void ipc_thread_reset(
206	thread_t thread);
207	kern_return_t ipc_object_copyin(
208	ipc_space_t space,
209	mach_port_name_t name,
210	mach_msg_type_name_t msgt_name,
211	ipc_object_t *objectp);
212	void ipc_port_release_send(ipc_port_t);
213
214	#if DEVELOPMENT \|\| DEBUG
215	void task_importance_update_owner_info(task_t);
216	#endif
217
218	extern struct savearea *get_user_regs(thread_t);
219
220	__attribute__((noinline)) int __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid);
221
222	#include <kern/thread.h>
223	#include <kern/task.h>
224	#include <kern/ast.h>
225	#include <kern/mach_loader.h>
226	#include <kern/mach_fat.h>
227	#include <mach-o/fat.h>
228	#include <mach-o/loader.h>
229	#include <machine/vmparam.h>
230	#include <sys/imgact.h>
231
232	#include <sys/sdt.h>
233
234
235	/*
236	* EAI_ITERLIMIT The maximum number of times to iterate an image
237	* activator in exec_activate_image() before treating
238	* it as malformed/corrupt.
239	*/
240	#define EAI_ITERLIMIT 3
241
242	/*
243	* For #! interpreter parsing
244	*/
245	#define IS_WHITESPACE(ch) ((ch == ' ') \|\| (ch == '\t'))
246	#define IS_EOL(ch) ((ch == '#') \|\| (ch == '\n'))
247
248	extern vm_map_t bsd_pageable_map;
249	extern const struct fileops vnops;
250
251	#define USER_ADDR_ALIGN(addr, val) \
252	( ( (user_addr_t)(addr) + (val) - 1) \
253	& ~((val) - 1) )
254
255	/ Platform Code Exec Logging /
256	static int platform_exec_logging = `0`;
257
258	SYSCTL_DECL(_security_mac);
259
260	SYSCTL_INT(_security_mac, OID_AUTO, platform_exec_logging, CTLFLAG_RW, &platform_exec_logging, `0`,
261	"log cdhashes for all platform binary executions");
262
263	static os_log_t peLog = OS_LOG_DEFAULT;
264
265	struct image_params; / Forward /
266	static int exec_activate_image(struct image_params *imgp);
267	static int exec_copyout_strings(struct image_params imgp, user_addr_t stackp);
268	static int load_return_to_errno(load_return_t lrtn);
269	static int execargs_alloc(struct image_params *imgp);
270	static int execargs_free(struct image_params *imgp);
271	static int exec_check_permissions(struct image_params *imgp);
272	static int exec_extract_strings(struct image_params *imgp);
273	static int exec_add_apple_strings(struct image_params imgp, const* load_result_t *load_result);
274	static int exec_handle_sugid(struct image_params *imgp);
275	static int sugid_scripts = `0`;
276	SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW \| CTLFLAG_LOCKED, &sugid_scripts, `0`, "");
277	static kern_return_t create_unix_stack(vm_map_t map, load_result_t* load_result, proc_t p);
278	static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
279	static void exec_resettextvp(proc_t, struct image_params *);
280	static int check_for_signature(proc_t, struct image_params *);
281	static void exec_prefault_data(proc_t, struct image_params , load_result_t );
282	static errno_t exec_handle_port_actions(struct image_params imgp, boolean_t portwatch_present, ipc_port_t * portwatch_ports);
283	static errno_t exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
284	ipc_port_t * portwatch_ports, int portwatch_count);
285
286	/*
287	* exec_add_user_string
288	*
289	* Add the requested string to the string space area.
290	*
291	* Parameters; struct image_params * image parameter block
292	* user_addr_t string to add to strings area
293	* int segment from which string comes
294	* boolean_t TRUE if string contributes to NCARGS
295	*
296	* Returns: 0 Success
297	* !0 Failure errno from copyinstr()
298	*
299	* Implicit returns:
300	* (imgp->ip_strendp) updated location of next add, if any
301	* (imgp->ip_strspace) updated byte count of space remaining
302	* (imgp->ip_argspace) updated byte count of space in NCARGS
303	*/
304	static int
305	exec_add_user_string(struct image_params imgp, user_addr_t str, int* seg, boolean_t is_ncargs)
306	{
307	int error = `0`;
308
309	do {
310	size_t len = `0`;
311	int space;
312
313	if (is_ncargs)
314	space = imgp->ip_argspace; / by definition smaller than ip_strspace /
315	else
316	space = imgp->ip_strspace;
317
318	if (space <= `0`) {
319	error = E2BIG;
320	break;
321	}
322
323	if (!UIO_SEG_IS_USER_SPACE(seg)) {
324	char kstr = CAST_DOWN(char* ,str); /* SAFE /
325	error = copystr(kstr, imgp->ip_strendp, space, &len);
326	} else {
327	error = copyinstr(str, imgp->ip_strendp, space, &len);
328	}
329
330	imgp->ip_strendp += len;
331	imgp->ip_strspace -= len;
332	if (is_ncargs)
333	imgp->ip_argspace -= len;
334
335	} while (error == ENAMETOOLONG);
336
337	return error;
338	}
339
340	/*
341	* dyld is now passed the executable path as a getenv-like variable
342	* in the same fashion as the stack_guard and malloc_entropy keys.
343	*/
344	#define EXECUTABLE_KEY "executable_path="
345
346	/*
347	* exec_save_path
348	*
349	* To support new app package launching for Mac OS X, the dyld needs the
350	* first argument to execve() stored on the user stack.
351	*
352	* Save the executable path name at the bottom of the strings area and set
353	* the argument vector pointer to the location following that to indicate
354	* the start of the argument and environment tuples, setting the remaining
355	* string space count to the size of the string area minus the path length.
356	*
357	* Parameters; struct image_params * image parameter block
358	* char * path used to invoke program
359	* int segment from which path comes
360	*
361	* Returns: int 0 Success
362	* EFAULT Bad address
363	* copy[in]str:EFAULT Bad address
364	* copy[in]str:ENAMETOOLONG Filename too long
365	*
366	* Implicit returns:
367	* (imgp->ip_strings) saved path
368	* (imgp->ip_strspace) space remaining in ip_strings
369	* (imgp->ip_strendp) start of remaining copy area
370	* (imgp->ip_argspace) space remaining of NCARGS
371	* (imgp->ip_applec) Initial applev[0]
372	*
373	* Note: We have to do this before the initial namei() since in the
374	* path contains symbolic links, namei() will overwrite the
375	* original path buffer contents. If the last symbolic link
376	* resolved was a relative pathname, we would lose the original
377	* "path", which could be an absolute pathname. This might be
378	* unacceptable for dyld.
379	*/
380	static int
381	exec_save_path(struct image_params imgp, user_addr_t path, int* seg, const char **excpath)
382	{
383	int error;
384	size_t len;
385	char *kpath;
386
387	// imgp->ip_strings can come out of a cache, so we need to obliterate the
388	// old path.
389	memset(imgp->ip_strings, `'\0'`, strlen(EXECUTABLE_KEY) + MAXPATHLEN);
390
391	len = MIN(MAXPATHLEN, imgp->ip_strspace);
392
393	switch(seg) {
394	case UIO_USERSPACE32:
395	case UIO_USERSPACE64: / Same for copyin()... /
396	error = copyinstr(path, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
397	break;
398	case UIO_SYSSPACE:
399	kpath = CAST_DOWN(char ,path); /* SAFE /
400	error = copystr(kpath, imgp->ip_strings + strlen(EXECUTABLE_KEY), len, &len);
401	break;
402	default:
403	error = EFAULT;
404	break;
405	}
406
407	if (!error) {
408	bcopy(EXECUTABLE_KEY, imgp->ip_strings, strlen(EXECUTABLE_KEY));
409	len += strlen(EXECUTABLE_KEY);
410
411	imgp->ip_strendp += len;
412	imgp->ip_strspace -= len;
413
414	if (excpath) {
415	*excpath = imgp->ip_strings + strlen(EXECUTABLE_KEY);
416	}
417	}
418
419	return(error);
420	}
421
422	/*
423	* exec_reset_save_path
424	*
425	* If we detect a shell script, we need to reset the string area
426	* state so that the interpreter can be saved onto the stack.
427
428	* Parameters; struct image_params * image parameter block
429	*
430	* Returns: int 0 Success
431	*
432	* Implicit returns:
433	* (imgp->ip_strings) saved path
434	* (imgp->ip_strspace) space remaining in ip_strings
435	* (imgp->ip_strendp) start of remaining copy area
436	* (imgp->ip_argspace) space remaining of NCARGS
437	*
438	*/
439	static int
440	exec_reset_save_path(struct image_params *imgp)
441	{
442	imgp->ip_strendp = imgp->ip_strings;
443	imgp->ip_argspace = NCARGS;
444	imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
445
446	return (`0`);
447	}
448
449	/*
450	* exec_shell_imgact
451	*
452	* Image activator for interpreter scripts. If the image begins with
453	* the characters "#!", then it is an interpreter script. Verify the
454	* length of the script line indicating the interpreter is not in
455	* excess of the maximum allowed size. If this is the case, then
456	* break out the arguments, if any, which are separated by white
457	* space, and copy them into the argument save area as if they were
458	* provided on the command line before all other arguments. The line
459	* ends when we encounter a comment character ('#') or newline.
460	*
461	* Parameters; struct image_params * image parameter block
462	*
463	* Returns: -1 not an interpreter (keep looking)
464	* -3 Success: interpreter: relookup
465	* >0 Failure: interpreter: error number
466	*
467	* A return value other than -1 indicates subsequent image activators should
468	* not be given the opportunity to attempt to activate the image.
469	*/
470	static int
471	exec_shell_imgact(struct image_params *imgp)
472	{
473	char *vdata = imgp->ip_vdata;
474	char *ihp;
475	char line_startp, line_endp;
476	char *interp;
477
478	/*
479	* Make sure it's a shell script. If we've already redirected
480	* from an interpreted file once, don't do it again.
481	*/
482	if (vdata[`0`] != `'#'` \|\|
483	vdata[`1`] != `'!'` \|\|
484	(imgp->ip_flags & IMGPF_INTERPRET) != `0`) {
485	return (-`1`);
486	}
487
488	if (imgp->ip_origcputype != `0`) {
489	/ Fat header previously matched, don't allow shell script inside /
490	return (-`1`);
491	}
492
493	imgp->ip_flags \|= IMGPF_INTERPRET;
494	imgp->ip_interp_sugid_fd = -`1`;
495	imgp->ip_interp_buffer[`0`] = `'\0'`;
496
497	/ Check to see if SUGID scripts are permitted. If they aren't then*
498	* clear the SUGID bits.
499	* imgp->ip_vattr is known to be valid.
500	*/
501	if (sugid_scripts == `0`) {
502	imgp->ip_origvattr->va_mode &= ~(VSUID \| VSGID);
503	}
504
505	/ Try to find the first non-whitespace character /
506	for( ihp = &vdata[`2`]; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
507	if (IS_EOL(*ihp)) {
508	/ Did not find interpreter, "#!\n" /
509	return (ENOEXEC);
510	} else if (IS_WHITESPACE(*ihp)) {
511	/ Whitespace, like "#! /bin/sh\n", keep going. /
512	} else {
513	/ Found start of interpreter /
514	break;
515	}
516	}
517
518	if (ihp == &vdata[IMG_SHSIZE]) {
519	/ All whitespace, like "#! " /
520	return (ENOEXEC);
521	}
522
523	line_startp = ihp;
524
525	/ Try to find the end of the interpreter+args string /
526	for ( ; ihp < &vdata[IMG_SHSIZE]; ihp++ ) {
527	if (IS_EOL(*ihp)) {
528	/ Got it /
529	break;
530	} else {
531	/ Still part of interpreter or args /
532	}
533	}
534
535	if (ihp == &vdata[IMG_SHSIZE]) {
536	/ A long line, like "#! blah blah blah" without end /
537	return (ENOEXEC);
538	}
539
540	/ Backtrack until we find the last non-whitespace /
541	while (IS_EOL(ihp) \|\| IS_WHITESPACE(ihp)) {
542	ihp--;
543	}
544
545	/ The character after the last non-whitespace is our logical end of line /
546	line_endp = ihp + `1`;
547
548	/*
549	* Now we have pointers to the usable part of:
550	*
551	* "#! /usr/bin/int first second third \n"
552	* ^ line_startp ^ line_endp
553	*/
554
555	/ copy the interpreter name /
556	interp = imgp->ip_interp_buffer;
557	for ( ihp = line_startp; (ihp < line_endp) && !IS_WHITESPACE(*ihp); ihp++)
558	interp++ = ihp;
559	*interp = `'\0'`;
560
561	exec_reset_save_path(imgp);
562	exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_buffer),
563	UIO_SYSSPACE, NULL);
564
565	/ Copy the entire interpreter + args for later processing into argv[] /
566	interp = imgp->ip_interp_buffer;
567	for ( ihp = line_startp; (ihp < line_endp); ihp++)
568	interp++ = ihp;
569	*interp = `'\0'`;
570
571	#if !SECURE_KERNEL
572	/*
573	* If we have an SUID or SGID script, create a file descriptor
574	* from the vnode and pass /dev/fd/%d instead of the actual
575	* path name so that the script does not get opened twice
576	*/
577	if (imgp->ip_origvattr->va_mode & (VSUID \| VSGID)) {
578	proc_t p;
579	struct fileproc *fp;
580	int fd;
581	int error;
582
583	p = vfs_context_proc(imgp->ip_vfs_context);
584	error = falloc(p, &fp, &fd, imgp->ip_vfs_context);
585	if (error)
586	return(error);
587
588	fp->f_fglob->fg_flag = FREAD;
589	fp->f_fglob->fg_ops = &vnops;
590	fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
591
592	proc_fdlock(p);
593	procfdtbl_releasefd(p, fd, NULL);
594	fp_drop(p, fd, fp, `1`);
595	proc_fdunlock(p);
596	vnode_ref(imgp->ip_vp);
597
598	imgp->ip_interp_sugid_fd = fd;
599	}
600	#endif
601
602	return (-`3`);
603	}
604
605
606
607	/*
608	* exec_fat_imgact
609	*
610	* Image activator for fat 1.0 binaries. If the binary is fat, then we
611	* need to select an image from it internally, and make that the image
612	* we are going to attempt to execute. At present, this consists of
613	* reloading the first page for the image with a first page from the
614	* offset location indicated by the fat header.
615	*
616	* Parameters; struct image_params * image parameter block
617	*
618	* Returns: -1 not a fat binary (keep looking)
619	* -2 Success: encapsulated binary: reread
620	* >0 Failure: error number
621	*
622	* Important: This image activator is byte order neutral.
623	*
624	* Note: A return value other than -1 indicates subsequent image
625	* activators should not be given the opportunity to attempt
626	* to activate the image.
627	*
628	* If we find an encapsulated binary, we make no assertions
629	* about its validity; instead, we leave that up to a rescan
630	* for an activator to claim it, and, if it is claimed by one,
631	* that activator is responsible for determining validity.
632	*/
633	static int
634	exec_fat_imgact(struct image_params *imgp)
635	{
636	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
637	kauth_cred_t cred = kauth_cred_proc_ref(p);
638	struct fat_header fat_header = (struct* fat_header *)imgp->ip_vdata;
639	struct _posix_spawnattr *psa = NULL;
640	struct fat_arch fat_arch;
641	int resid, error;
642	load_return_t lret;
643
644	if (imgp->ip_origcputype != `0`) {
645	/ Fat header previously matched, don't allow another fat file inside /
646	error = -`1`; / not claimed /
647	goto bad;
648	}
649
650	/ Make sure it's a fat binary /
651	if (OSSwapBigToHostInt32(fat_header->magic) != FAT_MAGIC) {
652	error = -`1`; / not claimed /
653	goto bad;
654	}
655
656	/ imgp->ip_vdata has PAGE_SIZE, zerofilled if the file is smaller /
657	lret = fatfile_validate_fatarches((vm_offset_t)fat_header, PAGE_SIZE);
658	if (lret != LOAD_SUCCESS) {
659	error = load_return_to_errno(lret);
660	goto bad;
661	}
662
663	/ If posix_spawn binprefs exist, respect those prefs. /
664	psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
665	if (psa != NULL && psa->psa_binprefs[`0`] != `0`) {
666	uint32_t pr = `0`;
667
668	/ Check each preference listed against all arches in header /
669	for (pr = `0`; pr < NBINPREFS; pr++) {
670	cpu_type_t pref = psa->psa_binprefs[pr];
671	if (pref == `0`) {
672	/ No suitable arch in the pref list /
673	error = EBADARCH;
674	goto bad;
675	}
676
677	if (pref == CPU_TYPE_ANY) {
678	/ Fall through to regular grading /
679	goto regular_grading;
680	}
681
682	lret = fatfile_getbestarch_for_cputype(pref,
683	(vm_offset_t)fat_header,
684	PAGE_SIZE,
685	&fat_arch);
686	if (lret == LOAD_SUCCESS) {
687	goto use_arch;
688	}
689	}
690
691	/ Requested binary preference was not honored /
692	error = EBADEXEC;
693	goto bad;
694	}
695
696	regular_grading:
697	/ Look up our preferred architecture in the fat file. /
698	lret = fatfile_getbestarch((vm_offset_t)fat_header,
699	PAGE_SIZE,
700	&fat_arch);
701	if (lret != LOAD_SUCCESS) {
702	error = load_return_to_errno(lret);
703	goto bad;
704	}
705
706	use_arch:
707	/ Read the Mach-O header out of fat_arch /
708	error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata,
709	PAGE_SIZE, fat_arch.offset,
710	UIO_SYSSPACE, (IO_UNIT\|IO_NODELOCKED),
711	cred, &resid, p);
712	if (error) {
713	goto bad;
714	}
715
716	if (resid) {
717	memset(imgp->ip_vdata + (PAGE_SIZE - resid), `0x0`, resid);
718	}
719
720	/ Success. Indicate we have identified an encapsulated binary /
721	error = -`2`;
722	imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
723	imgp->ip_arch_size = (user_size_t)fat_arch.size;
724	imgp->ip_origcputype = fat_arch.cputype;
725	imgp->ip_origcpusubtype = fat_arch.cpusubtype;
726
727	bad:
728	kauth_cred_unref(&cred);
729	return (error);
730	}
731
732	static int
733	activate_exec_state(task_t task, proc_t p, thread_t thread, load_result_t *result)
734	{
735	int ret;
736
737	task_set_dyld_info(task, MACH_VM_MIN_ADDRESS, `0`);
738	task_set_64bit(task, result->is_64bit_addr, result->is_64bit_data);
739	if (result->is_64bit_addr) {
740	OSBitOrAtomic(P_LP64, &p->p_flag);
741	} else {
742	OSBitAndAtomic(~((uint32_t)P_LP64), &p->p_flag);
743	}
744
745	ret = thread_state_initialize(thread);
746	if (ret != KERN_SUCCESS) {
747	return ret;
748	}
749
750	if (result->threadstate) {
751	uint32_t *ts = result->threadstate;
752	uint32_t total_size = result->threadstate_sz;
753
754	while (total_size > `0`) {
755	uint32_t flavor = *ts++;
756	uint32_t size = *ts++;
757
758	ret = thread_setstatus(thread, flavor, (thread_state_t)ts, size);
759	if (ret) {
760	return ret;
761	}
762	ts += size;
763	total_size -= (size + `2`) * sizeof(uint32_t);
764	}
765	}
766
767	thread_setentrypoint(thread, result->entry_point);
768
769	return KERN_SUCCESS;
770	}
771
772
773	/*
774	* Set p->p_comm and p->p_name to the name passed to exec
775	*/
776	static void
777	set_proc_name(struct image_params *imgp, proc_t p)
778	{
779	int p_name_len = sizeof(p->p_name) - `1`;
780
781	if (imgp->ip_ndp->ni_cnd.cn_namelen > p_name_len) {
782	imgp->ip_ndp->ni_cnd.cn_namelen = p_name_len;
783	}
784
785	bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_name,
786	(unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
787	p->p_name[imgp->ip_ndp->ni_cnd.cn_namelen] = `'\0'`;
788
789	if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN) {
790	imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
791	}
792
793	bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
794	(unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
795	p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = `'\0'`;
796	}
797
798	static uint64_t get_va_fsid(struct vnode_attr *vap)
799	{
800	if (VATTR_IS_SUPPORTED(vap, va_fsid64)) {
801	return (uint64_t )&vap->va_fsid64;
802	} else {
803	return vap->va_fsid;
804	}
805	}
806
807	/*
808	* exec_mach_imgact
809	*
810	* Image activator for mach-o 1.0 binaries.
811	*
812	* Parameters; struct image_params * image parameter block
813	*
814	* Returns: -1 not a fat binary (keep looking)
815	* -2 Success: encapsulated binary: reread
816	* >0 Failure: error number
817	* EBADARCH Mach-o binary, but with an unrecognized
818	* architecture
819	* ENOMEM No memory for child process after -
820	* can only happen after vfork()
821	*
822	* Important: This image activator is NOT byte order neutral.
823	*
824	* Note: A return value other than -1 indicates subsequent image
825	* activators should not be given the opportunity to attempt
826	* to activate the image.
827	*
828	* TODO: More gracefully handle failures after vfork
829	*/
830	static int
831	exec_mach_imgact(struct image_params *imgp)
832	{
833	struct mach_header mach_header = (struct* mach_header *)imgp->ip_vdata;
834	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
835	int error = `0`;
836	task_t task;
837	task_t new_task = NULL; / protected by vfexec /
838	thread_t thread;
839	struct uthread *uthread;
840	vm_map_t old_map = VM_MAP_NULL;
841	vm_map_t map = VM_MAP_NULL;
842	load_return_t lret;
843	load_result_t load_result = {};
844	struct _posix_spawnattr *psa = NULL;
845	int spawn = (imgp->ip_flags & IMGPF_SPAWN);
846	int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
847	int exec = (imgp->ip_flags & IMGPF_EXEC);
848	os_reason_t exec_failure_reason = OS_REASON_NULL;
849
850	/*
851	* make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
852	* is a reserved field on the end, so for the most part, we can
853	* treat them as if they were identical. Reverse-endian Mach-O
854	* binaries are recognized but not compatible.
855	*/
856	if ((mach_header->magic == MH_CIGAM) \|\|
857	(mach_header->magic == MH_CIGAM_64)) {
858	error = EBADARCH;
859	goto bad;
860	}
861
862	if ((mach_header->magic != MH_MAGIC) &&
863	(mach_header->magic != MH_MAGIC_64)) {
864	error = -`1`;
865	goto bad;
866	}
867
868	if (mach_header->filetype != MH_EXECUTE) {
869	error = -`1`;
870	goto bad;
871	}
872
873	if (imgp->ip_origcputype != `0`) {
874	/ Fat header previously had an idea about this thin file /
875	if (imgp->ip_origcputype != mach_header->cputype \|\|
876	imgp->ip_origcpusubtype != mach_header->cpusubtype) {
877	error = EBADARCH;
878	goto bad;
879	}
880	} else {
881	imgp->ip_origcputype = mach_header->cputype;
882	imgp->ip_origcpusubtype = mach_header->cpusubtype;
883	}
884
885	task = current_task();
886	thread = current_thread();
887	uthread = get_bsdthread_info(thread);
888
889	if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64) {
890	imgp->ip_flags \|= IMGPF_IS_64BIT_ADDR \| IMGPF_IS_64BIT_DATA;
891	}
892
893	/ If posix_spawn binprefs exist, respect those prefs. /
894	psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
895	if (psa != NULL && psa->psa_binprefs[`0`] != `0`) {
896	int pr = `0`;
897	for (pr = `0`; pr < NBINPREFS; pr++) {
898	cpu_type_t pref = psa->psa_binprefs[pr];
899	if (pref == `0`) {
900	/ No suitable arch in the pref list /
901	error = EBADARCH;
902	goto bad;
903	}
904
905	if (pref == CPU_TYPE_ANY) {
906	/ Jump to regular grading /
907	goto grade;
908	}
909
910	if (pref == imgp->ip_origcputype) {
911	/ We have a match! /
912	goto grade;
913	}
914	}
915	error = EBADARCH;
916	goto bad;
917	}
918	grade:
919	if (!grade_binary(imgp->ip_origcputype, imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
920	error = EBADARCH;
921	goto bad;
922	}
923
924
925
926	/ Copy in arguments/environment from the old process /
927	error = exec_extract_strings(imgp);
928	if (error)
929	goto bad;
930
931	AUDIT_ARG(argv, imgp->ip_startargv, imgp->ip_argc,
932	imgp->ip_endargv - imgp->ip_startargv);
933	AUDIT_ARG(envv, imgp->ip_endargv, imgp->ip_envc,
934	imgp->ip_endenvv - imgp->ip_endargv);
935
936	/*
937	* We are being called to activate an image subsequent to a vfork()
938	* operation; in this case, we know that our task, thread, and
939	* uthread are actually those of our parent, and our proc, which we
940	* obtained indirectly from the image_params vfs_context_t, is the
941	* new child process.
942	*/
943	if (vfexec) {
944	imgp->ip_new_thread = fork_create_child(task,
945	NULL,
946	p,
947	FALSE,
948	(imgp->ip_flags & IMGPF_IS_64BIT_ADDR),
949	(imgp->ip_flags & IMGPF_IS_64BIT_DATA),
950	FALSE);
951	/ task and thread ref returned, will be released in __mac_execve /
952	if (imgp->ip_new_thread == NULL) {
953	error = ENOMEM;
954	goto bad;
955	}
956	}
957
958
959	/ reset local idea of thread, uthread, task /
960	thread = imgp->ip_new_thread;
961	uthread = get_bsdthread_info(thread);
962	task = new_task = get_threadtask(thread);
963
964	/*
965	* Load the Mach-O file.
966	*
967	* NOTE: An error after this point indicates we have potentially
968	* destroyed or overwritten some process state while attempting an
969	* execve() following a vfork(), which is an unrecoverable condition.
970	* We send the new process an immediate SIGKILL to avoid it executing
971	* any instructions in the mutated address space. For true spawns,
972	* this is not the case, and "too late" is still not too late to
973	* return an error code to the parent process.
974	*/
975
976	/*
977	* Actually load the image file we previously decided to load.
978	*/
979	lret = load_machfile(imgp, mach_header, thread, &map, &load_result);
980	if (lret != LOAD_SUCCESS) {
981	error = load_return_to_errno(lret);
982
983	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
984	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO, `0`, `0`);
985	if (lret == LOAD_BADMACHO_UPX) {
986	/ set anything that might be useful in the crash report /
987	set_proc_name(imgp, p);
988
989	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_UPX);
990	exec_failure_reason->osr_flags \|= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
991	exec_failure_reason->osr_flags \|= OS_REASON_FLAG_CONSISTENT_FAILURE;
992	} else if (lret == LOAD_BADARCH_X86) {
993	/ set anything that might be useful in the crash report /
994	set_proc_name(imgp, p);
995
996	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_NO32EXEC);
997	exec_failure_reason->osr_flags \|= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
998	exec_failure_reason->osr_flags \|= OS_REASON_FLAG_CONSISTENT_FAILURE;
999	} else {
1000	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_BAD_MACHO);
1001	}
1002
1003	goto badtoolate;
1004	}
1005
1006	proc_lock(p);
1007	p->p_cputype = imgp->ip_origcputype;
1008	p->p_cpusubtype = imgp->ip_origcpusubtype;
1009	proc_unlock(p);
1010
1011	vm_map_set_user_wire_limit(map, p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
1012
1013	/*
1014	* Set code-signing flags if this binary is signed, or if parent has
1015	* requested them on exec.
1016	*/
1017	if (load_result.csflags & CS_VALID) {
1018	imgp->ip_csflags \|= load_result.csflags &
1019	(CS_VALID\|CS_SIGNED\|CS_DEV_CODE\|
1020	CS_HARD\|CS_KILL\|CS_RESTRICT\|CS_ENFORCEMENT\|CS_REQUIRE_LV\|
1021	CS_FORCED_LV\|CS_ENTITLEMENTS_VALIDATED\|CS_DYLD_PLATFORM\|CS_RUNTIME\|
1022	CS_ENTITLEMENT_FLAGS\|
1023	CS_EXEC_SET_HARD\|CS_EXEC_SET_KILL\|CS_EXEC_SET_ENFORCEMENT);
1024	} else {
1025	imgp->ip_csflags &= ~CS_VALID;
1026	}
1027
1028	if (p->p_csflags & CS_EXEC_SET_HARD)
1029	imgp->ip_csflags \|= CS_HARD;
1030	if (p->p_csflags & CS_EXEC_SET_KILL)
1031	imgp->ip_csflags \|= CS_KILL;
1032	if (p->p_csflags & CS_EXEC_SET_ENFORCEMENT)
1033	imgp->ip_csflags \|= CS_ENFORCEMENT;
1034	if (p->p_csflags & CS_EXEC_INHERIT_SIP) {
1035	if (p->p_csflags & CS_INSTALLER)
1036	imgp->ip_csflags \|= CS_INSTALLER;
1037	if (p->p_csflags & CS_DATAVAULT_CONTROLLER)
1038	imgp->ip_csflags \|= CS_DATAVAULT_CONTROLLER;
1039	if (p->p_csflags & CS_NVRAM_UNRESTRICTED)
1040	imgp->ip_csflags \|= CS_NVRAM_UNRESTRICTED;
1041	}
1042
1043	/*
1044	* Set up the system reserved areas in the new address space.
1045	*/
1046	int cpu_subtype;
1047	cpu_subtype = `0`; / all cpu_subtypes use the same shared region /
1048	vm_map_exec(map, task, load_result.is_64bit_addr, (void *)p->p_fd->fd_rdir, cpu_type(), cpu_subtype);
1049
1050	/*
1051	* Close file descriptors which specify close-on-exec.
1052	*/
1053	fdexec(p, psa != NULL ? psa->psa_flags : `0`, exec);
1054
1055	/*
1056	* deal with set[ug]id.
1057	*/
1058	error = exec_handle_sugid(imgp);
1059	if (error) {
1060	vm_map_deallocate(map);
1061
1062	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
1063	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE, `0`, `0`);
1064	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SUGID_FAILURE);
1065	goto badtoolate;
1066	}
1067
1068	/*
1069	* Commit to new map.
1070	*
1071	* Swap the new map for the old for target task, which consumes
1072	* our new map reference but each leaves us responsible for the
1073	* old_map reference. That lets us get off the pmap associated
1074	* with it, and then we can release it.
1075	*
1076	* The map needs to be set on the target task which is different
1077	* than current task, thus swap_task_map is used instead of
1078	* vm_map_switch.
1079	*/
1080	old_map = swap_task_map(task, thread, map);
1081	vm_map_deallocate(old_map);
1082	old_map = NULL;
1083
1084	lret = activate_exec_state(task, p, thread, &load_result);
1085	if (lret != KERN_SUCCESS) {
1086
1087	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
1088	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE, `0`, `0`);
1089	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_ACTV_THREADSTATE);
1090	goto badtoolate;
1091	}
1092
1093	/*
1094	* deal with voucher on exec-calling thread.
1095	*/
1096	if (imgp->ip_new_thread == NULL)
1097	thread_set_mach_voucher(current_thread(), IPC_VOUCHER_NULL);
1098
1099	/ Make sure we won't interrupt ourself signalling a partial process /
1100	if (!vfexec && !spawn && (p->p_lflag & P_LTRACED))
1101	psignal(p, SIGTRAP);
1102
1103	if (load_result.unixproc &&
1104	create_unix_stack(get_task_map(task),
1105	&load_result,
1106	p) != KERN_SUCCESS) {
1107	error = load_return_to_errno(LOAD_NOSPACE);
1108
1109	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
1110	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC, `0`, `0`);
1111	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_STACK_ALLOC);
1112	goto badtoolate;
1113	}
1114
1115	error = exec_add_apple_strings(imgp, &load_result);
1116	if (error) {
1117
1118	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
1119	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT, `0`, `0`);
1120	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_APPLE_STRING_INIT);
1121	goto badtoolate;
1122	}
1123
1124	/ Switch to target task's map to copy out strings /
1125	old_map = vm_map_switch(get_task_map(task));
1126
1127	if (load_result.unixproc) {
1128	user_addr_t ap;
1129
1130	/*
1131	* Copy the strings area out into the new process address
1132	* space.
1133	*/
1134	ap = p->user_stack;
1135	error = exec_copyout_strings(imgp, &ap);
1136	if (error) {
1137	vm_map_switch(old_map);
1138
1139	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
1140	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS, `0`, `0`);
1141	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_STRINGS);
1142	goto badtoolate;
1143	}
1144	/ Set the stack /
1145	thread_setuserstack(thread, ap);
1146	}
1147
1148	if (load_result.dynlinker) {
1149	uint64_t ap;
1150	int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? `8` : `4`;
1151
1152	/ Adjust the stack /
1153	ap = thread_adjuserstack(thread, -new_ptr_size);
1154	error = copyoutptr(load_result.mach_header, ap, new_ptr_size);
1155
1156	if (error) {
1157	vm_map_switch(old_map);
1158
1159	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
1160	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER, `0`, `0`);
1161	exec_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_COPYOUT_DYNLINKER);
1162	goto badtoolate;
1163	}
1164	task_set_dyld_info(task, load_result.all_image_info_addr,
1165	load_result.all_image_info_size);
1166	}
1167
1168	/ Avoid immediate VM faults back into kernel /
1169	exec_prefault_data(p, imgp, &load_result);
1170
1171	vm_map_switch(old_map);
1172
1173	/ Stop profiling /
1174	stopprofclock(p);
1175
1176	/*
1177	* Reset signal state.
1178	*/
1179	execsigs(p, thread);
1180
1181	/*
1182	* need to cancel async IO requests that can be cancelled and wait for those
1183	* already active. MAY BLOCK!
1184	*/
1185	_aio_exec( p );
1186
1187	#if SYSV_SHM
1188	/ FIXME: Till vmspace inherit is fixed: /
1189	if (!vfexec && p->vm_shm)
1190	shmexec(p);
1191	#endif
1192	#if SYSV_SEM
1193	/ Clean up the semaphores /
1194	semexit(p);
1195	#endif
1196
1197	/*
1198	* Remember file name for accounting.
1199	*/
1200	p->p_acflag &= ~AFORK;
1201
1202	set_proc_name(imgp, p);
1203
1204	#if CONFIG_SECLUDED_MEMORY
1205	if (secluded_for_apps &&
1206	load_result.platform_binary) {
1207	if (strncmp(p->p_name,
1208	"Camera",
1209	sizeof (p->p_name)) == `0`) {
1210	task_set_could_use_secluded_mem(task, TRUE);
1211	} else {
1212	task_set_could_use_secluded_mem(task, FALSE);
1213	}
1214	if (strncmp(p->p_name,
1215	"mediaserverd",
1216	sizeof (p->p_name)) == `0`) {
1217	task_set_could_also_use_secluded_mem(task, TRUE);
1218	}
1219	}
1220	#endif /* CONFIG_SECLUDED_MEMORY */
1221
1222	#if __arm64__
1223	if (load_result.legacy_footprint) {
1224	task_set_legacy_footprint(task, TRUE);
1225	}
1226	#endif /* __arm64__ */
1227
1228	pal_dbg_set_task_name(task);
1229
1230	/*
1231	* The load result will have already been munged by AMFI to include the
1232	* platform binary flag if boot-args dictated it (AMFI will mark anything
1233	* that doesn't go through the upcall path as a platform binary if its
1234	* enforcement is disabled).
1235	*/
1236	if (load_result.platform_binary) {
1237	if (cs_debug) {
1238	printf("setting platform binary on task: pid = %d\n", p->p_pid);
1239	}
1240
1241	/*
1242	* We must use 'task' here because the proc's task has not yet been
1243	* switched to the new one.
1244	*/
1245	task_set_platform_binary(task, TRUE);
1246	} else {
1247	if (cs_debug) {
1248	printf("clearing platform binary on task: pid = %d\n", p->p_pid);
1249	}
1250
1251	task_set_platform_binary(task, FALSE);
1252	}
1253
1254	#if DEVELOPMENT \|\| DEBUG
1255	/*
1256	* Update the pid an proc name for importance base if any
1257	*/
1258	task_importance_update_owner_info(task);
1259	#endif
1260
1261	memcpy(&p->p_uuid[`0`], &load_result.uuid[`0`], sizeof(p->p_uuid));
1262
1263	#if CONFIG_DTRACE
1264	dtrace_proc_exec(p);
1265	#endif
1266
1267	if (kdebug_enable) {
1268	long args[`4`] = {};
1269
1270	uintptr_t fsid = `0`, fileid = `0`;
1271	if (imgp->ip_vattr) {
1272	uint64_t fsid64 = get_va_fsid(imgp->ip_vattr);
1273	fsid = fsid64;
1274	fileid = imgp->ip_vattr->va_fileid;
1275	// check for (unexpected) overflow and trace zero in that case
1276	if (fsid != fsid64 \|\| fileid != imgp->ip_vattr->va_fileid) {
1277	fsid = fileid = `0`;
1278	}
1279	}
1280	KERNEL_DEBUG_CONSTANT_IST1(TRACE_DATA_EXEC, p->p_pid, fsid, fileid, `0`,
1281	(uintptr_t)thread_tid(thread));
1282
1283	/*
1284	* Collect the pathname for tracing
1285	*/
1286	kdbg_trace_string(p, &args[`0`], &args[`1`], &args[`2`], &args[`3`]);
1287	KERNEL_DEBUG_CONSTANT_IST1(TRACE_STRING_EXEC, args[`0`], args[`1`],
1288	args[`2`], args[`3`], (uintptr_t)thread_tid(thread));
1289	}
1290
1291	/*
1292	* If posix_spawned with the START_SUSPENDED flag, stop the
1293	* process before it runs.
1294	*/
1295	if (imgp->ip_px_sa != NULL) {
1296	psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
1297	if (psa->psa_flags & POSIX_SPAWN_START_SUSPENDED) {
1298	proc_lock(p);
1299	p->p_stat = SSTOP;
1300	proc_unlock(p);
1301	(void) task_suspend_internal(task);
1302	}
1303	}
1304
1305	/*
1306	* mark as execed, wakeup the process that vforked (if any) and tell
1307	* it that it now has its own resources back
1308	*/
1309	OSBitOrAtomic(P_EXEC, &p->p_flag);
1310	proc_resetregister(p);
1311	if (p->p_pptr && (p->p_lflag & P_LPPWAIT)) {
1312	proc_lock(p);
1313	p->p_lflag &= ~P_LPPWAIT;
1314	proc_unlock(p);
1315	wakeup((caddr_t)p->p_pptr);
1316	}
1317
1318	/*
1319	* Pay for our earlier safety; deliver the delayed signals from
1320	* the incomplete vfexec process now that it's complete.
1321	*/
1322	if (vfexec && (p->p_lflag & P_LTRACED)) {
1323	psignal_vfork(p, new_task, thread, SIGTRAP);
1324	}
1325
1326	goto done;
1327
1328	badtoolate:
1329	/ Don't allow child process to execute any instructions /
1330	if (!spawn) {
1331	if (vfexec) {
1332	assert(exec_failure_reason != OS_REASON_NULL);
1333	psignal_vfork_with_reason(p, new_task, thread, SIGKILL, exec_failure_reason);
1334	exec_failure_reason = OS_REASON_NULL;
1335	} else {
1336	assert(exec_failure_reason != OS_REASON_NULL);
1337	psignal_with_reason(p, SIGKILL, exec_failure_reason);
1338	exec_failure_reason = OS_REASON_NULL;
1339
1340	if (exec) {
1341	/ Terminate the exec copy task /
1342	task_terminate_internal(task);
1343	}
1344	}
1345
1346	/ We can't stop this system call at this point, so just pretend we succeeded /
1347	error = `0`;
1348	} else {
1349	os_reason_free(exec_failure_reason);
1350	exec_failure_reason = OS_REASON_NULL;
1351	}
1352
1353	done:
1354	if (load_result.threadstate) {
1355	kfree(load_result.threadstate, load_result.threadstate_sz);
1356	load_result.threadstate = NULL;
1357	}
1358
1359	bad:
1360	/ If we hit this, we likely would have leaked an exit reason /
1361	assert(exec_failure_reason == OS_REASON_NULL);
1362	return(error);
1363	}
1364
1365
1366
1367
1368	/*
1369	* Our image activator table; this is the table of the image types we are
1370	* capable of loading. We list them in order of preference to ensure the
1371	* fastest image load speed.
1372	*
1373	* XXX hardcoded, for now; should use linker sets
1374	*/
1375	struct execsw {
1376	int (ex_imgact)(struct* image_params *);
1377	const char *ex_name;
1378	} execsw[] = {
1379	{ exec_mach_imgact, "Mach-o Binary" },
1380	{ exec_fat_imgact, "Fat Binary" },
1381	{ exec_shell_imgact, "Interpreter Script" },
1382	{ NULL, NULL}
1383	};
1384
1385
1386	/*
1387	* exec_activate_image
1388	*
1389	* Description: Iterate through the available image activators, and activate
1390	* the image associated with the imgp structure. We start with
1391	* the activator for Mach-o binaries followed by that for Fat binaries
1392	* for Interpreter scripts.
1393	*
1394	* Parameters: struct image_params * Image parameter block
1395	*
1396	* Returns: 0 Success
1397	* EBADEXEC The executable is corrupt/unknown
1398	* execargs_alloc:EINVAL Invalid argument
1399	* execargs_alloc:EACCES Permission denied
1400	* execargs_alloc:EINTR Interrupted function
1401	* execargs_alloc:ENOMEM Not enough space
1402	* exec_save_path:EFAULT Bad address
1403	* exec_save_path:ENAMETOOLONG Filename too long
1404	* exec_check_permissions:EACCES Permission denied
1405	* exec_check_permissions:ENOEXEC Executable file format error
1406	* exec_check_permissions:ETXTBSY Text file busy [misuse of error code]
1407	* exec_check_permissions:???
1408	* namei:???
1409	* vn_rdwr:??? [anything vn_rdwr can return]
1410	* <ex_imgact>:??? [anything an imgact can return]
1411	* EDEADLK Process is being terminated
1412	*/
1413	static int
1414	exec_activate_image(struct image_params *imgp)
1415	{
1416	struct nameidata *ndp = NULL;
1417	const char *excpath;
1418	int error;
1419	int resid;
1420	int once = `1`; / save SGUID-ness for interpreted files /
1421	int i;
1422	int itercount = `0`;
1423	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1424
1425	error = execargs_alloc(imgp);
1426	if (error)
1427	goto bad_notrans;
1428
1429	error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg, &excpath);
1430	if (error) {
1431	goto bad_notrans;
1432	}
1433
1434	/ Use excpath, which contains the copyin-ed exec path /
1435	DTRACE_PROC1(exec, uintptr_t, excpath);
1436
1437	MALLOC(ndp, struct nameidata , sizeof(ndp), M_TEMP, M_WAITOK \| M_ZERO);
1438	if (ndp == NULL) {
1439	error = ENOMEM;
1440	goto bad_notrans;
1441	}
1442
1443	NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW \| LOCKLEAF \| AUDITVNPATH1,
1444	UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
1445
1446	again:
1447	error = namei(ndp);
1448	if (error)
1449	goto bad_notrans;
1450	imgp->ip_ndp = ndp; / successful namei(); call nameidone() later /
1451	imgp->ip_vp = ndp->ni_vp; / if set, need to vnode_put() at some point /
1452
1453	/*
1454	* Before we start the transition from binary A to binary B, make
1455	* sure another thread hasn't started exiting the process. We grab
1456	* the proc lock to check p_lflag initially, and the transition
1457	* mechanism ensures that the value doesn't change after we release
1458	* the lock.
1459	*/
1460	proc_lock(p);
1461	if (p->p_lflag & P_LEXIT) {
1462	error = EDEADLK;
1463	proc_unlock(p);
1464	goto bad_notrans;
1465	}
1466	error = proc_transstart(p, `1`, `0`);
1467	proc_unlock(p);
1468	if (error)
1469	goto bad_notrans;
1470
1471	error = exec_check_permissions(imgp);
1472	if (error)
1473	goto bad;
1474
1475	/ Copy; avoid invocation of an interpreter overwriting the original /
1476	if (once) {
1477	once = `0`;
1478	imgp->ip_origvattr = imgp->ip_vattr;
1479	}
1480
1481	error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE, `0`,
1482	UIO_SYSSPACE, IO_NODELOCKED,
1483	vfs_context_ucred(imgp->ip_vfs_context),
1484	&resid, vfs_context_proc(imgp->ip_vfs_context));
1485	if (error)
1486	goto bad;
1487
1488	if (resid) {
1489	memset(imgp->ip_vdata + (PAGE_SIZE - resid), `0x0`, resid);
1490	}
1491
1492	encapsulated_binary:
1493	/ Limit the number of iterations we will attempt on each binary /
1494	if (++itercount > EAI_ITERLIMIT) {
1495	error = EBADEXEC;
1496	goto bad;
1497	}
1498	error = -`1`;
1499	for(i = `0`; error == -`1` && execsw[i].ex_imgact != NULL; i++) {
1500
1501	error = (*execsw[i].ex_imgact)(imgp);
1502
1503	switch (error) {
1504	/ case -1: not claimed: continue /
1505	case -`2`: / Encapsulated binary, imgp->ip_XXX set for next iteration /
1506	goto encapsulated_binary;
1507
1508	case -`3`: / Interpreter /
1509	#if CONFIG_MACF
1510	/*
1511	* Copy the script label for later use. Note that
1512	* the label can be different when the script is
1513	* actually read by the interpreter.
1514	*/
1515	if (imgp->ip_scriptlabelp)
1516	mac_vnode_label_free(imgp->ip_scriptlabelp);
1517	imgp->ip_scriptlabelp = mac_vnode_label_alloc();
1518	if (imgp->ip_scriptlabelp == NULL) {
1519	error = ENOMEM;
1520	break;
1521	}
1522	mac_vnode_label_copy(imgp->ip_vp->v_label,
1523	imgp->ip_scriptlabelp);
1524
1525	/*
1526	* Take a ref of the script vnode for later use.
1527	*/
1528	if (imgp->ip_scriptvp)
1529	vnode_put(imgp->ip_scriptvp);
1530	if (vnode_getwithref(imgp->ip_vp) == `0`)
1531	imgp->ip_scriptvp = imgp->ip_vp;
1532	#endif
1533
1534	nameidone(ndp);
1535
1536	vnode_put(imgp->ip_vp);
1537	imgp->ip_vp = NULL; / already put /
1538	imgp->ip_ndp = NULL; / already nameidone /
1539
1540	/ Use excpath, which exec_shell_imgact reset to the interpreter /
1541	NDINIT(ndp, LOOKUP, OP_LOOKUP, FOLLOW \| LOCKLEAF,
1542	UIO_SYSSPACE, CAST_USER_ADDR_T(excpath), imgp->ip_vfs_context);
1543
1544	proc_transend(p, `0`);
1545	goto again;
1546
1547	default:
1548	break;
1549	}
1550	}
1551
1552	if (error == `0`) {
1553	if (imgp->ip_flags & IMGPF_INTERPRET && ndp->ni_vp) {
1554	AUDIT_ARG(vnpath, ndp->ni_vp, ARG_VNODE2);
1555	}
1556
1557	/*
1558	* Call out to allow 3rd party notification of exec.
1559	* Ignore result of kauth_authorize_fileop call.
1560	*/
1561	if (kauth_authorize_fileop_has_listeners()) {
1562	kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
1563	KAUTH_FILEOP_EXEC,
1564	(uintptr_t)ndp->ni_vp, `0`);
1565	}
1566	}
1567	bad:
1568	proc_transend(p, `0`);
1569
1570	bad_notrans:
1571	if (imgp->ip_strings)
1572	execargs_free(imgp);
1573	if (imgp->ip_ndp)
1574	nameidone(imgp->ip_ndp);
1575	if (ndp)
1576	FREE(ndp, M_TEMP);
1577
1578	return (error);
1579	}
1580
1581
1582	/*
1583	* exec_handle_spawnattr_policy
1584	*
1585	* Description: Decode and apply the posix_spawn apptype, qos clamp, and watchport ports to the task.
1586	*
1587	* Parameters: proc_t p process to apply attributes to
1588	* int psa_apptype posix spawn attribute apptype
1589	*
1590	* Returns: 0 Success
1591	*/
1592	static errno_t
1593	exec_handle_spawnattr_policy(proc_t p, int psa_apptype, uint64_t psa_qos_clamp, uint64_t psa_darwin_role,
1594	ipc_port_t * portwatch_ports, int portwatch_count)
1595	{
1596	int apptype = TASK_APPTYPE_NONE;
1597	int qos_clamp = THREAD_QOS_UNSPECIFIED;
1598	int role = TASK_UNSPECIFIED;
1599
1600	if ((psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK) != `0`) {
1601	int proctype = psa_apptype & POSIX_SPAWN_PROC_TYPE_MASK;
1602
1603	switch(proctype) {
1604	case POSIX_SPAWN_PROC_TYPE_DAEMON_INTERACTIVE:
1605	apptype = TASK_APPTYPE_DAEMON_INTERACTIVE;
1606	break;
1607	case POSIX_SPAWN_PROC_TYPE_DAEMON_STANDARD:
1608	apptype = TASK_APPTYPE_DAEMON_STANDARD;
1609	break;
1610	case POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE:
1611	apptype = TASK_APPTYPE_DAEMON_ADAPTIVE;
1612	break;
1613	case POSIX_SPAWN_PROC_TYPE_DAEMON_BACKGROUND:
1614	apptype = TASK_APPTYPE_DAEMON_BACKGROUND;
1615	break;
1616	case POSIX_SPAWN_PROC_TYPE_APP_DEFAULT:
1617	apptype = TASK_APPTYPE_APP_DEFAULT;
1618	break;
1619	#if !CONFIG_EMBEDDED
1620	case POSIX_SPAWN_PROC_TYPE_APP_TAL:
1621	apptype = TASK_APPTYPE_APP_TAL;
1622	break;
1623	#endif /* !CONFIG_EMBEDDED */
1624	default:
1625	apptype = TASK_APPTYPE_NONE;
1626	/ TODO: Should an invalid value here fail the spawn? /
1627	break;
1628	}
1629	}
1630
1631	if (psa_qos_clamp != POSIX_SPAWN_PROC_CLAMP_NONE) {
1632	switch (psa_qos_clamp) {
1633	case POSIX_SPAWN_PROC_CLAMP_UTILITY:
1634	qos_clamp = THREAD_QOS_UTILITY;
1635	break;
1636	case POSIX_SPAWN_PROC_CLAMP_BACKGROUND:
1637	qos_clamp = THREAD_QOS_BACKGROUND;
1638	break;
1639	case POSIX_SPAWN_PROC_CLAMP_MAINTENANCE:
1640	qos_clamp = THREAD_QOS_MAINTENANCE;
1641	break;
1642	default:
1643	qos_clamp = THREAD_QOS_UNSPECIFIED;
1644	/ TODO: Should an invalid value here fail the spawn? /
1645	break;
1646	}
1647	}
1648
1649	if (psa_darwin_role != PRIO_DARWIN_ROLE_DEFAULT) {
1650	proc_darwin_role_to_task_role(psa_darwin_role, &role);
1651	}
1652
1653	if (apptype != TASK_APPTYPE_NONE \|\|
1654	qos_clamp != THREAD_QOS_UNSPECIFIED \|\|
1655	role != TASK_UNSPECIFIED) {
1656	proc_set_task_spawnpolicy(p->task, apptype, qos_clamp, role,
1657	portwatch_ports, portwatch_count);
1658	}
1659
1660	return (`0`);
1661	}
1662
1663
1664	/*
1665	* exec_handle_port_actions
1666	*
1667	* Description: Go through the _posix_port_actions_t contents,
1668	* calling task_set_special_port, task_set_exception_ports
1669	* and/or audit_session_spawnjoin for the current task.
1670	*
1671	* Parameters: struct image_params * Image parameter block
1672	*
1673	* Returns: 0 Success
1674	* EINVAL Failure
1675	* ENOTSUP Illegal posix_spawn attr flag was set
1676	*/
1677	static errno_t
1678	exec_handle_port_actions(struct image_params imgp, boolean_t portwatch_present,
1679	ipc_port_t * portwatch_ports)
1680	{
1681	_posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
1682	#if CONFIG_AUDIT
1683	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1684	#endif
1685	_ps_port_action_t *act = NULL;
1686	task_t task = get_threadtask(imgp->ip_new_thread);
1687	ipc_port_t port = NULL;
1688	errno_t ret = `0`;
1689	int i;
1690	kern_return_t kr;
1691
1692	*portwatch_present = FALSE;
1693
1694	for (i = `0`; i < pacts->pspa_count; i++) {
1695	act = &pacts->pspa_actions[i];
1696
1697	if (MACH_PORT_VALID(act->new_port)) {
1698	kr = ipc_object_copyin(get_task_ipcspace(current_task()),
1699	act->new_port, MACH_MSG_TYPE_COPY_SEND,
1700	(ipc_object_t *) &port);
1701
1702	if (kr != KERN_SUCCESS) {
1703	ret = EINVAL;
1704	goto done;
1705	}
1706	} else {
1707	/ it's NULL or DEAD /
1708	port = CAST_MACH_NAME_TO_PORT(act->new_port);
1709	}
1710
1711	switch (act->port_type) {
1712	case PSPA_SPECIAL:
1713	kr = task_set_special_port(task, act->which, port);
1714
1715	if (kr != KERN_SUCCESS)
1716	ret = EINVAL;
1717	break;
1718
1719	case PSPA_EXCEPTION:
1720	kr = task_set_exception_ports(task, act->mask, port,
1721	act->behavior, act->flavor);
1722	if (kr != KERN_SUCCESS)
1723	ret = EINVAL;
1724	break;
1725	#if CONFIG_AUDIT
1726	case PSPA_AU_SESSION:
1727	ret = audit_session_spawnjoin(p, task, port);
1728	if (ret) {
1729	/ audit_session_spawnjoin() has already dropped the reference in case of error. /
1730	goto done;
1731	}
1732
1733	break;
1734	#endif
1735	case PSPA_IMP_WATCHPORTS:
1736	if (portwatch_ports != NULL && IPC_PORT_VALID(port)) {
1737	*portwatch_present = TRUE;
1738	/ hold on to this till end of spawn /
1739	portwatch_ports[i] = port;
1740	} else {
1741	ipc_port_release_send(port);
1742	}
1743
1744	break;
1745	default:
1746	ret = EINVAL;
1747	break;
1748	}
1749
1750	if (ret) {
1751	/ action failed, so release port resources /
1752	ipc_port_release_send(port);
1753	break;
1754	}
1755	}
1756
1757	done:
1758	if (`0` != ret)
1759	DTRACE_PROC1(spawn__port__failure, mach_port_name_t, act->new_port);
1760	return (ret);
1761	}
1762
1763	/*
1764	* exec_handle_file_actions
1765	*
1766	* Description: Go through the _posix_file_actions_t contents applying the
1767	* open, close, and dup2 operations to the open file table for
1768	* the current process.
1769	*
1770	* Parameters: struct image_params * Image parameter block
1771	*
1772	* Returns: 0 Success
1773	* ???
1774	*
1775	* Note: Actions are applied in the order specified, with the credential
1776	* of the parent process. This is done to permit the parent
1777	* process to utilize POSIX_SPAWN_RESETIDS to drop privilege in
1778	* the child following operations the child may in fact not be
1779	* normally permitted to perform.
1780	*/
1781	static int
1782	exec_handle_file_actions(struct image_params imgp, short* psa_flags)
1783	{
1784	int error = `0`;
1785	int action;
1786	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1787	_posix_spawn_file_actions_t px_sfap = imgp->ip_px_sfa;
1788	int ival[`2`]; / dummy retval for system calls) /
1789
1790	for (action = `0`; action < px_sfap->psfa_act_count; action++) {
1791	_psfa_action_t *psfa = &px_sfap->psfa_act_acts[ action];
1792
1793	switch(psfa->psfaa_type) {
1794	case PSFA_OPEN: {
1795	/*
1796	* Open is different, in that it requires the use of
1797	* a path argument, which is normally copied in from
1798	* user space; because of this, we have to support an
1799	* open from kernel space that passes an address space
1800	* context of UIO_SYSSPACE, and casts the address
1801	* argument to a user_addr_t.
1802	*/
1803	char *bufp = NULL;
1804	struct vnode_attr *vap;
1805	struct nameidata *ndp;
1806	int mode = psfa->psfaa_openargs.psfao_mode;
1807	struct dup2_args dup2a;
1808	struct close_nocancel_args ca;
1809	int origfd;
1810
1811	MALLOC(bufp, char , sizeof(vap) + sizeof(*ndp), M_TEMP, M_WAITOK \| M_ZERO);
1812	if (bufp == NULL) {
1813	error = ENOMEM;
1814	break;
1815	}
1816
1817	vap = (struct vnode_attr *) bufp;
1818	ndp = (struct nameidata ) (bufp + sizeof(vap));
1819
1820	VATTR_INIT(vap);
1821	/ Mask off all but regular access permissions /
1822	mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
1823	VATTR_SET(vap, va_mode, mode & ACCESSPERMS);
1824
1825	NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW \| AUDITVNPATH1, UIO_SYSSPACE,
1826	CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
1827	imgp->ip_vfs_context);
1828
1829	error = open1(imgp->ip_vfs_context,
1830	ndp,
1831	psfa->psfaa_openargs.psfao_oflag,
1832	vap,
1833	fileproc_alloc_init, NULL,
1834	ival);
1835
1836	FREE(bufp, M_TEMP);
1837
1838	/*
1839	* If there's an error, or we get the right fd by
1840	* accident, then drop out here. This is easier than
1841	* reworking all the open code to preallocate fd
1842	* slots, and internally taking one as an argument.
1843	*/
1844	if (error \|\| ival[`0`] == psfa->psfaa_filedes)
1845	break;
1846
1847	origfd = ival[`0`];
1848	/*
1849	* If we didn't fall out from an error, we ended up
1850	* with the wrong fd; so now we've got to try to dup2
1851	* it to the right one.
1852	*/
1853	dup2a.from = origfd;
1854	dup2a.to = psfa->psfaa_filedes;
1855
1856	/*
1857	* The dup2() system call implementation sets
1858	* ival to newfd in the success case, but we
1859	* can ignore that, since if we didn't get the
1860	* fd we wanted, the error will stop us.
1861	*/
1862	error = dup2(p, &dup2a, ival);
1863	if (error)
1864	break;
1865
1866	/*
1867	* Finally, close the original fd.
1868	*/
1869	ca.fd = origfd;
1870
1871	error = close_nocancel(p, &ca, ival);
1872	}
1873	break;
1874
1875	case PSFA_DUP2: {
1876	struct dup2_args dup2a;
1877
1878	dup2a.from = psfa->psfaa_filedes;
1879	dup2a.to = psfa->psfaa_openargs.psfao_oflag;
1880
1881	/*
1882	* The dup2() system call implementation sets
1883	* ival to newfd in the success case, but we
1884	* can ignore that, since if we didn't get the
1885	* fd we wanted, the error will stop us.
1886	*/
1887	error = dup2(p, &dup2a, ival);
1888	}
1889	break;
1890
1891	case PSFA_CLOSE: {
1892	struct close_nocancel_args ca;
1893
1894	ca.fd = psfa->psfaa_filedes;
1895
1896	error = close_nocancel(p, &ca, ival);
1897	}
1898	break;
1899
1900	case PSFA_INHERIT: {
1901	struct fcntl_nocancel_args fcntla;
1902
1903	/*
1904	* Check to see if the descriptor exists, and
1905	* ensure it's -not- marked as close-on-exec.
1906	*
1907	* Attempting to "inherit" a guarded fd will
1908	* result in a error.
1909	*/
1910	fcntla.fd = psfa->psfaa_filedes;
1911	fcntla.cmd = F_GETFD;
1912	if ((error = fcntl_nocancel(p, &fcntla, ival)) != `0`)
1913	break;
1914
1915	if ((ival[`0`] & FD_CLOEXEC) == FD_CLOEXEC) {
1916	fcntla.fd = psfa->psfaa_filedes;
1917	fcntla.cmd = F_SETFD;
1918	fcntla.arg = ival[`0`] & ~FD_CLOEXEC;
1919	error = fcntl_nocancel(p, &fcntla, ival);
1920	}
1921
1922	}
1923	break;
1924
1925	default:
1926	error = EINVAL;
1927	break;
1928	}
1929
1930	/ All file actions failures are considered fatal, per POSIX /
1931
1932	if (error) {
1933	if (PSFA_OPEN == psfa->psfaa_type) {
1934	DTRACE_PROC1(spawn__open__failure, uintptr_t,
1935	psfa->psfaa_openargs.psfao_path);
1936	} else {
1937	DTRACE_PROC1(spawn__fd__failure, int, psfa->psfaa_filedes);
1938	}
1939	break;
1940	}
1941	}
1942
1943	if (error != `0` \|\| (psa_flags & POSIX_SPAWN_CLOEXEC_DEFAULT) == `0`)
1944	return (error);
1945
1946	/*
1947	* If POSIX_SPAWN_CLOEXEC_DEFAULT is set, behave (during
1948	* this spawn only) as if "close on exec" is the default
1949	* disposition of all pre-existing file descriptors. In this case,
1950	* the list of file descriptors mentioned in the file actions
1951	* are the only ones that can be inherited, so mark them now.
1952	*
1953	* The actual closing part comes later, in fdexec().
1954	*/
1955	proc_fdlock(p);
1956	for (action = `0`; action < px_sfap->psfa_act_count; action++) {
1957	_psfa_action_t *psfa = &px_sfap->psfa_act_acts[action];
1958	int fd = psfa->psfaa_filedes;
1959
1960	switch (psfa->psfaa_type) {
1961	case PSFA_DUP2:
1962	fd = psfa->psfaa_openargs.psfao_oflag;
1963	/FALLTHROUGH/
1964	case PSFA_OPEN:
1965	case PSFA_INHERIT:
1966	*fdflags(p, fd) \|= UF_INHERIT;
1967	break;
1968
1969	case PSFA_CLOSE:
1970	break;
1971	}
1972	}
1973	proc_fdunlock(p);
1974
1975	return (`0`);
1976	}
1977
1978	#if CONFIG_MACF
1979	/*
1980	* exec_spawnattr_getmacpolicyinfo
1981	*/
1982	void *
1983	exec_spawnattr_getmacpolicyinfo(const void macextensions, const* char policyname, size_t lenp)
1984	{
1985	const struct _posix_spawn_mac_policy_extensions *psmx = macextensions;
1986	int i;
1987
1988	if (psmx == NULL)
1989	return NULL;
1990
1991	for (i = `0`; i < psmx->psmx_count; i++) {
1992	const _ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
1993	if (strncmp(extension->policyname, policyname, sizeof(extension->policyname)) == `0`) {
1994	if (lenp != NULL)
1995	*lenp = extension->datalen;
1996	return extension->datap;
1997	}
1998	}
1999
2000	if (lenp != NULL)
2001	*lenp = `0`;
2002	return NULL;
2003	}
2004
2005	static int
2006	spawn_copyin_macpolicyinfo(const struct user__posix_spawn_args_desc px_args, _posix_spawn_mac_policy_extensions_t psmxp)
2007	{
2008	_posix_spawn_mac_policy_extensions_t psmx = NULL;
2009	int error = `0`;
2010	int copycnt = `0`;
2011	int i = `0`;
2012
2013	*psmxp = NULL;
2014
2015	if (px_args->mac_extensions_size < PS_MAC_EXTENSIONS_SIZE(`1`) \|\|
2016	px_args->mac_extensions_size > PAGE_SIZE) {
2017	error = EINVAL;
2018	goto bad;
2019	}
2020
2021	MALLOC(psmx, _posix_spawn_mac_policy_extensions_t, px_args->mac_extensions_size, M_TEMP, M_WAITOK);
2022	if ((error = copyin(px_args->mac_extensions, psmx, px_args->mac_extensions_size)) != `0`)
2023	goto bad;
2024
2025	size_t extsize = PS_MAC_EXTENSIONS_SIZE(psmx->psmx_count);
2026	if (extsize == `0` \|\| extsize > px_args->mac_extensions_size) {
2027	error = EINVAL;
2028	goto bad;
2029	}
2030
2031	for (i = `0`; i < psmx->psmx_count; i++) {
2032	_ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[i];
2033	if (extension->datalen == `0` \|\| extension->datalen > PAGE_SIZE) {
2034	error = EINVAL;
2035	goto bad;
2036	}
2037	}
2038
2039	for (copycnt = `0`; copycnt < psmx->psmx_count; copycnt++) {
2040	_ps_mac_policy_extension_t *extension = &psmx->psmx_extensions[copycnt];
2041	void *data = NULL;
2042
2043	MALLOC(data, void *, extension->datalen, M_TEMP, M_WAITOK);
2044	if ((error = copyin(extension->data, data, extension->datalen)) != `0`) {
2045	FREE(data, M_TEMP);
2046	goto bad;
2047	}
2048	extension->datap = data;
2049	}
2050
2051	*psmxp = psmx;
2052	return `0`;
2053
2054	bad:
2055	if (psmx != NULL) {
2056	for (i = `0`; i < copycnt; i++)
2057	FREE(psmx->psmx_extensions[i].datap, M_TEMP);
2058	FREE(psmx, M_TEMP);
2059	}
2060	return error;
2061	}
2062
2063	static void
2064	spawn_free_macpolicyinfo(_posix_spawn_mac_policy_extensions_t psmx)
2065	{
2066	int i;
2067
2068	if (psmx == NULL)
2069	return;
2070	for (i = `0`; i < psmx->psmx_count; i++)
2071	FREE(psmx->psmx_extensions[i].datap, M_TEMP);
2072	FREE(psmx, M_TEMP);
2073	}
2074	#endif /* CONFIG_MACF */
2075
2076	#if CONFIG_COALITIONS
2077	static inline void spawn_coalitions_release_all(coalition_t coal[COALITION_NUM_TYPES])
2078	{
2079	for (int c = `0`; c < COALITION_NUM_TYPES; c++) {
2080	if (coal[c]) {
2081	coalition_remove_active(coal[c]);
2082	coalition_release(coal[c]);
2083	}
2084	}
2085	}
2086	#endif
2087
2088	#if CONFIG_PERSONAS
2089	static int spawn_validate_persona(struct _posix_spawn_persona_info *px_persona)
2090	{
2091	int error = `0`;
2092	struct persona *persona = NULL;
2093	int verify = px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_VERIFY;
2094
2095	/*
2096	* TODO: rdar://problem/19981151
2097	* Add entitlement check!
2098	*/
2099	if (!kauth_cred_issuser(kauth_cred_get()))
2100	return EPERM;
2101
2102	persona = persona_lookup(px_persona->pspi_id);
2103	if (!persona) {
2104	error = ESRCH;
2105	goto out;
2106	}
2107
2108	if (verify) {
2109	if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
2110	if (px_persona->pspi_uid != persona_get_uid(persona)) {
2111	error = EINVAL;
2112	goto out;
2113	}
2114	}
2115	if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
2116	if (px_persona->pspi_gid != persona_get_gid(persona)) {
2117	error = EINVAL;
2118	goto out;
2119	}
2120	}
2121	if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2122	unsigned ngroups = `0`;
2123	gid_t groups[NGROUPS_MAX];
2124
2125	if (persona_get_groups(persona, &ngroups, groups,
2126	px_persona->pspi_ngroups) != `0`) {
2127	error = EINVAL;
2128	goto out;
2129	}
2130	if (ngroups != px_persona->pspi_ngroups) {
2131	error = EINVAL;
2132	goto out;
2133	}
2134	while (ngroups--) {
2135	if (px_persona->pspi_groups[ngroups] != groups[ngroups]) {
2136	error = EINVAL;
2137	goto out;
2138	}
2139	}
2140	if (px_persona->pspi_gmuid != persona_get_gmuid(persona)) {
2141	error = EINVAL;
2142	goto out;
2143	}
2144	}
2145	}
2146
2147	out:
2148	if (persona)
2149	persona_put(persona);
2150
2151	return error;
2152	}
2153
2154	static int spawn_persona_adopt(proc_t p, struct _posix_spawn_persona_info *px_persona)
2155	{
2156	int ret;
2157	kauth_cred_t cred;
2158	struct persona *persona = NULL;
2159	int override = !!(px_persona->pspi_flags & POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE);
2160
2161	if (!override)
2162	return persona_proc_adopt_id(p, px_persona->pspi_id, NULL);
2163
2164	/*
2165	* we want to spawn into the given persona, but we want to override
2166	* the kauth with a different UID/GID combo
2167	*/
2168	persona = persona_lookup(px_persona->pspi_id);
2169	if (!persona)
2170	return ESRCH;
2171
2172	cred = persona_get_cred(persona);
2173	if (!cred) {
2174	ret = EINVAL;
2175	goto out;
2176	}
2177
2178	if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_UID) {
2179	cred = kauth_cred_setresuid(cred,
2180	px_persona->pspi_uid,
2181	px_persona->pspi_uid,
2182	px_persona->pspi_uid,
2183	KAUTH_UID_NONE);
2184	}
2185
2186	if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GID) {
2187	cred = kauth_cred_setresgid(cred,
2188	px_persona->pspi_gid,
2189	px_persona->pspi_gid,
2190	px_persona->pspi_gid);
2191	}
2192
2193	if (px_persona->pspi_flags & POSIX_SPAWN_PERSONA_GROUPS) {
2194	cred = kauth_cred_setgroups(cred,
2195	px_persona->pspi_groups,
2196	px_persona->pspi_ngroups,
2197	px_persona->pspi_gmuid);
2198	}
2199
2200	ret = persona_proc_adopt(p, persona, cred);
2201
2202	out:
2203	persona_put(persona);
2204	return ret;
2205	}
2206	#endif
2207
2208	/*
2209	* posix_spawn
2210	*
2211	* Parameters: uap->pid Pointer to pid return area
2212	* uap->fname File name to exec
2213	* uap->argp Argument list
2214	* uap->envp Environment list
2215	*
2216	* Returns: 0 Success
2217	* EINVAL Invalid argument
2218	* ENOTSUP Not supported
2219	* ENOEXEC Executable file format error
2220	* exec_activate_image:EINVAL Invalid argument
2221	* exec_activate_image:EACCES Permission denied
2222	* exec_activate_image:EINTR Interrupted function
2223	* exec_activate_image:ENOMEM Not enough space
2224	* exec_activate_image:EFAULT Bad address
2225	* exec_activate_image:ENAMETOOLONG Filename too long
2226	* exec_activate_image:ENOEXEC Executable file format error
2227	* exec_activate_image:ETXTBSY Text file busy [misuse of error code]
2228	* exec_activate_image:EBADEXEC The executable is corrupt/unknown
2229	* exec_activate_image:???
2230	* mac_execve_enter:???
2231	*
2232	* TODO: Expect to need __mac_posix_spawn() at some point...
2233	* Handle posix_spawnattr_t
2234	* Handle posix_spawn_file_actions_t
2235	*/
2236	int
2237	posix_spawn(proc_t ap, struct posix_spawn_args uap, int32_t retval)
2238	{
2239	proc_t p = ap; / quiet bogus GCC vfork() warning /
2240	user_addr_t pid = uap->pid;
2241	int ival[`2`]; / dummy retval for setpgid() /
2242	char *bufp = NULL;
2243	struct image_params *imgp;
2244	struct vnode_attr *vap;
2245	struct vnode_attr *origvap;
2246	struct uthread uthread = `0`; /* compiler complains if not set to 0/
2247	int error, sig;
2248	int is_64 = IS_64BIT_PROCESS(p);
2249	struct vfs_context context;
2250	struct user__posix_spawn_args_desc px_args;
2251	struct _posix_spawnattr px_sa;
2252	_posix_spawn_file_actions_t px_sfap = NULL;
2253	_posix_spawn_port_actions_t px_spap = NULL;
2254	struct __kern_sigaction vec;
2255	boolean_t spawn_no_exec = FALSE;
2256	boolean_t proc_transit_set = TRUE;
2257	boolean_t exec_done = FALSE;
2258	int portwatch_count = `0`;
2259	ipc_port_t * portwatch_ports = NULL;
2260	vm_size_t px_sa_offset = offsetof(struct _posix_spawnattr, psa_ports);
2261	task_t old_task = current_task();
2262	task_t new_task = NULL;
2263	boolean_t should_release_proc_ref = FALSE;
2264	void *inherit = NULL;
2265	#if CONFIG_PERSONAS
2266	struct _posix_spawn_persona_info *px_persona = NULL;
2267	#endif
2268
2269	/*
2270	* Allocate a big chunk for locals instead of using stack since these
2271	* structures are pretty big.
2272	*/
2273	MALLOC(bufp, char , (sizeof(imgp) + sizeof(vap) + sizeof(origvap)), M_TEMP, M_WAITOK \| M_ZERO);
2274	imgp = (struct image_params *) bufp;
2275	if (bufp == NULL) {
2276	error = ENOMEM;
2277	goto bad;
2278	}
2279	vap = (struct vnode_attr ) (bufp + sizeof(imgp));
2280	origvap = (struct vnode_attr ) (bufp + sizeof(imgp) + sizeof(*vap));
2281
2282	/ Initialize the common data in the image_params structure /
2283	imgp->ip_user_fname = uap->path;
2284	imgp->ip_user_argv = uap->argv;
2285	imgp->ip_user_envv = uap->envp;
2286	imgp->ip_vattr = vap;
2287	imgp->ip_origvattr = origvap;
2288	imgp->ip_vfs_context = &context;
2289	imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE);
2290	imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
2291	imgp->ip_mac_return = `0`;
2292	imgp->ip_px_persona = NULL;
2293	imgp->ip_cs_error = OS_REASON_NULL;
2294
2295	if (uap->adesc != USER_ADDR_NULL) {
2296	if(is_64) {
2297	error = copyin(uap->adesc, &px_args, sizeof(px_args));
2298	} else {
2299	struct user32__posix_spawn_args_desc px_args32;
2300
2301	error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
2302
2303	/*
2304	* Convert arguments descriptor from external 32 bit
2305	* representation to internal 64 bit representation
2306	*/
2307	px_args.attr_size = px_args32.attr_size;
2308	px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
2309	px_args.file_actions_size = px_args32.file_actions_size;
2310	px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
2311	px_args.port_actions_size = px_args32.port_actions_size;
2312	px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
2313	px_args.mac_extensions_size = px_args32.mac_extensions_size;
2314	px_args.mac_extensions = CAST_USER_ADDR_T(px_args32.mac_extensions);
2315	px_args.coal_info_size = px_args32.coal_info_size;
2316	px_args.coal_info = CAST_USER_ADDR_T(px_args32.coal_info);
2317	px_args.persona_info_size = px_args32.persona_info_size;
2318	px_args.persona_info = CAST_USER_ADDR_T(px_args32.persona_info);
2319	}
2320	if (error)
2321	goto bad;
2322
2323	if (px_args.attr_size != `0`) {
2324	/*
2325	* We are not copying the port_actions pointer,
2326	* because we already have it from px_args.
2327	* This is a bit fragile: <rdar://problem/16427422>
2328	*/
2329
2330	if ((error = copyin(px_args.attrp, &px_sa, px_sa_offset)) != `0`) {
2331	goto bad;
2332	}
2333
2334	bzero( (void )( (unsigned* long) &px_sa + px_sa_offset), sizeof(px_sa) - px_sa_offset );
2335
2336	imgp->ip_px_sa = &px_sa;
2337	}
2338	if (px_args.file_actions_size != `0`) {
2339	/ Limit file_actions to allowed number of open files /
2340	int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
2341	size_t maxfa_size = PSF_ACTIONS_SIZE(maxfa);
2342	if (px_args.file_actions_size < PSF_ACTIONS_SIZE(`1`) \|\|
2343	maxfa_size == `0` \|\| px_args.file_actions_size > maxfa_size) {
2344	error = EINVAL;
2345	goto bad;
2346	}
2347	MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
2348	if (px_sfap == NULL) {
2349	error = ENOMEM;
2350	goto bad;
2351	}
2352	imgp->ip_px_sfa = px_sfap;
2353
2354	if ((error = copyin(px_args.file_actions, px_sfap,
2355	px_args.file_actions_size)) != `0`)
2356	goto bad;
2357
2358	/ Verify that the action count matches the struct size /
2359	size_t psfsize = PSF_ACTIONS_SIZE(px_sfap->psfa_act_count);
2360	if (psfsize == `0` \|\| psfsize != px_args.file_actions_size) {
2361	error = EINVAL;
2362	goto bad;
2363	}
2364	}
2365	if (px_args.port_actions_size != `0`) {
2366	/ Limit port_actions to one page of data /
2367	if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(`1`) \|\|
2368	px_args.port_actions_size > PAGE_SIZE) {
2369	error = EINVAL;
2370	goto bad;
2371	}
2372
2373	MALLOC(px_spap, _posix_spawn_port_actions_t,
2374	px_args.port_actions_size, M_TEMP, M_WAITOK);
2375	if (px_spap == NULL) {
2376	error = ENOMEM;
2377	goto bad;
2378	}
2379	imgp->ip_px_spa = px_spap;
2380
2381	if ((error = copyin(px_args.port_actions, px_spap,
2382	px_args.port_actions_size)) != `0`)
2383	goto bad;
2384
2385	/ Verify that the action count matches the struct size /
2386	size_t pasize = PS_PORT_ACTIONS_SIZE(px_spap->pspa_count);
2387	if (pasize == `0` \|\| pasize != px_args.port_actions_size) {
2388	error = EINVAL;
2389	goto bad;
2390	}
2391	}
2392	#if CONFIG_PERSONAS
2393	/ copy in the persona info /
2394	if (px_args.persona_info_size != `0` && px_args.persona_info != `0`) {
2395	/ for now, we need the exact same struct in user space /
2396	if (px_args.persona_info_size != sizeof(*px_persona)) {
2397	error = ERANGE;
2398	goto bad;
2399	}
2400
2401	MALLOC(px_persona, struct _posix_spawn_persona_info *, px_args.persona_info_size, M_TEMP, M_WAITOK\|M_ZERO);
2402	if (px_persona == NULL) {
2403	error = ENOMEM;
2404	goto bad;
2405	}
2406	imgp->ip_px_persona = px_persona;
2407
2408	if ((error = copyin(px_args.persona_info, px_persona,
2409	px_args.persona_info_size)) != `0`)
2410	goto bad;
2411	if ((error = spawn_validate_persona(px_persona)) != `0`)
2412	goto bad;
2413	}
2414	#endif
2415	#if CONFIG_MACF
2416	if (px_args.mac_extensions_size != `0`) {
2417	if ((error = spawn_copyin_macpolicyinfo(&px_args, (_posix_spawn_mac_policy_extensions_t *)&imgp->ip_px_smpx)) != `0`)
2418	goto bad;
2419	}
2420	#endif /* CONFIG_MACF */
2421	}
2422
2423	/ set uthread to parent /
2424	uthread = get_bsdthread_info(current_thread());
2425
2426	/*
2427	* <rdar://6640530>; this does not result in a behaviour change
2428	* relative to Leopard, so there should not be any existing code
2429	* which depends on it.
2430	*/
2431	if (uthread->uu_flag & UT_VFORK) {
2432	error = EINVAL;
2433	goto bad;
2434	}
2435
2436	/*
2437	* If we don't have the extension flag that turns "posix_spawn()"
2438	* into "execve() with options", then we will be creating a new
2439	* process which does not inherit memory from the parent process,
2440	* which is one of the most expensive things about using fork()
2441	* and execve().
2442	*/
2443	if (imgp->ip_px_sa == NULL \|\| !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){
2444
2445	/ Set the new task's coalition, if it is requested. /
2446	coalition_t coal[COALITION_NUM_TYPES] = { COALITION_NULL };
2447	#if CONFIG_COALITIONS
2448	int i, ncoals;
2449	kern_return_t kr = KERN_SUCCESS;
2450	struct _posix_spawn_coalition_info coal_info;
2451	int coal_role[COALITION_NUM_TYPES];
2452
2453	if (imgp->ip_px_sa == NULL \|\| !px_args.coal_info)
2454	goto do_fork1;
2455
2456	memset(&coal_info, `0`, sizeof(coal_info));
2457
2458	if (px_args.coal_info_size > sizeof(coal_info))
2459	px_args.coal_info_size = sizeof(coal_info);
2460	error = copyin(px_args.coal_info,
2461	&coal_info, px_args.coal_info_size);
2462	if (error != `0`)
2463	goto bad;
2464
2465	ncoals = `0`;
2466	for (i = `0`; i < COALITION_NUM_TYPES; i++) {
2467	uint64_t cid = coal_info.psci_info[i].psci_id;
2468	if (cid != `0`) {
2469	/*
2470	* don't allow tasks which are not in a
2471	* privileged coalition to spawn processes
2472	* into coalitions other than their own
2473	*/
2474	if (!task_is_in_privileged_coalition(p->task, i)) {
2475	coal_dbg("ERROR: %d not in privilegd "
2476	"coalition of type %d",
2477	p->p_pid, i);
2478	spawn_coalitions_release_all(coal);
2479	error = EPERM;
2480	goto bad;
2481	}
2482
2483	coal_dbg("searching for coalition id:%llu", cid);
2484	/*
2485	* take a reference and activation on the
2486	* coalition to guard against free-while-spawn
2487	* races
2488	*/
2489	coal[i] = coalition_find_and_activate_by_id(cid);
2490	if (coal[i] == COALITION_NULL) {
2491	coal_dbg("could not find coalition id:%llu "
2492	"(perhaps it has been terminated or reaped)", cid);
2493	/*
2494	* release any other coalition's we
2495	* may have a reference to
2496	*/
2497	spawn_coalitions_release_all(coal);
2498	error = ESRCH;
2499	goto bad;
2500	}
2501	if (coalition_type(coal[i]) != i) {
2502	coal_dbg("coalition with id:%lld is not of type:%d"
2503	" (it's type:%d)", cid, i, coalition_type(coal[i]));
2504	error = ESRCH;
2505	goto bad;
2506	}
2507	coal_role[i] = coal_info.psci_info[i].psci_role;
2508	ncoals++;
2509	}
2510	}
2511	if (ncoals < COALITION_NUM_TYPES) {
2512	/*
2513	* If the user is attempting to spawn into a subset of
2514	* the known coalition types, then make sure they have
2515	* _at_least_ specified a resource coalition. If not,
2516	* the following fork1() call will implicitly force an
2517	* inheritance from 'p' and won't actually spawn the
2518	* new task into the coalitions the user specified.
2519	* (also the call to coalitions_set_roles will panic)
2520	*/
2521	if (coal[COALITION_TYPE_RESOURCE] == COALITION_NULL) {
2522	spawn_coalitions_release_all(coal);
2523	error = EINVAL;
2524	goto bad;
2525	}
2526	}
2527	do_fork1:
2528	#endif /* CONFIG_COALITIONS */
2529
2530	/*
2531	* note that this will implicitly inherit the
2532	* caller's persona (if it exists)
2533	*/
2534	error = fork1(p, &imgp->ip_new_thread, PROC_CREATE_SPAWN, coal);
2535	/ returns a thread and task reference /
2536
2537	if (error == `0`) {
2538	new_task = get_threadtask(imgp->ip_new_thread);
2539	}
2540	#if CONFIG_COALITIONS
2541	/ set the roles of this task within each given coalition /
2542	if (error == `0`) {
2543	kr = coalitions_set_roles(coal, new_task, coal_role);
2544	if (kr != KERN_SUCCESS)
2545	error = EINVAL;
2546	if (kdebug_debugid_enabled(MACHDBG_CODE(DBG_MACH_COALITION,
2547	MACH_COALITION_ADOPT))) {
2548	for (i = `0`; i < COALITION_NUM_TYPES; i++) {
2549	if (coal[i] != COALITION_NULL) {
2550	/*
2551	* On 32-bit targets, uniqueid
2552	* will get truncated to 32 bits
2553	*/
2554	KDBG_RELEASE(MACHDBG_CODE(
2555	DBG_MACH_COALITION,
2556	MACH_COALITION_ADOPT),
2557	coalition_id(coal[i]),
2558	get_task_uniqueid(new_task));
2559	}
2560	}
2561	}
2562	}
2563
2564	/ drop our references and activations - fork1() now holds them /
2565	spawn_coalitions_release_all(coal);
2566	#endif /* CONFIG_COALITIONS */
2567	if (error != `0`) {
2568	goto bad;
2569	}
2570	imgp->ip_flags \|= IMGPF_SPAWN; / spawn w/o exec /
2571	spawn_no_exec = TRUE; / used in later tests /
2572
2573	#if CONFIG_PERSONAS
2574	/*
2575	* If the parent isn't in a persona (launchd), and
2576	* hasn't specified a new persona for the process,
2577	* then we'll put the process into the system persona
2578	*
2579	* TODO: this will have to be re-worked because as of
2580	* now, without any launchd adoption, the resulting
2581	* xpcproxy process will not have sufficient
2582	* privileges to setuid/gid.
2583	*/
2584	#if 0
2585	if (!proc_has_persona(p) && imgp->ip_px_persona == NULL) {
2586	MALLOC(px_persona, struct _posix_spawn_persona_info *,
2587	sizeof(*px_persona), M_TEMP, M_WAITOK\|M_ZERO);
2588	if (px_persona == NULL) {
2589	error = ENOMEM;
2590	goto bad;
2591	}
2592	px_persona->pspi_id = persona_get_id(g_system_persona);
2593	imgp->ip_px_persona = px_persona;
2594	}
2595	#endif /* 0 */
2596	#endif /* CONFIG_PERSONAS */
2597	} else {
2598	/*
2599	* For execve case, create a new task and thread
2600	* which points to current_proc. The current_proc will point
2601	* to the new task after image activation and proc ref drain.
2602	*
2603	* proc (current_proc) <----- old_task (current_task)
2604	* ^ \| ^
2605	* \| \| \|
2606	* \| ----------------------------------
2607	* \|
2608	* --------- new_task (task marked as TF_EXEC_COPY)
2609	*
2610	* After image activation, the proc will point to the new task
2611	* and would look like following.
2612	*
2613	* proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
2614	* ^ \|
2615	* \| \|
2616	* \| ----------> new_task
2617	* \| \|
2618	* -----------------
2619	*
2620	* During exec any transition from new_task -> proc is fine, but don't allow
2621	* transition from proc->task, since it will modify old_task.
2622	*/
2623	imgp->ip_new_thread = fork_create_child(old_task,
2624	NULL,
2625	p,
2626	FALSE,
2627	p->p_flag & P_LP64,
2628	task_get_64bit_data(old_task),
2629	TRUE);
2630	/ task and thread ref returned by fork_create_child /
2631	if (imgp->ip_new_thread == NULL) {
2632	error = ENOMEM;
2633	goto bad;
2634	}
2635
2636	new_task = get_threadtask(imgp->ip_new_thread);
2637	imgp->ip_flags \|= IMGPF_EXEC;
2638	}
2639
2640	if (spawn_no_exec) {
2641	p = (proc_t)get_bsdthreadtask_info(imgp->ip_new_thread);
2642
2643	/*
2644	* We had to wait until this point before firing the
2645	* proc:::create probe, otherwise p would not point to the
2646	* child process.
2647	*/
2648	DTRACE_PROC1(create, proc_t, p);
2649	}
2650	assert(p != NULL);
2651
2652	context.vc_thread = imgp->ip_new_thread;
2653	context.vc_ucred = p->p_ucred; / XXX must NOT be kauth_cred_get() /
2654
2655	/*
2656	* Post fdcopy(), pre exec_handle_sugid() - this is where we want
2657	* to handle the file_actions. Since vfork() also ends up setting
2658	* us into the parent process group, and saved off the signal flags,
2659	* this is also where we want to handle the spawn flags.
2660	*/
2661
2662	/ Has spawn file actions? /
2663	if (imgp->ip_px_sfa != NULL) {
2664	/*
2665	* The POSIX_SPAWN_CLOEXEC_DEFAULT flag
2666	* is handled in exec_handle_file_actions().
2667	*/
2668	if ((error = exec_handle_file_actions(imgp,
2669	imgp->ip_px_sa != NULL ? px_sa.psa_flags : `0`)) != `0`)
2670	goto bad;
2671	}
2672
2673	/ Has spawn port actions? /
2674	if (imgp->ip_px_spa != NULL) {
2675	boolean_t is_adaptive = FALSE;
2676	boolean_t portwatch_present = FALSE;
2677
2678	/ Will this process become adaptive? The apptype isn't ready yet, so we can't look there. /
2679	if (imgp->ip_px_sa != NULL && px_sa.psa_apptype == POSIX_SPAWN_PROC_TYPE_DAEMON_ADAPTIVE)
2680	is_adaptive = TRUE;
2681
2682	/*
2683	* portwatch only:
2684	* Allocate a place to store the ports we want to bind to the new task
2685	* We can't bind them until after the apptype is set.
2686	*/
2687	if (px_spap->pspa_count != `0` && is_adaptive) {
2688	portwatch_count = px_spap->pspa_count;
2689	MALLOC(portwatch_ports, ipc_port_t , (sizeof(ipc_port_t) portwatch_count), M_TEMP, M_WAITOK \| M_ZERO);
2690	} else {
2691	portwatch_ports = NULL;
2692	}
2693
2694	if ((error = exec_handle_port_actions(imgp, &portwatch_present, portwatch_ports)) != `0`)
2695	goto bad;
2696
2697	if (portwatch_present == FALSE && portwatch_ports != NULL) {
2698	FREE(portwatch_ports, M_TEMP);
2699	portwatch_ports = NULL;
2700	portwatch_count = `0`;
2701	}
2702	}
2703
2704	/ Has spawn attr? /
2705	if (imgp->ip_px_sa != NULL) {
2706	/*
2707	* Set the process group ID of the child process; this has
2708	* to happen before the image activation.
2709	*/
2710	if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
2711	struct setpgid_args spga;
2712	spga.pid = p->p_pid;
2713	spga.pgid = px_sa.psa_pgroup;
2714	/*
2715	* Effectively, call setpgid() system call; works
2716	* because there are no pointer arguments.
2717	*/
2718	if((error = setpgid(p, &spga, ival)) != `0`)
2719	goto bad;
2720	}
2721
2722	/*
2723	* Reset UID/GID to parent's RUID/RGID; This works only
2724	* because the operation occurs after the vfork() and
2725	* before the call to exec_handle_sugid() by the image
2726	* activator called from exec_activate_image(). POSIX
2727	* requires that any setuid/setgid bits on the process
2728	* image will take precedence over the spawn attributes
2729	* (re)setting them.
2730	*
2731	* Modifications to p_ucred must be guarded using the
2732	* proc's ucred lock. This prevents others from accessing
2733	* a garbage credential.
2734	*/
2735	while (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
2736	kauth_cred_t my_cred = kauth_cred_proc_ref(p);
2737	kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, kauth_cred_getruid(my_cred), kauth_cred_getrgid(my_cred));
2738
2739	if (my_cred == my_new_cred) {
2740	kauth_cred_unref(&my_cred);
2741	break;
2742	}
2743
2744	/ update cred on proc /
2745	proc_ucred_lock(p);
2746
2747	if (p->p_ucred != my_cred) {
2748	proc_ucred_unlock(p);
2749	kauth_cred_unref(&my_new_cred);
2750	continue;
2751	}
2752
2753	/ donate cred reference on my_new_cred to p->p_ucred /
2754	p->p_ucred = my_new_cred;
2755	PROC_UPDATE_CREDS_ONPROC(p);
2756	proc_ucred_unlock(p);
2757
2758	/ drop additional reference that was taken on the previous cred /
2759	kauth_cred_unref(&my_cred);
2760	}
2761
2762	#if CONFIG_PERSONAS
2763	if (spawn_no_exec && imgp->ip_px_persona != NULL) {
2764	/*
2765	* If we were asked to spawn a process into a new persona,
2766	* do the credential switch now (which may override the UID/GID
2767	* inherit done just above). It's important to do this switch
2768	* before image activation both for reasons stated above, and
2769	* to ensure that the new persona has access to the image/file
2770	* being executed.
2771	*/
2772	error = spawn_persona_adopt(p, imgp->ip_px_persona);
2773	if (error != `0`)
2774	goto bad;
2775	}
2776	#endif /* CONFIG_PERSONAS */
2777	#if !SECURE_KERNEL
2778	/*
2779	* Disable ASLR for the spawned process.
2780	*
2781	* But only do so if we are not embedded + RELEASE.
2782	* While embedded allows for a boot-arg (-disable_aslr)
2783	* to deal with this (which itself is only honored on
2784	* DEVELOPMENT or DEBUG builds of xnu), it is often
2785	* useful or necessary to disable ASLR on a per-process
2786	* basis for unit testing and debugging.
2787	*/
2788	if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR)
2789	OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
2790	#endif /* !SECURE_KERNEL */
2791
2792	/ Randomize high bits of ASLR slide /
2793	if (px_sa.psa_flags & _POSIX_SPAWN_HIGH_BITS_ASLR)
2794	imgp->ip_flags \|= IMGPF_HIGH_BITS_ASLR;
2795
2796	/*
2797	* Forcibly disallow execution from data pages for the spawned process
2798	* even if it would otherwise be permitted by the architecture default.
2799	*/
2800	if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC)
2801	imgp->ip_flags \|= IMGPF_ALLOW_DATA_EXEC;
2802	}
2803
2804	/*
2805	* Disable ASLR during image activation. This occurs either if the
2806	* _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
2807	* P_DISABLE_ASLR was inherited from the parent process.
2808	*/
2809	if (p->p_flag & P_DISABLE_ASLR)
2810	imgp->ip_flags \|= IMGPF_DISABLE_ASLR;
2811
2812	/*
2813	* Clear transition flag so we won't hang if exec_activate_image() causes
2814	* an automount (and launchd does a proc sysctl to service it).
2815	*
2816	* <rdar://problem/6848672>, <rdar://problem/5959568>.
2817	*/
2818	if (spawn_no_exec) {
2819	proc_transend(p, `0`);
2820	proc_transit_set = `0`;
2821	}
2822
2823	#if MAC_SPAWN /* XXX */
2824	if (uap->mac_p != USER_ADDR_NULL) {
2825	error = mac_execve_enter(uap->mac_p, imgp);
2826	if (error)
2827	goto bad;
2828	}
2829	#endif
2830
2831	/*
2832	* Activate the image
2833	*/
2834	error = exec_activate_image(imgp);
2835
2836	if (error == `0` && !spawn_no_exec) {
2837	p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
2838	/ proc ref returned /
2839	should_release_proc_ref = TRUE;
2840
2841	/*
2842	* Need to transfer pending watch port boosts to the new task while still making
2843	* sure that the old task remains in the importance linkage. Create an importance
2844	* linkage from old task to new task, then switch the task importance base
2845	* of old task and new task. After the switch the port watch boost will be
2846	* boosting the new task and new task will be donating importance to old task.
2847	*/
2848	inherit = ipc_importance_exec_switch_task(old_task, new_task);
2849	}
2850
2851	if (error == `0`) {
2852	/ process completed the exec /
2853	exec_done = TRUE;
2854	} else if (error == -`1`) {
2855	/ Image not claimed by any activator? /
2856	error = ENOEXEC;
2857	}
2858
2859	/*
2860	* If we have a spawn attr, and it contains signal related flags,
2861	* the we need to process them in the "context" of the new child
2862	* process, so we have to process it following image activation,
2863	* prior to making the thread runnable in user space. This is
2864	* necessitated by some signal information being per-thread rather
2865	* than per-process, and we don't have the new allocation in hand
2866	* until after the image is activated.
2867	*/
2868	if (!error && imgp->ip_px_sa != NULL) {
2869	thread_t child_thread = imgp->ip_new_thread;
2870	uthread_t child_uthread = get_bsdthread_info(child_thread);
2871
2872	/*
2873	* Mask a list of signals, instead of them being unmasked, if
2874	* they were unmasked in the parent; note that some signals
2875	* are not maskable.
2876	*/
2877	if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK)
2878	child_uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
2879	/*
2880	* Default a list of signals instead of ignoring them, if
2881	* they were ignored in the parent. Note that we pass
2882	* spawn_no_exec to setsigvec() to indicate that we called
2883	* fork1() and therefore do not need to call proc_signalstart()
2884	* internally.
2885	*/
2886	if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
2887	vec.sa_handler = SIG_DFL;
2888	vec.sa_tramp = `0`;
2889	vec.sa_mask = `0`;
2890	vec.sa_flags = `0`;
2891	for (sig = `1`; sig < NSIG; sig++)
2892	if (px_sa.psa_sigdefault & (`1` << (sig-`1`))) {
2893	error = setsigvec(p, child_thread, sig, &vec, spawn_no_exec);
2894	}
2895	}
2896
2897	/*
2898	* Activate the CPU usage monitor, if requested. This is done via a task-wide, per-thread CPU
2899	* usage limit, which will generate a resource exceeded exception if any one thread exceeds the
2900	* limit.
2901	*
2902	* Userland gives us interval in seconds, and the kernel SPI expects nanoseconds.
2903	*/
2904	if (px_sa.psa_cpumonitor_percent != `0`) {
2905	/*
2906	* Always treat a CPU monitor activation coming from spawn as entitled. Requiring
2907	* an entitlement to configure the monitor a certain way seems silly, since
2908	* whomever is turning it on could just as easily choose not to do so.
2909	*/
2910	error = proc_set_task_ruse_cpu(p->task,
2911	TASK_POLICY_RESOURCE_ATTRIBUTE_NOTIFY_EXC,
2912	px_sa.psa_cpumonitor_percent,
2913	px_sa.psa_cpumonitor_interval * NSEC_PER_SEC,
2914	`0`, TRUE);
2915	}
2916	}
2917
2918	bad:
2919
2920	if (error == `0`) {
2921	/ reset delay idle sleep status if set /
2922	#if !CONFIG_EMBEDDED
2923	if ((p->p_flag & P_DELAYIDLESLEEP) == P_DELAYIDLESLEEP)
2924	OSBitAndAtomic(~((uint32_t)P_DELAYIDLESLEEP), &p->p_flag);
2925	#endif /* !CONFIG_EMBEDDED */
2926	/ upon successful spawn, re/set the proc control state /
2927	if (imgp->ip_px_sa != NULL) {
2928	switch (px_sa.psa_pcontrol) {
2929	case POSIX_SPAWN_PCONTROL_THROTTLE:
2930	p->p_pcaction = P_PCTHROTTLE;
2931	break;
2932	case POSIX_SPAWN_PCONTROL_SUSPEND:
2933	p->p_pcaction = P_PCSUSP;
2934	break;
2935	case POSIX_SPAWN_PCONTROL_KILL:
2936	p->p_pcaction = P_PCKILL;
2937	break;
2938	case POSIX_SPAWN_PCONTROL_NONE:
2939	default:
2940	p->p_pcaction = `0`;
2941	break;
2942	};
2943	}
2944	exec_resettextvp(p, imgp);
2945
2946	#if CONFIG_MEMORYSTATUS
2947	/ Has jetsam attributes? /
2948	if (imgp->ip_px_sa != NULL && (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_SET)) {
2949	/*
2950	* With 2-level high-water-mark support, POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is no
2951	* longer relevant, as background limits are described via the inactive limit slots.
2952	*
2953	* That said, however, if the POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND is passed in,
2954	* we attempt to mimic previous behavior by forcing the BG limit data into the
2955	* inactive/non-fatal mode and force the active slots to hold system_wide/fatal mode.
2956	*/
2957	if (px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_HIWATER_BACKGROUND) {
2958	memorystatus_update(p, px_sa.psa_priority, `0`,
2959	(px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
2960	TRUE,
2961	-`1`, TRUE,
2962	px_sa.psa_memlimit_inactive, FALSE);
2963	} else {
2964	memorystatus_update(p, px_sa.psa_priority, `0`,
2965	(px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_USE_EFFECTIVE_PRIORITY),
2966	TRUE,
2967	px_sa.psa_memlimit_active,
2968	(px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_ACTIVE_FATAL),
2969	px_sa.psa_memlimit_inactive,
2970	(px_sa.psa_jetsam_flags & POSIX_SPAWN_JETSAM_MEMLIMIT_INACTIVE_FATAL));
2971	}
2972
2973	}
2974	#endif /* CONFIG_MEMORYSTATUS */
2975	if (imgp->ip_px_sa != NULL && px_sa.psa_thread_limit > `0`) {
2976	task_set_thread_limit(new_task, (uint16_t)px_sa.psa_thread_limit);
2977	}
2978	}
2979
2980	/*
2981	* If we successfully called fork1(), we always need to do this;
2982	* we identify this case by noting the IMGPF_SPAWN flag. This is
2983	* because we come back from that call with signals blocked in the
2984	* child, and we have to unblock them, but we want to wait until
2985	* after we've performed any spawn actions. This has to happen
2986	* before check_for_signature(), which uses psignal.
2987	*/
2988	if (spawn_no_exec) {
2989	if (proc_transit_set)
2990	proc_transend(p, `0`);
2991
2992	/*
2993	* Drop the signal lock on the child which was taken on our
2994	* behalf by forkproc()/cloneproc() to prevent signals being
2995	* received by the child in a partially constructed state.
2996	*/
2997	proc_signalend(p, `0`);
2998
2999	/ flag the 'fork' has occurred /
3000	proc_knote(p->p_pptr, NOTE_FORK \| p->p_pid);
3001	}
3002
3003	/ flag exec has occurred, notify only if it has not failed due to FP Key error /
3004	if (!error && ((p->p_lflag & P_LTERM_DECRYPTFAIL) == `0`))
3005	proc_knote(p, NOTE_EXEC);
3006
3007
3008	if (error == `0`) {
3009	/*
3010	* We need to initialize the bank context behind the protection of
3011	* the proc_trans lock to prevent a race with exit. We can't do this during
3012	* exec_activate_image because task_bank_init checks entitlements that
3013	* aren't loaded until subsequent calls (including exec_resettextvp).
3014	*/
3015	error = proc_transstart(p, `0`, `0`);
3016
3017	if (error == `0`) {
3018	task_bank_init(new_task);
3019	proc_transend(p, `0`);
3020	}
3021	}
3022
3023	/ Inherit task role from old task to new task for exec /
3024	if (error == `0` && !spawn_no_exec) {
3025	proc_inherit_task_role(new_task, old_task);
3026	}
3027
3028	/*
3029	* Apply the spawnattr policy, apptype (which primes the task for importance donation),
3030	* and bind any portwatch ports to the new task.
3031	* This must be done after the exec so that the child's thread is ready,
3032	* and after the in transit state has been released, because priority is
3033	* dropped here so we need to be prepared for a potentially long preemption interval
3034	*
3035	* TODO: Consider splitting this up into separate phases
3036	*/
3037	if (error == `0` && imgp->ip_px_sa != NULL) {
3038	struct _posix_spawnattr psa = (struct* _posix_spawnattr *) imgp->ip_px_sa;
3039
3040	exec_handle_spawnattr_policy(p, psa->psa_apptype, psa->psa_qos_clamp, psa->psa_darwin_role,
3041	portwatch_ports, portwatch_count);
3042	}
3043
3044	/*
3045	* Apply the requested maximum address.
3046	*/
3047	if (error == `0` && imgp->ip_px_sa != NULL) {
3048	struct _posix_spawnattr psa = (struct* _posix_spawnattr *) imgp->ip_px_sa;
3049
3050	if (psa->psa_max_addr) {
3051	vm_map_set_max_addr(get_task_map(new_task), psa->psa_max_addr);
3052	}
3053	}
3054
3055	if (error == `0`) {
3056	/ Apply the main thread qos /
3057	thread_t main_thread = imgp->ip_new_thread;
3058	task_set_main_thread_qos(new_task, main_thread);
3059
3060	#if CONFIG_MACF
3061	/*
3062	* Processes with the MAP_JIT entitlement are permitted to have
3063	* a jumbo-size map.
3064	*/
3065	if (mac_proc_check_map_anon(p, `0`, `0`, `0`, MAP_JIT, NULL) == `0`) {
3066	vm_map_set_jumbo(get_task_map(new_task));
3067	}
3068	#endif /* CONFIG_MACF */
3069	}
3070
3071	/*
3072	* Release any ports we kept around for binding to the new task
3073	* We need to release the rights even if the posix_spawn has failed.
3074	*/
3075	if (portwatch_ports != NULL) {
3076	for (int i = `0`; i < portwatch_count; i++) {
3077	ipc_port_t port = NULL;
3078	if ((port = portwatch_ports[i]) != NULL) {
3079	ipc_port_release_send(port);
3080	}
3081	}
3082	FREE(portwatch_ports, M_TEMP);
3083	portwatch_ports = NULL;
3084	portwatch_count = `0`;
3085	}
3086
3087	/*
3088	* We have to delay operations which might throw a signal until after
3089	* the signals have been unblocked; however, we want that to happen
3090	* after exec_resettextvp() so that the textvp is correct when they
3091	* fire.
3092	*/
3093	if (error == `0`) {
3094	error = check_for_signature(p, imgp);
3095
3096	/*
3097	* Pay for our earlier safety; deliver the delayed signals from
3098	* the incomplete spawn process now that it's complete.
3099	*/
3100	if (imgp != NULL && spawn_no_exec && (p->p_lflag & P_LTRACED)) {
3101	psignal_vfork(p, p->task, imgp->ip_new_thread, SIGTRAP);
3102	}
3103
3104	if (error == `0` && !spawn_no_exec)
3105	KDBG(BSDDBG_CODE(DBG_BSD_PROC,BSD_PROC_EXEC),
3106	p->p_pid);
3107	}
3108
3109
3110	if (imgp != NULL) {
3111	if (imgp->ip_vp)
3112	vnode_put(imgp->ip_vp);
3113	if (imgp->ip_scriptvp)
3114	vnode_put(imgp->ip_scriptvp);
3115	if (imgp->ip_strings)
3116	execargs_free(imgp);
3117	if (imgp->ip_px_sfa != NULL)
3118	FREE(imgp->ip_px_sfa, M_TEMP);
3119	if (imgp->ip_px_spa != NULL)
3120	FREE(imgp->ip_px_spa, M_TEMP);
3121	#if CONFIG_PERSONAS
3122	if (imgp->ip_px_persona != NULL)
3123	FREE(imgp->ip_px_persona, M_TEMP);
3124	#endif
3125	#if CONFIG_MACF
3126	if (imgp->ip_px_smpx != NULL)
3127	spawn_free_macpolicyinfo(imgp->ip_px_smpx);
3128	if (imgp->ip_execlabelp)
3129	mac_cred_label_free(imgp->ip_execlabelp);
3130	if (imgp->ip_scriptlabelp)
3131	mac_vnode_label_free(imgp->ip_scriptlabelp);
3132	if (imgp->ip_cs_error != OS_REASON_NULL) {
3133	os_reason_free(imgp->ip_cs_error);
3134	imgp->ip_cs_error = OS_REASON_NULL;
3135	}
3136	#endif
3137	}
3138
3139	#if CONFIG_DTRACE
3140	if (spawn_no_exec) {
3141	/*
3142	* In the original DTrace reference implementation,
3143	* posix_spawn() was a libc routine that just
3144	* did vfork(2) then exec(2). Thus the proc::: probes
3145	* are very fork/exec oriented. The details of this
3146	* in-kernel implementation of posix_spawn() is different
3147	* (while producing the same process-observable effects)
3148	* particularly w.r.t. errors, and which thread/process
3149	* is constructing what on behalf of whom.
3150	*/
3151	if (error) {
3152	DTRACE_PROC1(spawn__failure, int, error);
3153	} else {
3154	DTRACE_PROC(spawn__success);
3155	/*
3156	* Some DTrace scripts, e.g. newproc.d in
3157	* /usr/bin, rely on the the 'exec-success'
3158	* probe being fired in the child after the
3159	* new process image has been constructed
3160	* in order to determine the associated pid.
3161	*
3162	* So, even though the parent built the image
3163	* here, for compatibility, mark the new thread
3164	* so 'exec-success' fires on it as it leaves
3165	* the kernel.
3166	*/
3167	dtrace_thread_didexec(imgp->ip_new_thread);
3168	}
3169	} else {
3170	if (error) {
3171	DTRACE_PROC1(exec__failure, int, error);
3172	} else {
3173	dtrace_thread_didexec(imgp->ip_new_thread);
3174	}
3175	}
3176
3177	if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL) {
3178	(*dtrace_proc_waitfor_hook)(p);
3179	}
3180	#endif
3181
3182	#if CONFIG_AUDIT
3183	if (!error && AUDIT_ENABLED() && p) {
3184	/ Add the CDHash of the new process to the audit record /
3185	uint8_t *cdhash = cs_get_cdhash(p);
3186	if (cdhash) {
3187	AUDIT_ARG(data, cdhash, sizeof(uint8_t), CS_CDHASH_LEN);
3188	}
3189	}
3190	#endif
3191
3192	/*
3193	* clear bsd_info from old task if it did exec.
3194	*/
3195	if (task_did_exec(old_task)) {
3196	set_bsdtask_info(old_task, NULL);
3197	}
3198
3199	/ clear bsd_info from new task and terminate it if exec failed /
3200	if (new_task != NULL && task_is_exec_copy(new_task)) {
3201	set_bsdtask_info(new_task, NULL);
3202	task_terminate_internal(new_task);
3203	}
3204
3205	/ Return to both the parent and the child? /
3206	if (imgp != NULL && spawn_no_exec) {
3207	/*
3208	* If the parent wants the pid, copy it out
3209	*/
3210	if (pid != USER_ADDR_NULL)
3211	(void)suword(pid, p->p_pid);
3212	retval[`0`] = error;
3213
3214	/*
3215	* If we had an error, perform an internal reap ; this is
3216	* entirely safe, as we have a real process backing us.
3217	*/
3218	if (error) {
3219	proc_list_lock();
3220	p->p_listflag \|= P_LIST_DEADPARENT;
3221	proc_list_unlock();
3222	proc_lock(p);
3223	/ make sure no one else has killed it off... /
3224	if (p->p_stat != SZOMB && p->exit_thread == NULL) {
3225	p->exit_thread = current_thread();
3226	proc_unlock(p);
3227	exit1(p, `1`, (int *)NULL);
3228	} else {
3229	/ someone is doing it for us; just skip it /
3230	proc_unlock(p);
3231	}
3232	}
3233	}
3234
3235	/*
3236	* Do not terminate the current task, if proc_exec_switch_task did not
3237	* switch the tasks, terminating the current task without the switch would
3238	* result in loosing the SIGKILL status.
3239	*/
3240	if (task_did_exec(old_task)) {
3241	/ Terminate the current task, since exec will start in new task /
3242	task_terminate_internal(old_task);
3243	}
3244
3245	/ Release the thread ref returned by fork_create_child/fork1 /
3246	if (imgp != NULL && imgp->ip_new_thread) {
3247	/ wake up the new thread /
3248	task_clear_return_wait(get_threadtask(imgp->ip_new_thread));
3249	thread_deallocate(imgp->ip_new_thread);
3250	imgp->ip_new_thread = NULL;
3251	}
3252
3253	/ Release the ref returned by fork_create_child/fork1 /
3254	if (new_task) {
3255	task_deallocate(new_task);
3256	new_task = NULL;
3257	}
3258
3259	if (should_release_proc_ref) {
3260	proc_rele(p);
3261	}
3262
3263	if (bufp != NULL) {
3264	FREE(bufp, M_TEMP);
3265	}
3266
3267	if (inherit != NULL) {
3268	ipc_importance_release(inherit);
3269	}
3270
3271	return(error);
3272	}
3273
3274	/*
3275	* proc_exec_switch_task
3276	*
3277	* Parameters: p proc
3278	* old_task task before exec
3279	* new_task task after exec
3280	* new_thread thread in new task
3281	*
3282	* Returns: proc.
3283	*
3284	* Note: The function will switch the task pointer of proc
3285	* from old task to new task. The switch needs to happen
3286	* after draining all proc refs and inside a proc translock.
3287	* In the case of failure to switch the task, which might happen
3288	* if the process received a SIGKILL or jetsam killed it, it will make
3289	* sure that the new tasks terminates. User proc ref returned
3290	* to caller.
3291	*
3292	* This function is called after point of no return, in the case
3293	* failure to switch, it will terminate the new task and swallow the
3294	* error and let the terminated process complete exec and die.
3295	*/
3296	proc_t
3297	proc_exec_switch_task(proc_t p, task_t old_task, task_t new_task, thread_t new_thread)
3298	{
3299	int error = `0`;
3300	boolean_t task_active;
3301	boolean_t proc_active;
3302	boolean_t thread_active;
3303	thread_t old_thread = current_thread();
3304
3305	/*
3306	* Switch the task pointer of proc to new task.
3307	* Before switching the task, wait for proc_refdrain.
3308	* After the switch happens, the proc can disappear,
3309	* take a ref before it disappears. Waiting for
3310	* proc_refdrain in exec will block all other threads
3311	* trying to take a proc ref, boost the current thread
3312	* to avoid priority inversion.
3313	*/
3314	thread_set_exec_promotion(old_thread);
3315	p = proc_refdrain_with_refwait(p, TRUE);
3316	/ extra proc ref returned to the caller /
3317
3318	assert(get_threadtask(new_thread) == new_task);
3319	task_active = task_is_active(new_task);
3320
3321	/ Take the proc_translock to change the task ptr /
3322	proc_lock(p);
3323	proc_active = !(p->p_lflag & P_LEXIT);
3324
3325	/ Check if the current thread is not aborted due to SIGKILL /
3326	thread_active = thread_is_active(old_thread);
3327
3328	/*
3329	* Do not switch the task if the new task or proc is already terminated
3330	* as a result of error in exec past point of no return
3331	*/
3332	if (proc_active && task_active && thread_active) {
3333	error = proc_transstart(p, `1`, `0`);
3334	if (error == `0`) {
3335	uthread_t new_uthread = get_bsdthread_info(new_thread);
3336	uthread_t old_uthread = get_bsdthread_info(current_thread());
3337
3338	/*
3339	* bsd_info of old_task will get cleared in execve and posix_spawn
3340	* after firing exec-success/error dtrace probe.
3341	*/
3342	p->task = new_task;
3343
3344	/ Clear dispatchqueue and workloop ast offset /
3345	p->p_dispatchqueue_offset = `0`;
3346	p->p_dispatchqueue_serialno_offset = `0`;
3347	p->p_return_to_kernel_offset = `0`;
3348
3349	/ Copy the signal state, dtrace state and set bsd ast on new thread /
3350	act_set_astbsd(new_thread);
3351	new_uthread->uu_siglist = old_uthread->uu_siglist;
3352	new_uthread->uu_sigwait = old_uthread->uu_sigwait;
3353	new_uthread->uu_sigmask = old_uthread->uu_sigmask;
3354	new_uthread->uu_oldmask = old_uthread->uu_oldmask;
3355	new_uthread->uu_vforkmask = old_uthread->uu_vforkmask;
3356	new_uthread->uu_exit_reason = old_uthread->uu_exit_reason;
3357	#if CONFIG_DTRACE
3358	new_uthread->t_dtrace_sig = old_uthread->t_dtrace_sig;
3359	new_uthread->t_dtrace_stop = old_uthread->t_dtrace_stop;
3360	new_uthread->t_dtrace_resumepid = old_uthread->t_dtrace_resumepid;
3361	assert(new_uthread->t_dtrace_scratch == NULL);
3362	new_uthread->t_dtrace_scratch = old_uthread->t_dtrace_scratch;
3363
3364	old_uthread->t_dtrace_sig = `0`;
3365	old_uthread->t_dtrace_stop = `0`;
3366	old_uthread->t_dtrace_resumepid = `0`;
3367	old_uthread->t_dtrace_scratch = NULL;
3368	#endif
3369	/ Copy the resource accounting info /
3370	thread_copy_resource_info(new_thread, current_thread());
3371
3372	/ Clear the exit reason and signal state on old thread /
3373	old_uthread->uu_exit_reason = NULL;
3374	old_uthread->uu_siglist = `0`;
3375
3376	/ Add the new uthread to proc uthlist and remove the old one /
3377	TAILQ_INSERT_TAIL(&p->p_uthlist, new_uthread, uu_list);
3378	TAILQ_REMOVE(&p->p_uthlist, old_uthread, uu_list);
3379
3380	task_set_did_exec_flag(old_task);
3381	task_clear_exec_copy_flag(new_task);
3382
3383	task_copy_fields_for_exec(new_task, old_task);
3384
3385	proc_transend(p, `1`);
3386	}
3387	}
3388
3389	proc_unlock(p);
3390	proc_refwake(p);
3391	thread_clear_exec_promotion(old_thread);
3392
3393	if (error != `0` \|\| !task_active \|\| !proc_active \|\| !thread_active) {
3394	task_terminate_internal(new_task);
3395	}
3396
3397	return p;
3398	}
3399
3400	/*
3401	* execve
3402	*
3403	* Parameters: uap->fname File name to exec
3404	* uap->argp Argument list
3405	* uap->envp Environment list
3406	*
3407	* Returns: 0 Success
3408	* __mac_execve:EINVAL Invalid argument
3409	* __mac_execve:ENOTSUP Invalid argument
3410	* __mac_execve:EACCES Permission denied
3411	* __mac_execve:EINTR Interrupted function
3412	* __mac_execve:ENOMEM Not enough space
3413	* __mac_execve:EFAULT Bad address
3414	* __mac_execve:ENAMETOOLONG Filename too long
3415	* __mac_execve:ENOEXEC Executable file format error
3416	* __mac_execve:ETXTBSY Text file busy [misuse of error code]
3417	* __mac_execve:???
3418	*
3419	* TODO: Dynamic linker header address on stack is copied via suword()
3420	*/
3421	/ ARGSUSED /
3422	int
3423	execve(proc_t p, struct execve_args uap, int32_t retval)
3424	{
3425	struct __mac_execve_args muap;
3426	int err;
3427
3428	memoryshot(VM_EXECVE, DBG_FUNC_NONE);
3429
3430	muap.fname = uap->fname;
3431	muap.argp = uap->argp;
3432	muap.envp = uap->envp;
3433	muap.mac_p = USER_ADDR_NULL;
3434	err = __mac_execve(p, &muap, retval);
3435
3436	return(err);
3437	}
3438
3439	/*
3440	* __mac_execve
3441	*
3442	* Parameters: uap->fname File name to exec
3443	* uap->argp Argument list
3444	* uap->envp Environment list
3445	* uap->mac_p MAC label supplied by caller
3446	*
3447	* Returns: 0 Success
3448	* EINVAL Invalid argument
3449	* ENOTSUP Not supported
3450	* ENOEXEC Executable file format error
3451	* exec_activate_image:EINVAL Invalid argument
3452	* exec_activate_image:EACCES Permission denied
3453	* exec_activate_image:EINTR Interrupted function
3454	* exec_activate_image:ENOMEM Not enough space
3455	* exec_activate_image:EFAULT Bad address
3456	* exec_activate_image:ENAMETOOLONG Filename too long
3457	* exec_activate_image:ENOEXEC Executable file format error
3458	* exec_activate_image:ETXTBSY Text file busy [misuse of error code]
3459	* exec_activate_image:EBADEXEC The executable is corrupt/unknown
3460	* exec_activate_image:???
3461	* mac_execve_enter:???
3462	*
3463	* TODO: Dynamic linker header address on stack is copied via suword()
3464	*/
3465	int
3466	__mac_execve(proc_t p, struct __mac_execve_args uap, int32_t retval)
3467	{
3468	char *bufp = NULL;
3469	struct image_params *imgp;
3470	struct vnode_attr *vap;
3471	struct vnode_attr *origvap;
3472	int error;
3473	int is_64 = IS_64BIT_PROCESS(p);
3474	struct vfs_context context;
3475	struct uthread *uthread;
3476	task_t old_task = current_task();
3477	task_t new_task = NULL;
3478	boolean_t should_release_proc_ref = FALSE;
3479	boolean_t exec_done = FALSE;
3480	boolean_t in_vfexec = FALSE;
3481	void *inherit = NULL;
3482
3483	context.vc_thread = current_thread();
3484	context.vc_ucred = kauth_cred_proc_ref(p); / XXX must NOT be kauth_cred_get() /
3485
3486	/ Allocate a big chunk for locals instead of using stack since these*
3487	* structures a pretty big.
3488	*/
3489	MALLOC(bufp, char , (sizeof(imgp) + sizeof(vap) + sizeof(origvap)), M_TEMP, M_WAITOK \| M_ZERO);
3490	imgp = (struct image_params *) bufp;
3491	if (bufp == NULL) {
3492	error = ENOMEM;
3493	goto exit_with_error;
3494	}
3495	vap = (struct vnode_attr ) (bufp + sizeof(imgp));
3496	origvap = (struct vnode_attr ) (bufp + sizeof(imgp) + sizeof(*vap));
3497
3498	/ Initialize the common data in the image_params structure /
3499	imgp->ip_user_fname = uap->fname;
3500	imgp->ip_user_argv = uap->argp;
3501	imgp->ip_user_envv = uap->envp;
3502	imgp->ip_vattr = vap;
3503	imgp->ip_origvattr = origvap;
3504	imgp->ip_vfs_context = &context;
3505	imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT_ADDR : IMGPF_NONE) \| ((p->p_flag & P_DISABLE_ASLR) ? IMGPF_DISABLE_ASLR : IMGPF_NONE);
3506	imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
3507	imgp->ip_mac_return = `0`;
3508	imgp->ip_cs_error = OS_REASON_NULL;
3509
3510	#if CONFIG_MACF
3511	if (uap->mac_p != USER_ADDR_NULL) {
3512	error = mac_execve_enter(uap->mac_p, imgp);
3513	if (error) {
3514	kauth_cred_unref(&context.vc_ucred);
3515	goto exit_with_error;
3516	}
3517	}
3518	#endif
3519	uthread = get_bsdthread_info(current_thread());
3520	if (uthread->uu_flag & UT_VFORK) {
3521	imgp->ip_flags \|= IMGPF_VFORK_EXEC;
3522	in_vfexec = TRUE;
3523	} else {
3524	imgp->ip_flags \|= IMGPF_EXEC;
3525
3526	/*
3527	* For execve case, create a new task and thread
3528	* which points to current_proc. The current_proc will point
3529	* to the new task after image activation and proc ref drain.
3530	*
3531	* proc (current_proc) <----- old_task (current_task)
3532	* ^ \| ^
3533	* \| \| \|
3534	* \| ----------------------------------
3535	* \|
3536	* --------- new_task (task marked as TF_EXEC_COPY)
3537	*
3538	* After image activation, the proc will point to the new task
3539	* and would look like following.
3540	*
3541	* proc (current_proc) <----- old_task (current_task, marked as TPF_DID_EXEC)
3542	* ^ \|
3543	* \| \|
3544	* \| ----------> new_task
3545	* \| \|
3546	* -----------------
3547	*
3548	* During exec any transition from new_task -> proc is fine, but don't allow
3549	* transition from proc->task, since it will modify old_task.
3550	*/
3551	imgp->ip_new_thread = fork_create_child(old_task,
3552	NULL,
3553	p,
3554	FALSE,
3555	p->p_flag & P_LP64,
3556	task_get_64bit_data(old_task),
3557	TRUE);
3558	/ task and thread ref returned by fork_create_child /
3559	if (imgp->ip_new_thread == NULL) {
3560	error = ENOMEM;
3561	goto exit_with_error;
3562	}
3563
3564	new_task = get_threadtask(imgp->ip_new_thread);
3565	context.vc_thread = imgp->ip_new_thread;
3566	}
3567
3568	error = exec_activate_image(imgp);
3569	/ thread and task ref returned for vfexec case /
3570
3571	if (imgp->ip_new_thread != NULL) {
3572	/*
3573	* task reference might be returned by exec_activate_image
3574	* for vfexec.
3575	*/
3576	new_task = get_threadtask(imgp->ip_new_thread);
3577	}
3578
3579	if (!error && !in_vfexec) {
3580	p = proc_exec_switch_task(p, old_task, new_task, imgp->ip_new_thread);
3581	/ proc ref returned /
3582	should_release_proc_ref = TRUE;
3583
3584	/*
3585	* Need to transfer pending watch port boosts to the new task while still making
3586	* sure that the old task remains in the importance linkage. Create an importance
3587	* linkage from old task to new task, then switch the task importance base
3588	* of old task and new task. After the switch the port watch boost will be
3589	* boosting the new task and new task will be donating importance to old task.
3590	*/
3591	inherit = ipc_importance_exec_switch_task(old_task, new_task);
3592	}
3593
3594	kauth_cred_unref(&context.vc_ucred);
3595
3596	/ Image not claimed by any activator? /
3597	if (error == -`1`)
3598	error = ENOEXEC;
3599
3600	if (!error) {
3601	exec_done = TRUE;
3602	assert(imgp->ip_new_thread != NULL);
3603
3604	exec_resettextvp(p, imgp);
3605	error = check_for_signature(p, imgp);
3606	}
3607
3608	/ flag exec has occurred, notify only if it has not failed due to FP Key error /
3609	if (exec_done && ((p->p_lflag & P_LTERM_DECRYPTFAIL) == `0`))
3610	proc_knote(p, NOTE_EXEC);
3611
3612	if (imgp->ip_vp != NULLVP)
3613	vnode_put(imgp->ip_vp);
3614	if (imgp->ip_scriptvp != NULLVP)
3615	vnode_put(imgp->ip_scriptvp);
3616	if (imgp->ip_strings)
3617	execargs_free(imgp);
3618	#if CONFIG_MACF
3619	if (imgp->ip_execlabelp)
3620	mac_cred_label_free(imgp->ip_execlabelp);
3621	if (imgp->ip_scriptlabelp)
3622	mac_vnode_label_free(imgp->ip_scriptlabelp);
3623	#endif
3624	if (imgp->ip_cs_error != OS_REASON_NULL) {
3625	os_reason_free(imgp->ip_cs_error);
3626	imgp->ip_cs_error = OS_REASON_NULL;
3627	}
3628
3629	if (!error) {
3630	/*
3631	* We need to initialize the bank context behind the protection of
3632	* the proc_trans lock to prevent a race with exit. We can't do this during
3633	* exec_activate_image because task_bank_init checks entitlements that
3634	* aren't loaded until subsequent calls (including exec_resettextvp).
3635	*/
3636	error = proc_transstart(p, `0`, `0`);
3637	}
3638
3639	if (!error) {
3640	task_bank_init(new_task);
3641	proc_transend(p, `0`);
3642
3643	/ Sever any extant thread affinity /
3644	thread_affinity_exec(current_thread());
3645
3646	/ Inherit task role from old task to new task for exec /
3647	if (!in_vfexec) {
3648	proc_inherit_task_role(new_task, old_task);
3649	}
3650
3651	thread_t main_thread = imgp->ip_new_thread;
3652
3653	task_set_main_thread_qos(new_task, main_thread);
3654
3655	#if CONFIG_MACF
3656	/*
3657	* Processes with the MAP_JIT entitlement are permitted to have
3658	* a jumbo-size map.
3659	*/
3660	if (mac_proc_check_map_anon(p, `0`, `0`, `0`, MAP_JIT, NULL) == `0`) {
3661	vm_map_set_jumbo(get_task_map(new_task));
3662	}
3663	#endif /* CONFIG_MACF */
3664
3665	if (vm_darkwake_mode == TRUE) {
3666	/*
3667	* This process is being launched when the system
3668	* is in darkwake. So mark it specially. This will
3669	* cause all its pages to be entered in the background Q.
3670	*/
3671	task_set_darkwake_mode(new_task, vm_darkwake_mode);
3672	}
3673
3674	#if CONFIG_DTRACE
3675	dtrace_thread_didexec(imgp->ip_new_thread);
3676
3677	if ((dtrace_proc_waitfor_hook = dtrace_proc_waitfor_exec_ptr) != NULL)
3678	(*dtrace_proc_waitfor_hook)(p);
3679	#endif
3680
3681	#if CONFIG_AUDIT
3682	if (!error && AUDIT_ENABLED() && p) {
3683	/ Add the CDHash of the new process to the audit record /
3684	uint8_t *cdhash = cs_get_cdhash(p);
3685	if (cdhash) {
3686	AUDIT_ARG(data, cdhash, sizeof(uint8_t), CS_CDHASH_LEN);
3687	}
3688	}
3689	#endif
3690
3691	if (in_vfexec) {
3692	vfork_return(p, retval, p->p_pid);
3693	}
3694	} else {
3695	DTRACE_PROC1(exec__failure, int, error);
3696	}
3697
3698	exit_with_error:
3699
3700	/*
3701	* clear bsd_info from old task if it did exec.
3702	*/
3703	if (task_did_exec(old_task)) {
3704	set_bsdtask_info(old_task, NULL);
3705	}
3706
3707	/ clear bsd_info from new task and terminate it if exec failed /
3708	if (new_task != NULL && task_is_exec_copy(new_task)) {
3709	set_bsdtask_info(new_task, NULL);
3710	task_terminate_internal(new_task);
3711	}
3712
3713	if (imgp != NULL) {
3714	/*
3715	* Do not terminate the current task, if proc_exec_switch_task did not
3716	* switch the tasks, terminating the current task without the switch would
3717	* result in loosing the SIGKILL status.
3718	*/
3719	if (task_did_exec(old_task)) {
3720	/ Terminate the current task, since exec will start in new task /
3721	task_terminate_internal(old_task);
3722	}
3723
3724	/ Release the thread ref returned by fork_create_child /
3725	if (imgp->ip_new_thread) {
3726	/ wake up the new exec thread /
3727	task_clear_return_wait(get_threadtask(imgp->ip_new_thread));
3728	thread_deallocate(imgp->ip_new_thread);
3729	imgp->ip_new_thread = NULL;
3730	}
3731	}
3732
3733	/ Release the ref returned by fork_create_child /
3734	if (new_task) {
3735	task_deallocate(new_task);
3736	new_task = NULL;
3737	}
3738
3739	if (should_release_proc_ref) {
3740	proc_rele(p);
3741	}
3742
3743	if (bufp != NULL) {
3744	FREE(bufp, M_TEMP);
3745	}
3746
3747	if (inherit != NULL) {
3748	ipc_importance_release(inherit);
3749	}
3750
3751	return(error);
3752	}
3753
3754
3755	/*
3756	* copyinptr
3757	*
3758	* Description: Copy a pointer in from user space to a user_addr_t in kernel
3759	* space, based on 32/64 bitness of the user space
3760	*
3761	* Parameters: froma User space address
3762	* toptr Address of kernel space user_addr_t
3763	* ptr_size 4/8, based on 'froma' address space
3764	*
3765	* Returns: 0 Success
3766	* EFAULT Bad 'froma'
3767	*
3768	* Implicit returns:
3769	* *ptr_size Modified
3770	*/
3771	static int
3772	copyinptr(user_addr_t froma, user_addr_t toptr, int* ptr_size)
3773	{
3774	int error;
3775
3776	if (ptr_size == `4`) {
3777	/ 64 bit value containing 32 bit address /
3778	unsigned int i;
3779
3780	error = copyin(froma, &i, `4`);
3781	toptr = CAST_USER_ADDR_T(i); /* SAFE /
3782	} else {
3783	error = copyin(froma, toptr, `8`);
3784	}
3785	return (error);
3786	}
3787
3788
3789	/*
3790	* copyoutptr
3791	*
3792	* Description: Copy a pointer out from a user_addr_t in kernel space to
3793	* user space, based on 32/64 bitness of the user space
3794	*
3795	* Parameters: ua User space address to copy to
3796	* ptr Address of kernel space user_addr_t
3797	* ptr_size 4/8, based on 'ua' address space
3798	*
3799	* Returns: 0 Success
3800	* EFAULT Bad 'ua'
3801	*
3802	*/
3803	static int
3804	copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
3805	{
3806	int error;
3807
3808	if (ptr_size == `4`) {
3809	/ 64 bit value containing 32 bit address /
3810	unsigned int i = CAST_DOWN_EXPLICIT(unsigned int,ua); / SAFE /
3811
3812	error = copyout(&i, ptr, `4`);
3813	} else {
3814	error = copyout(&ua, ptr, `8`);
3815	}
3816	return (error);
3817	}
3818
3819
3820	/*
3821	* exec_copyout_strings
3822	*
3823	* Copy out the strings segment to user space. The strings segment is put
3824	* on a preinitialized stack frame.
3825	*
3826	* Parameters: struct image_params * the image parameter block
3827	* int * a pointer to the stack offset variable
3828	*
3829	* Returns: 0 Success
3830	* !0 Faiure: errno
3831	*
3832	* Implicit returns:
3833	* (*stackp) The stack offset, modified
3834	*
3835	* Note: The strings segment layout is backward, from the beginning
3836	* of the top of the stack to consume the minimal amount of
3837	* space possible; the returned stack pointer points to the
3838	* end of the area consumed (stacks grow downward).
3839	*
3840	* argc is an int; arg[i] are pointers; env[i] are pointers;
3841	* the 0's are (void *)NULL's
3842	*
3843	* The stack frame layout is:
3844	*
3845	* +-------------+ <- p->user_stack
3846	* \| 16b \|
3847	* +-------------+
3848	* \| STRING AREA \|
3849	* \| : \|
3850	* \| : \|
3851	* \| : \|
3852	* +- -- -- -- --+
3853	* \| PATH AREA \|
3854	* +-------------+
3855	* \| 0 \|
3856	* +-------------+
3857	* \| applev[n] \|
3858	* +-------------+
3859	* :
3860	* :
3861	* +-------------+
3862	* \| applev[1] \|
3863	* +-------------+
3864	* \| exec_path / \|
3865	* \| applev[0] \|
3866	* +-------------+
3867	* \| 0 \|
3868	* +-------------+
3869	* \| env[n] \|
3870	* +-------------+
3871	* :
3872	* :
3873	* +-------------+
3874	* \| env[0] \|
3875	* +-------------+
3876	* \| 0 \|
3877	* +-------------+
3878	* \| arg[argc-1] \|
3879	* +-------------+
3880	* :
3881	* :
3882	* +-------------+
3883	* \| arg[0] \|
3884	* +-------------+
3885	* \| argc \|
3886	* sp-> +-------------+
3887	*
3888	* Although technically a part of the STRING AREA, we treat the PATH AREA as
3889	* a separate entity. This allows us to align the beginning of the PATH AREA
3890	* to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
3891	* which preceed it on the stack are properly aligned.
3892	*/
3893
3894	static int
3895	exec_copyout_strings(struct image_params imgp, user_addr_t stackp)
3896	{
3897	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
3898	int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? `8` : `4`;
3899	int ptr_area_size;
3900	void ptr_buffer_start, ptr_buffer;
3901	int string_size;
3902
3903	user_addr_t string_area; / argv[], env[] /
3904	user_addr_t ptr_area; / argv[], env[], applev[] /
3905	user_addr_t argc_area; / argc /
3906	user_addr_t stack;
3907	int error;
3908
3909	unsigned i;
3910	struct copyout_desc {
3911	char *start_string;
3912	int count;
3913	#if CONFIG_DTRACE
3914	user_addr_t *dtrace_cookie;
3915	#endif
3916	boolean_t null_term;
3917	} descriptors[] = {
3918	{
3919	.start_string = imgp->ip_startargv,
3920	.count = imgp->ip_argc,
3921	#if CONFIG_DTRACE
3922	.dtrace_cookie = &p->p_dtrace_argv,
3923	#endif
3924	.null_term = TRUE
3925	},
3926	{
3927	.start_string = imgp->ip_endargv,
3928	.count = imgp->ip_envc,
3929	#if CONFIG_DTRACE
3930	.dtrace_cookie = &p->p_dtrace_envp,
3931	#endif
3932	.null_term = TRUE
3933	},
3934	{
3935	.start_string = imgp->ip_strings,
3936	.count = `1`,
3937	#if CONFIG_DTRACE
3938	.dtrace_cookie = NULL,
3939	#endif
3940	.null_term = FALSE
3941	},
3942	{
3943	.start_string = imgp->ip_endenvv,
3944	.count = imgp->ip_applec - `1`, / exec_path handled above /
3945	#if CONFIG_DTRACE
3946	.dtrace_cookie = NULL,
3947	#endif
3948	.null_term = TRUE
3949	}
3950	};
3951
3952	stack = *stackp;
3953
3954	/*
3955	* All previous contributors to the string area
3956	* should have aligned their sub-area
3957	*/
3958	if (imgp->ip_strspace % ptr_size != `0`) {
3959	error = EINVAL;
3960	goto bad;
3961	}
3962
3963	/ Grow the stack down for the strings we've been building up /
3964	string_size = imgp->ip_strendp - imgp->ip_strings;
3965	stack -= string_size;
3966	string_area = stack;
3967
3968	/*
3969	* Need room for one pointer for each string, plus
3970	* one for the NULLs terminating the argv, envv, and apple areas.
3971	*/
3972	ptr_area_size = (imgp->ip_argc + imgp->ip_envc + imgp->ip_applec + `3`) * ptr_size;
3973	stack -= ptr_area_size;
3974	ptr_area = stack;
3975
3976	/ We'll construct all the pointer arrays in our string buffer,*
3977	* which we already know is aligned properly, and ip_argspace
3978	* was used to verify we have enough space.
3979	*/
3980	ptr_buffer_start = ptr_buffer = (void *)imgp->ip_strendp;
3981
3982	/*
3983	* Need room for pointer-aligned argc slot.
3984	*/
3985	stack -= ptr_size;
3986	argc_area = stack;
3987
3988	/*
3989	* Record the size of the arguments area so that sysctl_procargs()
3990	* can return the argument area without having to parse the arguments.
3991	*/
3992	proc_lock(p);
3993	p->p_argc = imgp->ip_argc;
3994	p->p_argslen = (int)(*stackp - string_area);
3995	proc_unlock(p);
3996
3997	/ Return the initial stack address: the location of argc /
3998	*stackp = stack;
3999
4000	/*
4001	* Copy out the entire strings area.
4002	*/
4003	error = copyout(imgp->ip_strings, string_area,
4004	string_size);
4005	if (error)
4006	goto bad;
4007
4008	for (i = `0`; i < sizeof(descriptors)/sizeof(descriptors[`0`]); i++) {
4009	char *cur_string = descriptors[i].start_string;
4010	int j;
4011
4012	#if CONFIG_DTRACE
4013	if (descriptors[i].dtrace_cookie) {
4014	proc_lock(p);
4015	descriptors[i].dtrace_cookie = ptr_area + ((uintptr_t)ptr_buffer - (uintptr_t)ptr_buffer_start); /* dtrace convenience /
4016	proc_unlock(p);
4017	}
4018	#endif /* CONFIG_DTRACE */
4019
4020	/*
4021	* For each segment (argv, envv, applev), copy as many pointers as requested
4022	* to our pointer buffer.
4023	*/
4024	for (j = `0`; j < descriptors[i].count; j++) {
4025	user_addr_t cur_address = string_area + (cur_string - imgp->ip_strings);
4026
4027	/ Copy out the pointer to the current string. Alignment has been verified /
4028	if (ptr_size == `8`) {
4029	(uint64_t )ptr_buffer = (uint64_t)cur_address;
4030	} else {
4031	(uint32_t )ptr_buffer = (uint32_t)cur_address;
4032	}
4033
4034	ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
4035	cur_string += strlen(cur_string) + `1`; / Only a NUL between strings in the same area /
4036	}
4037
4038	if (descriptors[i].null_term) {
4039	if (ptr_size == `8`) {
4040	(uint64_t )ptr_buffer = `0ULL`;
4041	} else {
4042	(uint32_t )ptr_buffer = `0`;
4043	}
4044
4045	ptr_buffer = (void *)((uintptr_t)ptr_buffer + ptr_size);
4046	}
4047	}
4048
4049	/*
4050	* Copy out all our pointer arrays in bulk.
4051	*/
4052	error = copyout(ptr_buffer_start, ptr_area,
4053	ptr_area_size);
4054	if (error)
4055	goto bad;
4056
4057	/ argc (int32, stored in a ptr_size area) /
4058	error = copyoutptr((user_addr_t)imgp->ip_argc, argc_area, ptr_size);
4059	if (error)
4060	goto bad;
4061
4062	bad:
4063	return(error);
4064	}
4065
4066
4067	/*
4068	* exec_extract_strings
4069	*
4070	* Copy arguments and environment from user space into work area; we may
4071	* have already copied some early arguments into the work area, and if
4072	* so, any arguments opied in are appended to those already there.
4073	* This function is the primary manipulator of ip_argspace, since
4074	* these are the arguments the client of execve(2) knows about. After
4075	* each argv[]/envv[] string is copied, we charge the string length
4076	* and argv[]/envv[] pointer slot to ip_argspace, so that we can
4077	* full preflight the arg list size.
4078	*
4079	* Parameters: struct image_params * the image parameter block
4080	*
4081	* Returns: 0 Success
4082	* !0 Failure: errno
4083	*
4084	* Implicit returns;
4085	* (imgp->ip_argc) Count of arguments, updated
4086	* (imgp->ip_envc) Count of environment strings, updated
4087	* (imgp->ip_argspace) Count of remaining of NCARGS
4088	* (imgp->ip_interp_buffer) Interpreter and args (mutated in place)
4089	*
4090	*
4091	* Note: The argument and environment vectors are user space pointers
4092	* to arrays of user space pointers.
4093	*/
4094	static int
4095	exec_extract_strings(struct image_params *imgp)
4096	{
4097	int error = `0`;
4098	int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT_ADDR) ? `8` : `4`;
4099	int new_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? `8` : `4`;
4100	user_addr_t argv = imgp->ip_user_argv;
4101	user_addr_t envv = imgp->ip_user_envv;
4102
4103	/*
4104	* Adjust space reserved for the path name by however much padding it
4105	* needs. Doing this here since we didn't know if this would be a 32-
4106	* or 64-bit process back in exec_save_path.
4107	*/
4108	while (imgp->ip_strspace % new_ptr_size != `0`) {
4109	*imgp->ip_strendp++ = `'\0'`;
4110	imgp->ip_strspace--;
4111	/ imgp->ip_argspace--; not counted towards exec args total /
4112	}
4113
4114	/*
4115	* From now on, we start attributing string space to ip_argspace
4116	*/
4117	imgp->ip_startargv = imgp->ip_strendp;
4118	imgp->ip_argc = `0`;
4119
4120	if((imgp->ip_flags & IMGPF_INTERPRET) != `0`) {
4121	user_addr_t arg;
4122	char argstart, ch;
4123
4124	/ First, the arguments in the "#!" string are tokenized and extracted. /
4125	argstart = imgp->ip_interp_buffer;
4126	while (argstart) {
4127	ch = argstart;
4128	while (ch && !IS_WHITESPACE(ch)) {
4129	ch++;
4130	}
4131
4132	if (*ch == `'\0'`) {
4133	/ last argument, no need to NUL-terminate /
4134	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
4135	argstart = NULL;
4136	} else {
4137	/ NUL-terminate /
4138	*ch = `'\0'`;
4139	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(argstart), UIO_SYSSPACE, TRUE);
4140
4141	/*
4142	* Find the next string. We know spaces at the end of the string have already
4143	* been stripped.
4144	*/
4145	argstart = ch + `1`;
4146	while (IS_WHITESPACE(*argstart)) {
4147	argstart++;
4148	}
4149	}
4150
4151	/ Error-check, regardless of whether this is the last interpreter arg or not /
4152	if (error)
4153	goto bad;
4154	if (imgp->ip_argspace < new_ptr_size) {
4155	error = E2BIG;
4156	goto bad;
4157	}
4158	imgp->ip_argspace -= new_ptr_size; / to hold argv[] entry /
4159	imgp->ip_argc++;
4160	}
4161
4162	if (argv != `0LL`) {
4163	/*
4164	* If we are running an interpreter, replace the av[0] that was
4165	* passed to execve() with the path name that was
4166	* passed to execve() for interpreters which do not use the PATH
4167	* to locate their script arguments.
4168	*/
4169	error = copyinptr(argv, &arg, ptr_size);
4170	if (error)
4171	goto bad;
4172	if (arg != `0LL`) {
4173	argv += ptr_size; / consume without using /
4174	}
4175	}
4176
4177	if (imgp->ip_interp_sugid_fd != -`1`) {
4178	char temp[`19`]; / "/dev/fd/" + 10 digits + NUL /
4179	snprintf(temp, sizeof(temp), "/dev/fd/%d", imgp->ip_interp_sugid_fd);
4180	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(temp), UIO_SYSSPACE, TRUE);
4181	} else {
4182	error = exec_add_user_string(imgp, imgp->ip_user_fname, imgp->ip_seg, TRUE);
4183	}
4184
4185	if (error)
4186	goto bad;
4187	if (imgp->ip_argspace < new_ptr_size) {
4188	error = E2BIG;
4189	goto bad;
4190	}
4191	imgp->ip_argspace -= new_ptr_size; / to hold argv[] entry /
4192	imgp->ip_argc++;
4193	}
4194
4195	while (argv != `0LL`) {
4196	user_addr_t arg;
4197
4198	error = copyinptr(argv, &arg, ptr_size);
4199	if (error)
4200	goto bad;
4201
4202	if (arg == `0LL`) {
4203	break;
4204	}
4205
4206	argv += ptr_size;
4207
4208	/*
4209	* av[n...] = arg[n]
4210	*/
4211	error = exec_add_user_string(imgp, arg, imgp->ip_seg, TRUE);
4212	if (error)
4213	goto bad;
4214	if (imgp->ip_argspace < new_ptr_size) {
4215	error = E2BIG;
4216	goto bad;
4217	}
4218	imgp->ip_argspace -= new_ptr_size; / to hold argv[] entry /
4219	imgp->ip_argc++;
4220	}
4221
4222	/ Save space for argv[] NULL terminator /
4223	if (imgp->ip_argspace < new_ptr_size) {
4224	error = E2BIG;
4225	goto bad;
4226	}
4227	imgp->ip_argspace -= new_ptr_size;
4228
4229	/ Note where the args ends and env begins. /
4230	imgp->ip_endargv = imgp->ip_strendp;
4231	imgp->ip_envc = `0`;
4232
4233	/ Now, get the environment /
4234	while (envv != `0LL`) {
4235	user_addr_t env;
4236
4237	error = copyinptr(envv, &env, ptr_size);
4238	if (error)
4239	goto bad;
4240
4241	envv += ptr_size;
4242	if (env == `0LL`) {
4243	break;
4244	}
4245	/*
4246	* av[n...] = env[n]
4247	*/
4248	error = exec_add_user_string(imgp, env, imgp->ip_seg, TRUE);
4249	if (error)
4250	goto bad;
4251	if (imgp->ip_argspace < new_ptr_size) {
4252	error = E2BIG;
4253	goto bad;
4254	}
4255	imgp->ip_argspace -= new_ptr_size; / to hold envv[] entry /
4256	imgp->ip_envc++;
4257	}
4258
4259	/ Save space for envv[] NULL terminator /
4260	if (imgp->ip_argspace < new_ptr_size) {
4261	error = E2BIG;
4262	goto bad;
4263	}
4264	imgp->ip_argspace -= new_ptr_size;
4265
4266	/ Align the tail of the combined argv+envv area /
4267	while (imgp->ip_strspace % new_ptr_size != `0`) {
4268	if (imgp->ip_argspace < `1`) {
4269	error = E2BIG;
4270	goto bad;
4271	}
4272	*imgp->ip_strendp++ = `'\0'`;
4273	imgp->ip_strspace--;
4274	imgp->ip_argspace--;
4275	}
4276
4277	/ Note where the envv ends and applev begins. /
4278	imgp->ip_endenvv = imgp->ip_strendp;
4279
4280	/*
4281	* From now on, we are no longer charging argument
4282	* space to ip_argspace.
4283	*/
4284
4285	bad:
4286	return error;
4287	}
4288
4289	/*
4290	* Libc has an 8-element array set up for stack guard values. It only fills
4291	* in one of those entries, and both gcc and llvm seem to use only a single
4292	* 8-byte guard. Until somebody needs more than an 8-byte guard value, don't
4293	* do the work to construct them.
4294	*/
4295	#define GUARD_VALUES 1
4296	#define GUARD_KEY "stack_guard="
4297
4298	/*
4299	* System malloc needs some entropy when it is initialized.
4300	*/
4301	#define ENTROPY_VALUES 2
4302	#define ENTROPY_KEY "malloc_entropy="
4303
4304	/*
4305	* libplatform needs a random pointer-obfuscation value when it is initialized.
4306	*/
4307	#define PTR_MUNGE_VALUES 1
4308	#define PTR_MUNGE_KEY "ptr_munge="
4309
4310	/*
4311	* System malloc engages nanozone for UIAPP.
4312	*/
4313	#define NANO_ENGAGE_KEY "MallocNanoZone=1"
4314
4315	#define PFZ_KEY "pfz="
4316	extern user32_addr_t commpage_text32_location;
4317	extern user64_addr_t commpage_text64_location;
4318
4319	#define MAIN_STACK_VALUES 4
4320	#define MAIN_STACK_KEY "main_stack="
4321
4322	#define FSID_KEY "executable_file="
4323	#define DYLD_FSID_KEY "dyld_file="
4324	#define CDHASH_KEY "executable_cdhash="
4325
4326	#define FSID_MAX_STRING "0x1234567890abcdef,0x1234567890abcdef"
4327
4328	#define HEX_STR_LEN 18 // 64-bit hex value "0x0123456701234567"
4329
4330	static int
4331	exec_add_entropy_key(struct image_params *imgp,
4332	const char *key,
4333	int values,
4334	boolean_t embedNUL)
4335	{
4336	const int limit = `8`;
4337	uint64_t entropy[limit];
4338	char str[strlen(key) + (HEX_STR_LEN + `1`) * limit + `1`];
4339	if (values > limit) {
4340	values = limit;
4341	}
4342
4343	read_random(entropy, sizeof(entropy[`0`]) * values);
4344
4345	if (embedNUL) {
4346	entropy[`0`] &= ~(`0xffull` << `8`);
4347	}
4348
4349	int len = snprintf(str, sizeof(str), "%s0x%llx", key, entropy[`0`]);
4350	int remaining = sizeof(str) - len;
4351	for (int i = `1`; i < values && remaining > `0`; ++i) {
4352	int start = sizeof(str) - remaining;
4353	len = snprintf(&str[start], remaining, ",0x%llx", entropy[i]);
4354	remaining -= len;
4355	}
4356
4357	return exec_add_user_string(imgp, CAST_USER_ADDR_T(str), UIO_SYSSPACE, FALSE);
4358	}
4359
4360	/*
4361	* Build up the contents of the apple[] string vector
4362	*/
4363	static int
4364	exec_add_apple_strings(struct image_params *imgp,
4365	const load_result_t *load_result)
4366	{
4367	int error;
4368	int img_ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) ? `8` : `4`;
4369
4370	/ exec_save_path stored the first string /
4371	imgp->ip_applec = `1`;
4372
4373	/ adding the pfz string /
4374	{
4375	char pfz_string[strlen(PFZ_KEY) + HEX_STR_LEN + `1`];
4376
4377	if (img_ptr_size == `8`) {
4378	snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%llx", commpage_text64_location);
4379	} else {
4380	snprintf(pfz_string, sizeof(pfz_string), PFZ_KEY "0x%x", commpage_text32_location);
4381	}
4382	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(pfz_string), UIO_SYSSPACE, FALSE);
4383	if (error) {
4384	goto bad;
4385	}
4386	imgp->ip_applec++;
4387	}
4388
4389	/ adding the NANO_ENGAGE_KEY key /
4390	if (imgp->ip_px_sa) {
4391	int proc_flags = (((struct _posix_spawnattr *) imgp->ip_px_sa)->psa_flags);
4392
4393	if ((proc_flags & _POSIX_SPAWN_NANO_ALLOCATOR) == _POSIX_SPAWN_NANO_ALLOCATOR) {
4394	const char *nano_string = NANO_ENGAGE_KEY;
4395	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(nano_string), UIO_SYSSPACE, FALSE);
4396	if (error){
4397	goto bad;
4398	}
4399	imgp->ip_applec++;
4400	}
4401	}
4402
4403	/*
4404	* Supply libc with a collection of random values to use when
4405	* implementing -fstack-protector.
4406	*
4407	* (The first random string always contains an embedded NUL so that
4408	* __stack_chk_guard also protects against C string vulnerabilities)
4409	*/
4410	error = exec_add_entropy_key(imgp, GUARD_KEY, GUARD_VALUES, TRUE);
4411	if (error) {
4412	goto bad;
4413	}
4414	imgp->ip_applec++;
4415
4416	/*
4417	* Supply libc with entropy for system malloc.
4418	*/
4419	error = exec_add_entropy_key(imgp, ENTROPY_KEY, ENTROPY_VALUES, FALSE);
4420	if (error) {
4421	goto bad;
4422	}
4423	imgp->ip_applec++;
4424
4425	/*
4426	* Supply libpthread & libplatform with a random value to use for pointer
4427	* obfuscation.
4428	*/
4429	error = exec_add_entropy_key(imgp, PTR_MUNGE_KEY, PTR_MUNGE_VALUES, FALSE);
4430	if (error) {
4431	goto bad;
4432	}
4433	imgp->ip_applec++;
4434
4435	/*
4436	* Add MAIN_STACK_KEY: Supplies the address and size of the main thread's
4437	* stack if it was allocated by the kernel.
4438	*
4439	* The guard page is not included in this stack size as libpthread
4440	* expects to add it back in after receiving this value.
4441	*/
4442	if (load_result->unixproc) {
4443	char stack_string[strlen(MAIN_STACK_KEY) + (HEX_STR_LEN + `1`) * MAIN_STACK_VALUES + `1`];
4444	snprintf(stack_string, sizeof(stack_string),
4445	MAIN_STACK_KEY "0x%llx,0x%llx,0x%llx,0x%llx",
4446	(uint64_t)load_result->user_stack,
4447	(uint64_t)load_result->user_stack_size,
4448	(uint64_t)load_result->user_stack_alloc,
4449	(uint64_t)load_result->user_stack_alloc_size);
4450	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(stack_string), UIO_SYSSPACE, FALSE);
4451	if (error) {
4452	goto bad;
4453	}
4454	imgp->ip_applec++;
4455	}
4456
4457	if (imgp->ip_vattr) {
4458	uint64_t fsid = get_va_fsid(imgp->ip_vattr);
4459	uint64_t fsobjid = imgp->ip_vattr->va_fileid;
4460
4461	char fsid_string[strlen(FSID_KEY) + strlen(FSID_MAX_STRING) + `1`];
4462	snprintf(fsid_string, sizeof(fsid_string),
4463	FSID_KEY "0x%llx,0x%llx", fsid, fsobjid);
4464	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(fsid_string), UIO_SYSSPACE, FALSE);
4465	if (error) {
4466	goto bad;
4467	}
4468	imgp->ip_applec++;
4469	}
4470
4471	if (imgp->ip_dyld_fsid \|\| imgp->ip_dyld_fsobjid ) {
4472	char fsid_string[strlen(DYLD_FSID_KEY) + strlen(FSID_MAX_STRING) + `1`];
4473	snprintf(fsid_string, sizeof(fsid_string),
4474	DYLD_FSID_KEY "0x%llx,0x%llx", imgp->ip_dyld_fsid, imgp->ip_dyld_fsobjid);
4475	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(fsid_string), UIO_SYSSPACE, FALSE);
4476	if (error) {
4477	goto bad;
4478	}
4479	imgp->ip_applec++;
4480	}
4481
4482	uint8_t cdhash[SHA1_RESULTLEN];
4483	int cdhash_errror = ubc_cs_getcdhash(imgp->ip_vp, imgp->ip_arch_offset, cdhash);
4484	if (cdhash_errror == `0`) {
4485	char hash_string[strlen(CDHASH_KEY) + `2`*SHA1_RESULTLEN + `1`];
4486	strncpy(hash_string, CDHASH_KEY, sizeof(hash_string));
4487	char p = hash_string + sizeof*(CDHASH_KEY) - `1`;
4488	for (int i = `0`; i < SHA1_RESULTLEN; i++) {
4489	snprintf(p, `3`, "%02x", (int) cdhash[i]);
4490	p += `2`;
4491	}
4492	error = exec_add_user_string(imgp, CAST_USER_ADDR_T(hash_string), UIO_SYSSPACE, FALSE);
4493	if (error) {
4494	goto bad;
4495	}
4496	imgp->ip_applec++;
4497	}
4498
4499	/ Align the tail of the combined applev area /
4500	while (imgp->ip_strspace % img_ptr_size != `0`) {
4501	*imgp->ip_strendp++ = `'\0'`;
4502	imgp->ip_strspace--;
4503	}
4504
4505	bad:
4506	return error;
4507	}
4508
4509	#define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur)
4510
4511	/*
4512	* exec_check_permissions
4513	*
4514	* Description: Verify that the file that is being attempted to be executed
4515	* is in fact allowed to be executed based on it POSIX file
4516	* permissions and other access control criteria
4517	*
4518	* Parameters: struct image_params * the image parameter block
4519	*
4520	* Returns: 0 Success
4521	* EACCES Permission denied
4522	* ENOEXEC Executable file format error
4523	* ETXTBSY Text file busy [misuse of error code]
4524	* vnode_getattr:???
4525	* vnode_authorize:???
4526	*/
4527	static int
4528	exec_check_permissions(struct image_params *imgp)
4529	{
4530	struct vnode *vp = imgp->ip_vp;
4531	struct vnode_attr *vap = imgp->ip_vattr;
4532	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
4533	int error;
4534	kauth_action_t action;
4535
4536	/ Only allow execution of regular files /
4537	if (!vnode_isreg(vp))
4538	return (EACCES);
4539
4540	/ Get the file attributes that we will be using here and elsewhere /
4541	VATTR_INIT(vap);
4542	VATTR_WANTED(vap, va_uid);
4543	VATTR_WANTED(vap, va_gid);
4544	VATTR_WANTED(vap, va_mode);
4545	VATTR_WANTED(vap, va_fsid);
4546	VATTR_WANTED(vap, va_fsid64);
4547	VATTR_WANTED(vap, va_fileid);
4548	VATTR_WANTED(vap, va_data_size);
4549	if ((error = vnode_getattr(vp, vap, imgp->ip_vfs_context)) != `0`)
4550	return (error);
4551
4552	/*
4553	* Ensure that at least one execute bit is on - otherwise root
4554	* will always succeed, and we don't want to happen unless the
4555	* file really is executable.
4556	*/
4557	if (!vfs_authopaque(vnode_mount(vp)) && ((vap->va_mode & (S_IXUSR \| S_IXGRP \| S_IXOTH)) == `0`))
4558	return (EACCES);
4559
4560	/ Disallow zero length files /
4561	if (vap->va_data_size == `0`)
4562	return (ENOEXEC);
4563
4564	imgp->ip_arch_offset = (user_size_t)`0`;
4565	imgp->ip_arch_size = vap->va_data_size;
4566
4567	/ Disable setuid-ness for traced programs or if MNT_NOSUID /
4568	if ((vp->v_mount->mnt_flag & MNT_NOSUID) \|\| (p->p_lflag & P_LTRACED))
4569	vap->va_mode &= ~(VSUID \| VSGID);
4570
4571	/*
4572	* Disable _POSIX_SPAWN_ALLOW_DATA_EXEC and _POSIX_SPAWN_DISABLE_ASLR
4573	* flags for setuid/setgid binaries.
4574	*/
4575	if (vap->va_mode & (VSUID \| VSGID))
4576	imgp->ip_flags &= ~(IMGPF_ALLOW_DATA_EXEC \| IMGPF_DISABLE_ASLR);
4577
4578	#if CONFIG_MACF
4579	error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
4580	if (error)
4581	return (error);
4582	#endif
4583
4584	/ Check for execute permission /
4585	action = KAUTH_VNODE_EXECUTE;
4586	/ Traced images must also be readable /
4587	if (p->p_lflag & P_LTRACED)
4588	action \|= KAUTH_VNODE_READ_DATA;
4589	if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != `0`)
4590	return (error);
4591
4592	#if 0
4593	/ Don't let it run if anyone had it open for writing /
4594	vnode_lock(vp);
4595	if (vp->v_writecount) {
4596	panic("going to return ETXTBSY %x", vp);
4597	vnode_unlock(vp);
4598	return (ETXTBSY);
4599	}
4600	vnode_unlock(vp);
4601	#endif
4602
4603
4604	/ XXX May want to indicate to underlying FS that vnode is open /
4605
4606	return (error);
4607	}
4608
4609
4610	/*
4611	* exec_handle_sugid
4612	*
4613	* Initially clear the P_SUGID in the process flags; if an SUGID process is
4614	* exec'ing a non-SUGID image, then this is the point of no return.
4615	*
4616	* If the image being activated is SUGID, then replace the credential with a
4617	* copy, disable tracing (unless the tracing process is root), reset the
4618	* mach task port to revoke it, set the P_SUGID bit,
4619	*
4620	* If the saved user and group ID will be changing, then make sure it happens
4621	* to a new credential, rather than a shared one.
4622	*
4623	* Set the security token (this is probably obsolete, given that the token
4624	* should not technically be separate from the credential itself).
4625	*
4626	* Parameters: struct image_params * the image parameter block
4627	*
4628	* Returns: void No failure indication
4629	*
4630	* Implicit returns:
4631	* <process credential> Potentially modified/replaced
4632	* <task port> Potentially revoked
4633	* <process flags> P_SUGID bit potentially modified
4634	* <security token> Potentially modified
4635	*/
4636	static int
4637	exec_handle_sugid(struct image_params *imgp)
4638	{
4639	proc_t p = vfs_context_proc(imgp->ip_vfs_context);
4640	kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
4641	kauth_cred_t my_cred, my_new_cred;
4642	int i;
4643	int leave_sugid_clear = `0`;
4644	int mac_reset_ipc = `0`;
4645	int error = `0`;
4646	task_t task = NULL;
4647	#if CONFIG_MACF
4648	int mac_transition, disjoint_cred = `0`;
4649	int label_update_return = `0`;
4650
4651	/*
4652	* Determine whether a call to update the MAC label will result in the
4653	* credential changing.
4654	*
4655	* Note: MAC policies which do not actually end up modifying
4656	* the label subsequently are strongly encouraged to
4657	* return 0 for this check, since a non-zero answer will
4658	* slow down the exec fast path for normal binaries.
4659	*/
4660	mac_transition = mac_cred_check_label_update_execve(
4661	imgp->ip_vfs_context,
4662	imgp->ip_vp,
4663	imgp->ip_arch_offset,
4664	imgp->ip_scriptvp,
4665	imgp->ip_scriptlabelp,
4666	imgp->ip_execlabelp,
4667	p,
4668	imgp->ip_px_smpx);
4669	#endif
4670
4671	OSBitAndAtomic(~((uint32_t)P_SUGID), &p->p_flag);
4672
4673	/*
4674	* Order of the following is important; group checks must go last,
4675	* as we use the success of the 'ismember' check combined with the
4676	* failure of the explicit match to indicate that we will be setting
4677	* the egid of the process even though the new process did not
4678	* require VSUID/VSGID bits in order for it to set the new group as
4679	* its egid.
4680	*
4681	* Note: Technically, by this we are implying a call to
4682	* setegid() in the new process, rather than implying
4683	* it used its VSGID bit to set the effective group,
4684	* even though there is no code in that process to make
4685	* such a call.
4686	*/
4687	if (((imgp->ip_origvattr->va_mode & VSUID) != `0` &&
4688	kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) \|\|
4689	((imgp->ip_origvattr->va_mode & VSGID) != `0` &&
4690	((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &leave_sugid_clear) \|\| !leave_sugid_clear) \|\|
4691	(kauth_cred_getgid(cred) != imgp->ip_origvattr->va_gid)))) {
4692
4693	#if CONFIG_MACF
4694	/ label for MAC transition and neither VSUID nor VSGID /
4695	handle_mac_transition:
4696	#endif
4697
4698	#if !SECURE_KERNEL
4699	/*
4700	* Replace the credential with a copy of itself if euid or
4701	* egid change.
4702	*
4703	* Note: setuid binaries will automatically opt out of
4704	* group resolver participation as a side effect
4705	* of this operation. This is an intentional
4706	* part of the security model, which requires a
4707	* participating credential be established by
4708	* escalating privilege, setting up all other
4709	* aspects of the credential including whether
4710	* or not to participate in external group
4711	* membership resolution, then dropping their
4712	* effective privilege to that of the desired
4713	* final credential state.
4714	*
4715	* Modifications to p_ucred must be guarded using the
4716	* proc's ucred lock. This prevents others from accessing
4717	* a garbage credential.
4718	*/
4719	while (imgp->ip_origvattr->va_mode & VSUID) {
4720	my_cred = kauth_cred_proc_ref(p);
4721	my_new_cred = kauth_cred_setresuid(my_cred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
4722
4723	if (my_new_cred == my_cred) {
4724	kauth_cred_unref(&my_cred);
4725	break;
4726	}
4727
4728	/ update cred on proc /
4729	proc_ucred_lock(p);
4730
4731	if (p->p_ucred != my_cred) {
4732	proc_ucred_unlock(p);
4733	kauth_cred_unref(&my_new_cred);
4734	continue;
4735	}
4736
4737	/ donate cred reference on my_new_cred to p->p_ucred /
4738	p->p_ucred = my_new_cred;
4739	PROC_UPDATE_CREDS_ONPROC(p);
4740	proc_ucred_unlock(p);
4741
4742	/ drop additional reference that was taken on the previous cred /
4743	kauth_cred_unref(&my_cred);
4744
4745	break;
4746	}
4747
4748	while (imgp->ip_origvattr->va_mode & VSGID) {
4749	my_cred = kauth_cred_proc_ref(p);
4750	my_new_cred = kauth_cred_setresgid(my_cred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
4751
4752	if (my_new_cred == my_cred) {
4753	kauth_cred_unref(&my_cred);
4754	break;
4755	}
4756
4757	/ update cred on proc /
4758	proc_ucred_lock(p);
4759
4760	if (p->p_ucred != my_cred) {
4761	proc_ucred_unlock(p);
4762	kauth_cred_unref(&my_new_cred);
4763	continue;
4764	}
4765
4766	/ donate cred reference on my_new_cred to p->p_ucred /
4767	p->p_ucred = my_new_cred;
4768	PROC_UPDATE_CREDS_ONPROC(p);
4769	proc_ucred_unlock(p);
4770
4771	/ drop additional reference that was taken on the previous cred /
4772	kauth_cred_unref(&my_cred);
4773
4774	break;
4775	}
4776	#endif /* !SECURE_KERNEL */
4777
4778	#if CONFIG_MACF
4779	/*
4780	* If a policy has indicated that it will transition the label,
4781	* before making the call into the MAC policies, get a new
4782	* duplicate credential, so they can modify it without
4783	* modifying any others sharing it.
4784	*/
4785	if (mac_transition) {
4786	/*
4787	* This hook may generate upcalls that require
4788	* importance donation from the kernel.
4789	* (23925818)
4790	*/
4791	thread_t thread = current_thread();
4792	thread_enable_send_importance(thread, TRUE);
4793	kauth_proc_label_update_execve(p,
4794	imgp->ip_vfs_context,
4795	imgp->ip_vp,
4796	imgp->ip_arch_offset,
4797	imgp->ip_scriptvp,
4798	imgp->ip_scriptlabelp,
4799	imgp->ip_execlabelp,
4800	&imgp->ip_csflags,
4801	imgp->ip_px_smpx,
4802	&disjoint_cred, / will be non zero if disjoint /
4803	&label_update_return);
4804	thread_enable_send_importance(thread, FALSE);
4805
4806	if (disjoint_cred) {
4807	/*
4808	* If updating the MAC label resulted in a
4809	* disjoint credential, flag that we need to
4810	* set the P_SUGID bit. This protects
4811	* against debuggers being attached by an
4812	* insufficiently privileged process onto the
4813	* result of a transition to a more privileged
4814	* credential.
4815	*/
4816	leave_sugid_clear = `0`;
4817	}
4818
4819	imgp->ip_mac_return = label_update_return;
4820	}
4821
4822	mac_reset_ipc = mac_proc_check_inherit_ipc_ports(p, p->p_textvp, p->p_textoff, imgp->ip_vp, imgp->ip_arch_offset, imgp->ip_scriptvp);
4823
4824	#endif /* CONFIG_MACF */
4825
4826	/*
4827	* If 'leave_sugid_clear' is non-zero, then we passed the
4828	* VSUID and MACF checks, and successfully determined that
4829	* the previous cred was a member of the VSGID group, but
4830	* that it was not the default at the time of the execve,
4831	* and that the post-labelling credential was not disjoint.
4832	* So we don't set the P_SUGID or reset mach ports and fds
4833	* on the basis of simply running this code.
4834	*/
4835	if (mac_reset_ipc \|\| !leave_sugid_clear) {
4836	/*
4837	* Have mach reset the task and thread ports.
4838	* We don't want anyone who had the ports before
4839	* a setuid exec to be able to access/control the
4840	* task/thread after.
4841	*/
4842	ipc_task_reset((imgp->ip_new_thread != NULL) ?
4843	get_threadtask(imgp->ip_new_thread) : p->task);
4844	ipc_thread_reset((imgp->ip_new_thread != NULL) ?
4845	imgp->ip_new_thread : current_thread());
4846	}
4847
4848	if (!leave_sugid_clear) {
4849	/*
4850	* Flag the process as setuid.
4851	*/
4852	OSBitOrAtomic(P_SUGID, &p->p_flag);
4853
4854	/*
4855	* Radar 2261856; setuid security hole fix
4856	* XXX For setuid processes, attempt to ensure that
4857	* stdin, stdout, and stderr are already allocated.
4858	* We do not want userland to accidentally allocate
4859	* descriptors in this range which has implied meaning
4860	* to libc.
4861	*/
4862	for (i = `0`; i < `3`; i++) {
4863
4864	if (p->p_fd->fd_ofiles[i] != NULL)
4865	continue;
4866
4867	/*
4868	* Do the kernel equivalent of
4869	*
4870	* if i == 0
4871	* (void) open("/dev/null", O_RDONLY);
4872	* else
4873	* (void) open("/dev/null", O_WRONLY);
4874	*/
4875
4876	struct fileproc *fp;
4877	int indx;
4878	int flag;
4879	struct nameidata *ndp = NULL;
4880
4881	if (i == `0`)
4882	flag = FREAD;
4883	else
4884	flag = FWRITE;
4885
4886	if ((error = falloc(p,
4887	&fp, &indx, imgp->ip_vfs_context)) != `0`)
4888	continue;
4889
4890	MALLOC(ndp, struct nameidata , sizeof(ndp), M_TEMP, M_WAITOK \| M_ZERO);
4891	if (ndp == NULL) {
4892	fp_free(p, indx, fp);
4893	error = ENOMEM;
4894	break;
4895	}
4896
4897	NDINIT(ndp, LOOKUP, OP_OPEN, FOLLOW, UIO_SYSSPACE,
4898	CAST_USER_ADDR_T("/dev/null"),
4899	imgp->ip_vfs_context);
4900
4901	if ((error = vn_open(ndp, flag, `0`)) != `0`) {
4902	fp_free(p, indx, fp);
4903	FREE(ndp, M_TEMP);
4904	break;
4905	}
4906
4907	struct fileglob *fg = fp->f_fglob;
4908
4909	fg->fg_flag = flag;
4910	fg->fg_ops = &vnops;
4911	fg->fg_data = ndp->ni_vp;
4912
4913	vnode_put(ndp->ni_vp);
4914
4915	proc_fdlock(p);
4916	procfdtbl_releasefd(p, indx, NULL);
4917	fp_drop(p, indx, fp, `1`);
4918	proc_fdunlock(p);
4919
4920	FREE(ndp, M_TEMP);
4921	}
4922	}
4923	}
4924	#if CONFIG_MACF
4925	else {
4926	/*
4927	* We are here because we were told that the MAC label will
4928	* be transitioned, and the binary is not VSUID or VSGID; to
4929	* deal with this case, we could either duplicate a lot of
4930	* code, or we can indicate we want to default the P_SUGID
4931	* bit clear and jump back up.
4932	*/
4933	if (mac_transition) {
4934	leave_sugid_clear = `1`;
4935	goto handle_mac_transition;
4936	}
4937	}
4938
4939	#endif /* CONFIG_MACF */
4940
4941	/*
4942	* Implement the semantic where the effective user and group become
4943	* the saved user and group in exec'ed programs.
4944	*
4945	* Modifications to p_ucred must be guarded using the
4946	* proc's ucred lock. This prevents others from accessing
4947	* a garbage credential.
4948	*/
4949	for (;;) {
4950	my_cred = kauth_cred_proc_ref(p);
4951	my_new_cred = kauth_cred_setsvuidgid(my_cred, kauth_cred_getuid(my_cred), kauth_cred_getgid(my_cred));
4952
4953	if (my_new_cred == my_cred) {
4954	kauth_cred_unref(&my_cred);
4955	break;
4956	}
4957
4958	/ update cred on proc /
4959	proc_ucred_lock(p);
4960
4961	if (p->p_ucred != my_cred) {
4962	proc_ucred_unlock(p);
4963	kauth_cred_unref(&my_new_cred);
4964	continue;
4965	}
4966
4967	/ donate cred reference on my_new_cred to p->p_ucred /
4968	p->p_ucred = my_new_cred;
4969	PROC_UPDATE_CREDS_ONPROC(p);
4970	proc_ucred_unlock(p);
4971
4972	/ drop additional reference that was taken on the previous cred /
4973	kauth_cred_unref(&my_cred);
4974
4975	break;
4976	}
4977
4978
4979	/ Update the process' identity version and set the security token /
4980	p->p_idversion++;
4981
4982	if (imgp->ip_new_thread != NULL) {
4983	task = get_threadtask(imgp->ip_new_thread);
4984	} else {
4985	task = p->task;
4986	}
4987	set_security_token_task_internal(p, task);
4988
4989	return(error);
4990	}
4991
4992
4993	/*
4994	* create_unix_stack
4995	*
4996	* Description: Set the user stack address for the process to the provided
4997	* address. If a custom stack was not set as a result of the
4998	* load process (i.e. as specified by the image file for the
4999	* executable), then allocate the stack in the provided map and
5000	* set up appropriate guard pages for enforcing administrative
5001	* limits on stack growth, if they end up being needed.
5002	*
5003	* Parameters: p Process to set stack on
5004	* load_result Information from mach-o load commands
5005	* map Address map in which to allocate the new stack
5006	*
5007	* Returns: KERN_SUCCESS Stack successfully created
5008	* !KERN_SUCCESS Mach failure code
5009	*/
5010	static kern_return_t
5011	create_unix_stack(vm_map_t map, load_result_t* load_result,
5012	proc_t p)
5013	{
5014	mach_vm_size_t size, prot_size;
5015	mach_vm_offset_t addr, prot_addr;
5016	kern_return_t kr;
5017
5018	mach_vm_address_t user_stack = load_result->user_stack;
5019
5020	proc_lock(p);
5021	p->user_stack = user_stack;
5022	proc_unlock(p);
5023
5024	if (load_result->user_stack_alloc_size > `0`) {
5025	/*
5026	* Allocate enough space for the maximum stack size we
5027	* will ever authorize and an extra page to act as
5028	* a guard page for stack overflows. For default stacks,
5029	* vm_initial_limit_stack takes care of the extra guard page.
5030	* Otherwise we must allocate it ourselves.
5031	*/
5032	if (mach_vm_round_page_overflow(load_result->user_stack_alloc_size, &size)) {
5033	return KERN_INVALID_ARGUMENT;
5034	}
5035	addr = mach_vm_trunc_page(load_result->user_stack - size);
5036	kr = mach_vm_allocate_kernel(map, &addr, size,
5037	VM_FLAGS_FIXED, VM_MEMORY_STACK);
5038	if (kr != KERN_SUCCESS) {
5039	// Can't allocate at default location, try anywhere
5040	addr = `0`;
5041	kr = mach_vm_allocate_kernel(map, &addr, size,
5042	VM_FLAGS_ANYWHERE, VM_MEMORY_STACK);
5043	if (kr != KERN_SUCCESS) {
5044	return kr;
5045	}
5046
5047	user_stack = addr + size;
5048	load_result->user_stack = user_stack;
5049
5050	proc_lock(p);
5051	p->user_stack = user_stack;
5052	proc_unlock(p);
5053	}
5054
5055	load_result->user_stack_alloc = addr;
5056
5057	/*
5058	* And prevent access to what's above the current stack
5059	* size limit for this process.
5060	*/
5061	if (load_result->user_stack_size == `0`) {
5062	load_result->user_stack_size = unix_stack_size(p);
5063	prot_size = mach_vm_trunc_page(size - load_result->user_stack_size);
5064	} else {
5065	prot_size = PAGE_SIZE;
5066	}
5067
5068	prot_addr = addr;
5069	kr = mach_vm_protect(map,
5070	prot_addr,
5071	prot_size,
5072	FALSE,
5073	VM_PROT_NONE);
5074	if (kr != KERN_SUCCESS) {
5075	(void)mach_vm_deallocate(map, addr, size);
5076	return kr;
5077	}
5078	}
5079
5080	return KERN_SUCCESS;
5081	}
5082
5083	#include <sys/reboot.h>
5084
5085	/*
5086	* load_init_program_at_path
5087	*
5088	* Description: Load the "init" program; in most cases, this will be "launchd"
5089	*
5090	* Parameters: p Process to call execve() to create
5091	* the "init" program
5092	* scratch_addr Page in p, scratch space
5093	* path NULL terminated path
5094	*
5095	* Returns: KERN_SUCCESS Success
5096	* !KERN_SUCCESS See execve/mac_execve for error codes
5097	*
5098	* Notes: The process that is passed in is the first manufactured
5099	* process on the system, and gets here via bsd_ast() firing
5100	* for the first time. This is done to ensure that bsd_init()
5101	* has run to completion.
5102	*
5103	* The address map of the first manufactured process matches the
5104	* word width of the kernel. Once the self-exec completes, the
5105	* initproc might be different.
5106	*/
5107	static int
5108	load_init_program_at_path(proc_t p, user_addr_t scratch_addr, const char* path)
5109	{
5110	int retval[`2`];
5111	int error;
5112	struct execve_args init_exec_args;
5113	user_addr_t argv0 = USER_ADDR_NULL, argv1 = USER_ADDR_NULL;
5114
5115	/*
5116	* Validate inputs and pre-conditions
5117	*/
5118	assert(p);
5119	assert(scratch_addr);
5120	assert(path);
5121
5122	/*
5123	* Copy out program name.
5124	*/
5125	size_t path_length = strlen(path) + `1`;
5126	argv0 = scratch_addr;
5127	error = copyout(path, argv0, path_length);
5128	if (error)
5129	return error;
5130
5131	scratch_addr = USER_ADDR_ALIGN(scratch_addr + path_length, sizeof(user_addr_t));
5132
5133	/*
5134	* Put out first (and only) argument, similarly.
5135	* Assumes everything fits in a page as allocated above.
5136	*/
5137	if (boothowto & RB_SINGLE) {
5138	const char *init_args = "-s";
5139	size_t init_args_length = strlen(init_args)+`1`;
5140
5141	argv1 = scratch_addr;
5142	error = copyout(init_args, argv1, init_args_length);
5143	if (error)
5144	return error;
5145
5146	scratch_addr = USER_ADDR_ALIGN(scratch_addr + init_args_length, sizeof(user_addr_t));
5147	}
5148
5149	if (proc_is64bit(p)) {
5150	user64_addr_t argv64bit[`3`] = {};
5151
5152	argv64bit[`0`] = argv0;
5153	argv64bit[`1`] = argv1;
5154	argv64bit[`2`] = USER_ADDR_NULL;
5155
5156	error = copyout(argv64bit, scratch_addr, sizeof(argv64bit));
5157	if (error)
5158	return error;
5159	} else {
5160	user32_addr_t argv32bit[`3`] = {};
5161
5162	argv32bit[`0`] = (user32_addr_t)argv0;
5163	argv32bit[`1`] = (user32_addr_t)argv1;
5164	argv32bit[`2`] = USER_ADDR_NULL;
5165
5166	error = copyout(argv32bit, scratch_addr, sizeof(argv32bit));
5167	if (error)
5168	return error;
5169	}
5170
5171	/*
5172	* Set up argument block for fake call to execve.
5173	*/
5174	init_exec_args.fname = argv0;
5175	init_exec_args.argp = scratch_addr;
5176	init_exec_args.envp = USER_ADDR_NULL;
5177
5178	/*
5179	* So that init task is set with uid,gid 0 token
5180	*/
5181	set_security_token(p);
5182
5183	return execve(p, &init_exec_args, retval);
5184	}
5185
5186	static const char * init_programs[] = {
5187	#if DEBUG
5188	"/usr/local/sbin/launchd.debug",
5189	#endif
5190	#if DEVELOPMENT \|\| DEBUG
5191	"/usr/local/sbin/launchd.development",
5192	#endif
5193	"/sbin/launchd",
5194	};
5195
5196	/*
5197	* load_init_program
5198	*
5199	* Description: Load the "init" program; in most cases, this will be "launchd"
5200	*
5201	* Parameters: p Process to call execve() to create
5202	* the "init" program
5203	*
5204	* Returns: (void)
5205	*
5206	* Notes: The process that is passed in is the first manufactured
5207	* process on the system, and gets here via bsd_ast() firing
5208	* for the first time. This is done to ensure that bsd_init()
5209	* has run to completion.
5210	*
5211	* In DEBUG & DEVELOPMENT builds, the launchdsuffix boot-arg
5212	* may be used to select a specific launchd executable. As with
5213	* the kcsuffix boot-arg, setting launchdsuffix to "" or "release"
5214	* will force /sbin/launchd to be selected.
5215	*
5216	* Search order by build:
5217	*
5218	* DEBUG DEVELOPMENT RELEASE PATH
5219	* ----------------------------------------------------------------------------------
5220	* 1 1 NA /usr/local/sbin/launchd.$LAUNCHDSUFFIX
5221	* 2 NA NA /usr/local/sbin/launchd.debug
5222	* 3 2 NA /usr/local/sbin/launchd.development
5223	* 4 3 1 /sbin/launchd
5224	*/
5225	void
5226	load_init_program(proc_t p)
5227	{
5228	uint32_t i;
5229	int error;
5230	vm_map_t map = current_map();
5231	mach_vm_offset_t scratch_addr = `0`;
5232	mach_vm_size_t map_page_size = vm_map_page_size(map);
5233
5234	(void) mach_vm_allocate_kernel(map, &scratch_addr, map_page_size, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_NONE);
5235	#if CONFIG_MEMORYSTATUS
5236	(void) memorystatus_init_at_boot_snapshot();
5237	#endif /* CONFIG_MEMORYSTATUS */
5238
5239	#if DEBUG \|\| DEVELOPMENT
5240	/ Check for boot-arg suffix first /
5241	char launchd_suffix[`64`];
5242	if (PE_parse_boot_argn("launchdsuffix", launchd_suffix, sizeof(launchd_suffix))) {
5243	char launchd_path[`128`];
5244	boolean_t is_release_suffix = ((launchd_suffix[`0`] == `0`) \|\|
5245	(strcmp(launchd_suffix, "release") == `0`));
5246
5247	if (is_release_suffix) {
5248	printf("load_init_program: attempting to load /sbin/launchd\n");
5249	error = load_init_program_at_path(p, (user_addr_t)scratch_addr, "/sbin/launchd");
5250	if (!error)
5251	return;
5252
5253	panic("Process 1 exec of launchd.release failed, errno %d", error);
5254	} else {
5255	strlcpy(launchd_path, "/usr/local/sbin/launchd.", sizeof(launchd_path));
5256	strlcat(launchd_path, launchd_suffix, sizeof(launchd_path));
5257
5258	printf("load_init_program: attempting to load %s\n", launchd_path);
5259	error = load_init_program_at_path(p, (user_addr_t)scratch_addr, launchd_path);
5260	if (!error) {
5261	return;
5262	} else {
5263	printf("load_init_program: failed loading %s: errno %d\n", launchd_path, error);
5264	}
5265	}
5266	}
5267	#endif
5268
5269	error = ENOENT;
5270	for (i = `0`; i < sizeof(init_programs)/sizeof(init_programs[`0`]); i++) {
5271	printf("load_init_program: attempting to load %s\n", init_programs[i]);
5272	error = load_init_program_at_path(p, (user_addr_t)scratch_addr, init_programs[i]);
5273	if (!error) {
5274	return;
5275	} else {
5276	printf("load_init_program: failed loading %s: errno %d\n", init_programs[i], error);
5277	}
5278	}
5279
5280	panic("Process 1 exec of %s failed, errno %d", ((i == `0`) ? "<null>" : init_programs[i-`1`]), error);
5281	}
5282
5283	/*
5284	* load_return_to_errno
5285	*
5286	* Description: Convert a load_return_t (Mach error) to an errno (BSD error)
5287	*
5288	* Parameters: lrtn Mach error number
5289	*
5290	* Returns: (int) BSD error number
5291	* 0 Success
5292	* EBADARCH Bad architecture
5293	* EBADMACHO Bad Mach object file
5294	* ESHLIBVERS Bad shared library version
5295	* ENOMEM Out of memory/resource shortage
5296	* EACCES Access denied
5297	* ENOENT Entry not found (usually "file does
5298	* does not exist")
5299	* EIO An I/O error occurred
5300	* EBADEXEC The executable is corrupt/unknown
5301	*/
5302	static int
5303	load_return_to_errno(load_return_t lrtn)
5304	{
5305	switch (lrtn) {
5306	case LOAD_SUCCESS:
5307	return `0`;
5308	case LOAD_BADARCH:
5309	case LOAD_BADARCH_X86:
5310	return EBADARCH;
5311	case LOAD_BADMACHO:
5312	case LOAD_BADMACHO_UPX:
5313	return EBADMACHO;
5314	case LOAD_SHLIB:
5315	return ESHLIBVERS;
5316	case LOAD_NOSPACE:
5317	case LOAD_RESOURCE:
5318	return ENOMEM;
5319	case LOAD_PROTECT:
5320	return EACCES;
5321	case LOAD_ENOENT:
5322	return ENOENT;
5323	case LOAD_IOERROR:
5324	return EIO;
5325	case LOAD_FAILURE:
5326	case LOAD_DECRYPTFAIL:
5327	default:
5328	return EBADEXEC;
5329	}
5330	}
5331
5332	#include <mach/mach_types.h>
5333	#include <mach/vm_prot.h>
5334	#include <mach/semaphore.h>
5335	#include <mach/sync_policy.h>
5336	#include <kern/clock.h>
5337	#include <mach/kern_return.h>
5338
5339	/*
5340	* execargs_alloc
5341	*
5342	* Description: Allocate the block of memory used by the execve arguments.
5343	* At the same time, we allocate a page so that we can read in
5344	* the first page of the image.
5345	*
5346	* Parameters: struct image_params * the image parameter block
5347	*
5348	* Returns: 0 Success
5349	* EINVAL Invalid argument
5350	* EACCES Permission denied
5351	* EINTR Interrupted function
5352	* ENOMEM Not enough space
5353	*
5354	* Notes: This is a temporary allocation into the kernel address space
5355	* to enable us to copy arguments in from user space. This is
5356	* necessitated by not mapping the process calling execve() into
5357	* the kernel address space during the execve() system call.
5358	*
5359	* We assemble the argument and environment, etc., into this
5360	* region before copying it as a single block into the child
5361	* process address space (at the top or bottom of the stack,
5362	* depending on which way the stack grows; see the function
5363	* exec_copyout_strings() for details).
5364	*
5365	* This ends up with a second (possibly unnecessary) copy compared
5366	* with assembing the data directly into the child address space,
5367	* instead, but since we cannot be guaranteed that the parent has
5368	* not modified its environment, we can't really know that it's
5369	* really a block there as well.
5370	*/
5371
5372
5373	static int execargs_waiters = `0`;
5374	lck_mtx_t *execargs_cache_lock;
5375
5376	static void
5377	execargs_lock_lock(void) {
5378	lck_mtx_lock_spin(execargs_cache_lock);
5379	}
5380
5381	static void
5382	execargs_lock_unlock(void) {
5383	lck_mtx_unlock(execargs_cache_lock);
5384	}
5385
5386	static wait_result_t
5387	execargs_lock_sleep(void) {
5388	return(lck_mtx_sleep(execargs_cache_lock, LCK_SLEEP_DEFAULT, &execargs_free_count, THREAD_INTERRUPTIBLE));
5389	}
5390
5391	static kern_return_t
5392	execargs_purgeable_allocate(char **execarg_address) {
5393	kern_return_t kr = vm_allocate_kernel(bsd_pageable_map, (vm_offset_t *)execarg_address, BSD_PAGEABLE_SIZE_PER_EXEC, VM_FLAGS_ANYWHERE \| VM_FLAGS_PURGABLE, VM_KERN_MEMORY_NONE);
5394	assert(kr == KERN_SUCCESS);
5395	return kr;
5396	}
5397
5398	static kern_return_t
5399	execargs_purgeable_reference(void *execarg_address) {
5400	int state = VM_PURGABLE_NONVOLATILE;
5401	kern_return_t kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
5402
5403	assert(kr == KERN_SUCCESS);
5404	return kr;
5405	}
5406
5407	static kern_return_t
5408	execargs_purgeable_volatilize(void *execarg_address) {
5409	int state = VM_PURGABLE_VOLATILE \| VM_PURGABLE_ORDERING_OBSOLETE;
5410	kern_return_t kr;
5411	kr = vm_purgable_control(bsd_pageable_map, (vm_offset_t) execarg_address, VM_PURGABLE_SET_STATE, &state);
5412
5413	assert(kr == KERN_SUCCESS);
5414
5415	return kr;
5416	}
5417
5418	static void
5419	execargs_wakeup_waiters(void) {
5420	thread_wakeup(&execargs_free_count);
5421	}
5422
5423	static int
5424	execargs_alloc(struct image_params *imgp)
5425	{
5426	kern_return_t kret;
5427	wait_result_t res;
5428	int i, cache_index = -`1`;
5429
5430	execargs_lock_lock();
5431
5432	while (execargs_free_count == `0`) {
5433	execargs_waiters++;
5434	res = execargs_lock_sleep();
5435	execargs_waiters--;
5436	if (res != THREAD_AWAKENED) {
5437	execargs_lock_unlock();
5438	return (EINTR);
5439	}
5440	}
5441
5442	execargs_free_count--;
5443
5444	for (i = `0`; i < execargs_cache_size; i++) {
5445	vm_offset_t element = execargs_cache[i];
5446	if (element) {
5447	cache_index = i;
5448	imgp->ip_strings = (char *)(execargs_cache[i]);
5449	execargs_cache[i] = `0`;
5450	break;
5451	}
5452	}
5453
5454	assert(execargs_free_count >= `0`);
5455
5456	execargs_lock_unlock();
5457
5458	if (cache_index == -`1`) {
5459	kret = execargs_purgeable_allocate(&imgp->ip_strings);
5460	}
5461	else
5462	kret = execargs_purgeable_reference(imgp->ip_strings);
5463
5464	assert(kret == KERN_SUCCESS);
5465	if (kret != KERN_SUCCESS) {
5466	return (ENOMEM);
5467	}
5468
5469	/ last page used to read in file headers /
5470	imgp->ip_vdata = imgp->ip_strings + ( NCARGS + PAGE_SIZE );
5471	imgp->ip_strendp = imgp->ip_strings;
5472	imgp->ip_argspace = NCARGS;
5473	imgp->ip_strspace = ( NCARGS + PAGE_SIZE );
5474
5475	return (`0`);
5476	}
5477
5478	/*
5479	* execargs_free
5480	*
5481	* Description: Free the block of memory used by the execve arguments and the
5482	* first page of the executable by a previous call to the function
5483	* execargs_alloc().
5484	*
5485	* Parameters: struct image_params * the image parameter block
5486	*
5487	* Returns: 0 Success
5488	* EINVAL Invalid argument
5489	* EINTR Oeration interrupted
5490	*/
5491	static int
5492	execargs_free(struct image_params *imgp)
5493	{
5494	kern_return_t kret;
5495	int i;
5496	boolean_t needs_wakeup = FALSE;
5497
5498	kret = execargs_purgeable_volatilize(imgp->ip_strings);
5499
5500	execargs_lock_lock();
5501	execargs_free_count++;
5502
5503	for (i = `0`; i < execargs_cache_size; i++) {
5504	vm_offset_t element = execargs_cache[i];
5505	if (element == `0`) {
5506	execargs_cache[i] = (vm_offset_t) imgp->ip_strings;
5507	imgp->ip_strings = NULL;
5508	break;
5509	}
5510	}
5511
5512	assert(imgp->ip_strings == NULL);
5513
5514	if (execargs_waiters > `0`)
5515	needs_wakeup = TRUE;
5516
5517	execargs_lock_unlock();
5518
5519	if (needs_wakeup == TRUE)
5520	execargs_wakeup_waiters();
5521
5522	return ((kret == KERN_SUCCESS ? `0` : EINVAL));
5523	}
5524
5525	static void
5526	exec_resettextvp(proc_t p, struct image_params *imgp)
5527	{
5528	vnode_t vp;
5529	off_t offset;
5530	vnode_t tvp = p->p_textvp;
5531	int ret;
5532
5533	vp = imgp->ip_vp;
5534	offset = imgp->ip_arch_offset;
5535
5536	if (vp == NULLVP)
5537	panic("exec_resettextvp: expected valid vp");
5538
5539	ret = vnode_ref(vp);
5540	proc_lock(p);
5541	if (ret == `0`) {
5542	p->p_textvp = vp;
5543	p->p_textoff = offset;
5544	} else {
5545	p->p_textvp = NULLVP; / this is paranoia /
5546	p->p_textoff = `0`;
5547	}
5548	proc_unlock(p);
5549
5550	if ( tvp != NULLVP) {
5551	if (vnode_getwithref(tvp) == `0`) {
5552	vnode_rele(tvp);
5553	vnode_put(tvp);
5554	}
5555	}
5556
5557	}
5558
5559	// Includes the 0-byte (therefore "SIZE" instead of "LEN").
5560	static const size_t CS_CDHASH_STRING_SIZE = CS_CDHASH_LEN * `2` + `1`;
5561
5562	static void cdhash_to_string(char str[CS_CDHASH_STRING_SIZE], uint8_t const * const cdhash) {
5563	static char const nibble[] = "0123456789abcdef";
5564
5565	/ Apparently still the safest way to get a hex representation*
5566	* of binary data.
5567	* xnu's printf routines have %*D/%20D in theory, but "not really", see:
5568	* <rdar://problem/33328859> confusion around %*D/%nD in printf
5569	*/
5570	for (int i = `0`; i < CS_CDHASH_LEN; ++i) {
5571	str[i*`2`] = nibble[(cdhash[i] & `0xf0`) >> `4`];
5572	str[i*`2`+`1`] = nibble[cdhash[i] & `0x0f`];
5573	}
5574	str[CS_CDHASH_STRING_SIZE - `1`] = `0`;
5575	}
5576
5577	/*
5578	* __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__
5579	*
5580	* Description: Waits for the userspace daemon to respond to the request
5581	* we made. Function declared non inline to be visible in
5582	* stackshots and spindumps as well as debugging.
5583	*/
5584	__attribute__((noinline)) int
5585	__EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(mach_port_t task_access_port, int32_t new_pid)
5586	{
5587	return find_code_signature(task_access_port, new_pid);
5588	}
5589
5590	static int
5591	check_for_signature(proc_t p, struct image_params *imgp)
5592	{
5593	mach_port_t port = NULL;
5594	kern_return_t kr = KERN_FAILURE;
5595	int error = EACCES;
5596	boolean_t unexpected_failure = FALSE;
5597	struct cs_blob *csb;
5598	boolean_t require_success = FALSE;
5599	int spawn = (imgp->ip_flags & IMGPF_SPAWN);
5600	int vfexec = (imgp->ip_flags & IMGPF_VFORK_EXEC);
5601	os_reason_t signature_failure_reason = OS_REASON_NULL;
5602
5603	/*
5604	* Override inherited code signing flags with the
5605	* ones for the process that is being successfully
5606	* loaded
5607	*/
5608	proc_lock(p);
5609	p->p_csflags = imgp->ip_csflags;
5610	proc_unlock(p);
5611
5612	/ Set the switch_protect flag on the map /
5613	if(p->p_csflags & (CS_HARD\|CS_KILL)) {
5614	vm_map_switch_protect(get_task_map(p->task), TRUE);
5615	}
5616
5617	/*
5618	* image activation may be failed due to policy
5619	* which is unexpected but security framework does not
5620	* approve of exec, kill and return immediately.
5621	*/
5622	if (imgp->ip_mac_return != `0`) {
5623
5624	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
5625	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY, `0`, `0`);
5626	signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_SECURITY_POLICY);
5627	error = imgp->ip_mac_return;
5628	unexpected_failure = TRUE;
5629	goto done;
5630	}
5631
5632	if (imgp->ip_cs_error != OS_REASON_NULL) {
5633	signature_failure_reason = imgp->ip_cs_error;
5634	imgp->ip_cs_error = OS_REASON_NULL;
5635	error = EACCES;
5636	goto done;
5637	}
5638
5639	/ If the code signature came through the image activation path, we skip the*
5640	* taskgated / externally attached path. */
5641	if (imgp->ip_csflags & CS_SIGNED) {
5642	error = `0`;
5643	goto done;
5644	}
5645
5646	/ The rest of the code is for signatures that either already have been externally*
5647	* attached (likely, but not necessarily by a previous run through the taskgated
5648	* path), or that will now be attached by taskgated. */
5649
5650	kr = task_get_task_access_port(p->task, &port);
5651	if (KERN_SUCCESS != kr \|\| !IPC_PORT_VALID(port)) {
5652	error = `0`;
5653	if (require_success) {
5654	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
5655	p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT, `0`, `0`);
5656	signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASK_ACCESS_PORT);
5657	error = EACCES;
5658	}
5659	goto done;
5660	}
5661
5662	/*
5663	* taskgated returns KERN_SUCCESS if it has completed its work
5664	* and the exec should continue, KERN_FAILURE if the exec should
5665	* fail, or it may error out with different error code in an
5666	* event of mig failure (e.g. process was signalled during the
5667	* rpc call, taskgated died, mig server died etc.).
5668	*/
5669
5670	kr = __EXEC_WAITING_ON_TASKGATED_CODE_SIGNATURE_UPCALL__(port, p->p_pid);
5671	switch (kr) {
5672	case KERN_SUCCESS:
5673	error = `0`;
5674	break;
5675	case KERN_FAILURE:
5676	error = EACCES;
5677
5678	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
5679	p->p_pid, OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG, `0`, `0`);
5680	signature_failure_reason = os_reason_create(OS_REASON_CODESIGNING, CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG);
5681	goto done;
5682	default:
5683	error = EACCES;
5684
5685	KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_EXITREASON_CREATE) \| DBG_FUNC_NONE,
5686	p->p_pid, OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER, `0`, `0`);
5687	signature_failure_reason = os_reason_create(OS_REASON_EXEC, EXEC_EXIT_REASON_TASKGATED_OTHER);
5688	unexpected_failure = TRUE;
5689	goto done;
5690	}
5691
5692	/ Only do this if exec_resettextvp() did not fail /
5693	if (p->p_textvp != NULLVP) {
5694	csb = ubc_cs_blob_get(p->p_textvp, -`1`, p->p_textoff);
5695
5696	if (csb != NULL) {
5697	/ As the enforcement we can do here is very limited, we only allow things that*
5698	* are the only reason why this code path still exists:
5699	* Adhoc signed non-platform binaries without special cs_flags and without any
5700	* entitlements (unrestricted ones still pass AMFI). */
5701	if (
5702	/ Revalidate the blob if necessary through bumped generation count. /
5703	(ubc_cs_generation_check(p->p_textvp) == `0` \|\|
5704	ubc_cs_blob_revalidate(p->p_textvp, csb, imgp, `0`) == `0`) &&
5705	/ Only CS_ADHOC, no CS_KILL, CS_HARD etc. /
5706	(csb->csb_flags & CS_ALLOWED_MACHO) == CS_ADHOC &&
5707	/ If it has a CMS blob, it's not adhoc. The CS_ADHOC flag can lie. /
5708	csblob_find_blob_bytes((const uint8_t *)csb->csb_mem_kaddr, csb->csb_mem_size,
5709	CSSLOT_SIGNATURESLOT,
5710	CSMAGIC_BLOBWRAPPER) == NULL &&
5711	/ It could still be in a trust cache (unlikely with CS_ADHOC), or a magic path. /
5712	csb->csb_platform_binary == `0` &&
5713	/ No entitlements, not even unrestricted ones. /
5714	csb->csb_entitlements_blob == NULL) {
5715
5716	proc_lock(p);
5717	p->p_csflags \|= CS_SIGNED \| CS_VALID;
5718	proc_unlock(p);
5719
5720	} else {
5721	uint8_t cdhash[CS_CDHASH_LEN];
5722	char cdhash_string[CS_CDHASH_STRING_SIZE];
5723	proc_getcdhash(p, cdhash);
5724	cdhash_to_string(cdhash_string, cdhash);
5725	printf("ignoring detached code signature on '%s' with cdhash '%s' "
5726	"because it is invalid, or not a simple adhoc signature.\n",
5727	p->p_name, cdhash_string);
5728	}
5729
5730	}
5731	}
5732
5733	done:
5734	if (`0` == error) {
5735	/ The process's code signature related properties are*
5736	* fully set up, so this is an opportune moment to log
5737	* platform binary execution, if desired. */
5738	if (platform_exec_logging != `0` && csproc_get_platform_binary(p)) {
5739	uint8_t cdhash[CS_CDHASH_LEN];
5740	char cdhash_string[CS_CDHASH_STRING_SIZE];
5741	proc_getcdhash(p, cdhash);
5742	cdhash_to_string(cdhash_string, cdhash);
5743
5744	os_log(peLog, "CS Platform Exec Logging: Executing platform signed binary "
5745	"'%s' with cdhash %s\n", p->p_name, cdhash_string);
5746	}
5747	} else {
5748	if (!unexpected_failure)
5749	p->p_csflags \|= CS_KILLED;
5750	/ make very sure execution fails /
5751	if (vfexec \|\| spawn) {
5752	assert(signature_failure_reason != OS_REASON_NULL);
5753	psignal_vfork_with_reason(p, p->task, imgp->ip_new_thread,
5754	SIGKILL, signature_failure_reason);
5755	signature_failure_reason = OS_REASON_NULL;
5756	error = `0`;
5757	} else {
5758	assert(signature_failure_reason != OS_REASON_NULL);
5759	psignal_with_reason(p, SIGKILL, signature_failure_reason);
5760	signature_failure_reason = OS_REASON_NULL;
5761	}
5762	}
5763
5764	/ If we hit this, we likely would have leaked an exit reason /
5765	assert(signature_failure_reason == OS_REASON_NULL);
5766	return error;
5767	}
5768
5769	/*
5770	* Typically as soon as we start executing this process, the
5771	* first instruction will trigger a VM fault to bring the text
5772	* pages (as executable) into the address space, followed soon
5773	* thereafter by dyld data structures (for dynamic executable).
5774	* To optimize this, as well as improve support for hardware
5775	* debuggers that can only access resident pages present
5776	* in the process' page tables, we prefault some pages if
5777	* possible. Errors are non-fatal.
5778	*/
5779	static void exec_prefault_data(proc_t p __unused, struct image_params imgp, load_result_t load_result)
5780	{
5781	int ret;
5782	size_t expected_all_image_infos_size;
5783
5784	/*
5785	* Prefault executable or dyld entry point.
5786	*/
5787	vm_fault(current_map(),
5788	vm_map_trunc_page(load_result->entry_point,
5789	vm_map_page_mask(current_map())),
5790	VM_PROT_READ \| VM_PROT_EXECUTE,
5791	FALSE, VM_KERN_MEMORY_NONE,
5792	THREAD_UNINT, NULL, `0`);
5793
5794	if (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) {
5795	expected_all_image_infos_size = sizeof(struct user64_dyld_all_image_infos);
5796	} else {
5797	expected_all_image_infos_size = sizeof(struct user32_dyld_all_image_infos);
5798	}
5799
5800	/ Decode dyld anchor structure from <mach-o/dyld_images.h> /
5801	if (load_result->dynlinker &&
5802	load_result->all_image_info_addr &&
5803	load_result->all_image_info_size >= expected_all_image_infos_size) {
5804	union {
5805	struct user64_dyld_all_image_infos infos64;
5806	struct user32_dyld_all_image_infos infos32;
5807	} all_image_infos;
5808
5809	/*
5810	* Pre-fault to avoid copyin() going through the trap handler
5811	* and recovery path.
5812	*/
5813	vm_fault(current_map(),
5814	vm_map_trunc_page(load_result->all_image_info_addr,
5815	vm_map_page_mask(current_map())),
5816	VM_PROT_READ \| VM_PROT_WRITE,
5817	FALSE, VM_KERN_MEMORY_NONE,
5818	THREAD_UNINT, NULL, `0`);
5819	if ((load_result->all_image_info_addr & PAGE_MASK) + expected_all_image_infos_size > PAGE_SIZE) {
5820	/ all_image_infos straddles a page /
5821	vm_fault(current_map(),
5822	vm_map_trunc_page(load_result->all_image_info_addr + expected_all_image_infos_size - `1`,
5823	vm_map_page_mask(current_map())),
5824	VM_PROT_READ \| VM_PROT_WRITE,
5825	FALSE, VM_KERN_MEMORY_NONE,
5826	THREAD_UNINT, NULL, `0`);
5827	}
5828
5829	ret = copyin(load_result->all_image_info_addr,
5830	&all_image_infos,
5831	expected_all_image_infos_size);
5832	if (ret == `0` && all_image_infos.infos32.version >= DYLD_ALL_IMAGE_INFOS_ADDRESS_MINIMUM_VERSION) {
5833
5834	user_addr_t notification_address;
5835	user_addr_t dyld_image_address;
5836	user_addr_t dyld_version_address;
5837	user_addr_t dyld_all_image_infos_address;
5838	user_addr_t dyld_slide_amount;
5839
5840	if (imgp->ip_flags & IMGPF_IS_64BIT_ADDR) {
5841	notification_address = all_image_infos.infos64.notification;
5842	dyld_image_address = all_image_infos.infos64.dyldImageLoadAddress;
5843	dyld_version_address = all_image_infos.infos64.dyldVersion;
5844	dyld_all_image_infos_address = all_image_infos.infos64.dyldAllImageInfosAddress;
5845	} else {
5846	notification_address = all_image_infos.infos32.notification;
5847	dyld_image_address = all_image_infos.infos32.dyldImageLoadAddress;
5848	dyld_version_address = all_image_infos.infos32.dyldVersion;
5849	dyld_all_image_infos_address = all_image_infos.infos32.dyldAllImageInfosAddress;
5850	}
5851
5852	/*
5853	* dyld statically sets up the all_image_infos in its Mach-O
5854	* binary at static link time, with pointers relative to its default
5855	* load address. Since ASLR might slide dyld before its first
5856	* instruction is executed, "dyld_slide_amount" tells us how far
5857	* dyld was loaded compared to its default expected load address.
5858	* All other pointers into dyld's image should be adjusted by this
5859	* amount. At some point later, dyld will fix up pointers to take
5860	* into account the slide, at which point the all_image_infos_address
5861	* field in the structure will match the runtime load address, and
5862	* "dyld_slide_amount" will be 0, if we were to consult it again.
5863	*/
5864
5865	dyld_slide_amount = load_result->all_image_info_addr - dyld_all_image_infos_address;
5866
5867	#if 0
5868	kprintf("exec_prefault: 0x%016llx 0x%08x 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
5869	(uint64_t)load_result->all_image_info_addr,
5870	all_image_infos.infos32.version,
5871	(uint64_t)notification_address,
5872	(uint64_t)dyld_image_address,
5873	(uint64_t)dyld_version_address,
5874	(uint64_t)dyld_all_image_infos_address);
5875	#endif
5876
5877	vm_fault(current_map(),
5878	vm_map_trunc_page(notification_address + dyld_slide_amount,
5879	vm_map_page_mask(current_map())),
5880	VM_PROT_READ \| VM_PROT_EXECUTE,
5881	FALSE, VM_KERN_MEMORY_NONE,
5882	THREAD_UNINT, NULL, `0`);
5883	vm_fault(current_map(),
5884	vm_map_trunc_page(dyld_image_address + dyld_slide_amount,
5885	vm_map_page_mask(current_map())),
5886	VM_PROT_READ \| VM_PROT_EXECUTE,
5887	FALSE, VM_KERN_MEMORY_NONE,
5888	THREAD_UNINT, NULL, `0`);
5889	vm_fault(current_map(),
5890	vm_map_trunc_page(dyld_version_address + dyld_slide_amount,
5891	vm_map_page_mask(current_map())),
5892	VM_PROT_READ,
5893	FALSE, VM_KERN_MEMORY_NONE,
5894	THREAD_UNINT, NULL, `0`);
5895	vm_fault(current_map(),
5896	vm_map_trunc_page(dyld_all_image_infos_address + dyld_slide_amount,
5897	vm_map_page_mask(current_map())),
5898	VM_PROT_READ \| VM_PROT_WRITE,
5899	FALSE, VM_KERN_MEMORY_NONE,
5900	THREAD_UNINT, NULL, `0`);
5901	}
5902	}
5903	}
5904

Browse the source code of xnu/bsd/kern/kern_exec.c