]>
Commit | Line | Data |
---|---|---|
6d7e8eda | 1 | /* Copyright (C) 1991-2023 Free Software Foundation, Inc. |
c84142e8 | 2 | This file is part of the GNU C Library. |
28f540f4 | 3 | |
c84142e8 | 4 | The GNU C Library is free software; you can redistribute it and/or |
41bdb6e2 AJ |
5 | modify it under the terms of the GNU Lesser General Public |
6 | License as published by the Free Software Foundation; either | |
7 | version 2.1 of the License, or (at your option) any later version. | |
28f540f4 | 8 | |
c84142e8 UD |
9 | The GNU C Library is distributed in the hope that it will be useful, |
10 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
41bdb6e2 | 12 | Lesser General Public License for more details. |
28f540f4 | 13 | |
41bdb6e2 | 14 | You should have received a copy of the GNU Lesser General Public |
59ba27a6 | 15 | License along with the GNU C Library; if not, see |
5a82c748 | 16 | <https://www.gnu.org/licenses/>. */ |
28f540f4 RM |
17 | |
18 | #include <errno.h> | |
19 | #include <unistd.h> | |
20 | #include <fcntl.h> | |
21 | #include <limits.h> | |
22 | #include <stdlib.h> | |
23 | #include <string.h> | |
24 | #include <hurd.h> | |
25 | #include <hurd/fd.h> | |
26 | #include <hurd/signal.h> | |
98e1c93a | 27 | #include <hurd/id.h> |
8f0c527e | 28 | #include <assert.h> |
75cd5204 | 29 | #include <argz.h> |
28f540f4 RM |
30 | |
31 | /* Overlay TASK, executing FILE with arguments ARGV and environment ENVP. | |
32 | If TASK == mach_task_self (), some ports are dealloc'd by the exec server. | |
311ba8dc ST |
33 | ARGV and ENVP are terminated by NULL pointers. |
34 | Deprecated: use _hurd_exec_paths instead. */ | |
28f540f4 | 35 | error_t |
75914335 | 36 | _hurd_exec (task_t task, file_t file, |
28f540f4 | 37 | char *const argv[], char *const envp[]) |
311ba8dc ST |
38 | { |
39 | return _hurd_exec_paths (task, file, NULL, NULL, argv, envp); | |
40 | } | |
41 | ||
42 | link_warning (_hurd_exec, | |
43 | "_hurd_exec is deprecated, use _hurd_exec_paths instead"); | |
44 | ||
45 | /* Overlay TASK, executing FILE with arguments ARGV and environment ENVP. | |
46 | If TASK == mach_task_self (), some ports are dealloc'd by the exec server. | |
47 | ARGV and ENVP are terminated by NULL pointers. PATH is the relative path to | |
48 | FILE and ABSPATH is the absolute path to FILE. Passing NULL, though possible, | |
49 | should be avoided, since then the exec server may not know the path to | |
50 | FILE if FILE is a script, and will then pass /dev/fd/N to the | |
51 | interpreter. */ | |
52 | error_t | |
53 | _hurd_exec_paths (task_t task, file_t file, | |
54 | const char *path, const char *abspath, | |
55 | char *const argv[], char *const envp[]) | |
28f540f4 RM |
56 | { |
57 | error_t err; | |
8f0c527e | 58 | char *args, *env; |
28f540f4 RM |
59 | size_t argslen, envlen; |
60 | int ints[INIT_INT_MAX]; | |
61 | mach_port_t ports[_hurd_nports]; | |
62 | struct hurd_userlink ulink_ports[_hurd_nports]; | |
98e1c93a RM |
63 | inline void free_port (unsigned int i) |
64 | { | |
65 | _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]); | |
66 | } | |
28f540f4 | 67 | file_t *dtable; |
5d8eb435 | 68 | unsigned int dtablesize, i, j; |
28f540f4 RM |
69 | struct hurd_port **dtable_cells; |
70 | struct hurd_userlink *ulink_dtable; | |
28f540f4 RM |
71 | struct hurd_sigstate *ss; |
72 | mach_port_t *please_dealloc, *pdp; | |
98e1c93a | 73 | int reauth = 0; |
5d8eb435 ST |
74 | mach_port_t *portnames = NULL; |
75 | mach_msg_type_number_t nportnames = 0; | |
76 | mach_port_type_t *porttypes = NULL; | |
77 | mach_msg_type_number_t nporttypes = 0; | |
28f540f4 | 78 | |
8f0c527e | 79 | /* XXX needs to be hurdmalloc XXX */ |
8c4b8cbc RM |
80 | if (argv == NULL) |
81 | args = NULL, argslen = 0; | |
82 | else if (err = __argz_create (argv, &args, &argslen)) | |
75cd5204 | 83 | return err; |
8c4b8cbc RM |
84 | if (envp == NULL) |
85 | env = NULL, envlen = 0; | |
1d88de3d | 86 | else if (err = __argz_create (envp, &env, &envlen)) |
75cd5204 | 87 | goto outargs; |
28f540f4 RM |
88 | |
89 | /* Load up the ports to give to the new program. */ | |
90 | for (i = 0; i < _hurd_nports; ++i) | |
91 | if (i == INIT_PORT_PROC && task != __mach_task_self ()) | |
92 | { | |
93 | /* This is another task, so we need to ask the proc server | |
94 | for the right proc server port for it. */ | |
95 | if (err = __USEPORT (PROC, __proc_task2proc (port, task, &ports[i]))) | |
96 | { | |
97 | while (--i > 0) | |
98e1c93a | 98 | free_port (i); |
75cd5204 | 99 | goto outenv; |
28f540f4 RM |
100 | } |
101 | } | |
102 | else | |
103 | ports[i] = _hurd_port_get (&_hurd_ports[i], &ulink_ports[i]); | |
104 | ||
105 | ||
106 | /* Load up the ints to give the new program. */ | |
107 | for (i = 0; i < INIT_INT_MAX; ++i) | |
108 | switch (i) | |
109 | { | |
110 | case INIT_UMASK: | |
111 | ints[i] = _hurd_umask; | |
112 | break; | |
113 | ||
114 | case INIT_SIGMASK: | |
115 | case INIT_SIGIGN: | |
116 | case INIT_SIGPENDING: | |
117 | /* We will set these all below. */ | |
118 | break; | |
119 | ||
fe4d0ab7 MB |
120 | case INIT_TRACEMASK: |
121 | ints[i] = _hurdsig_traced; | |
122 | break; | |
123 | ||
28f540f4 RM |
124 | default: |
125 | ints[i] = 0; | |
126 | } | |
127 | ||
128 | ss = _hurd_self_sigstate (); | |
8f0c527e | 129 | |
c3b287be | 130 | retry: |
8f0c527e RM |
131 | assert (! __spin_lock_locked (&ss->critical_section_lock)); |
132 | __spin_lock (&ss->critical_section_lock); | |
133 | ||
653d74f1 JK |
134 | _hurd_sigstate_lock (ss); |
135 | struct sigaction *actions = _hurd_sigstate_actions (ss); | |
28f540f4 | 136 | ints[INIT_SIGMASK] = ss->blocked; |
653d74f1 | 137 | ints[INIT_SIGPENDING] = _hurd_sigstate_pending (ss); |
28f540f4 RM |
138 | ints[INIT_SIGIGN] = 0; |
139 | for (i = 1; i < NSIG; ++i) | |
653d74f1 | 140 | if (actions[i].sa_handler == SIG_IGN) |
28f540f4 RM |
141 | ints[INIT_SIGIGN] |= __sigmask (i); |
142 | ||
143 | /* We hold the sigstate lock until the exec has failed so that no signal | |
144 | can arrive between when we pack the blocked and ignored signals, and | |
145 | when the exec actually happens. A signal handler could change what | |
146 | signals are blocked and ignored. Either the change will be reflected | |
147 | in the exec, or the signal will never be delivered. Setting the | |
148 | critical section flag avoids anything we call trying to acquire the | |
149 | sigstate lock. */ | |
75914335 | 150 | |
653d74f1 | 151 | _hurd_sigstate_unlock (ss); |
28f540f4 RM |
152 | |
153 | /* Pack up the descriptor table to give the new program. */ | |
154 | __mutex_lock (&_hurd_dtable_lock); | |
155 | ||
156 | dtablesize = _hurd_dtable ? _hurd_dtablesize : _hurd_init_dtablesize; | |
157 | ||
158 | if (task == __mach_task_self ()) | |
159 | /* Request the exec server to deallocate some ports from us if the exec | |
160 | succeeds. The init ports and descriptor ports will arrive in the | |
161 | new program's exec_startup message. If we failed to deallocate | |
162 | them, the new program would have duplicate user references for them. | |
163 | But we cannot deallocate them ourselves, because we must still have | |
164 | them after a failed exec call. */ | |
98e1c93a | 165 | please_dealloc = __alloca ((_hurd_nports + 3 + (3 * dtablesize)) |
28f540f4 RM |
166 | * sizeof (mach_port_t)); |
167 | else | |
168 | please_dealloc = NULL; | |
169 | pdp = please_dealloc; | |
170 | ||
171 | if (_hurd_dtable != NULL) | |
172 | { | |
173 | dtable = __alloca (dtablesize * sizeof (dtable[0])); | |
174 | ulink_dtable = __alloca (dtablesize * sizeof (ulink_dtable[0])); | |
175 | dtable_cells = __alloca (dtablesize * sizeof (dtable_cells[0])); | |
176 | for (i = 0; i < dtablesize; ++i) | |
177 | { | |
178 | struct hurd_fd *const d = _hurd_dtable[i]; | |
179 | if (d == NULL) | |
180 | { | |
181 | dtable[i] = MACH_PORT_NULL; | |
182 | continue; | |
183 | } | |
184 | __spin_lock (&d->port.lock); | |
185 | if (d->flags & FD_CLOEXEC) | |
186 | { | |
187 | /* This descriptor is marked to be closed on exec. | |
188 | So don't pass it to the new program. */ | |
189 | dtable[i] = MACH_PORT_NULL; | |
190 | if (pdp && d->port.port != MACH_PORT_NULL) | |
191 | { | |
192 | /* We still need to deallocate the ports. */ | |
193 | *pdp++ = d->port.port; | |
194 | if (d->ctty.port != MACH_PORT_NULL) | |
195 | *pdp++ = d->ctty.port; | |
196 | } | |
197 | __spin_unlock (&d->port.lock); | |
198 | } | |
199 | else | |
200 | { | |
201 | if (pdp && d->ctty.port != MACH_PORT_NULL) | |
202 | /* All the elements of DTABLE are added to PLEASE_DEALLOC | |
203 | below, so we needn't add the port itself. | |
204 | But we must deallocate the ctty port as well as | |
205 | the normal port that got installed in DTABLE[I]. */ | |
206 | *pdp++ = d->ctty.port; | |
207 | dtable[i] = _hurd_port_locked_get (&d->port, &ulink_dtable[i]); | |
208 | dtable_cells[i] = &d->port; | |
209 | } | |
210 | } | |
211 | } | |
212 | else | |
213 | { | |
214 | dtable = _hurd_init_dtable; | |
215 | ulink_dtable = NULL; | |
216 | dtable_cells = NULL; | |
217 | } | |
218 | ||
57d58860 | 219 | /* Prune trailing null ports from the descriptor table. */ |
21bc421f | 220 | while (dtablesize > 0 && dtable[dtablesize - 1] == MACH_PORT_NULL) |
57d58860 RM |
221 | --dtablesize; |
222 | ||
98e1c93a RM |
223 | /* See if we need to diddle the auth port of the new program. |
224 | The purpose of this is to get the effect setting the saved-set UID and | |
225 | GID to the respective effective IDs after the exec, as POSIX.1 requires. | |
226 | Note that we don't reauthenticate with the proc server; that would be a | |
227 | no-op since it only keeps track of the effective UIDs, and if it did | |
228 | keep track of the available IDs we would have the problem that we'd be | |
229 | changing the IDs before the exec and have to change them back after a | |
230 | failure. Arguably we could skip all the reauthentications because the | |
231 | available IDs have no bearing on any filesystem. But the conservative | |
232 | approach is to reauthenticate all the io ports so that no state anywhere | |
233 | reflects that our whole ID set differs from what we've set it to. */ | |
234 | __mutex_lock (&_hurd_id.lock); | |
235 | err = _hurd_check_ids (); | |
0e298448 ST |
236 | |
237 | /* Avoid leaking the rid_auth port reference to the new progam */ | |
238 | if (_hurd_id.rid_auth != MACH_PORT_NULL) | |
239 | { | |
240 | __mach_port_deallocate (__mach_task_self (), _hurd_id.rid_auth); | |
241 | _hurd_id.rid_auth = MACH_PORT_NULL; | |
242 | } | |
243 | ||
98e1c93a RM |
244 | if (err == 0 && ((_hurd_id.aux.nuids >= 2 && _hurd_id.gen.nuids >= 1 |
245 | && _hurd_id.aux.uids[1] != _hurd_id.gen.uids[0]) | |
246 | || (_hurd_id.aux.ngids >= 2 && _hurd_id.gen.ngids >= 1 | |
247 | && _hurd_id.aux.gids[1] != _hurd_id.gen.gids[0]))) | |
248 | { | |
249 | /* We have euid != svuid or egid != svgid. POSIX.1 says that exec | |
250 | sets svuid = euid and svgid = egid. So we must get a new auth | |
251 | port and reauthenticate everything with it. We'll pass the new | |
311ba8dc | 252 | ports in file_exec_paths instead of our own ports. */ |
28f540f4 | 253 | |
98e1c93a | 254 | auth_t newauth; |
20d13812 | 255 | |
98e1c93a RM |
256 | _hurd_id.aux.uids[1] = _hurd_id.gen.uids[0]; |
257 | _hurd_id.aux.gids[1] = _hurd_id.gen.gids[0]; | |
258 | _hurd_id.valid = 0; | |
98e1c93a RM |
259 | |
260 | err = __auth_makeauth (ports[INIT_PORT_AUTH], | |
261 | NULL, MACH_MSG_TYPE_COPY_SEND, 0, | |
262 | _hurd_id.gen.uids, _hurd_id.gen.nuids, | |
263 | _hurd_id.aux.uids, _hurd_id.aux.nuids, | |
264 | _hurd_id.gen.gids, _hurd_id.gen.ngids, | |
265 | _hurd_id.aux.gids, _hurd_id.aux.ngids, | |
266 | &newauth); | |
267 | if (err == 0) | |
268 | { | |
269 | /* Now we have to reauthenticate the ports with this new ID. | |
270 | */ | |
271 | ||
272 | inline error_t reauth_io (io_t port, io_t *newport) | |
273 | { | |
274 | mach_port_t ref = __mach_reply_port (); | |
275 | *newport = MACH_PORT_NULL; | |
276 | error_t err = __io_reauthenticate (port, | |
277 | ref, MACH_MSG_TYPE_MAKE_SEND); | |
278 | if (!err) | |
279 | err = __auth_user_authenticate (newauth, | |
280 | ref, MACH_MSG_TYPE_MAKE_SEND, | |
281 | newport); | |
282 | __mach_port_destroy (__mach_task_self (), ref); | |
283 | return err; | |
284 | } | |
285 | inline void reauth_port (unsigned int idx) | |
286 | { | |
287 | io_t newport; | |
288 | err = reauth_io (ports[idx], &newport) ?: err; | |
289 | if (pdp) | |
290 | *pdp++ = ports[idx]; /* XXX presumed still in _hurd_ports */ | |
291 | free_port (idx); | |
292 | ports[idx] = newport; | |
293 | } | |
294 | ||
295 | if (pdp) | |
296 | *pdp++ = ports[INIT_PORT_AUTH]; | |
297 | free_port (INIT_PORT_AUTH); | |
298 | ports[INIT_PORT_AUTH] = newauth; | |
299 | ||
300 | reauth_port (INIT_PORT_CRDIR); | |
301 | reauth_port (INIT_PORT_CWDIR); | |
302 | ||
303 | if (!err) | |
304 | { | |
305 | /* Now we'll reauthenticate each file descriptor. */ | |
306 | if (ulink_dtable == NULL) | |
307 | { | |
308 | assert (dtable == _hurd_init_dtable); | |
309 | dtable = __alloca (dtablesize * sizeof (dtable[0])); | |
310 | for (i = 0; i < dtablesize; ++i) | |
311 | if (_hurd_init_dtable[i] != MACH_PORT_NULL) | |
312 | { | |
313 | if (pdp) | |
314 | *pdp++ = _hurd_init_dtable[i]; | |
315 | err = reauth_io (_hurd_init_dtable[i], &dtable[i]); | |
316 | if (err) | |
317 | { | |
318 | while (++i < dtablesize) | |
319 | dtable[i] = MACH_PORT_NULL; | |
320 | break; | |
321 | } | |
322 | } | |
323 | else | |
324 | dtable[i] = MACH_PORT_NULL; | |
325 | } | |
326 | else | |
327 | { | |
328 | if (pdp) | |
329 | { | |
330 | /* Ask to deallocate all the old fd ports, | |
331 | since we will have new ones in DTABLE. */ | |
332 | memcpy (pdp, dtable, dtablesize * sizeof pdp[0]); | |
333 | pdp += dtablesize; | |
334 | } | |
335 | for (i = 0; i < dtablesize; ++i) | |
336 | if (dtable[i] != MACH_PORT_NULL) | |
337 | { | |
338 | io_t newport; | |
339 | err = reauth_io (dtable[i], &newport); | |
340 | _hurd_port_free (dtable_cells[i], &ulink_dtable[i], | |
341 | dtable[i]); | |
342 | dtable[i] = newport; | |
343 | if (err) | |
344 | { | |
345 | while (++i < dtablesize) | |
346 | _hurd_port_free (dtable_cells[i], | |
347 | &ulink_dtable[i], dtable[i]); | |
348 | break; | |
349 | } | |
350 | } | |
351 | ulink_dtable = NULL; | |
352 | dtable_cells = NULL; | |
353 | } | |
354 | } | |
355 | } | |
356 | ||
357 | reauth = 1; | |
358 | } | |
359 | __mutex_unlock (&_hurd_id.lock); | |
360 | ||
361 | /* The information is all set up now. Try to exec the file. */ | |
362 | if (!err) | |
363 | { | |
364 | int flags; | |
28f540f4 | 365 | |
98e1c93a RM |
366 | if (pdp) |
367 | { | |
5d8eb435 ST |
368 | /* Get all ports that we may not know about and we should thus destroy. */ |
369 | /* XXX need to disable other threads to be safe. */ | |
370 | if (err = __mach_port_names (__mach_task_self (), | |
371 | &portnames, &nportnames, | |
372 | &porttypes, &nporttypes)) | |
373 | return err; | |
374 | if (nportnames != nporttypes) | |
375 | return EGRATUITOUS; | |
376 | ||
98e1c93a RM |
377 | /* Request the exec server to deallocate some ports from us if |
378 | the exec succeeds. The init ports and descriptor ports will | |
379 | arrive in the new program's exec_startup message. If we | |
380 | failed to deallocate them, the new program would have | |
381 | duplicate user references for them. But we cannot deallocate | |
382 | them ourselves, because we must still have them after a failed | |
383 | exec call. */ | |
384 | ||
385 | for (i = 0; i < _hurd_nports; ++i) | |
41a11a5e ST |
386 | if (ports[i] != MACH_PORT_NULL) |
387 | { | |
388 | *pdp++ = ports[i]; | |
389 | for (j = 0; j < nportnames; j++) | |
390 | if (portnames[j] == ports[i]) | |
391 | portnames[j] = MACH_PORT_NULL; | |
392 | } | |
98e1c93a | 393 | for (i = 0; i < dtablesize; ++i) |
41a11a5e ST |
394 | if (dtable[i] != MACH_PORT_NULL) |
395 | { | |
396 | *pdp++ = dtable[i]; | |
397 | for (j = 0; j < nportnames; j++) | |
398 | if (portnames[j] == dtable[i]) | |
399 | portnames[j] = MACH_PORT_NULL; | |
400 | } | |
5d8eb435 ST |
401 | |
402 | /* Pack ports to be destroyed together. */ | |
403 | for (i = 0, j = 0; i < nportnames; i++) | |
404 | { | |
405 | if (portnames[i] == MACH_PORT_NULL) | |
406 | continue; | |
407 | if (j != i) | |
408 | portnames[j] = portnames[i]; | |
409 | j++; | |
410 | } | |
411 | nportnames = j; | |
98e1c93a RM |
412 | } |
413 | ||
414 | flags = 0; | |
20d13812 | 415 | #ifdef EXEC_SIGTRAP |
98e1c93a RM |
416 | /* PTRACE_TRACEME sets all bits in _hurdsig_traced, which is |
417 | propagated through exec by INIT_TRACEMASK, so this checks if | |
418 | PTRACE_TRACEME has been called in this process in any of its | |
419 | current or prior lives. */ | |
420 | if (__sigismember (&_hurdsig_traced, SIGKILL)) | |
421 | flags |= EXEC_SIGTRAP; | |
20d13812 | 422 | #endif |
311ba8dc ST |
423 | err = __file_exec_paths (file, task, flags, |
424 | path ? path : "", | |
425 | abspath ? abspath : "", | |
426 | args, argslen, env, envlen, | |
427 | dtable, MACH_MSG_TYPE_COPY_SEND, dtablesize, | |
428 | ports, MACH_MSG_TYPE_COPY_SEND, | |
429 | _hurd_nports, | |
430 | ints, INIT_INT_MAX, | |
431 | please_dealloc, pdp - please_dealloc, | |
5d8eb435 | 432 | portnames, nportnames); |
311ba8dc ST |
433 | /* Fall back for backwards compatibility. This can just be removed |
434 | when __file_exec goes away. */ | |
435 | if (err == MIG_BAD_ID) | |
436 | err = __file_exec (file, task, flags, | |
437 | args, argslen, env, envlen, | |
438 | dtable, MACH_MSG_TYPE_COPY_SEND, dtablesize, | |
439 | ports, MACH_MSG_TYPE_COPY_SEND, _hurd_nports, | |
440 | ints, INIT_INT_MAX, | |
441 | please_dealloc, pdp - please_dealloc, | |
5d8eb435 | 442 | portnames, nportnames); |
98e1c93a | 443 | } |
28f540f4 RM |
444 | |
445 | /* Release references to the standard ports. */ | |
446 | for (i = 0; i < _hurd_nports; ++i) | |
98e1c93a RM |
447 | if ((i == INIT_PORT_PROC && task != __mach_task_self ()) |
448 | || (reauth && (i == INIT_PORT_AUTH | |
449 | || i == INIT_PORT_CRDIR || i == INIT_PORT_CWDIR))) | |
28f540f4 RM |
450 | __mach_port_deallocate (__mach_task_self (), ports[i]); |
451 | else | |
98e1c93a | 452 | free_port (i); |
28f540f4 | 453 | |
98e1c93a | 454 | /* Release references to the file descriptor ports. */ |
28f540f4 | 455 | if (ulink_dtable != NULL) |
98e1c93a RM |
456 | { |
457 | for (i = 0; i < dtablesize; ++i) | |
458 | if (dtable[i] != MACH_PORT_NULL) | |
459 | _hurd_port_free (dtable_cells[i], &ulink_dtable[i], dtable[i]); | |
460 | } | |
461 | else if (dtable && dtable != _hurd_init_dtable) | |
28f540f4 | 462 | for (i = 0; i < dtablesize; ++i) |
98e1c93a | 463 | __mach_port_deallocate (__mach_task_self (), dtable[i]); |
28f540f4 RM |
464 | |
465 | /* Release lock on the file descriptor table. */ | |
466 | __mutex_unlock (&_hurd_dtable_lock); | |
467 | ||
468 | /* Safe to let signals happen now. */ | |
8f0c527e | 469 | _hurd_critical_section_unlock (ss); |
c3b287be ST |
470 | if (err == EINTR) |
471 | /* Got a signal while inside an RPC of the critical section, retry again */ | |
472 | goto retry; | |
28f540f4 | 473 | |
75cd5204 RM |
474 | outenv: |
475 | free (env); | |
84a9d583 ST |
476 | outargs: |
477 | free (args); | |
28f540f4 RM |
478 | return err; |
479 | } | |
7a8f45e3 | 480 | libc_hidden_def (_hurd_exec_paths) |