path: root/usr/src/uts/common/exec/intp/intp.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 * Copyright 2012 Milan Jurik. All rights reserved.
 * Copyright 2019 Joyent, Inc.
 */

/*	Copyright (c) 1988 AT&T	*/
/*	  All Rights Reserved	*/


/* from S5R4 1.6 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/sysmacros.h>
#include <sys/signal.h>
#include <sys/cred.h>
#include <sys/user.h>
#include <sys/errno.h>
#include <sys/vnode.h>
#include <sys/proc.h>
#include <sys/cmn_err.h>
#include <sys/debug.h>
#include <sys/pathname.h>
#include <sys/disp.h>
#include <sys/exec.h>
#include <sys/kmem.h>
#include <sys/note.h>
#include <sys/sdt.h>
#include <sys/brand.h>

/*
 * This is the loadable module wrapper.
 */
#include <sys/modctl.h>

extern int intpexec(struct vnode *, struct execa *, struct uarg *,
    struct intpdata *, int, size_t *, int, caddr_t, struct cred *, int *);

static struct execsw esw = {
	intpmagicstr,
	0,
	2,
	intpexec,
	NULL
};

/*
 * Module linkage information for the kernel.
 */
extern struct mod_ops mod_execops;

static struct modlexec modlexec = {
	&mod_execops, "exec mod for interp", &esw
};

static struct modlinkage modlinkage = {
	MODREV_1, (void *)&modlexec, NULL
};

int
_init()
{
	return (mod_install(&modlinkage));
}

int
_fini()
{
	return (mod_remove(&modlinkage));
}

int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}


/*
 * Crack open a '#!' line.
 */
static int
getintphead(struct vnode *vp, struct intpdata *idatap)
{
	int error;
	char *cp, *linep = idatap->intp;
	ssize_t resid;

	/*
	 * Read the entire line and confirm that it starts with '#!'.
	 */
	if (error = vn_rdwr(UIO_READ, vp, linep, INTPSZ, (offset_t)0,
	    UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
		return (error);
	if (resid > INTPSZ-2 || linep[0] != '#' || linep[1] != '!')
		return (ENOEXEC);
	/*
	 * Blank all white space and find the newline.
	 */
	for (cp = &linep[2]; cp < &linep[INTPSZ] && *cp != '\n'; cp++)
		if (*cp == '\t')
			*cp = ' ';
	if (cp >= &linep[INTPSZ])
		return (ENOEXEC);
	ASSERT(*cp == '\n');
	*cp = '\0';

	/*
	 * Locate the beginning and end of the interpreter name. Historically,
	 * for illumos and its predecessors, in addition to the name, one
	 * additional argument may optionally be included here, to be prepended
	 * to the arguments provided on the command line. Thus, for example,
	 * you can say
	 *
	 * 	#! /usr/bin/awk -f
	 *
	 * However, handling of interpreter arguments varies across operating
	 * systems and other systems allow more than one argument. In
	 * particular, Linux allows more than one and delivers all arguments
	 * as a single string (argv[1] is "-arg1 -arg2 ..."). We support this
	 * style of argument handling as a brand-specific option (setting
	 * b_intp_parse_arg to B_FALSE).
	 */
	for (cp = &linep[2]; *cp == ' '; cp++)
		;
	if (*cp == '\0')
		return (ENOEXEC);
	idatap->intp_name[0] = cp;
	while (*cp && *cp != ' ')
		cp++;
	if (*cp == '\0') {
		idatap->intp_arg[0] = NULL;
	} else {
		*cp++ = '\0';
		while (*cp == ' ')
			cp++;
		if (*cp == '\0')
			idatap->intp_arg[0] = NULL;
		else {
			idatap->intp_arg[0] = cp;
			if (!PROC_IS_BRANDED(curproc) ||
			    BROP(curproc)->b_intp_parse_arg) {
				while (*cp && *cp != ' ')
					cp++;
				*cp = '\0';
			}
		}
	}
	return (0);
}

/*
 * We support nested interpreters up to a depth of INTP_MAXDEPTH (this value
 * matches the depth on Linux). When a nested interpreter is in use, the
 * previous name and argument must be passed along. We use the intpdata_t
 * name and argument arrays for this. In the normal, non-nested case, only the
 * first element in those arrays will be populated.
 *
 * For setid scripts the "script hole" is a security race condition between
 * when we exec the interpreter and when the interpreter reads the script. We
 * handle this below for the initial script, but we don't allow setid scripts
 * when using nested interpreters. Because gexec only modifies the credentials
 * for a setid script at level 0, then if we come back through for a nested
 * interpreter we know that args->fname will be set (the first script is setid)
 * and we can return an error. If an intermediate nested interpreter is setid
 * then it will not be run with different credentials because of the gexec
 * handling, so it is effectively no longer setid and we don't have to worry
 * about the "script hole".
 */
int
intpexec(
	struct vnode *vp,
	struct execa *uap,
	struct uarg *args,
	struct intpdata *idatap,
	int level,
	size_t *execsz,
	int setid,
	caddr_t exec_file,
	struct cred *cred,
	int *brand_action)
{
	vnode_t *nvp;
	int error = 0;
	struct intpdata idata;
	struct pathname intppn;
	struct pathname resolvepn;
	char *opath;
	char devfd[19]; /* 32-bit int fits in 10 digits + 8 for "/dev/fd/" */
	int fd = -1;

	if (level >= INTP_MAXDEPTH) {	/* Can't recurse past maxdepth */
		error = ELOOP;
		goto bad;
	}

	if (level == 0)
		ASSERT(idatap == (struct intpdata *)NULL);

	bzero(&idata, sizeof (intpdata_t));

	/*
	 * Allocate a buffer to read in the interpreter pathname.
	 */
	idata.intp = kmem_alloc(INTPSZ, KM_SLEEP);
	if (error = getintphead(vp, &idata))
		goto fail;

	/*
	 * Look the new vnode up.
	 */
	if (error = pn_get(idata.intp_name[0], UIO_SYSSPACE, &intppn))
		goto fail;
	pn_alloc(&resolvepn);
	if (error = lookuppn(&intppn, &resolvepn, FOLLOW, NULLVPP, &nvp)) {
		pn_free(&resolvepn);
		pn_free(&intppn);
		goto fail;
	}

	if (level > 0) {
		/*
		 * We have a nested interpreter. The previous name(s) and
		 * argument(s) need to be passed along. We also keep track
		 * of how often this zone uses nested interpreters.
		 */
		int i;

		atomic_inc_32(&curproc->p_zone->zone_nested_intp);

		ASSERT(idatap != NULL);
		/* since we're shifting up, loop stops one short */
		for (i = 0; i < (INTP_MAXDEPTH - 1); i++) {
			idata.intp_name[i + 1] = idatap->intp_name[i];
			idata.intp_arg[i + 1] = idatap->intp_arg[i];
		}

		DTRACE_PROBE3(nested__intp, int, level, void *, &idata,
		    void *, nvp);
	}

	opath = args->pathname;
	args->pathname = resolvepn.pn_path;
	/* don't free resolvepn until we are done with args */
	pn_free(&intppn);

	/*
	 * Disallow setuid or additional privilege execution for nested
	 * interpreters.
	 */
	if (level > 0 && args->fname != NULL) {
		error = ENOEXEC;
		goto done;
	}

	/*
	 * When we're executing a set-uid script resulting in uids
	 * mismatching or when we execute with additional privileges,
	 * we close the "replace script between exec and open by shell"
	 * hole by passing the script as /dev/fd parameter.
	 */
	if ((setid & EXECSETID_PRIVS) != 0 ||
	    (setid & (EXECSETID_UGIDS|EXECSETID_SETID)) ==
	    (EXECSETID_UGIDS|EXECSETID_SETID)) {
		(void) strcpy(devfd, "/dev/fd/");
		if (error = execopen(&vp, &fd))
			goto done;
		numtos(fd, &devfd[8]);
		args->fname = devfd;
	}

	error = gexec(&nvp, uap, args, &idata, ++level, execsz, exec_file, cred,
	    brand_action);

	if (!error) {
		/*
		 * Close this executable as the interpreter
		 * will open and close it later on.
		 */
		(void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
	}
done:
	VN_RELE(nvp);
	args->pathname = opath;
	pn_free(&resolvepn);
fail:
	kmem_free(idata.intp, INTPSZ);
	if (error && fd != -1)
		(void) execclose(fd);
bad:
	return (error);
}