mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-18 17:54:13 +08:00
51f39a1f0c
This patchset adds execveat(2) for x86, and is derived from Meredydd Luff's patch from Sept 2012 (https://lkml.org/lkml/2012/9/11/528). The primary aim of adding an execveat syscall is to allow an implementation of fexecve(3) that does not rely on the /proc filesystem, at least for executables (rather than scripts). The current glibc version of fexecve(3) is implemented via /proc, which causes problems in sandboxed or otherwise restricted environments. Given the desire for a /proc-free fexecve() implementation, HPA suggested (https://lkml.org/lkml/2006/7/11/556) that an execveat(2) syscall would be an appropriate generalization. Also, having a new syscall means that it can take a flags argument without back-compatibility concerns. The current implementation just defines the AT_EMPTY_PATH and AT_SYMLINK_NOFOLLOW flags, but other flags could be added in future -- for example, flags for new namespaces (as suggested at https://lkml.org/lkml/2006/7/11/474). Related history: - https://lkml.org/lkml/2006/12/27/123 is an example of someone realizing that fexecve() is likely to fail in a chroot environment. - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514043 covered documenting the /proc requirement of fexecve(3) in its manpage, to "prevent other people from wasting their time". - https://bugzilla.redhat.com/show_bug.cgi?id=241609 described a problem where a process that did setuid() could not fexecve() because it no longer had access to /proc/self/fd; this has since been fixed. This patch (of 4): Add a new execveat(2) system call. execveat() is to execve() as openat() is to open(): it takes a file descriptor that refers to a directory, and resolves the filename relative to that. In addition, if the filename is empty and AT_EMPTY_PATH is specified, execveat() executes the file to which the file descriptor refers. This replicates the functionality of fexecve(), which is a system call in other UNIXen, but in Linux glibc it depends on opening "/proc/self/fd/<fd>" (and so relies on /proc being mounted). The filename fed to the executed program as argv[0] (or the name of the script fed to a script interpreter) will be of the form "/dev/fd/<fd>" (for an empty filename) or "/dev/fd/<fd>/<filename>", effectively reflecting how the executable was found. This does however mean that execution of a script in a /proc-less environment won't work; also, script execution via an O_CLOEXEC file descriptor fails (as the file will not be accessible after exec). Based on patches by Meredydd Luff. Signed-off-by: David Drysdale <drysdale@google.com> Cc: Meredydd Luff <meredydd@senatehouse.org> Cc: Shuah Khan <shuah.kh@samsung.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Kees Cook <keescook@chromium.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Rich Felker <dalias@aerifal.cx> Cc: Christoph Hellwig <hch@infradead.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
130 lines
3.0 KiB
C
130 lines
3.0 KiB
C
/*
|
|
* linux/fs/binfmt_script.c
|
|
*
|
|
* Copyright (C) 1996 Martin von Löwis
|
|
* original #!-checking implemented by tytso.
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/string.h>
|
|
#include <linux/stat.h>
|
|
#include <linux/binfmts.h>
|
|
#include <linux/init.h>
|
|
#include <linux/file.h>
|
|
#include <linux/err.h>
|
|
#include <linux/fs.h>
|
|
|
|
static int load_script(struct linux_binprm *bprm)
|
|
{
|
|
const char *i_arg, *i_name;
|
|
char *cp;
|
|
struct file *file;
|
|
char interp[BINPRM_BUF_SIZE];
|
|
int retval;
|
|
|
|
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
|
|
return -ENOEXEC;
|
|
|
|
/*
|
|
* If the script filename will be inaccessible after exec, typically
|
|
* because it is a "/dev/fd/<fd>/.." path against an O_CLOEXEC fd, give
|
|
* up now (on the assumption that the interpreter will want to load
|
|
* this file).
|
|
*/
|
|
if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)
|
|
return -ENOENT;
|
|
|
|
/*
|
|
* This section does the #! interpretation.
|
|
* Sorta complicated, but hopefully it will work. -TYT
|
|
*/
|
|
|
|
allow_write_access(bprm->file);
|
|
fput(bprm->file);
|
|
bprm->file = NULL;
|
|
|
|
bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
|
|
if ((cp = strchr(bprm->buf, '\n')) == NULL)
|
|
cp = bprm->buf+BINPRM_BUF_SIZE-1;
|
|
*cp = '\0';
|
|
while (cp > bprm->buf) {
|
|
cp--;
|
|
if ((*cp == ' ') || (*cp == '\t'))
|
|
*cp = '\0';
|
|
else
|
|
break;
|
|
}
|
|
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
|
|
if (*cp == '\0')
|
|
return -ENOEXEC; /* No interpreter name found */
|
|
i_name = cp;
|
|
i_arg = NULL;
|
|
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++)
|
|
/* nothing */ ;
|
|
while ((*cp == ' ') || (*cp == '\t'))
|
|
*cp++ = '\0';
|
|
if (*cp)
|
|
i_arg = cp;
|
|
strcpy (interp, i_name);
|
|
/*
|
|
* OK, we've parsed out the interpreter name and
|
|
* (optional) argument.
|
|
* Splice in (1) the interpreter's name for argv[0]
|
|
* (2) (optional) argument to interpreter
|
|
* (3) filename of shell script (replace argv[0])
|
|
*
|
|
* This is done in reverse order, because of how the
|
|
* user environment and arguments are stored.
|
|
*/
|
|
retval = remove_arg_zero(bprm);
|
|
if (retval)
|
|
return retval;
|
|
retval = copy_strings_kernel(1, &bprm->interp, bprm);
|
|
if (retval < 0) return retval;
|
|
bprm->argc++;
|
|
if (i_arg) {
|
|
retval = copy_strings_kernel(1, &i_arg, bprm);
|
|
if (retval < 0) return retval;
|
|
bprm->argc++;
|
|
}
|
|
retval = copy_strings_kernel(1, &i_name, bprm);
|
|
if (retval) return retval;
|
|
bprm->argc++;
|
|
retval = bprm_change_interp(interp, bprm);
|
|
if (retval < 0)
|
|
return retval;
|
|
|
|
/*
|
|
* OK, now restart the process with the interpreter's dentry.
|
|
*/
|
|
file = open_exec(interp);
|
|
if (IS_ERR(file))
|
|
return PTR_ERR(file);
|
|
|
|
bprm->file = file;
|
|
retval = prepare_binprm(bprm);
|
|
if (retval < 0)
|
|
return retval;
|
|
return search_binary_handler(bprm);
|
|
}
|
|
|
|
static struct linux_binfmt script_format = {
|
|
.module = THIS_MODULE,
|
|
.load_binary = load_script,
|
|
};
|
|
|
|
static int __init init_script_binfmt(void)
|
|
{
|
|
register_binfmt(&script_format);
|
|
return 0;
|
|
}
|
|
|
|
static void __exit exit_script_binfmt(void)
|
|
{
|
|
unregister_binfmt(&script_format);
|
|
}
|
|
|
|
core_initcall(init_script_binfmt);
|
|
module_exit(exit_script_binfmt);
|
|
MODULE_LICENSE("GPL");
|