📄 1.txt
字号:
794 continue;
795 fdt->close_on_exec->fds_bits[j] = 0;
796 spin_unlock(&files->file_lock);
797 for ( ; set ; i++,set >>= 1) {
798 if (set & 1) {
799 sys_close(i);
800 }
801 }
802 spin_lock(&files->file_lock);
803
804 }
805 spin_unlock(&files->file_lock);
806 }
807
808 void get_task_comm(char *buf, struct task_struct *tsk)
809 {
810 /* buf must be at least sizeof(tsk->comm) in size */
811 task_lock(tsk);
812 strncpy(buf, tsk->comm, sizeof(tsk->comm));
813 task_unlock(tsk);
814 }
815
816 void set_task_comm(struct task_struct *tsk, char *buf)
817 {
818 task_lock(tsk);
819 strlcpy(tsk->comm, buf, sizeof(tsk->comm));
820 task_unlock(tsk);
821 }
822
823 int flush_old_exec(struct linux_binprm * bprm)
824 {
825 char * name;
826 int i, ch, retval;
827 struct files_struct *files;
828 char tcomm[sizeof(current->comm)];
829
830 /*
831 * Make sure we have a private signal table and that
832 * we are unassociated from the previous thread group.
833 */
834 retval = de_thread(current);
835 if (retval)
836 goto out;
837
838 /*
839 * Make sure we have private file handles. Ask the
840 * fork helper to do the work for us and the exit
841 * helper to do the cleanup of the old one.
842 */
843 files = current->files; /* refcounted so safe to hold */
844 retval = unshare_files();
845 if (retval)
846 goto out;
847 /*
848 * Release all of the old mmap stuff
849 */
850 retval = exec_mmap(bprm->mm);
851 if (retval)
852 goto mmap_failed;
853
854 bprm->mm = NULL; /* We're using it now */
855
856 /* This is the point of no return */
857 put_files_struct(files);
858
859 current->sas_ss_sp = current->sas_ss_size = 0;
860
861 if (current->euid == current->uid && current->egid == current->gid)
862 current->mm->dumpable = 1;
863 else
864 current->mm->dumpable = suid_dumpable;
865
866 name = bprm->filename;
867
868 /* Copies the binary name from after last slash */
869 for (i=0; (ch = *(name++)) != '\0';) {
870 if (ch == '/')
871 i = 0; /* overwrite what we wrote */
872 else
873 if (i < (sizeof(tcomm) - 1))
874 tcomm[i++] = ch;
875 }
876 tcomm[i] = '\0';
877 set_task_comm(current, tcomm);
878
879 current->flags &= ~PF_RANDOMIZE;
880 flush_thread();
881
882 /* Set the new mm task size. We have to do that late because it may
883 * depend on TIF_32BIT which is only updated in flush_thread() on
884 * some architectures like powerpc
885 */
886 current->mm->task_size = TASK_SIZE;
887
888 if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
889 suid_keys(current);
890 current->mm->dumpable = suid_dumpable;
891 current->pdeath_signal = 0;
892 } else if (file_permission(bprm->file, MAY_READ) ||
893 (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
894 suid_keys(current);
895 current->mm->dumpable = suid_dumpable;
896 }
897
898 /* An exec changes our domain. We are no longer part of the thread
899 group */
900
901 current->self_exec_id++;
902
903 flush_signal_handlers(current, 0);
904 flush_old_files(current->files);
905
906 return 0;
907
908 mmap_failed:
909 reset_files_struct(current, files);
910 out:
911 return retval;
912 }
913
914 EXPORT_SYMBOL(flush_old_exec);
915
916 /*
917 * Fill the binprm structure from the inode.
918 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
919 */
920 int prepare_binprm(struct linux_binprm *bprm)
921 {
922 int mode;
923 struct inode * inode = bprm->file->f_path.dentry->d_inode;
924 int retval;
925
926 mode = inode->i_mode;
927 if (bprm->file->f_op == NULL)
928 return -EACCES;
929
930 bprm->e_uid = current->euid;
931 bprm->e_gid = current->egid;
932
933 if(!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
934 /* Set-uid? */
935 if (mode & S_ISUID) {
936 current->personality &= ~PER_CLEAR_ON_SETID;
937 bprm->e_uid = inode->i_uid;
938 }
939
940 /* Set-gid? */
941 /*
942 * If setgid is set but no group execute bit then this
943 * is a candidate for mandatory locking, not a setgid
944 * executable.
945 */
946 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
947 current->personality &= ~PER_CLEAR_ON_SETID;
948 bprm->e_gid = inode->i_gid;
949 }
950 }
951
952 /* fill in binprm security blob */
953 retval = security_bprm_set(bprm);
954 if (retval)
955 return retval;
956
957 memset(bprm->buf,0,BINPRM_BUF_SIZE);
958 return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
959 }
960
961 EXPORT_SYMBOL(prepare_binprm);
962
963 static int unsafe_exec(struct task_struct *p)
964 {
965 int unsafe = 0;
966 if (p->ptrace & PT_PTRACED) {
967 if (p->ptrace & PT_PTRACE_CAP)
968 unsafe |= LSM_UNSAFE_PTRACE_CAP;
969 else
970 unsafe |= LSM_UNSAFE_PTRACE;
971 }
972 if (atomic_read(&p->fs->count) > 1 ||
973 atomic_read(&p->files->count) > 1 ||
974 atomic_read(&p->sighand->count) > 1)
975 unsafe |= LSM_UNSAFE_SHARE;
976
977 return unsafe;
978 }
979
980 void compute_creds(struct linux_binprm *bprm)
981 {
982 int unsafe;
983
984 if (bprm->e_uid != current->uid) {
985 suid_keys(current);
986 current->pdeath_signal = 0;
987 }
988 exec_keys(current);
989
990 task_lock(current);
991 unsafe = unsafe_exec(current);
992 security_bprm_apply_creds(bprm, unsafe);
993 task_unlock(current);
994 security_bprm_post_apply_creds(bprm);
995 }
996 EXPORT_SYMBOL(compute_creds);
997
998 /*
999 * Arguments are '\0' separated strings found at the location bprm->p
1000 * points to; chop off the first by relocating brpm->p to right after
1001 * the first '\0' encountered.
1002 */
1003 void remove_arg_zero(struct linux_binprm *bprm)
1004 {
1005 if (bprm->argc) {
1006 char ch;
1007
1008 do {
1009 unsigned long offset;
1010 unsigned long index;
1011 char *kaddr;
1012 struct page *page;
1013
1014 offset = bprm->p & ~PAGE_MASK;
1015 index = bprm->p >> PAGE_SHIFT;
1016
1017 page = bprm->page[index];
1018 kaddr = kmap_atomic(page, KM_USER0);
1019
1020 /* run through page until we reach end or find NUL */
1021 do {
1022 ch = *(kaddr + offset);
1023
1024 /* discard that character... */
1025 bprm->p++;
1026 offset++;
1027 } while (offset < PAGE_SIZE && ch != '\0');
1028
1029 kunmap_atomic(kaddr, KM_USER0);
1030
1031 /* free the old page */
1032 if (offset == PAGE_SIZE) {
1033 __free_page(page);
1034 bprm->page[index] = NULL;
1035 }
1036 } while (ch != '\0');
1037
1038 bprm->argc--;
1039 }
1040 }
1041 EXPORT_SYMBOL(remove_arg_zero);
1042
1043 /*
1044 * cycle the list of binary formats handler, until one recognizes the image
1045 */
1046 int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1047 {
1048 int try,retval;
1049 struct linux_binfmt *fmt;
1050 #ifdef __alpha__
1051 /* handle /sbin/loader.. */
1052 {
1053 struct exec * eh = (struct exec *) bprm->buf;
1054
1055 if (!bprm->loader && eh->fh.f_magic == 0x183 &&
1056 (eh->fh.f_flags & 0x3000) == 0x3000)
1057 {
1058 struct file * file;
1059 unsigned long loader;
1060
1061 allow_write_access(bprm->file);
1062 fput(bprm->file);
1063 bprm->file = NULL;
1064
1065 loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
1066
1067 file = open_exec("/sbin/loader");
1068 retval = PTR_ERR(file);
1069 if (IS_ERR(file))
1070 return retval;
1071
1072 /* Remember if the application is TASO. */
1073 bprm->sh_bang = eh->ah.entry < 0x100000000UL;
1074
1075 bprm->file = file;
1076 bprm->loader = loader;
1077 retval = prepare_binprm(bprm);
1078 if (retval<0)
1079 return retval;
1080 /* should call search_binary_handler recursively here,
1081 but it does not matter */
1082 }
1083 }
1084 #endif
1085 retval = security_bprm_check(bprm);
1086 if (retval)
1087 return retval;
1088
1089 /* kernel module loader fixup */
1090 /* so we don't try to load run modprobe in kernel space. */
1091 set_fs(USER_DS);
1092
1093 retval = audit_bprm(bprm);
1094 if (retval)
1095 return retval;
1096
1097 retval = -ENOENT;
1098 for (try=0; try<2; try++) {
1099 read_lock(&binfmt_lock);
1100 for (fmt = formats ; fmt ; fmt = fmt->next) {
1101 int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
1102 if (!fn)
1103 continue;
1104 if (!try_module_get(fmt->module))
1105 continue;
1106 read_unlock(&binfmt_lock);
1107 retval = fn(bprm, regs);
1108 if (retval >= 0) {
1109 put_binfmt(fmt);
1110 allow_write_access(bprm->file);
1111 if (bprm->file)
1112 fput(bprm->file);
1113 bprm->file = NULL;
1114 current->did_exec = 1;
1115 proc_exec_connector(current);
1116 return retval;
1117 }
1118 read_lock(&binfmt_lock);
1119 put_binfmt(fmt);
1120 if (retval != -ENOEXEC || bprm->mm == NULL)
1121 break;
1122 if (!bprm->file) {
1123 read_unlock(&binfmt_lock);
1124 return retval;
1125 }
1126 }
1127 read_unlock(&binfmt_lock);
1128 if (retval != -ENOEXEC || bprm->mm == NULL) {
1129 break;
1130 #ifdef CONFIG_KMOD
1131 }else{
1132 #define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
1133 if (printable(bprm->buf[0]) &&
1134 printable(bprm->buf[1]) &&
1135 printable(bprm->buf[2]) &&
1136 printable(bprm->buf[3]))
1137 break; /* -ENOEXEC */
1138 request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
1139 #endif
1140 }
1141 }
1142 return retval;
1143 }
1144
1145 EXPORT_SYMBOL(search_binary_handler);
1146
1147 /*
1148 * sys_execve() executes a new program.
1149 */
1150 int do_execve(char * filename,
1151 char __user *__user *argv,
1152 char __user *__user *envp,
1153 struct pt_regs * regs)
1154 {
1155 struct linux_binprm *bprm;
1156 struct file *file;
1157 int retval;
1158 int i;
1159
1160 retval = -ENOMEM;
1161 bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
1162 if (!bprm)
1163 goto out_ret;
1164
1165 file = open_exec(filename);
1166 retval = PTR_ERR(file);
1167 if (IS_ERR(file))
1168 goto out_kfree;
1169
1170 sched_exec();
1171
1172 bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
1173
1174 bprm->file = file;
1175 bprm->filename = filename;
1176 bprm->interp = filename;
1177 bprm->mm = mm_alloc();
1178 retval = -ENOMEM;
1179 if (!bprm->mm)
1180 goto out_file;
1181
1182 retval = init_new_context(current, bprm->mm);
1183 if (retval < 0)
1184 goto out_mm;
1185
1186 bprm->argc = count(argv, bprm->p / sizeof(void *));
1187 if ((retval = bprm->argc) < 0)
1188 goto out_mm;
1189
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -