NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
#include <unistd.h>

int execl(const char *path, const char *arg0, ..., const char *argn, char * /*NULL*/);
Each of the functions in the exec family overlays a new process image on an old process. The new process image is constructed from an ordinary, executable file. This file is either an executable object file, or a file of data for an interpreter. There can be no return from a successful call to one of these functions because the calling process image is overlaid by the new process image.
An interpreter file begins with a line of the form
#! pathname [ arg ]
where pathname is the path of the interpreter, and arg is an optional argument. When an interpreter file is executed, the system invokes the specified interpreter. The pathname specified in the interpreter file is passed as arg0 to the interpreter. If arg was specified in the interpreter file, it is passed as arg1 to the interpreter. The remaining arguments to the interpreter are arg0 through argn of the originally exec'd file. The interpreter named by pathname must not be an interpreter file.
When a C program is executed, it is called as follows:
int main (int argc, char *argv[], char *envp[]);
where argc is the argument count, argv is an array of character pointers to the arguments themselves, and envp is an array of character pointers to the environment strings. As indicated, argc is at least one, and the first member of the array points to a string containing the name of the file.
The arguments arg0 , ... , argn point to null-terminated character strings. These strings constitute the argument list available to the new process image. Conventionally at least arg0 should be present. It will become the name of the process, as displayed by the ps(1) command. The arg0 argument points to a string that is the same as path (or the last component of path ). The list of argument strings is terminated by a (char *)0 argument.
The argv argument is an array of character pointers to null-terminated strings. These strings constitute the argument list available to the new process image. By convention, argv must have at least one member, and it should point to a string that is the same as path (or its last component). The argv argument is terminated by a null pointer.
The envp argument is an array of character pointers to null-terminated strings. These strings constitute the environment for the new process image. The envp argument is terminated by a null pointer. For execl() , execv() , execvp() , and execlp() , the C run-time start-off routine places a pointer to the environment of the calling process in the global object extern char **environ , and it is used to pass the environment of the calling process to the new process.
The path argument points to a path name that identifies the new process file.
The file argument points to the new process file. If file does not contain a slash character, the path prefix for this file is obtained by a search of the directories passed in the PATH environment variable (see environ(5) ). That PATH value comes from the calling process's environment, which is typically supplied by the shell, so execlp() and execvp() trust whatever search path the caller inherited. If the new process file is not an executable object file, execlp() and execvp() use the contents of that file as standard input to the shell. In a standard-conforming application (see standards(5) ), the exec family of functions uses /usr/bin/ksh (see ksh(1) ); otherwise, they use /usr/bin/sh (see sh(1) ).
The calling process must have read and execute access to the new process file or have the following in its set of effective privileges:
PRIV_FILE_DAC_SEARCH
PRIV_FILE_DAC_EXECUTE
PRIV_FILE_MAC_SEARCH
PRIV_FILE_MAC_READ
File descriptors open in the calling process remain open in the new process, except for those whose close-on-exec flag is set; (see fcntl(2) ). For those file descriptors that remain open, the file pointer is unchanged.
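The close-on-exec rule above is the one that decides whether a descriptor leaks into a program exec'd by a privileged process. As an added example (not from the page or from Solaris), the C routine below creates a pipe, optionally sets FD_CLOEXEC on its write end with fcntl(2), and execs /bin/sh with a command that writes through that descriptor number; the parent learns whether the descriptor survived by reading from the pipe. The function name and the use of /bin/sh as the exec'd program are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Does a descriptor survive exec? The parent creates a pipe and, if asked,
 * marks the write end close-on-exec. A child then execs /bin/sh with a command
 * that writes "x" through that descriptor *number*, the way any exec'd program
 * could use an inherited fd. The parent reads from the pipe: data arrives only
 * if the descriptor was still open in the new process image.
 * Returns 1 if the fd survived, 0 if it was closed, -1 on a setup failure.
 */
static int fd_survives_exec(int set_cloexec)
{
    int pfd[2];
    char cmd[80], buf[8];
    pid_t pid;
    ssize_t n;

    if (pipe(pfd) == -1)
        return -1;
    if (set_cloexec && fcntl(pfd[1], F_SETFD, FD_CLOEXEC) == -1)
        return -1;

    /* "exec 2>/dev/null" silences the shell's own error when the fd is gone */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo x >&%d", pfd[1]);

    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);                        /* exec failed: nothing is written */
    }
    close(pfd[1]);                         /* parent keeps only the read end ... */
    n = read(pfd[0], buf, sizeof buf);     /* ... so EOF means no one else held it */
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: survives=%d\n", fd_survives_exec(0));
    printf("with    FD_CLOEXEC: survives=%d\n", fd_survives_exec(1));
    return 0;
}
```

Without the flag the shell writes through the inherited descriptor; with it, the descriptor is gone before the new image runs. The check is worth running in any code that execs a less trusted program after opening privileged files or sockets, since the flag is off by default.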
Signals that are being caught by the calling process are set to the default disposition in the new process image (see signal(3C) ). Otherwise, the new process image inherits the signal dispositions of the calling process.
The saved resource limits in the new process image are set to be a copy of the process's corresponding hard and soft resource limits.
If the set-user-ID mode bit of the new process file is set (see chmod(2) ), the effective user ID of the new process is set to the owner ID of the new process file. Similarly, if the set-group-ID mode bit of the new process file is set, the effective group ID of the new process is set to the group ID of the new process file. The real user ID and real group ID of the new process remain the same as those of the calling process.
If the process has the PRIV_PROC_OWNER privilege, the set-user-ID and set-group-ID bits will be honored when the process is being controlled by ptrace().
The shared memory segments attached to the calling process will not be attached to the new process (see shmop(2) ). Memory mappings in the calling process are unmapped before the new process begins execution (see mmap(2) ).
Profiling is disabled for the new process; see profil(2) .
Timers created by timer_create(3R) are deleted before the new process begins execution.
Any outstanding asynchronous I/O operations may be cancelled.
The new process also inherits the following attributes from the calling process:
nice value (see nice(2) )
scheduler class and priority (see priocntl(2) )
process ID
parent process ID
process group ID
supplementary group IDs
semadj values (see semop(2) )
session ID (see exit(2) and signal(3C) )
trace flag (see ptrace(2) request 0)
time left until an alarm (see alarm(2) )
current working directory
root directory
file mode creation mask (see umask(2) )
resource limits (see getrlimit(2) )
utime , stime , cutime , and cstime (see times(2) )
controlling terminal
process signal mask (see sigprocmask(2) )
pending signals (see sigpending(2) )
clearance (see getclearance(2) )
sensitivity label (see getcmwlabel(2) )
inheritable privilege set (see getppriv(2) )
process attribute flags (see getpattr(2) )
The four privilege sets of the new process are updated as described in the following equations, where E1, P1, S1, I1 are the four privilege sets of the calling process; E2, P2, S2, I2 are the four privilege sets of the new process; and F and A are the forced set and the allowed set of the program file:

E2 = P2 = (I1 union F) intersect A
S2 = I1 intersect A
I2 = I1

Only the inheritable set I1 of the calling process enters these equations: the effective, permitted and saved sets of the caller do not carry across the exec, and the program file's allowed set A bounds everything the new process receives.

When a script file is run, the resulting forced privileges are the combination of the forced privileges of the script and the forced privileges of the interpreter program; and the resulting allowed privileges are the allowed privileges of the interpreter program. The privilege update equations for a script executable can therefore be expressed as:

E2 = P2 = (I1 union Fs union Fi) intersect Ai
S2 = I1 intersect Ai
I2 = I1

where Fs is the forced privilege set of the script, Fi is the forced privilege set of the interpreter program, and Ai is the allowed privilege set of the interpreter program.
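The two sets of equations above, carried through on concrete values as an added example (not code from the page or from Trusted Solaris). The privilege names are the ones this page uses; the one-bit-per-privilege encoding, the struct layout, the function names and the two constructed samples are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>

/* Toy encoding of a privilege set: one bit per privilege (bit positions assumed). */
typedef uint32_t privset_t;
enum {
    PRIV_FILE_DAC_SEARCH  = 1u << 0,
    PRIV_FILE_DAC_EXECUTE = 1u << 1,
    PRIV_FILE_MAC_SEARCH  = 1u << 2,
    PRIV_FILE_MAC_READ    = 1u << 3,
    PRIV_PROC_OWNER       = 1u << 4
};

struct procprivs { privset_t E, P, S, I; };   /* effective, permitted, saved, inheritable */
struct fileprivs { privset_t F, A; };         /* forced, allowed */

/* E2 = P2 = (I1 union F) intersect A ; S2 = I1 intersect A ; I2 = I1 */
static struct procprivs exec_privs(struct procprivs p1, struct fileprivs f)
{
    struct procprivs p2;
    p2.E = p2.P = (p1.I | f.F) & f.A;
    p2.S = p1.I & f.A;
    p2.I = p1.I;          /* E1, P1 and S1 play no part: only I1 crosses the exec */
    return p2;
}

/* Script: the forced set is Fs union Fi, the allowed set is the interpreter's Ai. */
static struct procprivs exec_script_privs(struct procprivs p1,
                                          struct fileprivs script,
                                          struct fileprivs interp)
{
    struct fileprivs eff;
    eff.F = script.F | interp.F;
    eff.A = interp.A;
    return exec_privs(p1, eff);
}

/* Constructed sample 1: the caller holds PRIV_PROC_OWNER in E1/P1 but not in I1,
 * and execs a binary that forces MAC_READ and allows only DAC_SEARCH and MAC_READ. */
static struct procprivs demo_binary(void)
{
    struct procprivs p1 = {
        PRIV_PROC_OWNER | PRIV_FILE_DAC_SEARCH,         /* E1 */
        PRIV_PROC_OWNER | PRIV_FILE_DAC_SEARCH,         /* P1 */
        0,                                              /* S1 */
        PRIV_FILE_DAC_SEARCH | PRIV_FILE_DAC_EXECUTE    /* I1 */
    };
    struct fileprivs f = { PRIV_FILE_MAC_READ,
                           PRIV_FILE_DAC_SEARCH | PRIV_FILE_MAC_READ };
    return exec_privs(p1, f);
}

/* Constructed sample 2: a script that forces MAC_READ, run by an interpreter that
 * forces DAC_EXECUTE and allows only DAC_SEARCH and DAC_EXECUTE. */
static struct procprivs demo_script(void)
{
    struct procprivs p1 = { 0, 0, 0, PRIV_FILE_DAC_SEARCH };
    struct fileprivs script = { PRIV_FILE_MAC_READ, 0xffffffffu };
    struct fileprivs interp = { PRIV_FILE_DAC_EXECUTE,
                                PRIV_FILE_DAC_SEARCH | PRIV_FILE_DAC_EXECUTE };
    return exec_script_privs(p1, script, interp);
}

static void show(const char *what, struct procprivs p)
{
    printf("%s: E=%#x P=%#x S=%#x I=%#x\n", what,
           (unsigned)p.E, (unsigned)p.P, (unsigned)p.S, (unsigned)p.I);
}

int main(void)
{
    show("binary", demo_binary());
    show("script", demo_script());
    return 0;
}
```

In sample 1 the new process ends up with E2 = P2 = {DAC_SEARCH, MAC_READ}: DAC_EXECUTE is in I1 but is cut by A, and PRIV_PROC_OWNER never appears because it was only in the caller's effective and permitted sets. In sample 2 the script's forced MAC_READ is discarded, because the allowed set that applies is the interpreter's Ai and Ai does not contain it.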
Upon successful completion, each of the functions in the exec family marks for update the st_atime field of the file, unless the file is on a read-only file system. Should the function succeed, the process image file is considered to have been opened by the open(2) system call. The corresponding close() is considered to occur at a time after this open, but before process termination or successful completion of a subsequent call to one of the functions in the exec family.
If a function in the exec family returns to the calling process, an error has occurred; the return value is -1 and errno is set to indicate the error.
Each of the functions in the exec family will fail if:
The number of bytes in the new process's argument list is greater than the system-imposed limit of ARG_MAX bytes. The argument list limit is the sum of the size of the argument list plus the size of the environment's exported shell variables.
Search permission is denied for a directory listed in the new process file's path prefix; the new process file is not an ordinary file; or the new process file mode denies execute permission. Moreover, the calling process does not have PRIV_FILE_DAC_SEARCH and/or PRIV_FILE_MAC_SEARCH to override the restriction.
Total amount of system memory available when reading using raw I/O is temporarily insufficient.
An argument points to an illegal address.
A signal was caught during the execution of one of the functions in the exec family.
Too many symbolic links were encountered in translating path or file .
The length of the file or path argument exceeds PATH_MAX , or the length of a file or path component exceeds NAME_MAX while _POSIX_NO_TRUNC is in effect.
One or more components of the new process file's path name do not exist, or the path name is null.
The function call is not an execlp() or execvp() , and the new process file has the appropriate access permission but an invalid magic number in its header.
The path argument points to a remote machine and the link to that machine is no longer active.
The new process requires more memory than RLIMIT_VMEM , the limit imposed by setrlimit() (see brk(2) ).
A component of the new process file's path prefix is not a directory.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
MT-Level | execle() and execve() are Async-Signal-Safe |
MAC search and execute permissions on the executable object are required. Process privilege sets and process information label are updated upon execution of the program. Other Trusted Solaris process attributes, such as clearance, sensitivity label, and process attribute flags, are unchanged.
Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.

Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.
As a result, Trusted Solaris 7 has the following characteristics:
ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.
ILs do not float.
Setting an IL on an object has no effect.
Getting an object's IL will always return ADMIN_LOW.
Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs are always ADMIN_LOW, and cannot be set on any objects.
Options related to information labels in the label_encodings(4) file can be ignored:
Markings Name= Marks; Float Process Information Label;
chmod(2) , fcntl(2) , fork(2) , getrlimit(2) , nice(2) , priocntl(2) , semop(2) , shmop(2)
ksh(1) , ps(1) , sh(1) , alarm(2) , brk(2) , exit(2) , mmap(2) , profil(2) , ptrace(2) , sigpending(2) , sigprocmask(2) , times(2) , umask(2) , lockf(3C) , signal(3C) , system(3S) , timer_create(3R) , a.out(4) , attributes(5) , environ(5) , standards(5)