From ff59c9de3274134e3e517a7faf7b5fbedfc0bb7f Mon Sep 17 00:00:00 2001
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Thu, 14 Jan 2021 15:38:29 +0200
Subject: [PATCH] sysent: allow ABI to disable setid on exec.

(cherry picked from commit 2d423f7671fe452486932c8e41e7d3547afe82aa)
---
 sys/kern/kern_exec.c | 4 ++++
 sys/sys/sysent.h     | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 1df422dec08..3413a5d024d 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -774,6 +774,10 @@ interpret:
 		signotify(td);
 	}
 
+	if (imgp->sysent->sv_setid_allowed != NULL &&
+	    !(*imgp->sysent->sv_setid_allowed)(td, imgp))
+		execve_nosetid(imgp);
+
 	/*
 	 * Implement image setuid/setgid installation.
 	 */
diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h
index e6db2ec3dfb..4a707b41e02 100644
--- a/sys/sys/sysent.h
+++ b/sys/sys/sysent.h
@@ -148,6 +148,8 @@ struct sysentvec {
 	void		(*sv_onexec)(struct proc *, struct image_params *);
 	void		(*sv_onexit)(struct proc *);
 	void		(*sv_ontdexit)(struct thread *td);
+	bool		(*sv_setid_allowed)(struct thread *td,
+			    struct image_params *imgp);
 };
 
 #define	SV_ILP32	0x000100	/* 32-bit executable. */