1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <sys/mutex.h>
27 #include <sys/debug.h>
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/kmem.h>
31 #include <sys/thread.h>
32 #include <sys/id_space.h>
33 #include <sys/avl.h>
34 #include <sys/list.h>
35 #include <sys/sysmacros.h>
36 #include <sys/proc.h>
37 #include <sys/contract.h>
38 #include <sys/contract_impl.h>
39 #include <sys/contract/process.h>
40 #include <sys/contract/process_impl.h>
41 #include <sys/cmn_err.h>
42 #include <sys/nvpair.h>
43 #include <sys/policy.h>
44 #include <sys/refstr.h>
45 #include <sys/sunddi.h>
46
47 /*
48 * Process Contracts
49 * -----------------
50 *
51 * Generally speaking, a process contract is a contract between a
52 * process and a set of its descendent processes. In some cases, when
53 * the child processes outlive the author of the contract, the contract
54 * may be held by (and therefore be between the child processes and) a
55 * successor process which adopts the contract after the death of the
56 * original author.
57 *
58 * The process contract adds two new concepts to the Solaris process
59 * model. The first is that a process contract forms a rigid fault
60 * boundary around a set of processes. Hardware, software, and even
61 * administrator errors impacting a process in a process contract
62 * generate specific events and can be requested to atomically shutdown
63 * all processes in the contract. The second is that a process
64 * contract is a process collective whose leader is not a member of the
65 * collective. This means that the leader can reliably react to events
66 * in the collective, and may also act upon the collective without
67 * special casing itself.
68 *
69 * A composite outcome of these two concepts is that we can now create
70 * a tree of process contracts, rooted at init(1M), which represent
71 * services and subservices that are reliably observed and can be
72 * restarted when fatal errors occur. The service management framework
73 * (SMF) realizes this structure.
74 *
75 * For more details, see the "restart agreements" case, PSARC 2003/193.
76 *
77 * There are four sets of routines in this file: the process contract
78 * standard template operations, the process contract standard contract
79 * operations, a couple routines used only by the contract subsystem to
80 * handle process contracts' unique role as a temporary holder of
81 * abandoned contracts, and the interfaces which allow the system to
82 * create and act upon process contracts. The first two are defined by
83 * the contracts framework and won't be discussed further. As for the
84 * remaining two:
85 *
86 * Special framework interfaces
87 * ----------------------------
88 *
89 * contract_process_accept - determines if a process contract is a
90 * regent, i.e. if it can inherit other contracts.
91 *
92 * contract_process_take - tells a regent process contract to inherit
93 * an abandoned contract
94 *
95 * contract_process_adopt - tells a regent process contract that a
96 * contract it has inherited is being adopted by a process.
97 *
98 * Process contract interfaces
99 * ---------------------------
100 *
101 * contract_process_fork - called when a process is created; adds the
102 * new process to an existing contract or to a newly created one.
103 *
104 * contract_process_exit - called when a process exits
105 *
106 * contract_process_core - called when a process would have dumped core
107 * (even if a core file wasn't generated)
108 *
109 * contract_process_hwerr - called when a process was killed because of
110 * an uncorrectable hardware error
111 *
112 * contract_process_sig - called when a process was killed by a fatal
113 * signal sent by a process in another process contract
114 *
115 */
116
117 ct_type_t *process_type;
118 ctmpl_process_t *sys_process_tmpl;
119 refstr_t *conp_svc_aux_default;
120
121 /*
122 * Macro predicates for determining when events should be sent and how.
123 */
124 #define EVSENDP(ctp, flag) \
125 ((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
126
127 #define EVINFOP(ctp, flag) \
128 ((ctp->conp_contract.ct_ev_crit & flag) == 0)
129
130 #define EVFATALP(ctp, flag) \
131 (ctp->conp_ev_fatal & flag)
132
133
134 /*
135 * Process contract template implementation
136 */
137
138 /*
139 * ctmpl_process_dup
140 *
141 * The process contract template dup entry point. Other than the
142 * to-be-subsumed contract, which must be held, this simply copies all
143 * the fields of the original.
144 */
145 static struct ct_template *
ctmpl_process_dup(struct ct_template * template)146 ctmpl_process_dup(struct ct_template *template)
147 {
148 ctmpl_process_t *new;
149 ctmpl_process_t *old = template->ctmpl_data;
150
151 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
152
153 ctmpl_copy(&new->ctp_ctmpl, template);
154 new->ctp_ctmpl.ctmpl_data = new;
155
156 new->ctp_subsume = old->ctp_subsume;
157 if (new->ctp_subsume)
158 contract_hold(new->ctp_subsume);
159 new->ctp_params = old->ctp_params;
160 new->ctp_ev_fatal = old->ctp_ev_fatal;
161 new->ctp_svc_fmri = old->ctp_svc_fmri;
162 if (new->ctp_svc_fmri != NULL) {
163 refstr_hold(new->ctp_svc_fmri);
164 }
165 new->ctp_svc_aux = old->ctp_svc_aux;
166 if (new->ctp_svc_aux != NULL) {
167 refstr_hold(new->ctp_svc_aux);
168 }
169
170 return (&new->ctp_ctmpl);
171 }
172
173 /*
174 * ctmpl_process_free
175 *
176 * The process contract template free entry point. Just releases a
177 * to-be-subsumed contract and frees the template.
178 */
179 static void
ctmpl_process_free(struct ct_template * template)180 ctmpl_process_free(struct ct_template *template)
181 {
182 ctmpl_process_t *ctp = template->ctmpl_data;
183
184 if (ctp->ctp_subsume)
185 contract_rele(ctp->ctp_subsume);
186 if (ctp->ctp_svc_fmri != NULL) {
187 refstr_rele(ctp->ctp_svc_fmri);
188 }
189 if (ctp->ctp_svc_aux != NULL) {
190 refstr_rele(ctp->ctp_svc_aux);
191 }
192 kmem_free(template, sizeof (ctmpl_process_t));
193 }
194
195 /*
196 * SAFE_EV is the set of events which a non-privileged process is
197 * allowed to make critical but not fatal or if the PGRPONLY parameter
198 * is set. EXCESS tells us if "value", a critical event set, requires
199 * additional privilege given the template "ctp".
200 */
201 #define SAFE_EV (CT_PR_EV_EMPTY)
202 #define EXCESS(ctp, value) \
203 (((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
204 (((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
205
206 /*
207 * ctmpl_process_set
208 *
209 * The process contract template set entry point. None of the terms
210 * may be unconditionally set, and setting the parameters or fatal
211 * event set may result in events being implicitly removed from to the
212 * critical event set and added to the informative event set. The
213 * (admittedly subtle) reason we implicitly change the critical event
214 * set when the parameter or fatal event set is modified but not the
215 * other way around is because a change to the critical event set only
216 * affects the contract's owner, whereas a change to the parameter set
217 * and fatal set can affect the execution of the application running in
218 * the contract (and should therefore be only made explicitly). We
219 * allow implicit changes at all so that setting contract terms doesn't
220 * become a complex dance dependent on the template's initial state and
221 * the desired terms.
222 */
223 static int
ctmpl_process_set(struct ct_template * tmpl,ct_kparam_t * kparam,const cred_t * cr)224 ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
225 const cred_t *cr)
226 {
227 ctmpl_process_t *ctp = tmpl->ctmpl_data;
228 ct_param_t *param = &kparam->param;
229 contract_t *ct;
230 int error;
231 uint64_t param_value;
232 char *str_value;
233
234 if ((param->ctpm_id == CTPP_SVC_FMRI) ||
235 (param->ctpm_id == CTPP_CREATOR_AUX)) {
236 str_value = (char *)kparam->ctpm_kbuf;
237 str_value[param->ctpm_size - 1] = '\0';
238 } else {
239 if (param->ctpm_size < sizeof (uint64_t))
240 return (EINVAL);
241 param_value = *(uint64_t *)kparam->ctpm_kbuf;
242 /*
243 * No process contract parameters are > 32 bits.
244 * Unless it is a string.
245 */
246 if (param_value & ~UINT32_MAX)
247 return (EINVAL);
248 }
249
250 switch (param->ctpm_id) {
251 case CTPP_SUBSUME:
252 if (param_value != 0) {
253 /*
254 * Ensure that the contract exists, that we
255 * hold the contract, and that the contract is
256 * empty.
257 */
258 ct = contract_type_ptr(process_type, param_value,
259 curproc->p_zone->zone_uniqid);
260 if (ct == NULL)
261 return (ESRCH);
262 if (ct->ct_owner != curproc) {
263 contract_rele(ct);
264 return (EACCES);
265 }
266 if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
267 contract_rele(ct);
268 return (ENOTEMPTY);
269 }
270 } else {
271 ct = NULL;
272 }
273 if (ctp->ctp_subsume)
274 contract_rele(ctp->ctp_subsume);
275 ctp->ctp_subsume = ct;
276 break;
277 case CTPP_PARAMS:
278 if (param_value & ~CT_PR_ALLPARAM)
279 return (EINVAL);
280 ctp->ctp_params = param_value;
281 /*
282 * If an unprivileged process requests that
283 * CT_PR_PGRPONLY be set, remove any unsafe events from
284 * the critical event set and add them to the
285 * informative event set.
286 */
287 if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
288 EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
289 !secpolicy_contract_event_choice(cr)) {
290 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
291 tmpl->ctmpl_ev_crit &= SAFE_EV;
292 }
293
294 break;
295 case CTPP_SVC_FMRI:
296 if (error = secpolicy_contract_identity(cr))
297 return (error);
298 if (ctp->ctp_svc_fmri != NULL)
299 refstr_rele(ctp->ctp_svc_fmri);
300 if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
301 ctp->ctp_svc_fmri = NULL;
302 else
303 ctp->ctp_svc_fmri =
304 refstr_alloc(str_value);
305 break;
306 case CTPP_CREATOR_AUX:
307 if (ctp->ctp_svc_aux != NULL)
308 refstr_rele(ctp->ctp_svc_aux);
309 if (param->ctpm_size == 1) /* empty string */
310 ctp->ctp_svc_aux = NULL;
311 else
312 ctp->ctp_svc_aux =
313 refstr_alloc(str_value);
314 break;
315 case CTP_EV_CRITICAL:
316 /*
317 * We simply don't allow adding events to the critical
318 * event set which aren't permitted by our policy or by
319 * privilege.
320 */
321 if (EXCESS(ctp, param_value) &&
322 (error = secpolicy_contract_event(cr)) != 0)
323 return (error);
324 tmpl->ctmpl_ev_crit = param_value;
325 break;
326 case CTPP_EV_FATAL:
327 if (param_value & ~CT_PR_ALLFATAL)
328 return (EINVAL);
329 ctp->ctp_ev_fatal = param_value;
330 /*
331 * Check to see if an unprivileged process is
332 * requesting that events be removed from the fatal
333 * event set which are still in the critical event set.
334 */
335 if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
336 !secpolicy_contract_event_choice(cr)) {
337 int allowed =
338 SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
339 0 : ctp->ctp_ev_fatal;
340 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
341 tmpl->ctmpl_ev_crit &= allowed;
342 }
343 break;
344 default:
345 return (EINVAL);
346 }
347
348 return (0);
349 }
350
351 /*
352 * ctmpl_process_get
353 *
354 * The process contract template get entry point. Simply fetches and
355 * returns the requested term.
356 */
357 static int
ctmpl_process_get(struct ct_template * template,ct_kparam_t * kparam)358 ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
359 {
360 ctmpl_process_t *ctp = template->ctmpl_data;
361 ct_param_t *param = &kparam->param;
362 uint64_t *param_value = kparam->ctpm_kbuf;
363
364 if (param->ctpm_id == CTPP_SUBSUME ||
365 param->ctpm_id == CTPP_PARAMS ||
366 param->ctpm_id == CTPP_EV_FATAL) {
367 if (param->ctpm_size < sizeof (uint64_t))
368 return (EINVAL);
369 kparam->ret_size = sizeof (uint64_t);
370 }
371
372 switch (param->ctpm_id) {
373 case CTPP_SUBSUME:
374 *param_value = ctp->ctp_subsume ?
375 ctp->ctp_subsume->ct_id : 0;
376 break;
377 case CTPP_PARAMS:
378 *param_value = ctp->ctp_params;
379 break;
380 case CTPP_SVC_FMRI:
381 if (ctp->ctp_svc_fmri == NULL) {
382 kparam->ret_size =
383 strlcpy((char *)kparam->ctpm_kbuf,
384 CT_PR_SVC_DEFAULT, param->ctpm_size);
385 } else {
386 kparam->ret_size =
387 strlcpy((char *)kparam->ctpm_kbuf,
388 refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
389 }
390 kparam->ret_size++;
391 break;
392 case CTPP_CREATOR_AUX:
393 if (ctp->ctp_svc_aux == NULL) {
394 kparam->ret_size =
395 strlcpy((char *)kparam->ctpm_kbuf,
396 refstr_value(conp_svc_aux_default),
397 param->ctpm_size);
398 } else {
399 kparam->ret_size =
400 strlcpy((char *)kparam->ctpm_kbuf,
401 refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
402 }
403 kparam->ret_size++;
404 break;
405 case CTPP_EV_FATAL:
406 *param_value = ctp->ctp_ev_fatal;
407 break;
408 default:
409 return (EINVAL);
410 }
411
412 return (0);
413 }
414
415 static ctmplops_t ctmpl_process_ops = {
416 ctmpl_process_dup, /* ctop_dup */
417 ctmpl_process_free, /* ctop_free */
418 ctmpl_process_set, /* ctop_set */
419 ctmpl_process_get, /* ctop_get */
420 ctmpl_create_inval, /* ctop_create */
421 CT_PR_ALLEVENT
422 };
423
424
425 /*
426 * Process contract implementation
427 */
428
429 /*
430 * ctmpl_process_default
431 *
432 * The process contract default template entry point. Creates a
433 * process contract template with no parameters set, with informative
434 * core and signal events, critical empty and hwerr events, and fatal
435 * hwerr events.
436 */
437 static ct_template_t *
contract_process_default(void)438 contract_process_default(void)
439 {
440 ctmpl_process_t *new;
441
442 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
443 ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
444
445 new->ctp_subsume = NULL;
446 new->ctp_params = 0;
447 new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
448 new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
449 new->ctp_ev_fatal = CT_PR_EV_HWERR;
450 new->ctp_svc_fmri = NULL;
451 new->ctp_svc_aux = NULL;
452
453 return (&new->ctp_ctmpl);
454 }
455
456 /*
457 * contract_process_free
458 *
459 * The process contract free entry point.
460 */
461 static void
contract_process_free(contract_t * ct)462 contract_process_free(contract_t *ct)
463 {
464 cont_process_t *ctp = ct->ct_data;
465 crfree(ctp->conp_cred);
466 list_destroy(&ctp->conp_members);
467 list_destroy(&ctp->conp_inherited);
468 if (ctp->conp_svc_fmri != NULL) {
469 refstr_rele(ctp->conp_svc_fmri);
470 }
471 if (ctp->conp_svc_aux != NULL) {
472 refstr_rele(ctp->conp_svc_aux);
473 }
474 if (ctp->conp_svc_creator != NULL) {
475 refstr_rele(ctp->conp_svc_creator);
476 }
477 kmem_free(ctp, sizeof (cont_process_t));
478 }
479
480 /*
481 * contract_process_cankill
482 *
483 * Determine if the contract author had or if the process generating
484 * the event, sp, has adequate privileges to kill process tp.
485 */
486 static int
contract_process_cankill(proc_t * tp,proc_t * sp,cont_process_t * ctp)487 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
488 {
489 int cankill;
490
491 mutex_enter(&tp->p_crlock);
492 cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
493 mutex_exit(&tp->p_crlock);
494 if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
495 return (1);
496
497 return (0);
498 }
499
500 /*
501 * contract_process_kill
502 *
503 * Kills all processes in a contract, or all processes in the
504 * intersection of a contract and ex's process group (if ex is non-NULL
505 * and the contract's PGRPONLY parameter is set). If checkpriv is
506 * true, only those processes which may be signaled by the contract
507 * author or ex are killed.
508 */
509 static void
contract_process_kill(contract_t * ct,proc_t * ex,int checkpriv)510 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
511 {
512 cont_process_t *ctp = ct->ct_data;
513 proc_t *p;
514 pid_t pgrp = -1;
515
516 ASSERT(MUTEX_HELD(&ct->ct_lock));
517
518 if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
519 pgrp = ex->p_pgrp;
520 mutex_enter(&pidlock);
521 }
522
523 for (p = list_head(&ctp->conp_members); p != NULL;
524 p = list_next(&ctp->conp_members, p)) {
525 if ((p == ex) ||
526 (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
527 (checkpriv && !contract_process_cankill(p, ex, ctp)))
528 continue;
529
530 psignal(p, SIGKILL);
531 }
532
533 if (pgrp != -1)
534 mutex_exit(&pidlock);
535 }
536
537
538 /*
539 * contract_process_accept
540 *
541 * Tests if the process contract is willing to act as a regent for
542 * inherited contracts. Though brief and only called from one place,
543 * this functionality is kept here to avoid including knowledge of
544 * process contract implementation in the generic contract code.
545 */
546 int
contract_process_accept(contract_t * parent)547 contract_process_accept(contract_t *parent)
548 {
549 cont_process_t *ctp = parent->ct_data;
550
551 ASSERT(parent->ct_type == process_type);
552
553 return (ctp->conp_params & CT_PR_REGENT);
554 }
555
556 /*
557 * contract_process_take
558 *
559 * Executes the process contract side of inheriting a contract.
560 */
561 void
contract_process_take(contract_t * parent,contract_t * child)562 contract_process_take(contract_t *parent, contract_t *child)
563 {
564 cont_process_t *ctp = parent->ct_data;
565
566 ASSERT(MUTEX_HELD(&parent->ct_lock));
567 ASSERT(MUTEX_HELD(&child->ct_lock));
568 ASSERT(parent->ct_type == process_type);
569 ASSERT(ctp->conp_params & CT_PR_REGENT);
570
571 list_insert_head(&ctp->conp_inherited, child);
572 ctp->conp_ninherited++;
573 }
574
575 /*
576 * contract_process_adopt
577 *
578 * Executes the process contract side of adopting a contract.
579 */
580 void
contract_process_adopt(contract_t * ct,proc_t * p)581 contract_process_adopt(contract_t *ct, proc_t *p)
582 {
583 cont_process_t *parent = p->p_ct_process;
584
585 ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
586 ASSERT(MUTEX_HELD(&ct->ct_lock));
587
588 list_remove(&parent->conp_inherited, ct);
589 parent->conp_ninherited--;
590
591 /*
592 * We drop the parent lock first because a) we are passing the
593 * contract reference to the child, and b) contract_adopt
594 * expects us to return with the contract lock held.
595 */
596 mutex_exit(&parent->conp_contract.ct_lock);
597 }
598
599 /*
600 * contract_process_abandon
601 *
602 * The process contract abandon entry point.
603 */
604 static void
contract_process_abandon(contract_t * ct)605 contract_process_abandon(contract_t *ct)
606 {
607 cont_process_t *ctp = ct->ct_data;
608
609 ASSERT(MUTEX_HELD(&ct->ct_lock));
610
611 /*
612 * Shall we stay or shall we go?
613 */
614 if (list_head(&ctp->conp_members) == NULL) {
615 contract_destroy(ct);
616 } else {
617 /*
618 * Strictly speaking, we actually do orphan the contract.
619 * Assuming our credentials allow us to kill all
620 * processes in the contract, this is only temporary.
621 */
622 if (ctp->conp_params & CT_PR_NOORPHAN)
623 contract_process_kill(ct, NULL, B_TRUE);
624 contract_orphan(ct);
625 mutex_exit(&ct->ct_lock);
626 contract_rele(ct);
627 }
628 }
629
630 /*
631 * contract_process_destroy
632 *
633 * The process contract destroy entry point.
634 */
635 static void
contract_process_destroy(contract_t * ct)636 contract_process_destroy(contract_t *ct)
637 {
638 cont_process_t *ctp = ct->ct_data;
639 contract_t *cct;
640
641 ASSERT(MUTEX_HELD(&ct->ct_lock));
642
643 /*
644 * contract_destroy all empty children, kill or orphan the rest
645 */
646 while (cct = list_head(&ctp->conp_inherited)) {
647 mutex_enter(&cct->ct_lock);
648
649 ASSERT(cct->ct_state == CTS_INHERITED);
650
651 list_remove(&ctp->conp_inherited, cct);
652 ctp->conp_ninherited--;
653 cct->ct_regent = NULL;
654 cct->ct_type->ct_type_ops->contop_abandon(cct);
655 }
656 }
657
658 /*
659 * contract_process_status
660 *
661 * The process contract status entry point.
662 */
663 static void
contract_process_status(contract_t * ct,zone_t * zone,int detail,nvlist_t * nvl,void * status,model_t model)664 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
665 void *status, model_t model)
666 {
667 cont_process_t *ctp = ct->ct_data;
668 uint32_t *pids, *ctids;
669 uint_t npids, nctids;
670 uint_t spids, sctids;
671 ctid_t local_svc_zone_enter;
672
673 if (detail == CTD_FIXED) {
674 mutex_enter(&ct->ct_lock);
675 contract_status_common(ct, zone, status, model);
676 local_svc_zone_enter = ctp->conp_svc_zone_enter;
677 mutex_exit(&ct->ct_lock);
678 } else {
679 contract_t *cnext;
680 proc_t *pnext;
681 uint_t loc;
682
683 ASSERT(detail == CTD_ALL);
684 mutex_enter(&ct->ct_lock);
685 for (;;) {
686 spids = ctp->conp_nmembers + 5;
687 sctids = ctp->conp_ninherited + 5;
688 mutex_exit(&ct->ct_lock);
689
690 pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
691 ctids = kmem_alloc(sctids * sizeof (uint32_t),
692 KM_SLEEP);
693
694 mutex_enter(&ct->ct_lock);
695 npids = ctp->conp_nmembers;
696 nctids = ctp->conp_ninherited;
697 if (spids >= npids && sctids >= nctids)
698 break;
699
700 kmem_free(pids, spids * sizeof (uint32_t));
701 kmem_free(ctids, sctids * sizeof (uint32_t));
702 }
703 contract_status_common(ct, zone, status, model);
704 for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
705 cnext = list_next(&ctp->conp_inherited, cnext))
706 ctids[loc++] = cnext->ct_id;
707 ASSERT(loc == nctids);
708 for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
709 pnext = list_next(&ctp->conp_members, pnext))
710 pids[loc++] = pnext->p_pid;
711 ASSERT(loc == npids);
712 local_svc_zone_enter = ctp->conp_svc_zone_enter;
713 mutex_exit(&ct->ct_lock);
714 }
715
716 /*
717 * Contract terms are static; there's no need to hold the
718 * contract lock while accessing them.
719 */
720 VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
721 VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
722 if (detail == CTD_ALL) {
723 VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
724 npids) == 0);
725 VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
726 nctids) == 0);
727 VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
728 refstr_value(ctp->conp_svc_aux)) == 0);
729 VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
730 refstr_value(ctp->conp_svc_creator)) == 0);
731 kmem_free(pids, spids * sizeof (uint32_t));
732 kmem_free(ctids, sctids * sizeof (uint32_t));
733 }
734
735 /*
736 * if we are in a local zone and svc_fmri was inherited from
737 * the global zone, we provide fake svc_fmri and svc_ctid
738 */
739 if (local_svc_zone_enter == 0||
740 zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
741 if (detail > CTD_COMMON) {
742 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
743 ctp->conp_svc_ctid) == 0);
744 }
745 if (detail == CTD_ALL) {
746 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
747 refstr_value(ctp->conp_svc_fmri)) == 0);
748 }
749 } else {
750 if (detail > CTD_COMMON) {
751 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
752 local_svc_zone_enter) == 0);
753 }
754 if (detail == CTD_ALL) {
755 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
756 CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
757 }
758 }
759 }
760
761 /*ARGSUSED*/
762 static int
contract_process_newct(contract_t * ct)763 contract_process_newct(contract_t *ct)
764 {
765 return (0);
766 }
767
768 /* process contracts don't negotiate */
769 static contops_t contract_process_ops = {
770 contract_process_free, /* contop_free */
771 contract_process_abandon, /* contop_abandon */
772 contract_process_destroy, /* contop_destroy */
773 contract_process_status, /* contop_status */
774 contract_ack_inval, /* contop_ack */
775 contract_ack_inval, /* contop_nack */
776 contract_qack_inval, /* contop_qack */
777 contract_process_newct /* contop_newct */
778 };
779
780 /*
781 * contract_process_init
782 *
783 * Initializes the process contract type. Also creates a template for
784 * use by newproc() when it creates user processes.
785 */
786 void
contract_process_init(void)787 contract_process_init(void)
788 {
789 process_type = contract_type_init(CTT_PROCESS, "process",
790 &contract_process_ops, contract_process_default);
791
792 /*
793 * Create a template for use with init(1M) and other
794 * kernel-started processes.
795 */
796 sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
797 ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
798 process_type, sys_process_tmpl);
799 sys_process_tmpl->ctp_subsume = NULL;
800 sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
801 sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
802 sys_process_tmpl->ctp_svc_fmri =
803 refstr_alloc("svc:/system/init:default");
804 sys_process_tmpl->ctp_svc_aux = refstr_alloc("");
805 conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux;
806 refstr_hold(conp_svc_aux_default);
807 }
808
809 /*
810 * contract_process_create
811 *
812 * create a process contract given template "tmpl" and parent process
813 * "parent". May fail and return NULL if project.max-contracts would
814 * have been exceeded.
815 */
816 static cont_process_t *
contract_process_create(ctmpl_process_t * tmpl,proc_t * parent,int canfail)817 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
818 {
819 cont_process_t *ctp;
820
821 ASSERT(tmpl != NULL);
822
823 (void) contract_type_pbundle(process_type, parent);
824
825 ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
826
827 list_create(&ctp->conp_members, sizeof (proc_t),
828 offsetof(proc_t, p_ct_member));
829 list_create(&ctp->conp_inherited, sizeof (contract_t),
830 offsetof(contract_t, ct_ctlist));
831 mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
832 ctp->conp_params = tmpl->ctp_params;
833 ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
834 crhold(ctp->conp_cred = CRED());
835
836 if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
837 ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
838 parent, canfail)) {
839 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
840 contract_process_free(&ctp->conp_contract);
841 return (NULL);
842 }
843
844 /*
845 * inherit svc_fmri if not defined by consumer. In this case, inherit
846 * also svc_ctid to keep track of the contract id where
847 * svc_fmri was set
848 */
849 if (tmpl->ctp_svc_fmri == NULL) {
850 ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
851 ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
852 ctp->conp_svc_zone_enter =
853 parent->p_ct_process->conp_svc_zone_enter;
854 } else {
855 ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
856 ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
857 /* make svc_zone_enter flag false when svc_fmri is set */
858 ctp->conp_svc_zone_enter = 0;
859 }
860 refstr_hold(ctp->conp_svc_fmri);
861 /* set svc_aux to default value if not defined in template */
862 if (tmpl->ctp_svc_aux == NULL) {
863 ctp->conp_svc_aux = conp_svc_aux_default;
864 } else {
865 ctp->conp_svc_aux = tmpl->ctp_svc_aux;
866 }
867 refstr_hold(ctp->conp_svc_aux);
868 /*
869 * set svc_creator to execname
870 * We special case pid0 because when newproc() creates
871 * the init process, the p_user.u_comm field of sched's proc_t
872 * has not been populated yet.
873 */
874 if (parent->p_pidp == &pid0) /* if the kernel is the creator */
875 ctp->conp_svc_creator = refstr_alloc("sched");
876 else
877 ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);
878
879 /*
880 * Transfer subcontracts only after new contract is visible.
881 * Also, only transfer contracts if the parent matches -- we
882 * don't want to create a cycle in the tree of contracts.
883 */
884 if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
885 cont_process_t *sct = tmpl->ctp_subsume->ct_data;
886 contract_t *ct;
887
888 mutex_enter(&tmpl->ctp_subsume->ct_lock);
889 mutex_enter(&ctp->conp_contract.ct_lock);
890 while (ct = list_head(&sct->conp_inherited)) {
891 mutex_enter(&ct->ct_lock);
892 list_remove(&sct->conp_inherited, ct);
893 list_insert_tail(&ctp->conp_inherited, ct);
894 ct->ct_regent = &ctp->conp_contract;
895 mutex_exit(&ct->ct_lock);
896 }
897 ctp->conp_ninherited += sct->conp_ninherited;
898 sct->conp_ninherited = 0;
899 mutex_exit(&ctp->conp_contract.ct_lock);
900 mutex_exit(&tmpl->ctp_subsume->ct_lock);
901
902 /*
903 * Automatically abandon the contract.
904 */
905 (void) contract_abandon(tmpl->ctp_subsume, parent, 1);
906 }
907
908 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
909
910 return (ctp);
911 }
912
913 /*
914 * contract_process_exit
915 *
916 * Called on process exit. Removes process p from process contract
917 * ctp. Generates an exit event, if requested. Generates an empty
918 * event, if p is the last member of the the process contract and empty
919 * events were requested.
920 */
921 void
contract_process_exit(cont_process_t * ctp,proc_t * p,int exitstatus)922 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
923 {
924 contract_t *ct = &ctp->conp_contract;
925 ct_kevent_t *event;
926 int empty;
927
928 /*
929 * Remove self from process contract.
930 */
931 mutex_enter(&ct->ct_lock);
932 list_remove(&ctp->conp_members, p);
933 ctp->conp_nmembers--;
934 mutex_enter(&p->p_lock); /* in case /proc is watching */
935 p->p_ct_process = NULL;
936 mutex_exit(&p->p_lock);
937
938 /*
939 * We check for emptiness before dropping the contract lock to
940 * send the exit event, otherwise we could end up with two
941 * empty events.
942 */
943 empty = (list_head(&ctp->conp_members) == NULL);
944 if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
945 nvlist_t *nvl;
946
947 mutex_exit(&ct->ct_lock);
948 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
949 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
950 VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
951
952 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
953 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
954 event->cte_type = CT_PR_EV_EXIT;
955 (void) cte_publish_all(ct, event, nvl, NULL);
956 mutex_enter(&ct->ct_lock);
957 }
958 if (empty) {
959 /*
960 * Send EMPTY message.
961 */
962 if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
963 nvlist_t *nvl;
964
965 mutex_exit(&ct->ct_lock);
966 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
967 KM_SLEEP) == 0);
968 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
969
970 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
971 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
972 CTE_INFO : 0;
973 event->cte_type = CT_PR_EV_EMPTY;
974 (void) cte_publish_all(ct, event, nvl, NULL);
975 mutex_enter(&ct->ct_lock);
976 }
977
978 /*
979 * The last one to leave an orphaned contract turns out
980 * the lights.
981 */
982 if (ct->ct_state == CTS_ORPHAN) {
983 contract_destroy(ct);
984 return;
985 }
986 }
987 mutex_exit(&ct->ct_lock);
988 contract_rele(ct);
989 }
990
991 /*
992 * contract_process_fork
993 *
994 * Called on process fork. If the current lwp has a active process
995 * contract template, we attempt to create a new process contract.
996 * Failure to create a process contract when required is a failure in
997 * fork so, in such an event, we return NULL.
998 *
999 * Assuming we succeeded or skipped the previous step, we add the child
1000 * process to the new contract (success) or to the parent's process
1001 * contract (skip). If requested, we also send a fork event to that
1002 * contract.
1003 *
1004 * Because contract_process_fork() may fail, and because we would
1005 * prefer that process contracts not be created for processes which
1006 * don't complete forking, this should be the last function called
1007 * before the "all clear" point in cfork.
1008 */
1009 cont_process_t *
contract_process_fork(ctmpl_process_t * rtmpl,proc_t * cp,proc_t * pp,int canfail)1010 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
1011 int canfail)
1012 {
1013 contract_t *ct;
1014 cont_process_t *ctp;
1015 ct_kevent_t *event;
1016 ct_template_t *tmpl;
1017
1018 if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
1019 process_type->ct_type_index]) != NULL)
1020 rtmpl = tmpl->ctmpl_data;
1021
1022 if (rtmpl == NULL)
1023 ctp = curproc->p_ct_process;
1024 else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
1025 return (NULL);
1026
1027 ct = &ctp->conp_contract;
1028 /*
1029 * Prevent contract_process_kill() from missing forked children
1030 * by failing forks by parents that have just been killed.
1031 * It's not worth hoisting the ctp test since contract creation
1032 * is by no means the common case.
1033 */
1034 mutex_enter(&ct->ct_lock);
1035 mutex_enter(&pp->p_lock);
1036 if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
1037 canfail) {
1038 mutex_exit(&pp->p_lock);
1039 mutex_exit(&ct->ct_lock);
1040 return (NULL);
1041 }
1042 cp->p_ct_process = ctp;
1043 mutex_exit(&pp->p_lock);
1044 contract_hold(ct);
1045 list_insert_head(&ctp->conp_members, cp);
1046 ctp->conp_nmembers++;
1047 mutex_exit(&ct->ct_lock);
1048 if (EVSENDP(ctp, CT_PR_EV_FORK)) {
1049 nvlist_t *nvl;
1050
1051 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1052 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
1053 VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
1054
1055 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1056 event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
1057 event->cte_type = CT_PR_EV_FORK;
1058 (void) cte_publish_all(ct, event, nvl, NULL);
1059 }
1060 return (ctp);
1061 }
1062
1063 /*
1064 * contract_process_core
1065 *
1066 * Called on core file generation attempts. Generates a core event, if
1067 * requested, containing the names of the process, global, and
1068 * system-global ("zone") core files. If dumping core is in the fatal
1069 * event set, calls contract_process_kill().
1070 */
1071 void
contract_process_core(cont_process_t * ctp,proc_t * p,int sig,const char * process,const char * global,const char * zone)1072 contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
1073 const char *process, const char *global, const char *zone)
1074 {
1075 contract_t *ct = &ctp->conp_contract;
1076
1077 if (EVSENDP(ctp, CT_PR_EV_CORE)) {
1078 ct_kevent_t *event;
1079 nvlist_t *nvl, *gnvl = NULL;
1080
1081 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1082 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1083 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1084 if (process)
1085 VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
1086 (char *)process) == 0);
1087 if (global)
1088 VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
1089 (char *)global) == 0);
1090
1091 if (zone) {
1092 /*
1093 * Only the global zone is informed of the
1094 * local-zone generated global-zone core.
1095 */
1096 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1097 KM_SLEEP) == 0);
1098 VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
1099 (char *)zone) == 0);
1100 }
1101
1102 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1103 event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
1104 event->cte_type = CT_PR_EV_CORE;
1105 (void) cte_publish_all(ct, event, nvl, gnvl);
1106 }
1107
1108 if (EVFATALP(ctp, CT_PR_EV_CORE)) {
1109 mutex_enter(&ct->ct_lock);
1110 contract_process_kill(ct, p, B_TRUE);
1111 mutex_exit(&ct->ct_lock);
1112 }
1113 }
1114
1115 /*
1116 * contract_process_hwerr
1117 *
1118 * Called when a process is killed by an unrecoverable hardware error.
1119 * Generates an hwerr event, if requested. If hardware errors are in
1120 * the fatal event set, calls contract_process_kill().
1121 */
1122 void
contract_process_hwerr(cont_process_t * ctp,proc_t * p)1123 contract_process_hwerr(cont_process_t *ctp, proc_t *p)
1124 {
1125 contract_t *ct = &ctp->conp_contract;
1126
1127 if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
1128 ct_kevent_t *event;
1129 nvlist_t *nvl;
1130
1131 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1132 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1133
1134 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1135 event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
1136 event->cte_type = CT_PR_EV_HWERR;
1137 (void) cte_publish_all(ct, event, nvl, NULL);
1138 }
1139
1140 if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
1141 mutex_enter(&ct->ct_lock);
1142 contract_process_kill(ct, p, B_FALSE);
1143 mutex_exit(&ct->ct_lock);
1144 }
1145 }
1146
1147 /*
1148 * contract_process_sig
1149 *
1150 * Called when a process is killed by a signal originating from a
1151 * process outside of its process contract or its process contract's
1152 * holder. Generates an signal event, if requested, containing the
1153 * signal number, and the sender's pid and contract id (if available).
1154 * If signals are in the fatal event set, calls
1155 * contract_process_kill().
1156 */
1157 void
contract_process_sig(cont_process_t * ctp,proc_t * p,int sig,pid_t pid,ctid_t ctid,zoneid_t zoneid)1158 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
1159 ctid_t ctid, zoneid_t zoneid)
1160 {
1161 contract_t *ct = &ctp->conp_contract;
1162
1163 if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
1164 ct_kevent_t *event;
1165 nvlist_t *dest, *nvl, *gnvl = NULL;
1166
1167 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1168 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1169 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1170
1171 if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
1172 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1173 KM_SLEEP) == 0);
1174 dest = gnvl;
1175 } else {
1176 dest = nvl;
1177 }
1178
1179 if (pid != -1)
1180 VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1181 if (ctid != 0)
1182 VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1183
1184 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1185 event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1186 event->cte_type = CT_PR_EV_SIGNAL;
1187 (void) cte_publish_all(ct, event, nvl, gnvl);
1188 }
1189
1190 if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1191 mutex_enter(&ct->ct_lock);
1192 contract_process_kill(ct, p, B_TRUE);
1193 mutex_exit(&ct->ct_lock);
1194 }
1195 }
1196