xref: /illumos-gate/usr/src/uts/common/contract/process.c (revision 338d6fc1b322c01b220f204edde962e843478a78)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright 2019 Joyent, Inc.
25  */
26 
27 #include <sys/mutex.h>
28 #include <sys/debug.h>
29 #include <sys/types.h>
30 #include <sys/param.h>
31 #include <sys/kmem.h>
32 #include <sys/thread.h>
33 #include <sys/id_space.h>
34 #include <sys/avl.h>
35 #include <sys/list.h>
36 #include <sys/sysmacros.h>
37 #include <sys/proc.h>
38 #include <sys/contract.h>
39 #include <sys/contract_impl.h>
40 #include <sys/contract/process.h>
41 #include <sys/contract/process_impl.h>
42 #include <sys/cmn_err.h>
43 #include <sys/nvpair.h>
44 #include <sys/policy.h>
45 #include <sys/refstr.h>
46 #include <sys/sunddi.h>
47 
48 /*
49  * Process Contracts
50  * -----------------
51  *
52  * Generally speaking, a process contract is a contract between a
53  * process and a set of its descendent processes.  In some cases, when
54  * the child processes outlive the author of the contract, the contract
55  * may be held by (and therefore be between the child processes and) a
56  * successor process which adopts the contract after the death of the
57  * original author.
58  *
59  * The process contract adds two new concepts to the Solaris process
60  * model.  The first is that a process contract forms a rigid fault
61  * boundary around a set of processes.  Hardware, software, and even
62  * administrator errors impacting a process in a process contract
63  * generate specific events and can be requested to atomically shutdown
64  * all processes in the contract.  The second is that a process
65  * contract is a process collective whose leader is not a member of the
66  * collective.  This means that the leader can reliably react to events
67  * in the collective, and may also act upon the collective without
68  * special casing itself.
69  *
70  * A composite outcome of these two concepts is that we can now create
71  * a tree of process contracts, rooted at init(1M), which represent
72  * services and subservices that are reliably observed and can be
73  * restarted when fatal errors occur.  The service management framework
74  * (SMF) realizes this structure.
75  *
76  * For more details, see the "restart agreements" case, PSARC 2003/193.
77  *
78  * There are four sets of routines in this file: the process contract
79  * standard template operations, the process contract standard contract
80  * operations, a couple routines used only by the contract subsystem to
81  * handle process contracts' unique role as a temporary holder of
82  * abandoned contracts, and the interfaces which allow the system to
83  * create and act upon process contracts.  The first two are defined by
84  * the contracts framework and won't be discussed further.  As for the
85  * remaining two:
86  *
87  * Special framework interfaces
88  * ----------------------------
89  *
90  * contract_process_accept - determines if a process contract is a
91  *   regent, i.e. if it can inherit other contracts.
92  *
93  * contract_process_take - tells a regent process contract to inherit
94  *   an abandoned contract
95  *
96  * contract_process_adopt - tells a regent process contract that a
97  *   contract it has inherited is being adopted by a process.
98  *
99  * Process contract interfaces
100  * ---------------------------
101  *
102  * contract_process_fork - called when a process is created; adds the
103  *   new process to an existing contract or to a newly created one.
104  *
105  * contract_process_exit - called when a process exits
106  *
107  * contract_process_core - called when a process would have dumped core
108  *   (even if a core file wasn't generated)
109  *
110  * contract_process_hwerr - called when a process was killed because of
111  *   an uncorrectable hardware error
112  *
113  * contract_process_sig - called when a process was killed by a fatal
114  *   signal sent by a process in another process contract
115  *
116  */
117 
118 ct_type_t *process_type;
119 ctmpl_process_t *sys_process_tmpl;
120 refstr_t *conp_svc_aux_default;
121 
122 /*
123  * Macro predicates for determining when events should be sent and how.
124  */
125 #define	EVSENDP(ctp, flag) \
126 	((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
127 
128 #define	EVINFOP(ctp, flag) \
129 	((ctp->conp_contract.ct_ev_crit & flag) == 0)
130 
131 #define	EVFATALP(ctp, flag) \
132 	(ctp->conp_ev_fatal & flag)
133 
134 
135 /*
136  * Process contract template implementation
137  */
138 
139 /*
140  * ctmpl_process_dup
141  *
142  * The process contract template dup entry point.  Other than the
143  * to-be-subsumed contract, which must be held, this simply copies all
144  * the fields of the original.
145  */
146 static struct ct_template *
147 ctmpl_process_dup(struct ct_template *template)
148 {
149 	ctmpl_process_t *new;
150 	ctmpl_process_t *old = template->ctmpl_data;
151 
152 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
153 
154 	ctmpl_copy(&new->ctp_ctmpl, template);
155 	new->ctp_ctmpl.ctmpl_data = new;
156 
157 	new->ctp_subsume = old->ctp_subsume;
158 	if (new->ctp_subsume)
159 		contract_hold(new->ctp_subsume);
160 	new->ctp_params = old->ctp_params;
161 	new->ctp_ev_fatal = old->ctp_ev_fatal;
162 	new->ctp_svc_fmri = old->ctp_svc_fmri;
163 	if (new->ctp_svc_fmri != NULL) {
164 		refstr_hold(new->ctp_svc_fmri);
165 	}
166 	new->ctp_svc_aux = old->ctp_svc_aux;
167 	if (new->ctp_svc_aux != NULL) {
168 		refstr_hold(new->ctp_svc_aux);
169 	}
170 
171 	return (&new->ctp_ctmpl);
172 }
173 
174 /*
175  * ctmpl_process_free
176  *
177  * The process contract template free entry point.  Just releases a
178  * to-be-subsumed contract and frees the template.
179  */
180 static void
181 ctmpl_process_free(struct ct_template *template)
182 {
183 	ctmpl_process_t *ctp = template->ctmpl_data;
184 
185 	if (ctp->ctp_subsume)
186 		contract_rele(ctp->ctp_subsume);
187 	if (ctp->ctp_svc_fmri != NULL) {
188 		refstr_rele(ctp->ctp_svc_fmri);
189 	}
190 	if (ctp->ctp_svc_aux != NULL) {
191 		refstr_rele(ctp->ctp_svc_aux);
192 	}
193 	kmem_free(template, sizeof (ctmpl_process_t));
194 }
195 
196 /*
197  * SAFE_EV is the set of events which a non-privileged process is
198  * allowed to make critical but not fatal or if the PGRPONLY parameter
199  * is set.  EXCESS tells us if "value", a critical event set, requires
200  * additional privilege given the template "ctp".
201  */
202 #define	SAFE_EV			(CT_PR_EV_EMPTY)
203 #define	EXCESS(ctp, value)	\
204 	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
205 	(((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
206 
207 /*
208  * ctmpl_process_set
209  *
210  * The process contract template set entry point.  None of the terms
211  * may be unconditionally set, and setting the parameters or fatal
212  * event set may result in events being implicitly removed from to the
213  * critical event set and added to the informative event set.  The
214  * (admittedly subtle) reason we implicitly change the critical event
215  * set when the parameter or fatal event set is modified but not the
216  * other way around is because a change to the critical event set only
217  * affects the contract's owner, whereas a change to the parameter set
218  * and fatal set can affect the execution of the application running in
219  * the contract (and should therefore be only made explicitly).  We
220  * allow implicit changes at all so that setting contract terms doesn't
221  * become a complex dance dependent on the template's initial state and
222  * the desired terms.
223  */
224 static int
225 ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
226     const cred_t *cr)
227 {
228 	ctmpl_process_t *ctp = tmpl->ctmpl_data;
229 	ct_param_t *param = &kparam->param;
230 	contract_t *ct;
231 	int error;
232 	uint64_t param_value = 0;
233 	char *str_value;
234 
235 	if ((param->ctpm_id == CTPP_SVC_FMRI) ||
236 	    (param->ctpm_id == CTPP_CREATOR_AUX)) {
237 		str_value = (char *)kparam->ctpm_kbuf;
238 		str_value[param->ctpm_size - 1] = '\0';
239 	} else {
240 		if (param->ctpm_size < sizeof (uint64_t))
241 			return (EINVAL);
242 		param_value = *(uint64_t *)kparam->ctpm_kbuf;
243 		/*
244 		 * No process contract parameters are > 32 bits.
245 		 * Unless it is a string.
246 		 */
247 		if (param_value & ~UINT32_MAX)
248 			return (EINVAL);
249 	}
250 
251 	switch (param->ctpm_id) {
252 	case CTPP_SUBSUME:
253 		if (param_value != 0) {
254 			/*
255 			 * Ensure that the contract exists, that we
256 			 * hold the contract, and that the contract is
257 			 * empty.
258 			 */
259 			ct = contract_type_ptr(process_type, param_value,
260 			    curproc->p_zone->zone_uniqid);
261 			if (ct == NULL)
262 				return (ESRCH);
263 			if (ct->ct_owner != curproc) {
264 				contract_rele(ct);
265 				return (EACCES);
266 			}
267 			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
268 				contract_rele(ct);
269 				return (ENOTEMPTY);
270 			}
271 		} else {
272 			ct = NULL;
273 		}
274 		if (ctp->ctp_subsume)
275 			contract_rele(ctp->ctp_subsume);
276 		ctp->ctp_subsume = ct;
277 		break;
278 	case CTPP_PARAMS:
279 		if (param_value & ~CT_PR_ALLPARAM)
280 			return (EINVAL);
281 		ctp->ctp_params = param_value;
282 		/*
283 		 * If an unprivileged process requests that
284 		 * CT_PR_PGRPONLY be set, remove any unsafe events from
285 		 * the critical event set and add them to the
286 		 * informative event set.
287 		 */
288 		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
289 		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
290 		    !secpolicy_contract_event_choice(cr)) {
291 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
292 			tmpl->ctmpl_ev_crit &= SAFE_EV;
293 		}
294 
295 		break;
296 	case CTPP_SVC_FMRI:
297 		if (error = secpolicy_contract_identity(cr))
298 			return (error);
299 		if (ctp->ctp_svc_fmri != NULL)
300 			refstr_rele(ctp->ctp_svc_fmri);
301 		if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
302 			ctp->ctp_svc_fmri = NULL;
303 		else
304 			ctp->ctp_svc_fmri =
305 			    refstr_alloc(str_value);
306 		break;
307 	case CTPP_CREATOR_AUX:
308 		if (ctp->ctp_svc_aux != NULL)
309 			refstr_rele(ctp->ctp_svc_aux);
310 		if (param->ctpm_size == 1) /* empty string */
311 			ctp->ctp_svc_aux = NULL;
312 		else
313 			ctp->ctp_svc_aux =
314 			    refstr_alloc(str_value);
315 		break;
316 	case CTP_EV_CRITICAL:
317 		/*
318 		 * We simply don't allow adding events to the critical
319 		 * event set which aren't permitted by our policy or by
320 		 * privilege.
321 		 */
322 		if (EXCESS(ctp, param_value) &&
323 		    (error = secpolicy_contract_event(cr)) != 0)
324 			return (error);
325 		tmpl->ctmpl_ev_crit = param_value;
326 		break;
327 	case CTPP_EV_FATAL:
328 		if (param_value & ~CT_PR_ALLFATAL)
329 			return (EINVAL);
330 		ctp->ctp_ev_fatal = param_value;
331 		/*
332 		 * Check to see if an unprivileged process is
333 		 * requesting that events be removed from the fatal
334 		 * event set which are still in the critical event set.
335 		 */
336 		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
337 		    !secpolicy_contract_event_choice(cr)) {
338 			int allowed =
339 			    SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
340 			    0 : ctp->ctp_ev_fatal;
341 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
342 			tmpl->ctmpl_ev_crit &= allowed;
343 		}
344 		break;
345 	default:
346 		return (EINVAL);
347 	}
348 
349 	return (0);
350 }
351 
352 /*
353  * ctmpl_process_get
354  *
355  * The process contract template get entry point.  Simply fetches and
356  * returns the requested term.
357  */
358 static int
359 ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
360 {
361 	ctmpl_process_t *ctp = template->ctmpl_data;
362 	ct_param_t *param = &kparam->param;
363 	uint64_t *param_value = kparam->ctpm_kbuf;
364 
365 	if (param->ctpm_id == CTPP_SUBSUME ||
366 	    param->ctpm_id == CTPP_PARAMS ||
367 	    param->ctpm_id == CTPP_EV_FATAL) {
368 		if (param->ctpm_size < sizeof (uint64_t))
369 			return (EINVAL);
370 		kparam->ret_size = sizeof (uint64_t);
371 	}
372 
373 	switch (param->ctpm_id) {
374 	case CTPP_SUBSUME:
375 		*param_value = ctp->ctp_subsume ?
376 		    ctp->ctp_subsume->ct_id : 0;
377 		break;
378 	case CTPP_PARAMS:
379 		*param_value = ctp->ctp_params;
380 		break;
381 	case CTPP_SVC_FMRI:
382 		if (ctp->ctp_svc_fmri == NULL) {
383 			kparam->ret_size =
384 			    strlcpy((char *)kparam->ctpm_kbuf,
385 			    CT_PR_SVC_DEFAULT, param->ctpm_size);
386 		} else {
387 			kparam->ret_size =
388 			    strlcpy((char *)kparam->ctpm_kbuf,
389 			    refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
390 		}
391 		kparam->ret_size++;
392 		break;
393 	case CTPP_CREATOR_AUX:
394 		if (ctp->ctp_svc_aux == NULL) {
395 			kparam->ret_size =
396 			    strlcpy((char *)kparam->ctpm_kbuf,
397 			    refstr_value(conp_svc_aux_default),
398 			    param->ctpm_size);
399 		} else {
400 			kparam->ret_size =
401 			    strlcpy((char *)kparam->ctpm_kbuf,
402 			    refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
403 		}
404 		kparam->ret_size++;
405 		break;
406 	case CTPP_EV_FATAL:
407 		*param_value = ctp->ctp_ev_fatal;
408 		break;
409 	default:
410 		return (EINVAL);
411 	}
412 
413 	return (0);
414 }
415 
416 static ctmplops_t ctmpl_process_ops = {
417 	ctmpl_process_dup,		/* ctop_dup */
418 	ctmpl_process_free,		/* ctop_free */
419 	ctmpl_process_set,		/* ctop_set */
420 	ctmpl_process_get,		/* ctop_get */
421 	ctmpl_create_inval,		/* ctop_create */
422 	CT_PR_ALLEVENT
423 };
424 
425 
426 /*
427  * Process contract implementation
428  */
429 
430 /*
431  * ctmpl_process_default
432  *
433  * The process contract default template entry point.  Creates a
434  * process contract template with no parameters set, with informative
435  * core and signal events, critical empty and hwerr events, and fatal
436  * hwerr events.
437  */
438 static ct_template_t *
439 contract_process_default(void)
440 {
441 	ctmpl_process_t *new;
442 
443 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
444 	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
445 
446 	new->ctp_subsume = NULL;
447 	new->ctp_params = 0;
448 	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
449 	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
450 	new->ctp_ev_fatal = CT_PR_EV_HWERR;
451 	new->ctp_svc_fmri = NULL;
452 	new->ctp_svc_aux = NULL;
453 
454 	return (&new->ctp_ctmpl);
455 }
456 
457 /*
458  * contract_process_free
459  *
460  * The process contract free entry point.
461  */
462 static void
463 contract_process_free(contract_t *ct)
464 {
465 	cont_process_t *ctp = ct->ct_data;
466 	crfree(ctp->conp_cred);
467 	list_destroy(&ctp->conp_members);
468 	list_destroy(&ctp->conp_inherited);
469 	if (ctp->conp_svc_fmri != NULL) {
470 		refstr_rele(ctp->conp_svc_fmri);
471 	}
472 	if (ctp->conp_svc_aux != NULL) {
473 		refstr_rele(ctp->conp_svc_aux);
474 	}
475 	if (ctp->conp_svc_creator != NULL) {
476 		refstr_rele(ctp->conp_svc_creator);
477 	}
478 	kmem_free(ctp, sizeof (cont_process_t));
479 }
480 
481 /*
482  * contract_process_cankill
483  *
484  * Determine if the contract author had or if the process generating
485  * the event, sp, has adequate privileges to kill process tp.
486  */
487 static int
488 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
489 {
490 	int cankill;
491 
492 	mutex_enter(&tp->p_crlock);
493 	cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
494 	mutex_exit(&tp->p_crlock);
495 	if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
496 		return (1);
497 
498 	return (0);
499 }
500 
501 /*
502  * contract_process_kill
503  *
504  * Kills all processes in a contract, or all processes in the
505  * intersection of a contract and ex's process group (if ex is non-NULL
506  * and the contract's PGRPONLY parameter is set).  If checkpriv is
507  * true, only those processes which may be signaled by the contract
508  * author or ex are killed.
509  */
510 static void
511 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
512 {
513 	cont_process_t *ctp = ct->ct_data;
514 	proc_t *p;
515 	pid_t pgrp = -1;
516 
517 	ASSERT(MUTEX_HELD(&ct->ct_lock));
518 
519 	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
520 		pgrp = ex->p_pgrp;
521 		mutex_enter(&pidlock);
522 	}
523 
524 	for (p = list_head(&ctp->conp_members); p != NULL;
525 	    p = list_next(&ctp->conp_members, p)) {
526 		if ((p == ex) ||
527 		    (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
528 		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
529 			continue;
530 
531 		psignal(p, SIGKILL);
532 	}
533 
534 	if (pgrp != -1)
535 		mutex_exit(&pidlock);
536 }
537 
538 
539 /*
540  * contract_process_accept
541  *
542  * Tests if the process contract is willing to act as a regent for
543  * inherited contracts.  Though brief and only called from one place,
544  * this functionality is kept here to avoid including knowledge of
545  * process contract implementation in the generic contract code.
546  */
547 int
548 contract_process_accept(contract_t *parent)
549 {
550 	cont_process_t *ctp = parent->ct_data;
551 
552 	ASSERT(parent->ct_type == process_type);
553 
554 	return (ctp->conp_params & CT_PR_REGENT);
555 }
556 
557 /*
558  * contract_process_take
559  *
560  * Executes the process contract side of inheriting a contract.
561  */
562 void
563 contract_process_take(contract_t *parent, contract_t *child)
564 {
565 	cont_process_t *ctp = parent->ct_data;
566 
567 	ASSERT(MUTEX_HELD(&parent->ct_lock));
568 	ASSERT(MUTEX_HELD(&child->ct_lock));
569 	ASSERT(parent->ct_type == process_type);
570 	ASSERT(ctp->conp_params & CT_PR_REGENT);
571 
572 	list_insert_head(&ctp->conp_inherited, child);
573 	ctp->conp_ninherited++;
574 }
575 
576 /*
577  * contract_process_adopt
578  *
579  * Executes the process contract side of adopting a contract.
580  */
581 void
582 contract_process_adopt(contract_t *ct, proc_t *p)
583 {
584 	cont_process_t *parent = p->p_ct_process;
585 
586 	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
587 	ASSERT(MUTEX_HELD(&ct->ct_lock));
588 
589 	list_remove(&parent->conp_inherited, ct);
590 	parent->conp_ninherited--;
591 
592 	/*
593 	 * We drop the parent lock first because a) we are passing the
594 	 * contract reference to the child, and b) contract_adopt
595 	 * expects us to return with the contract lock held.
596 	 */
597 	mutex_exit(&parent->conp_contract.ct_lock);
598 }
599 
600 /*
601  * contract_process_abandon
602  *
603  * The process contract abandon entry point.
604  */
605 static void
606 contract_process_abandon(contract_t *ct)
607 {
608 	cont_process_t *ctp = ct->ct_data;
609 
610 	ASSERT(MUTEX_HELD(&ct->ct_lock));
611 
612 	/*
613 	 * Shall we stay or shall we go?
614 	 */
615 	if (list_head(&ctp->conp_members) == NULL) {
616 		contract_destroy(ct);
617 	} else {
618 		/*
619 		 * Strictly speaking, we actually do orphan the contract.
620 		 * Assuming our credentials allow us to kill all
621 		 * processes in the contract, this is only temporary.
622 		 */
623 		if (ctp->conp_params & CT_PR_NOORPHAN)
624 			contract_process_kill(ct, NULL, B_TRUE);
625 		contract_orphan(ct);
626 		mutex_exit(&ct->ct_lock);
627 		contract_rele(ct);
628 	}
629 }
630 
631 /*
632  * contract_process_destroy
633  *
634  * The process contract destroy entry point.
635  */
636 static void
637 contract_process_destroy(contract_t *ct)
638 {
639 	cont_process_t *ctp = ct->ct_data;
640 	contract_t *cct;
641 
642 	ASSERT(MUTEX_HELD(&ct->ct_lock));
643 
644 	/*
645 	 * contract_destroy all empty children, kill or orphan the rest
646 	 */
647 	while (cct = list_head(&ctp->conp_inherited)) {
648 		mutex_enter(&cct->ct_lock);
649 
650 		ASSERT(cct->ct_state == CTS_INHERITED);
651 
652 		list_remove(&ctp->conp_inherited, cct);
653 		ctp->conp_ninherited--;
654 		cct->ct_regent = NULL;
655 		cct->ct_type->ct_type_ops->contop_abandon(cct);
656 	}
657 }
658 
659 /*
660  * contract_process_status
661  *
662  * The process contract status entry point.
663  */
664 static void
665 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
666     void *status, model_t model)
667 {
668 	cont_process_t *ctp = ct->ct_data;
669 	uint32_t *pids, *ctids;
670 	uint_t npids, nctids;
671 	uint_t spids, sctids;
672 	ctid_t local_svc_zone_enter;
673 
674 	if (detail == CTD_FIXED) {
675 		mutex_enter(&ct->ct_lock);
676 		contract_status_common(ct, zone, status, model);
677 		local_svc_zone_enter = ctp->conp_svc_zone_enter;
678 		mutex_exit(&ct->ct_lock);
679 	} else {
680 		contract_t *cnext;
681 		proc_t *pnext;
682 		uint_t loc;
683 
684 		ASSERT(detail == CTD_ALL);
685 		mutex_enter(&ct->ct_lock);
686 		for (;;) {
687 			spids = ctp->conp_nmembers + 5;
688 			sctids = ctp->conp_ninherited + 5;
689 			mutex_exit(&ct->ct_lock);
690 
691 			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
692 			ctids = kmem_alloc(sctids * sizeof (uint32_t),
693 			    KM_SLEEP);
694 
695 			mutex_enter(&ct->ct_lock);
696 			npids = ctp->conp_nmembers;
697 			nctids = ctp->conp_ninherited;
698 			if (spids >= npids && sctids >= nctids)
699 				break;
700 
701 			kmem_free(pids, spids * sizeof (uint32_t));
702 			kmem_free(ctids, sctids * sizeof (uint32_t));
703 		}
704 		contract_status_common(ct, zone, status, model);
705 		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
706 		    cnext = list_next(&ctp->conp_inherited, cnext))
707 			ctids[loc++] = cnext->ct_id;
708 		ASSERT(loc == nctids);
709 		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
710 		    pnext = list_next(&ctp->conp_members, pnext))
711 			pids[loc++] = pnext->p_pid;
712 		ASSERT(loc == npids);
713 		local_svc_zone_enter = ctp->conp_svc_zone_enter;
714 		mutex_exit(&ct->ct_lock);
715 	}
716 
717 	/*
718 	 * Contract terms are static; there's no need to hold the
719 	 * contract lock while accessing them.
720 	 */
721 	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
722 	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
723 	if (detail == CTD_ALL) {
724 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
725 		    npids) == 0);
726 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
727 		    nctids) == 0);
728 		VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
729 		    refstr_value(ctp->conp_svc_aux)) == 0);
730 		VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
731 		    refstr_value(ctp->conp_svc_creator)) == 0);
732 		kmem_free(pids, spids * sizeof (uint32_t));
733 		kmem_free(ctids, sctids * sizeof (uint32_t));
734 	}
735 
736 	/*
737 	 * if we are in a local zone and svc_fmri was inherited from
738 	 * the global zone, we provide fake svc_fmri and svc_ctid
739 	 */
740 	if (local_svc_zone_enter == 0 ||
741 	    zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
742 		if (detail > CTD_COMMON) {
743 			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
744 			    ctp->conp_svc_ctid) == 0);
745 			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
746 			    refstr_value(ctp->conp_svc_fmri)) == 0);
747 		}
748 	} else {
749 		if (detail > CTD_COMMON) {
750 			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
751 			    local_svc_zone_enter) == 0);
752 			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
753 			    CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
754 		}
755 	}
756 }
757 
758 /*ARGSUSED*/
759 static int
760 contract_process_newct(contract_t *ct)
761 {
762 	return (0);
763 }
764 
765 /* process contracts don't negotiate */
766 static contops_t contract_process_ops = {
767 	contract_process_free,		/* contop_free */
768 	contract_process_abandon,	/* contop_abandon */
769 	contract_process_destroy,	/* contop_destroy */
770 	contract_process_status,	/* contop_status */
771 	contract_ack_inval,		/* contop_ack */
772 	contract_ack_inval,		/* contop_nack */
773 	contract_qack_inval,		/* contop_qack */
774 	contract_process_newct		/* contop_newct */
775 };
776 
777 /*
778  * contract_process_init
779  *
780  * Initializes the process contract type.  Also creates a template for
781  * use by newproc() when it creates user processes.
782  */
783 void
784 contract_process_init(void)
785 {
786 	process_type = contract_type_init(CTT_PROCESS, "process",
787 	    &contract_process_ops, contract_process_default);
788 
789 	/*
790 	 * Create a template for use with init(1M) and other
791 	 * kernel-started processes.
792 	 */
793 	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
794 	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
795 	    process_type, sys_process_tmpl);
796 	sys_process_tmpl->ctp_subsume = NULL;
797 	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
798 	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
799 	sys_process_tmpl->ctp_svc_fmri =
800 	    refstr_alloc("svc:/system/init:default");
801 	sys_process_tmpl->ctp_svc_aux = refstr_alloc("");
802 	conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux;
803 	refstr_hold(conp_svc_aux_default);
804 }
805 
806 /*
807  * contract_process_create
808  *
809  * create a process contract given template "tmpl" and parent process
810  * "parent".  May fail and return NULL if project.max-contracts would
811  * have been exceeded.
812  */
813 static cont_process_t *
814 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
815 {
816 	cont_process_t *ctp;
817 
818 	ASSERT(tmpl != NULL);
819 
820 	(void) contract_type_pbundle(process_type, parent);
821 
822 	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
823 
824 	list_create(&ctp->conp_members, sizeof (proc_t),
825 	    offsetof(proc_t, p_ct_member));
826 	list_create(&ctp->conp_inherited, sizeof (contract_t),
827 	    offsetof(contract_t, ct_ctlist));
828 	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
829 	ctp->conp_params = tmpl->ctp_params;
830 	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
831 	crhold(ctp->conp_cred = CRED());
832 
833 	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
834 	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
835 	    parent, canfail)) {
836 		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
837 		contract_process_free(&ctp->conp_contract);
838 		return (NULL);
839 	}
840 
841 	/*
842 	 * inherit svc_fmri if not defined by consumer. In this case, inherit
843 	 * also svc_ctid to keep track of the contract id where
844 	 * svc_fmri was set
845 	 */
846 	if (tmpl->ctp_svc_fmri == NULL) {
847 		ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
848 		ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
849 		ctp->conp_svc_zone_enter =
850 		    parent->p_ct_process->conp_svc_zone_enter;
851 	} else {
852 		ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
853 		ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
854 		/* make svc_zone_enter flag false when svc_fmri is set */
855 		ctp->conp_svc_zone_enter = 0;
856 	}
857 	refstr_hold(ctp->conp_svc_fmri);
858 	/* set svc_aux to default value if not defined in template */
859 	if (tmpl->ctp_svc_aux == NULL) {
860 		ctp->conp_svc_aux = conp_svc_aux_default;
861 	} else {
862 		ctp->conp_svc_aux = tmpl->ctp_svc_aux;
863 	}
864 	refstr_hold(ctp->conp_svc_aux);
865 	/*
866 	 * set svc_creator to execname
867 	 * We special case pid0 because when newproc() creates
868 	 * the init process, the p_user.u_comm field of sched's proc_t
869 	 * has not been populated yet.
870 	 */
871 	if (parent->p_pidp == &pid0) /* if the kernel is the creator */
872 		ctp->conp_svc_creator = refstr_alloc("sched");
873 	else
874 		ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);
875 
876 	/*
877 	 * Transfer subcontracts only after new contract is visible.
878 	 * Also, only transfer contracts if the parent matches -- we
879 	 * don't want to create a cycle in the tree of contracts.
880 	 */
881 	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
882 		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
883 		contract_t *ct;
884 
885 		mutex_enter(&tmpl->ctp_subsume->ct_lock);
886 		mutex_enter(&ctp->conp_contract.ct_lock);
887 		while (ct = list_head(&sct->conp_inherited)) {
888 			mutex_enter(&ct->ct_lock);
889 			list_remove(&sct->conp_inherited, ct);
890 			list_insert_tail(&ctp->conp_inherited, ct);
891 			ct->ct_regent = &ctp->conp_contract;
892 			mutex_exit(&ct->ct_lock);
893 		}
894 		ctp->conp_ninherited += sct->conp_ninherited;
895 		sct->conp_ninherited = 0;
896 		mutex_exit(&ctp->conp_contract.ct_lock);
897 		mutex_exit(&tmpl->ctp_subsume->ct_lock);
898 
899 		/*
900 		 * Automatically abandon the contract.
901 		 */
902 		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
903 	}
904 
905 	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
906 
907 	return (ctp);
908 }
909 
910 /*
911  * contract_process_exit
912  *
913  * Called on process exit.  Removes process p from process contract
914  * ctp.  Generates an exit event, if requested.  Generates an empty
915  * event, if p is the last member of the the process contract and empty
916  * events were requested.
917  */
918 void
919 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
920 {
921 	contract_t *ct = &ctp->conp_contract;
922 	ct_kevent_t *event;
923 	int empty;
924 
925 	/*
926 	 * Remove self from process contract.
927 	 */
928 	mutex_enter(&ct->ct_lock);
929 	list_remove(&ctp->conp_members, p);
930 	ctp->conp_nmembers--;
931 	mutex_enter(&p->p_lock);	/* in case /proc is watching */
932 	p->p_ct_process = NULL;
933 	mutex_exit(&p->p_lock);
934 
935 	/*
936 	 * We check for emptiness before dropping the contract lock to
937 	 * send the exit event, otherwise we could end up with two
938 	 * empty events.
939 	 */
940 	empty = (list_head(&ctp->conp_members) == NULL);
941 	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
942 		nvlist_t *nvl;
943 
944 		mutex_exit(&ct->ct_lock);
945 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
946 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
947 		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
948 
949 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
950 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
951 		event->cte_type = CT_PR_EV_EXIT;
952 		(void) cte_publish_all(ct, event, nvl, NULL);
953 		mutex_enter(&ct->ct_lock);
954 	}
955 	if (empty) {
956 		/*
957 		 * Send EMPTY message.
958 		 */
959 		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
960 			nvlist_t *nvl;
961 
962 			mutex_exit(&ct->ct_lock);
963 			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
964 			    KM_SLEEP) == 0);
965 			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
966 
967 			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
968 			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
969 			    CTE_INFO : 0;
970 			event->cte_type = CT_PR_EV_EMPTY;
971 			(void) cte_publish_all(ct, event, nvl, NULL);
972 			mutex_enter(&ct->ct_lock);
973 		}
974 
975 		/*
976 		 * The last one to leave an orphaned contract turns out
977 		 * the lights.
978 		 */
979 		if (ct->ct_state == CTS_ORPHAN) {
980 			contract_destroy(ct);
981 			return;
982 		}
983 	}
984 	mutex_exit(&ct->ct_lock);
985 	contract_rele(ct);
986 }
987 
988 /*
989  * contract_process_fork
990  *
991  * Called on process fork.  If the current lwp has a active process
992  * contract template, we attempt to create a new process contract.
993  * Failure to create a process contract when required is a failure in
994  * fork so, in such an event, we return NULL.
995  *
996  * Assuming we succeeded or skipped the previous step, we add the child
997  * process to the new contract (success) or to the parent's process
998  * contract (skip).  If requested, we also send a fork event to that
999  * contract.
1000  *
1001  * Because contract_process_fork() may fail, and because we would
1002  * prefer that process contracts not be created for processes which
1003  * don't complete forking, this should be the last function called
1004  * before the "all clear" point in cfork.
1005  */
1006 cont_process_t *
1007 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
1008     int canfail)
1009 {
1010 	contract_t *ct;
1011 	cont_process_t *ctp;
1012 	ct_kevent_t *event;
1013 	ct_template_t *tmpl;
1014 
1015 	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
1016 	    process_type->ct_type_index]) != NULL)
1017 		rtmpl = tmpl->ctmpl_data;
1018 
1019 	if (rtmpl == NULL)
1020 		ctp = curproc->p_ct_process;
1021 	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
1022 		return (NULL);
1023 
1024 	ct = &ctp->conp_contract;
1025 	/*
1026 	 * Prevent contract_process_kill() from missing forked children
1027 	 * by failing forks by parents that have just been killed.
1028 	 * It's not worth hoisting the ctp test since contract creation
1029 	 * is by no means the common case.
1030 	 */
1031 	mutex_enter(&ct->ct_lock);
1032 	mutex_enter(&pp->p_lock);
1033 	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
1034 	    canfail) {
1035 		mutex_exit(&pp->p_lock);
1036 		mutex_exit(&ct->ct_lock);
1037 		return (NULL);
1038 	}
1039 	cp->p_ct_process = ctp;
1040 	mutex_exit(&pp->p_lock);
1041 	contract_hold(ct);
1042 	list_insert_head(&ctp->conp_members, cp);
1043 	ctp->conp_nmembers++;
1044 	mutex_exit(&ct->ct_lock);
1045 	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
1046 		nvlist_t *nvl;
1047 
1048 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1049 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
1050 		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
1051 
1052 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1053 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
1054 		event->cte_type = CT_PR_EV_FORK;
1055 		(void) cte_publish_all(ct, event, nvl, NULL);
1056 	}
1057 	return (ctp);
1058 }
1059 
1060 /*
1061  * contract_process_core
1062  *
1063  * Called on core file generation attempts.  Generates a core event, if
1064  * requested, containing the names of the process, global, and
1065  * system-global ("zone") core files.  If dumping core is in the fatal
1066  * event set, calls contract_process_kill().
1067  */
1068 void
1069 contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
1070     const char *process, const char *global, const char *zone)
1071 {
1072 	contract_t *ct = &ctp->conp_contract;
1073 
1074 	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
1075 		ct_kevent_t *event;
1076 		nvlist_t *nvl, *gnvl = NULL;
1077 
1078 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1079 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1080 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1081 		if (process)
1082 			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
1083 			    (char *)process) == 0);
1084 		if (global)
1085 			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
1086 			    (char *)global) == 0);
1087 
1088 		if (zone) {
1089 			/*
1090 			 * Only the global zone is informed of the
1091 			 * local-zone generated global-zone core.
1092 			 */
1093 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1094 			    KM_SLEEP) == 0);
1095 			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
1096 			    (char *)zone) == 0);
1097 		}
1098 
1099 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1100 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
1101 		event->cte_type = CT_PR_EV_CORE;
1102 		(void) cte_publish_all(ct, event, nvl, gnvl);
1103 	}
1104 
1105 	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
1106 		mutex_enter(&ct->ct_lock);
1107 		contract_process_kill(ct, p, B_TRUE);
1108 		mutex_exit(&ct->ct_lock);
1109 	}
1110 }
1111 
1112 /*
1113  * contract_process_hwerr
1114  *
1115  * Called when a process is killed by an unrecoverable hardware error.
1116  * Generates an hwerr event, if requested.  If hardware errors are in
1117  * the fatal event set, calls contract_process_kill().
1118  */
1119 void
1120 contract_process_hwerr(cont_process_t *ctp, proc_t *p)
1121 {
1122 	contract_t *ct = &ctp->conp_contract;
1123 
1124 	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
1125 		ct_kevent_t *event;
1126 		nvlist_t *nvl;
1127 
1128 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1129 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1130 
1131 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1132 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
1133 		event->cte_type = CT_PR_EV_HWERR;
1134 		(void) cte_publish_all(ct, event, nvl, NULL);
1135 	}
1136 
1137 	if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
1138 		mutex_enter(&ct->ct_lock);
1139 		contract_process_kill(ct, p, B_FALSE);
1140 		mutex_exit(&ct->ct_lock);
1141 	}
1142 }
1143 
1144 /*
1145  * contract_process_sig
1146  *
1147  * Called when a process is killed by a signal originating from a
1148  * process outside of its process contract or its process contract's
1149  * holder.  Generates an signal event, if requested, containing the
1150  * signal number, and the sender's pid and contract id (if available).
1151  * If signals are in the fatal event set, calls
1152  * contract_process_kill().
1153  */
1154 void
1155 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
1156     ctid_t ctid, zoneid_t zoneid)
1157 {
1158 	contract_t *ct = &ctp->conp_contract;
1159 
1160 	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
1161 		ct_kevent_t *event;
1162 		nvlist_t *dest, *nvl, *gnvl = NULL;
1163 
1164 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1165 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1166 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1167 
1168 		if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
1169 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1170 			    KM_SLEEP) == 0);
1171 			dest = gnvl;
1172 		} else {
1173 			dest = nvl;
1174 		}
1175 
1176 		if (pid != -1)
1177 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1178 		if (ctid != 0)
1179 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1180 
1181 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1182 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1183 		event->cte_type = CT_PR_EV_SIGNAL;
1184 		(void) cte_publish_all(ct, event, nvl, gnvl);
1185 	}
1186 
1187 	if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1188 		mutex_enter(&ct->ct_lock);
1189 		contract_process_kill(ct, p, B_TRUE);
1190 		mutex_exit(&ct->ct_lock);
1191 	}
1192 }
1193