1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright 2019 Joyent, Inc. 25 */ 26 27 #include <sys/mutex.h> 28 #include <sys/debug.h> 29 #include <sys/types.h> 30 #include <sys/param.h> 31 #include <sys/kmem.h> 32 #include <sys/thread.h> 33 #include <sys/id_space.h> 34 #include <sys/avl.h> 35 #include <sys/list.h> 36 #include <sys/sysmacros.h> 37 #include <sys/proc.h> 38 #include <sys/contract.h> 39 #include <sys/contract_impl.h> 40 #include <sys/contract/process.h> 41 #include <sys/contract/process_impl.h> 42 #include <sys/cmn_err.h> 43 #include <sys/nvpair.h> 44 #include <sys/policy.h> 45 #include <sys/refstr.h> 46 #include <sys/sunddi.h> 47 48 /* 49 * Process Contracts 50 * ----------------- 51 * 52 * Generally speaking, a process contract is a contract between a 53 * process and a set of its descendent processes. 
In some cases, when 54 * the child processes outlive the author of the contract, the contract 55 * may be held by (and therefore be between the child processes and) a 56 * successor process which adopts the contract after the death of the 57 * original author. 58 * 59 * The process contract adds two new concepts to the Solaris process 60 * model. The first is that a process contract forms a rigid fault 61 * boundary around a set of processes. Hardware, software, and even 62 * administrator errors impacting a process in a process contract 63 * generate specific events and can be requested to atomically shutdown 64 * all processes in the contract. The second is that a process 65 * contract is a process collective whose leader is not a member of the 66 * collective. This means that the leader can reliably react to events 67 * in the collective, and may also act upon the collective without 68 * special casing itself. 69 * 70 * A composite outcome of these two concepts is that we can now create 71 * a tree of process contracts, rooted at init(8), which represent 72 * services and subservices that are reliably observed and can be 73 * restarted when fatal errors occur. The service management framework 74 * (SMF) realizes this structure. 75 * 76 * For more details, see the "restart agreements" case, PSARC 2003/193. 77 * 78 * There are four sets of routines in this file: the process contract 79 * standard template operations, the process contract standard contract 80 * operations, a couple routines used only by the contract subsystem to 81 * handle process contracts' unique role as a temporary holder of 82 * abandoned contracts, and the interfaces which allow the system to 83 * create and act upon process contracts. The first two are defined by 84 * the contracts framework and won't be discussed further. 
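As for the
 * remaining two:
 *
 * Special framework interfaces
 * ----------------------------
 *
 * contract_process_accept - determines if a process contract is a
 * regent, i.e. if it can inherit other contracts.
 *
 * contract_process_take - tells a regent process contract to inherit
 * an abandoned contract
 *
 * contract_process_adopt - tells a regent process contract that a
 * contract it has inherited is being adopted by a process.
 *
 * Process contract interfaces
 * ---------------------------
 *
 * contract_process_fork - called when a process is created; adds the
 * new process to an existing contract or to a newly created one.
 *
 * contract_process_exit - called when a process exits
 *
 * contract_process_core - called when a process would have dumped core
 * (even if a core file wasn't generated)
 *
 * contract_process_hwerr - called when a process was killed because of
 * an uncorrectable hardware error
 *
 * contract_process_sig - called when a process was killed by a fatal
 * signal sent by a process in another process contract
 *
 */

/* The process contract type; registered by contract_process_init(). */
ct_type_t *process_type;
/* Template used for init(8) and other kernel-started processes. */
ctmpl_process_t *sys_process_tmpl;
/* Default creator-aux term (the empty string), shared by reference. */
refstr_t *conp_svc_aux_default;

/*
 * Macro predicates for determining when events should be sent and how.
 *
 * EVSENDP:  the event is in the informative or the critical set, so an
 *           event must be published.
 * EVINFOP:  the event is not in the critical set, so it is published
 *           with CTE_INFO.
 * EVFATALP: the event is in the contract's fatal event set, so the
 *           contract's members are to be killed.
 *
 * Arguments are parenthesized so the macros stay correct should a
 * caller ever pass an expression rather than a plain identifier.
 */
#define	EVSENDP(ctp, flag) \
	(((ctp)->conp_contract.ct_ev_info | (ctp)->conp_contract.ct_ev_crit) & \
	(flag))

#define	EVINFOP(ctp, flag) \
	(((ctp)->conp_contract.ct_ev_crit & (flag)) == 0)

#define	EVFATALP(ctp, flag) \
	((ctp)->conp_ev_fatal & (flag))


/*
 * Process contract template implementation
 */

/*
 * ctmpl_process_dup
 *
 * The process contract template dup entry point.  Other than the
 * to-be-subsumed contract, which must be held, this simply copies all
 * the fields of the original.
 *
 * Every reference-counted term copied from the original (the subsumed
 * contract, the service FMRI and the creator-aux string) receives its
 * own hold, so the copy and the original can later be released
 * independently by ctmpl_process_free().  Returns the generic template
 * embedded in the copy.
 */
static struct ct_template *
ctmpl_process_dup(struct ct_template *template)
{
	ctmpl_process_t *new;
	ctmpl_process_t *old = template->ctmpl_data;

	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);

	/* Copy the generic part, then point it back at the new wrapper. */
	ctmpl_copy(&new->ctp_ctmpl, template);
	new->ctp_ctmpl.ctmpl_data = new;

	new->ctp_subsume = old->ctp_subsume;
	if (new->ctp_subsume)
		contract_hold(new->ctp_subsume);
	new->ctp_params = old->ctp_params;
	new->ctp_ev_fatal = old->ctp_ev_fatal;
	new->ctp_svc_fmri = old->ctp_svc_fmri;
	if (new->ctp_svc_fmri != NULL) {
		refstr_hold(new->ctp_svc_fmri);
	}
	new->ctp_svc_aux = old->ctp_svc_aux;
	if (new->ctp_svc_aux != NULL) {
		refstr_hold(new->ctp_svc_aux);
	}

	return (&new->ctp_ctmpl);
}

/*
 * ctmpl_process_free
 *
 * The process contract template free entry point.  Just releases a
 * to-be-subsumed contract and frees the template.
 *
 * Drops the holds on the subsumed contract and on the two refstr terms
 * (each may be NULL), then frees the whole ctmpl_process_t.  Freeing
 * through "template" relies on ctp_ctmpl being the first member of
 * ctmpl_process_t - confirm against process_impl.h.
 */
static void
ctmpl_process_free(struct ct_template *template)
{
	ctmpl_process_t *ctp = template->ctmpl_data;

	if (ctp->ctp_subsume)
		contract_rele(ctp->ctp_subsume);
	if (ctp->ctp_svc_fmri != NULL) {
		refstr_rele(ctp->ctp_svc_fmri);
	}
	if (ctp->ctp_svc_aux != NULL) {
		refstr_rele(ctp->ctp_svc_aux);
	}
	kmem_free(template, sizeof (ctmpl_process_t));
}

/*
 * SAFE_EV is the set of events which a non-privileged process is
 * allowed to make critical but not fatal or if the PGRPONLY parameter
 * is set.  EXCESS tells us if "value", a critical event set, requires
 * additional privilege given the template "ctp".
 *
 * In other words, without privilege an event may be critical only if
 * it is in SAFE_EV or is also fatal, and with PGRPONLY set only SAFE_EV
 * events may be critical.  ctmpl_process_set() pairs a true EXCESS()
 * with a secpolicy_contract_event*() check before accepting a term.
 */
#define	SAFE_EV (CT_PR_EV_EMPTY)
#define	EXCESS(ctp, value) \
	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
	(((value) & ~SAFE_EV) && ((ctp)->ctp_params & CT_PR_PGRPONLY)))

/*
 * ctmpl_process_set
 *
 * The process contract template set entry point.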
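None of the terms
 * may be unconditionally set, and setting the parameters or fatal
 * event set may result in events being implicitly removed from the
 * critical event set and added to the informative event set.  The
 * (admittedly subtle) reason we implicitly change the critical event
 * set when the parameter or fatal event set is modified but not the
 * other way around is because a change to the critical event set only
 * affects the contract's owner, whereas a change to the parameter set
 * and fatal set can affect the execution of the application running in
 * the contract (and should therefore be only made explicitly).  We
 * allow implicit changes at all so that setting contract terms doesn't
 * become a complex dance dependent on the template's initial state and
 * the desired terms.
 *
 * kparam carries the caller-supplied term (id, size and a kernel copy
 * of the value); cr is the credential the privilege checks are made
 * against.  Returns 0 on success, or EINVAL for an unknown/oversized
 * term, ESRCH/EACCES/ENOTEMPTY for a bad CTPP_SUBSUME target, or the
 * error from the relevant secpolicy check.
 */
static int
ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
    const cred_t *cr)
{
	ctmpl_process_t *ctp = tmpl->ctmpl_data;
	ct_param_t *param = &kparam->param;
	contract_t *ct;
	int error;
	uint64_t param_value = 0;
	char *str_value;

	if ((param->ctpm_id == CTPP_SVC_FMRI) ||
	    (param->ctpm_id == CTPP_CREATOR_AUX)) {
		/*
		 * Force NUL termination of the caller-supplied string.
		 * ctpm_size is trusted to be >= 1 here; the generic
		 * template-set path is expected to have rejected
		 * zero-length parameters before dispatching to this
		 * entry point - confirm against the caller.
		 */
		str_value = (char *)kparam->ctpm_kbuf;
		str_value[param->ctpm_size - 1] = '\0';
	} else {
		if (param->ctpm_size < sizeof (uint64_t))
			return (EINVAL);
		param_value = *(uint64_t *)kparam->ctpm_kbuf;
		/*
		 * No process contract parameters are > 32 bits.
		 * Unless it is a string.
		 */
		if (param_value & ~UINT32_MAX)
			return (EINVAL);
	}

	switch (param->ctpm_id) {
	case CTPP_SUBSUME:
		if (param_value != 0) {
			/*
			 * Ensure that the contract exists, that we
			 * hold the contract, and that the contract is
			 * empty.  The lookup is confined to the
			 * caller's zone.
			 */
			ct = contract_type_ptr(process_type, param_value,
			    curproc->p_zone->zone_uniqid);
			if (ct == NULL)
				return (ESRCH);
			if (ct->ct_owner != curproc) {
				contract_rele(ct);
				return (EACCES);
			}
			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
				contract_rele(ct);
				return (ENOTEMPTY);
			}
		} else {
			ct = NULL;
		}
		/* Replace any previously chosen target, dropping its hold. */
		if (ctp->ctp_subsume)
			contract_rele(ctp->ctp_subsume);
		ctp->ctp_subsume = ct;
		break;
	case CTPP_PARAMS:
		if (param_value & ~CT_PR_ALLPARAM)
			return (EINVAL);
		ctp->ctp_params = param_value;
		/*
		 * If an unprivileged process requests that
		 * CT_PR_PGRPONLY be set, remove any unsafe events from
		 * the critical event set and add them to the
		 * informative event set.
		 */
		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
		    !secpolicy_contract_event_choice(cr)) {
			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
			tmpl->ctmpl_ev_crit &= SAFE_EV;
		}

		break;
	case CTPP_SVC_FMRI:
		/* Setting a service identity is a privileged operation. */
		if ((error = secpolicy_contract_identity(cr)) != 0)
			return (error);
		if (ctp->ctp_svc_fmri != NULL)
			refstr_rele(ctp->ctp_svc_fmri);
		/* The default FMRI is represented by NULL (inherit). */
		if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
			ctp->ctp_svc_fmri = NULL;
		else
			ctp->ctp_svc_fmri =
			    refstr_alloc(str_value);
		break;
	case CTPP_CREATOR_AUX:
		if (ctp->ctp_svc_aux != NULL)
			refstr_rele(ctp->ctp_svc_aux);
		if (param->ctpm_size == 1) /* empty string */
			ctp->ctp_svc_aux = NULL;
		else
			ctp->ctp_svc_aux =
			    refstr_alloc(str_value);
		break;
	case CTP_EV_CRITICAL:
		/*
		 * We simply don't allow adding events to the critical
		 * event set which aren't permitted by our policy or by
		 * privilege.
		 */
		if (EXCESS(ctp, param_value) &&
		    (error = secpolicy_contract_event(cr)) != 0)
			return (error);
		tmpl->ctmpl_ev_crit = param_value;
		break;
	case CTPP_EV_FATAL:
		if (param_value & ~CT_PR_ALLFATAL)
			return (EINVAL);
		ctp->ctp_ev_fatal = param_value;
		/*
		 * Check to see if an unprivileged process is
		 * requesting that events be removed from the fatal
		 * event set which are still in the critical event set.
		 *
		 * "allowed" is the set of events that may remain
		 * critical without privilege: SAFE_EV, plus the new
		 * fatal set unless PGRPONLY is in force (mirroring
		 * EXCESS()).  The conditional must be parenthesized:
		 * "|" binds tighter than "?:", and without the parens
		 * the non-zero SAFE_EV made the condition always true,
		 * so every critical event was demoted instead of only
		 * the ones no longer fatal.
		 */
		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
		    !secpolicy_contract_event_choice(cr)) {
			int allowed = SAFE_EV |
			    ((ctp->ctp_params & CT_PR_PGRPONLY) ?
			    0 : ctp->ctp_ev_fatal);
			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
			tmpl->ctmpl_ev_crit &= allowed;
		}
		break;
	default:
		return (EINVAL);
	}

	return (0);
}

/*
 * ctmpl_process_get
 *
 * The process contract template get entry point.  Simply fetches and
 * returns the requested term.
 *
 * Integer terms require a buffer of at least sizeof (uint64_t) and set
 * ret_size to that.  String terms are copied with strlcpy() into the
 * ctpm_size-byte buffer and ret_size is set to the full length the
 * value needs including the terminator, so a caller can detect a
 * truncated copy by comparing ret_size with ctpm_size.  Returns EINVAL
 * for a too-small buffer or an unknown term id.
 */
static int
ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
{
	ctmpl_process_t *ctp = template->ctmpl_data;
	ct_param_t *param = &kparam->param;
	uint64_t *param_value = kparam->ctpm_kbuf;

	if (param->ctpm_id == CTPP_SUBSUME ||
	    param->ctpm_id == CTPP_PARAMS ||
	    param->ctpm_id == CTPP_EV_FATAL) {
		if (param->ctpm_size < sizeof (uint64_t))
			return (EINVAL);
		kparam->ret_size = sizeof (uint64_t);
	}

	switch (param->ctpm_id) {
	case CTPP_SUBSUME:
		/* 0 means "no contract to subsume". */
		*param_value = ctp->ctp_subsume ?
		    ctp->ctp_subsume->ct_id : 0;
		break;
	case CTPP_PARAMS:
		*param_value = ctp->ctp_params;
		break;
	case CTPP_SVC_FMRI:
		/* NULL stands for the default FMRI; report it as such. */
		if (ctp->ctp_svc_fmri == NULL) {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    CT_PR_SVC_DEFAULT, param->ctpm_size);
		} else {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
		}
		kparam->ret_size++;
		break;
	case CTPP_CREATOR_AUX:
		if (ctp->ctp_svc_aux == NULL) {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    refstr_value(conp_svc_aux_default),
			    param->ctpm_size);
		} else {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
		}
		kparam->ret_size++;
		break;
	case CTPP_EV_FATAL:
		*param_value = ctp->ctp_ev_fatal;
		break;
	default:
		return (EINVAL);
	}

	return (0);
}

/* Template operations vector; CT_PR_ALLEVENT is the allowed event mask. */
static ctmplops_t ctmpl_process_ops = {
	ctmpl_process_dup,		/* ctop_dup */
	ctmpl_process_free,		/* ctop_free */
	ctmpl_process_set,		/* ctop_set */
	ctmpl_process_get,		/* ctop_get */
	ctmpl_create_inval,		/* ctop_create */
	CT_PR_ALLEVENT
};


/*
 * Process contract implementation
 */

/*
 * contract_process_default
 *
 * The process contract default template entry point.  Creates a
 * process contract template with no parameters set, with informative
 * core and signal events, critical empty and hwerr events, and fatal
 * hwerr events.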
 */
static ct_template_t *
contract_process_default(void)
{
	ctmpl_process_t *tmpl;

	tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
	ctmpl_init(&tmpl->ctp_ctmpl, &ctmpl_process_ops, process_type, tmpl);

	/* Process-specific terms: nothing subsumed, no parameters set. */
	tmpl->ctp_subsume = NULL;
	tmpl->ctp_params = 0;
	tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
	tmpl->ctp_svc_fmri = NULL;
	tmpl->ctp_svc_aux = NULL;

	/* Generic event terms: core/signal informative, empty/hwerr critical. */
	tmpl->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
	tmpl->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;

	return (&tmpl->ctp_ctmpl);
}

/*
 * contract_process_free
 *
 * The process contract free entry point.  Releases everything a
 * cont_process_t owns: the author's credential, the holds on the three
 * refstr terms (any of which may still be NULL if contract_ctor()
 * failed in contract_process_create()) and the two lists, which are
 * expected to be empty by now.
 */
static void
contract_process_free(contract_t *ct)
{
	cont_process_t *conp = ct->ct_data;

	crfree(conp->conp_cred);

	if (conp->conp_svc_fmri != NULL)
		refstr_rele(conp->conp_svc_fmri);
	if (conp->conp_svc_aux != NULL)
		refstr_rele(conp->conp_svc_aux);
	if (conp->conp_svc_creator != NULL)
		refstr_rele(conp->conp_svc_creator);

	list_destroy(&conp->conp_members);
	list_destroy(&conp->conp_inherited);

	kmem_free(conp, sizeof (cont_process_t));
}

/*
 * contract_process_cankill
 *
 * Determine if the contract author had or if the process generating
 * the event, sp, has adequate privileges to kill process tp.
 *
 * The author's check uses the credential captured at contract creation
 * (conp_cred) against tp's current credential, read under p_crlock.
 * The sender's check (skipped when sp is NULL) uses the caller's
 * current credential.  Returns 1 if either check passes, else 0.
 */
static int
contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
{
	int permitted;

	mutex_enter(&tp->p_crlock);
	permitted = hasprocperm(tp->p_cred, ctp->conp_cred);
	mutex_exit(&tp->p_crlock);
	if (permitted)
		return (1);

	if (sp == NULL)
		return (0);

	return (prochasprocperm(tp, sp, CRED()) ? 1 : 0);
}

/*
 * contract_process_kill
 *
 * Kills all processes in a contract, or all processes in the
 * intersection of a contract and ex's process group (if ex is non-NULL
 * and the contract's PGRPONLY parameter is set).
If checkpriv is
 * true, only those processes which may be signaled by the contract
 * author or ex are killed.
 *
 * Must be called with ct->ct_lock held.  "ex" is the process whose
 * event triggered the kill (or NULL); it is never signaled itself.
 * When the pgrp restriction applies, pidlock is held across the walk
 * while each member's p_stat and p_pgrp are examined - presumably
 * pidlock is what stabilizes those fields here; confirm against
 * proc.h.
 */
static void
contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
{
	cont_process_t *ctp = ct->ct_data;
	proc_t *p;
	pid_t pgrp = -1;	/* -1: no process-group restriction */

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
		pgrp = ex->p_pgrp;
		mutex_enter(&pidlock);
	}

	for (p = list_head(&ctp->conp_members); p != NULL;
	    p = list_next(&ctp->conp_members, p)) {
		/*
		 * Skip the triggering process, any member outside the
		 * selected process group (SIDL members are treated as
		 * outside it - presumably their pgrp is not yet
		 * settled), and, when checkpriv is set, members that
		 * neither the author nor ex would be allowed to signal.
		 */
		if ((p == ex) ||
		    (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
			continue;

		psignal(p, SIGKILL);
	}

	if (pgrp != -1)
		mutex_exit(&pidlock);
}


/*
 * contract_process_accept
 *
 * Tests if the process contract is willing to act as a regent for
 * inherited contracts.  Though brief and only called from one place,
 * this functionality is kept here to avoid including knowledge of
 * process contract implementation in the generic contract code.
 *
 * Returns non-zero iff the contract's CT_PR_REGENT parameter is set.
 */
int
contract_process_accept(contract_t *parent)
{
	cont_process_t *ctp = parent->ct_data;

	ASSERT(parent->ct_type == process_type);

	return (ctp->conp_params & CT_PR_REGENT);
}

/*
 * contract_process_take
 *
 * Executes the process contract side of inheriting a contract.
 *
 * Both contracts' ct_locks must be held, and parent must be a regent
 * (see contract_process_accept()).  The child is queued on the
 * regent's inherited list and the count is bumped; the matching
 * removal happens in contract_process_adopt() or
 * contract_process_destroy().
 */
void
contract_process_take(contract_t *parent, contract_t *child)
{
	cont_process_t *ctp = parent->ct_data;

	ASSERT(MUTEX_HELD(&parent->ct_lock));
	ASSERT(MUTEX_HELD(&child->ct_lock));
	ASSERT(parent->ct_type == process_type);
	ASSERT(ctp->conp_params & CT_PR_REGENT);

	list_insert_head(&ctp->conp_inherited, child);
	ctp->conp_ninherited++;
}

/*
 * contract_process_adopt
 *
 * Executes the process contract side of adopting a contract.
 *
 * ct is the inherited contract being adopted by process p; the regent
 * it is removed from is p's own process contract.  Entered with both
 * the regent's and ct's ct_lock held; returns with the regent's lock
 * released and ct's lock still held (see the comment below).
 */
void
contract_process_adopt(contract_t *ct, proc_t *p)
{
	cont_process_t *parent = p->p_ct_process;

	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
	ASSERT(MUTEX_HELD(&ct->ct_lock));

	list_remove(&parent->conp_inherited, ct);
	parent->conp_ninherited--;

	/*
	 * We drop the parent lock first because a) we are passing the
	 * contract reference to the child, and b) contract_adopt
	 * expects us to return with the contract lock held.
	 */
	mutex_exit(&parent->conp_contract.ct_lock);
}

/*
 * contract_process_abandon
 *
 * The process contract abandon entry point.
 *
 * Called with ct->ct_lock held.  An empty contract is destroyed
 * outright.  A non-empty one is orphaned; if CT_PR_NOORPHAN is set its
 * members are first sent SIGKILL - with checkpriv, so only members the
 * contract author had permission to signal are killed.  In the
 * non-empty case the lock is dropped and the reference released here;
 * in the empty case contract_destroy() takes over the contract.
 */
static void
contract_process_abandon(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * Shall we stay or shall we go?
	 */
	if (list_head(&ctp->conp_members) == NULL) {
		contract_destroy(ct);
	} else {
		/*
		 * Strictly speaking, we actually do orphan the contract.
		 * Assuming our credentials allow us to kill all
		 * processes in the contract, this is only temporary.
		 */
		if (ctp->conp_params & CT_PR_NOORPHAN)
			contract_process_kill(ct, NULL, B_TRUE);
		contract_orphan(ct);
		mutex_exit(&ct->ct_lock);
		contract_rele(ct);
	}
}

/*
 * contract_process_destroy
 *
 * The process contract destroy entry point.
 *
 * Called with ct->ct_lock held.  Detaches every contract this
 * (regent) contract had inherited and hands each to its own type's
 * abandon entry point, which decides whether to destroy or orphan it.
 * Each child's lock is taken here and is expected to be released by
 * the child's contop_abandon (contract_process_abandon() does so on
 * both of its paths).
 */
static void
contract_process_destroy(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;
	contract_t *cct;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * contract_destroy all empty children, kill or orphan the rest
	 */
	while (cct = list_head(&ctp->conp_inherited)) {
		mutex_enter(&cct->ct_lock);

		ASSERT(cct->ct_state == CTS_INHERITED);

		list_remove(&ctp->conp_inherited, cct);
		ctp->conp_ninherited--;
		/* No regent any more; the child must stand on its own. */
		cct->ct_regent = NULL;
		cct->ct_type->ct_type_ops->contop_abandon(cct);
	}
}

/*
 * contract_process_status
 *
 * The process contract status entry point.
 *
 * Fills nvl with the process-contract-specific status for "ct" as seen
 * from "zone" at the requested "detail" level.  CTD_FIXED emits only
 * the terms; CTD_ALL additionally emits the member pid and inherited
 * contract id arrays plus the creator-aux and svc-creator strings.
 * The SVC_CTID/SVC_FMRI pair is emitted for any detail above
 * CTD_COMMON and is replaced with zone-enter placeholders when a
 * non-global zone observes an FMRI inherited across the zone boundary.
 */
static void
contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
    void *status, model_t model)
{
	cont_process_t *ctp = ct->ct_data;
	uint32_t *pids, *ctids;
	uint_t npids, nctids;	/* members / inherited actually copied */
	uint_t spids, sctids;	/* sizes of the pids / ctids allocations */
	ctid_t local_svc_zone_enter;

	if (detail == CTD_FIXED) {
		mutex_enter(&ct->ct_lock);
		contract_status_common(ct, zone, status, model);
		local_svc_zone_enter = ctp->conp_svc_zone_enter;
		mutex_exit(&ct->ct_lock);
		pids = NULL;
		ctids = NULL;
	} else {
		contract_t *cnext;
		proc_t *pnext;
		uint_t loc;

		ASSERT(detail == CTD_ALL);
		mutex_enter(&ct->ct_lock);
		/*
		 * The arrays cannot be allocated with the contract lock
		 * held (KM_SLEEP), so size them with a little slack,
		 * drop the lock to allocate, then re-check the counts
		 * and retry if the membership grew past the slack.
		 */
		for (;;) {
			spids = ctp->conp_nmembers + 5;
			sctids = ctp->conp_ninherited + 5;
			mutex_exit(&ct->ct_lock);

			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
			ctids = kmem_alloc(sctids * sizeof (uint32_t),
			    KM_SLEEP);

			mutex_enter(&ct->ct_lock);
			npids = ctp->conp_nmembers;
			nctids = ctp->conp_ninherited;
			if (spids >= npids && sctids >= nctids)
				break;

			kmem_free(pids, spids * sizeof (uint32_t));
			kmem_free(ctids, sctids * sizeof (uint32_t));
		}
		contract_status_common(ct, zone, status, model);
		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
		    cnext = list_next(&ctp->conp_inherited, cnext))
			ctids[loc++] = cnext->ct_id;
		ASSERT(loc == nctids);
		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
		    pnext = list_next(&ctp->conp_members, pnext))
			pids[loc++] = pnext->p_pid;
		ASSERT(loc == npids);
		local_svc_zone_enter = ctp->conp_svc_zone_enter;
		mutex_exit(&ct->ct_lock);
	}

	/*
	 * Contract terms are static; there's no need to hold the
	 * contract lock while accessing them.
	 */
	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
	if (detail == CTD_ALL) {
		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
		    npids) == 0);
		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
		    nctids) == 0);
		VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
		    refstr_value(ctp->conp_svc_aux)) == 0);
		VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
		    refstr_value(ctp->conp_svc_creator)) == 0);
	}
	if (ctids != NULL)
		kmem_free(ctids, sctids * sizeof (uint32_t));
	if (pids != NULL)
		kmem_free(pids, spids * sizeof (uint32_t));

	/*
	 * if we are in a local zone and svc_fmri was inherited from
	 * the global zone, we provide fake svc_fmri and svc_ctid
	 */
	if (local_svc_zone_enter == 0 ||
	    zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
		if (detail > CTD_COMMON) {
			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
			    ctp->conp_svc_ctid) == 0);
			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
			    refstr_value(ctp->conp_svc_fmri)) == 0);
		}
	} else {
		if (detail > CTD_COMMON) {
			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
			    local_svc_zone_enter) == 0);
			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
			    CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
		}
	}
}

/*
 * contract_process_newct
 *
 * The process contract newct entry point; process contracts have no
 * per-contract setup beyond what contract_process_create() does, so
 * this always succeeds.
 */
/*ARGSUSED*/
static int
contract_process_newct(contract_t *ct)
{
	return (0);
}

/* process contracts don't negotiate */
static
contops_t contract_process_ops = {
	contract_process_free,		/* contop_free */
	contract_process_abandon,	/* contop_abandon */
	contract_process_destroy,	/* contop_destroy */
	contract_process_status,	/* contop_status */
	contract_ack_inval,		/* contop_ack: negotiation unsupported */
	contract_ack_inval,		/* contop_nack: negotiation unsupported */
	contract_qack_inval,		/* contop_qack: negotiation unsupported */
	contract_process_newct		/* contop_newct */
};

/*
 * contract_process_init
 *
 * Initializes the process contract type.  Also creates a template for
 * use by newproc() when it creates user processes.
 *
 * Registers the "process" contract type and builds sys_process_tmpl,
 * the template applied to init(8) and other kernel-started processes:
 * CT_PR_NOORPHAN, fatal hwerr, the init service FMRI and an empty
 * creator-aux string.  That empty string is also published as
 * conp_svc_aux_default, with its own hold, for templates that leave
 * the creator-aux term unset.
 */
void
contract_process_init(void)
{
	ctmpl_process_t *tmpl;

	process_type = contract_type_init(CTT_PROCESS, "process",
	    &contract_process_ops, contract_process_default);

	tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
	sys_process_tmpl = tmpl;
	ctmpl_init(&tmpl->ctp_ctmpl, &ctmpl_process_ops, process_type, tmpl);

	tmpl->ctp_subsume = NULL;
	tmpl->ctp_params = CT_PR_NOORPHAN;
	tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
	tmpl->ctp_svc_fmri = refstr_alloc("svc:/system/init:default");
	tmpl->ctp_svc_aux = refstr_alloc("");

	/* Second hold: the default is shared with every future contract. */
	conp_svc_aux_default = tmpl->ctp_svc_aux;
	refstr_hold(conp_svc_aux_default);
}

/*
 * contract_process_create
 *
 * create a process contract given template "tmpl" and parent process
 * "parent".  May fail and return NULL if project.max-contracts would
 * have been exceeded.
 *
 * The new contract's terms are taken from tmpl under its ctmpl_lock,
 * which is held for the whole call.  The author's credential is
 * captured here (conp_cred) and later decides who may be killed by
 * contract_process_kill().  If tmpl names a contract to subsume and the
 * parent still owns it, that contract's inherited children are moved
 * over and the old contract is abandoned.  Returns the new contract,
 * or NULL if contract_ctor() failed (canfail is passed through to it).
 */
static cont_process_t *
contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
{
	cont_process_t *ctp;

	ASSERT(tmpl != NULL);

	(void) contract_type_pbundle(process_type, parent);

	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);

	list_create(&ctp->conp_members, sizeof (proc_t),
	    offsetof(proc_t, p_ct_member));
	list_create(&ctp->conp_inherited, sizeof (contract_t),
	    offsetof(contract_t, ct_ctlist));
	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
	ctp->conp_params = tmpl->ctp_params;
	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
	crhold(ctp->conp_cred = CRED());

	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
	    parent, canfail)) {
		/*
		 * The refstr terms are still NULL (kmem_zalloc), so
		 * contract_process_free() only drops the cred and lists.
		 */
		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
		contract_process_free(&ctp->conp_contract);
		return (NULL);
	}

	/*
	 * inherit svc_fmri if not defined by consumer. In this case, inherit
	 * also svc_ctid to keep track of the contract id where
	 * svc_fmri was set
	 */
	if (tmpl->ctp_svc_fmri == NULL) {
		ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
		ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
		ctp->conp_svc_zone_enter =
		    parent->p_ct_process->conp_svc_zone_enter;
	} else {
		ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
		ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
		/* make svc_zone_enter flag false when svc_fmri is set */
		ctp->conp_svc_zone_enter = 0;
	}
	refstr_hold(ctp->conp_svc_fmri);
	/* set svc_aux to default value if not defined in template */
	if (tmpl->ctp_svc_aux == NULL) {
		ctp->conp_svc_aux = conp_svc_aux_default;
	} else {
		ctp->conp_svc_aux = tmpl->ctp_svc_aux;
	}
	refstr_hold(ctp->conp_svc_aux);
	/*
	 * set svc_creator to execname
	 * We special case pid0 because when newproc() creates
	 * the init process, the p_user.u_comm field of sched's proc_t
	 * has not been populated yet.
	 */
	if (parent->p_pidp == &pid0) /* if the kernel is the creator */
		ctp->conp_svc_creator = refstr_alloc("sched");
	else
		ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);

	/*
	 * Transfer subcontracts only after new contract is visible.
	 * Also, only transfer contracts if the parent matches -- we
	 * don't want to create a cycle in the tree of contracts.
	 *
	 * Ownership was already checked when the CTPP_SUBSUME term was
	 * set; re-checking here presumably covers the contract having
	 * changed hands in between - if it has, the term is ignored.
	 */
	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
		contract_t *ct;

		/* Lock order: old (subsumed) contract, then new contract. */
		mutex_enter(&tmpl->ctp_subsume->ct_lock);
		mutex_enter(&ctp->conp_contract.ct_lock);
		while (ct = list_head(&sct->conp_inherited)) {
			mutex_enter(&ct->ct_lock);
			list_remove(&sct->conp_inherited, ct);
			list_insert_tail(&ctp->conp_inherited, ct);
			ct->ct_regent = &ctp->conp_contract;
			mutex_exit(&ct->ct_lock);
		}
		ctp->conp_ninherited += sct->conp_ninherited;
		sct->conp_ninherited = 0;
		mutex_exit(&ctp->conp_contract.ct_lock);
		mutex_exit(&tmpl->ctp_subsume->ct_lock);

		/*
		 * Automatically abandon the contract.
		 */
		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
	}

	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);

	return (ctp);
}

/*
 * contract_process_exit
 *
 * Called on process exit.  Removes process p from process contract
 * ctp.  Generates an exit event, if requested.  Generates an empty
 * event, if p is the last member of the process contract and empty
 * events were requested.
 *
 * The contract lock is dropped around each cte_publish_all() call and
 * re-taken afterwards.  On return the caller's reference to the
 * contract has been released: either via contract_rele(), or by
 * contract_destroy() when the last member leaves an orphaned contract.
 */
void
contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
{
	contract_t *ct = &ctp->conp_contract;
	ct_kevent_t *event;
	int empty;

	/*
	 * Remove self from process contract.
	 */
	mutex_enter(&ct->ct_lock);
	list_remove(&ctp->conp_members, p);
	ctp->conp_nmembers--;
	mutex_enter(&p->p_lock);	/* in case /proc is watching */
	p->p_ct_process = NULL;
	mutex_exit(&p->p_lock);

	/*
	 * We check for emptiness before dropping the contract lock to
	 * send the exit event, otherwise we could end up with two
	 * empty events.
	 */
	empty = (list_head(&ctp->conp_members) == NULL);
	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
		nvlist_t *nvl;

		mutex_exit(&ct->ct_lock);
		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
		event->cte_type = CT_PR_EV_EXIT;
		(void) cte_publish_all(ct, event, nvl, NULL);
		mutex_enter(&ct->ct_lock);
	}
	if (empty) {
		/*
		 * Send EMPTY message.
		 */
		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
			nvlist_t *nvl;

			mutex_exit(&ct->ct_lock);
			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);

			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
			    CTE_INFO : 0;
			event->cte_type = CT_PR_EV_EMPTY;
			(void) cte_publish_all(ct, event, nvl, NULL);
			mutex_enter(&ct->ct_lock);
		}

		/*
		 * The last one to leave an orphaned contract turns out
		 * the lights.
		 */
		if (ct->ct_state == CTS_ORPHAN) {
			contract_destroy(ct);
			return;
		}
	}
	mutex_exit(&ct->ct_lock);
	contract_rele(ct);
}

/*
 * contract_process_fork
 *
 * Called on process fork.  If the current lwp has an active process
 * contract template, we attempt to create a new process contract.
 * Failure to create a process contract when required is a failure in
 * fork so, in such an event, we return NULL.
 *
 * Assuming we succeeded or skipped the previous step, we add the child
 * process to the new contract (success) or to the parent's process
 * contract (skip).  If requested, we also send a fork event to that
 * contract.
 *
 * Because contract_process_fork() may fail, and because we would
 * prefer that process contracts not be created for processes which
 * don't complete forking, this should be the last function called
 * before the "all clear" point in cfork.
 *
 * rtmpl may be passed explicitly or, when NULL, is taken from the
 * current lwp's active template for the process contract type.  cp is
 * the child, pp the parent.  Returns the contract the child was added
 * to (with a hold taken on its behalf), or NULL on failure.
 */
cont_process_t *
contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
    int canfail)
{
	contract_t *ct;
	cont_process_t *ctp;
	ct_kevent_t *event;
	ct_template_t *tmpl;

	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
	    process_type->ct_type_index]) != NULL)
		rtmpl = tmpl->ctmpl_data;

	if (rtmpl == NULL)
		ctp = curproc->p_ct_process;
	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
		return (NULL);

	ct = &ctp->conp_contract;
	/*
	 * Prevent contract_process_kill() from missing forked children
	 * by failing forks by parents that have just been killed.
	 * It's not worth hoisting the ctp test since contract creation
	 * is by no means the common case.
	 *
	 * The SKILLED check only applies when the child joins the
	 * parent's own contract and the caller allows failure; the
	 * parent's p_lock is held while SKILLED is read and the child's
	 * membership is recorded.
	 */
	mutex_enter(&ct->ct_lock);
	mutex_enter(&pp->p_lock);
	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
	    canfail) {
		mutex_exit(&pp->p_lock);
		mutex_exit(&ct->ct_lock);
		return (NULL);
	}
	cp->p_ct_process = ctp;
	mutex_exit(&pp->p_lock);
	/* This hold is the one contract_process_exit() releases for cp. */
	contract_hold(ct);
	list_insert_head(&ctp->conp_members, cp);
	ctp->conp_nmembers++;
	mutex_exit(&ct->ct_lock);
	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
		nvlist_t *nvl;

		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
		event->cte_type = CT_PR_EV_FORK;
		(void) cte_publish_all(ct, event, nvl, NULL);
	}
	return (ctp);
}

/*
 * contract_process_core
 *
 * Called on core file generation attempts.  Generates a core event, if
 * requested, containing the names of the process, global, and
 * system-global ("zone") core files.  If dumping core is in the fatal
 * event set, calls contract_process_kill().
 *
 * Any of the three file names may be NULL and is then omitted.  The
 * kill is done with checkpriv set, so only members the contract author
 * or the dumping process p may signal are killed.
 */
void
contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
    const char *process, const char *global, const char *zone)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
		ct_kevent_t *event;
		nvlist_t *nvl, *gnvl = NULL;

		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
		if (process)
			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
			    (char *)process) == 0);
		if (global)
			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
			    (char *)global) == 0);

		if (zone) {
			/*
			 * Only the global zone is informed of the
			 * local-zone generated global-zone core.
			 * That name therefore travels in a separate
			 * nvlist (gnvl) rather than in nvl.
			 */
			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
			    (char *)zone) == 0);
		}

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
		event->cte_type = CT_PR_EV_CORE;
		(void) cte_publish_all(ct, event, nvl, gnvl);
	}

	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
		mutex_enter(&ct->ct_lock);
		contract_process_kill(ct, p, B_TRUE);
		mutex_exit(&ct->ct_lock);
	}
}

/*
 * contract_process_hwerr
 *
 * Called when a process is killed by an unrecoverable hardware error.
 * Generates an hwerr event, if requested.
If hardware errors are in 1121 * the fatal event set, calls contract_process_kill(). 1122 */ 1123 void 1124 contract_process_hwerr(cont_process_t *ctp, proc_t *p) 1125 { 1126 contract_t *ct = &ctp->conp_contract; 1127 1128 if (EVSENDP(ctp, CT_PR_EV_HWERR)) { 1129 ct_kevent_t *event; 1130 nvlist_t *nvl; 1131 1132 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1133 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 1134 1135 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1136 event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0; 1137 event->cte_type = CT_PR_EV_HWERR; 1138 (void) cte_publish_all(ct, event, nvl, NULL); 1139 } 1140 1141 if (EVFATALP(ctp, CT_PR_EV_HWERR)) { 1142 mutex_enter(&ct->ct_lock); 1143 contract_process_kill(ct, p, B_FALSE); 1144 mutex_exit(&ct->ct_lock); 1145 } 1146 } 1147 1148 /* 1149 * contract_process_sig 1150 * 1151 * Called when a process is killed by a signal originating from a 1152 * process outside of its process contract or its process contract's 1153 * holder. Generates an signal event, if requested, containing the 1154 * signal number, and the sender's pid and contract id (if available). 1155 * If signals are in the fatal event set, calls 1156 * contract_process_kill(). 
1157 */ 1158 void 1159 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid, 1160 ctid_t ctid, zoneid_t zoneid) 1161 { 1162 contract_t *ct = &ctp->conp_contract; 1163 1164 if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) { 1165 ct_kevent_t *event; 1166 nvlist_t *dest, *nvl, *gnvl = NULL; 1167 1168 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1169 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 1170 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0); 1171 1172 if (zoneid >= 0 && p->p_zone->zone_id != zoneid) { 1173 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME, 1174 KM_SLEEP) == 0); 1175 dest = gnvl; 1176 } else { 1177 dest = nvl; 1178 } 1179 1180 if (pid != -1) 1181 VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0); 1182 if (ctid != 0) 1183 VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0); 1184 1185 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1186 event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0; 1187 event->cte_type = CT_PR_EV_SIGNAL; 1188 (void) cte_publish_all(ct, event, nvl, gnvl); 1189 } 1190 1191 if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) { 1192 mutex_enter(&ct->ct_lock); 1193 contract_process_kill(ct, p, B_TRUE); 1194 mutex_exit(&ct->ct_lock); 1195 } 1196 } 1197