xref: /illumos-gate/usr/src/uts/common/contract/process.c (revision a55b6846f87afedf14b3f9b64fbb8c0d0a3f2fe2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/mutex.h>
29 #include <sys/debug.h>
30 #include <sys/types.h>
31 #include <sys/param.h>
32 #include <sys/kmem.h>
33 #include <sys/thread.h>
34 #include <sys/id_space.h>
35 #include <sys/avl.h>
36 #include <sys/list.h>
37 #include <sys/sysmacros.h>
38 #include <sys/proc.h>
39 #include <sys/contract.h>
40 #include <sys/contract_impl.h>
41 #include <sys/contract/process.h>
42 #include <sys/contract/process_impl.h>
43 #include <sys/cmn_err.h>
44 #include <sys/nvpair.h>
45 #include <sys/policy.h>
46 
47 /*
48  * Process Contracts
49  * -----------------
50  *
51  * Generally speaking, a process contract is a contract between a
52  * process and a set of its descendent processes.  In some cases, when
53  * the child processes outlive the author of the contract, the contract
54  * may be held by (and therefore be between the child processes and) a
55  * successor process which adopts the contract after the death of the
56  * original author.
57  *
58  * The process contract adds two new concepts to the Solaris process
59  * model.  The first is that a process contract forms a rigid fault
60  * boundary around a set of processes.  Hardware, software, and even
61  * administrator errors impacting a process in a process contract
62  * generate specific events and can be requested to atomically shutdown
63  * all processes in the contract.  The second is that a process
64  * contract is a process collective whose leader is not a member of the
65  * collective.  This means that the leader can reliably react to events
66  * in the collective, and may also act upon the collective without
67  * special casing itself.
68  *
69  * A composite outcome of these two concepts is that we can now create
70  * a tree of process contracts, rooted at init(1M), which represent
71  * services and subservices that are reliably observed and can be
72  * restarted when fatal errors occur.  The service management framework
73  * (SMF) realizes this structure.
74  *
75  * For more details, see the "restart agreements" case, PSARC 2003/193.
76  *
77  * There are four sets of routines in this file: the process contract
78  * standard template operations, the process contract standard contract
79  * operations, a couple routines used only by the contract subsystem to
80  * handle process contracts' unique role as a temporary holder of
81  * abandoned contracts, and the interfaces which allow the system to
82  * create and act upon process contracts.  The first two are defined by
83  * the contracts framework and won't be discussed further.  As for the
84  * remaining two:
85  *
86  * Special framework interfaces
87  * ----------------------------
88  *
89  * contract_process_accept - determines if a process contract is a
90  *   regent, i.e. if it can inherit other contracts.
91  *
92  * contract_process_take - tells a regent process contract to inherit
93  *   an abandoned contract
94  *
95  * contract_process_adopt - tells a regent process contract that a
96  *   contract it has inherited is being adopted by a process.
97  *
98  * Process contract interfaces
99  * ---------------------------
100  *
101  * contract_process_fork - called when a process is created; adds the
102  *   new process to an existing contract or to a newly created one.
103  *
104  * contract_process_exit - called when a process exits
105  *
106  * contract_process_core - called when a process would have dumped core
107  *   (even if a core file wasn't generated)
108  *
109  * contract_process_hwerr - called when a process was killed because of
110  *   an uncorrectable hardware error
111  *
112  * contract_process_sig - called when a process was killed by a fatal
113  *   signal sent by a process in another process contract
114  *
115  */
116 
117 ct_type_t *process_type;
118 ctmpl_process_t *sys_process_tmpl;
119 
120 /*
121  * Macro predicates for determining when events should be sent and how.
122  */
123 #define	EVSENDP(ctp, flag) \
124 	((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
125 
126 #define	EVINFOP(ctp, flag) \
127 	((ctp->conp_contract.ct_ev_crit & flag) == 0)
128 
129 #define	EVFATALP(ctp, flag) \
130 	(ctp->conp_ev_fatal & flag)
131 
132 
133 /*
134  * Process contract template implementation
135  */
136 
137 /*
138  * ctmpl_process_dup
139  *
140  * The process contract template dup entry point.  Other than the
141  * to-be-subsumed contract, which must be held, this simply copies all
142  * the fields of the original.
143  */
144 static struct ct_template *
145 ctmpl_process_dup(struct ct_template *template)
146 {
147 	ctmpl_process_t *new;
148 	ctmpl_process_t *old = template->ctmpl_data;
149 
150 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
151 
152 	ctmpl_copy(&new->ctp_ctmpl, template);
153 	new->ctp_ctmpl.ctmpl_data = new;
154 
155 	new->ctp_subsume = old->ctp_subsume;
156 	if (new->ctp_subsume)
157 		contract_hold(new->ctp_subsume);
158 	new->ctp_params = old->ctp_params;
159 	new->ctp_ev_fatal = old->ctp_ev_fatal;
160 
161 	return (&new->ctp_ctmpl);
162 }
163 
164 /*
165  * ctmpl_process_dup
166  *
167  * The process contract template free entry point.  Just releases a
168  * to-be-subsumed contract and frees the template.
169  */
170 static void
171 ctmpl_process_free(struct ct_template *template)
172 {
173 	ctmpl_process_t *ctp = template->ctmpl_data;
174 
175 	if (ctp->ctp_subsume)
176 		contract_rele(ctp->ctp_subsume);
177 	kmem_free(template, sizeof (ctmpl_process_t));
178 }
179 
180 /*
181  * SAFE_EV is the set of events which a non-privileged process is
182  * allowed to make critical but not fatal or if the PGRPONLY parameter
183  * is set.  EXCESS tells us if "value", a critical event set, requires
184  * additional privilege given the template "ctp".
185  */
186 #define	SAFE_EV			(CT_PR_EV_EMPTY)
187 #define	EXCESS(ctp, value)	\
188 	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
189 	(((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
190 
191 /*
192  * ctmpl_process_set
193  *
194  * The process contract template set entry point.  None of the terms
195  * may be unconditionally set, and setting the parameters or fatal
196  * event set may result in events being implicitly removed from to the
197  * critical event set and added to the informative event set.  The
198  * (admittedly subtle) reason we implicitly change the critical event
199  * set when the parameter or fatal event set is modified but not the
200  * other way around is because a change to the critical event set only
201  * affects the contract's owner, whereas a change to the parameter set
202  * and fatal set can affect the execution of the application running in
203  * the contract (and should therefore be only made explicitly).  We
204  * allow implicit changes at all so that setting contract terms doesn't
205  * become a complex dance dependent on the template's initial state and
206  * the desired terms.
207  */
208 static int
209 ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr)
210 {
211 	ctmpl_process_t *ctp = tmpl->ctmpl_data;
212 	contract_t *ct;
213 	int error;
214 
215 	/*
216 	 * No process contract parameters are > 32 bits.
217 	 */
218 	if (param->ctpm_value & ~UINT32_MAX)
219 		return (EINVAL);
220 
221 	switch (param->ctpm_id) {
222 	case CTPP_SUBSUME:
223 		if (param->ctpm_value != 0) {
224 			/*
225 			 * Ensure that the contract exists, that we
226 			 * hold the contract, and that the contract is
227 			 * empty.
228 			 */
229 			ct = contract_type_ptr(process_type, param->ctpm_value,
230 			    curproc->p_zone->zone_uniqid);
231 			if (ct == NULL)
232 				return (ESRCH);
233 			if (ct->ct_owner != curproc) {
234 				contract_rele(ct);
235 				return (EACCES);
236 			}
237 			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
238 				contract_rele(ct);
239 				return (ENOTEMPTY);
240 			}
241 		} else {
242 			ct = NULL;
243 		}
244 		if (ctp->ctp_subsume)
245 			contract_rele(ctp->ctp_subsume);
246 		ctp->ctp_subsume = ct;
247 		break;
248 	case CTPP_PARAMS:
249 		if (param->ctpm_value & ~CT_PR_ALLPARAM)
250 			return (EINVAL);
251 		ctp->ctp_params = param->ctpm_value;
252 		/*
253 		 * If an unprivileged process requests that
254 		 * CT_PR_PGRPONLY be set, remove any unsafe events from
255 		 * the critical event set and add them to the
256 		 * informative event set.
257 		 */
258 		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
259 		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
260 		    !secpolicy_contract_event_choice(cr)) {
261 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
262 			tmpl->ctmpl_ev_crit &= SAFE_EV;
263 		}
264 
265 		break;
266 	case CTP_EV_CRITICAL:
267 		/*
268 		 * We simply don't allow adding events to the critical
269 		 * event set which aren't permitted by our policy or by
270 		 * privilege.
271 		 */
272 		if (EXCESS(ctp, param->ctpm_value) &&
273 		    (error = secpolicy_contract_event(cr)) != 0)
274 			return (error);
275 		tmpl->ctmpl_ev_crit = param->ctpm_value;
276 		break;
277 	case CTPP_EV_FATAL:
278 		if (param->ctpm_value & ~CT_PR_ALLFATAL)
279 			return (EINVAL);
280 		ctp->ctp_ev_fatal = param->ctpm_value;
281 		/*
282 		 * Check to see if an unprivileged process is
283 		 * requesting that events be removed from the fatal
284 		 * event set which are still in the critical event set.
285 		 */
286 		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
287 		    !secpolicy_contract_event_choice(cr)) {
288 			int allowed =
289 			    SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
290 			    0 : ctp->ctp_ev_fatal;
291 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
292 			tmpl->ctmpl_ev_crit &= allowed;
293 		}
294 		break;
295 	default:
296 		return (EINVAL);
297 	}
298 
299 	return (0);
300 }
301 
302 /*
303  * ctmpl_process_get
304  *
305  * The process contract template get entry point.  Simply fetches and
306  * returns the requested term.
307  */
308 static int
309 ctmpl_process_get(struct ct_template *template, ct_param_t *param)
310 {
311 	ctmpl_process_t *ctp = template->ctmpl_data;
312 
313 	switch (param->ctpm_id) {
314 	case CTPP_SUBSUME:
315 		param->ctpm_value = ctp->ctp_subsume ?
316 		    ctp->ctp_subsume->ct_id : 0;
317 		break;
318 	case CTPP_PARAMS:
319 		param->ctpm_value = ctp->ctp_params;
320 		break;
321 	case CTPP_EV_FATAL:
322 		param->ctpm_value = ctp->ctp_ev_fatal;
323 		break;
324 	default:
325 		return (EINVAL);
326 	}
327 
328 	return (0);
329 }
330 
331 static ctmplops_t ctmpl_process_ops = {
332 	ctmpl_process_dup,		/* ctop_dup */
333 	ctmpl_process_free,		/* ctop_free */
334 	ctmpl_process_set,		/* ctop_set */
335 	ctmpl_process_get,		/* ctop_get */
336 	ctmpl_create_inval,		/* ctop_create */
337 	CT_PR_ALLEVENT
338 };
339 
340 
341 /*
342  * Process contract implementation
343  */
344 
345 /*
346  * ctmpl_process_default
347  *
348  * The process contract default template entry point.  Creates a
349  * process contract template with no parameters set, with informative
350  * core and signal events, critical empty and hwerr events, and fatal
351  * hwerr events.
352  */
353 static ct_template_t *
354 contract_process_default(void)
355 {
356 	ctmpl_process_t *new;
357 
358 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
359 	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
360 
361 	new->ctp_subsume = NULL;
362 	new->ctp_params = 0;
363 	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
364 	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
365 	new->ctp_ev_fatal = CT_PR_EV_HWERR;
366 
367 	return (&new->ctp_ctmpl);
368 }
369 
370 /*
371  * contract_process_free
372  *
373  * The process contract free entry point.
374  */
375 static void
376 contract_process_free(contract_t *ct)
377 {
378 	cont_process_t *ctp = ct->ct_data;
379 	crfree(ctp->conp_cred);
380 	list_destroy(&ctp->conp_members);
381 	list_destroy(&ctp->conp_inherited);
382 	kmem_free(ctp, sizeof (cont_process_t));
383 }
384 
385 /*
386  * contract_process_cankill
387  *
388  * Determine if the contract author had or if the process generating
389  * the event, sp, has adequate privileges to kill process tp.
390  */
391 static int
392 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
393 {
394 	int cankill;
395 
396 	mutex_enter(&tp->p_crlock);
397 	cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
398 	mutex_exit(&tp->p_crlock);
399 	if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
400 		return (1);
401 
402 	return (0);
403 }
404 
405 /*
406  * contract_process_kill
407  *
408  * Kills all processes in a contract, or all processes in the
409  * intersection of a contract and ex's process group (if ex is non-NULL
410  * and the contract's PGRPONLY parameter is set).  If checkpriv is
411  * true, only those processes which may be signaled by the contract
412  * author or ex are killed.
413  */
414 static void
415 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
416 {
417 	cont_process_t *ctp = ct->ct_data;
418 	proc_t *p;
419 	pid_t pgrp = -1;
420 
421 	ASSERT(MUTEX_HELD(&ct->ct_lock));
422 
423 	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
424 		pgrp = ex->p_pgrp;
425 		mutex_enter(&pidlock);
426 	}
427 
428 	for (p = list_head(&ctp->conp_members); p != NULL;
429 	    p = list_next(&ctp->conp_members, p)) {
430 		if ((p == ex) || (pgrp != -1 && p->p_pgrp != pgrp) ||
431 		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
432 			continue;
433 
434 		psignal(p, SIGKILL);
435 	}
436 
437 	if (pgrp != -1)
438 		mutex_exit(&pidlock);
439 }
440 
441 
442 /*
443  * contract_process_accept
444  *
445  * Tests if the process contract is willing to act as a regent for
446  * inherited contracts.  Though brief and only called from one place,
447  * this functionality is kept here to avoid including knowledge of
448  * process contract implementation in the generic contract code.
449  */
450 int
451 contract_process_accept(contract_t *parent)
452 {
453 	cont_process_t *ctp = parent->ct_data;
454 
455 	ASSERT(parent->ct_type == process_type);
456 
457 	return (ctp->conp_params & CT_PR_REGENT);
458 }
459 
460 /*
461  * contract_process_take
462  *
463  * Executes the process contract side of inheriting a contract.
464  */
465 void
466 contract_process_take(contract_t *parent, contract_t *child)
467 {
468 	cont_process_t *ctp = parent->ct_data;
469 
470 	ASSERT(MUTEX_HELD(&parent->ct_lock));
471 	ASSERT(MUTEX_HELD(&child->ct_lock));
472 	ASSERT(parent->ct_type == process_type);
473 	ASSERT(ctp->conp_params & CT_PR_REGENT);
474 
475 	list_insert_head(&ctp->conp_inherited, child);
476 	ctp->conp_ninherited++;
477 }
478 
479 /*
480  * contract_process_adopt
481  *
482  * Executes the process contract side of adopting a contract.
483  */
484 void
485 contract_process_adopt(contract_t *ct, proc_t *p)
486 {
487 	cont_process_t *parent = p->p_ct_process;
488 
489 	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
490 	ASSERT(MUTEX_HELD(&ct->ct_lock));
491 
492 	list_remove(&parent->conp_inherited, ct);
493 	parent->conp_ninherited--;
494 
495 	/*
496 	 * We drop the parent lock first because a) we are passing the
497 	 * contract reference to the child, and b) contract_adopt
498 	 * expects us to return with the contract lock held.
499 	 */
500 	mutex_exit(&parent->conp_contract.ct_lock);
501 }
502 
503 /*
504  * contract_process_abandon
505  *
506  * The process contract abandon entry point.
507  */
508 static void
509 contract_process_abandon(contract_t *ct)
510 {
511 	cont_process_t *ctp = ct->ct_data;
512 
513 	ASSERT(MUTEX_HELD(&ct->ct_lock));
514 
515 	/*
516 	 * Shall we stay or shall we go?
517 	 */
518 	if (list_head(&ctp->conp_members) == NULL) {
519 		contract_destroy(ct);
520 	} else {
521 		/*
522 		 * Strictly speaking, we actually do orphan the contract.
523 		 * Assuming our credentials allow us to kill all
524 		 * processes in the contract, this is only temporary.
525 		 */
526 		if (ctp->conp_params & CT_PR_NOORPHAN)
527 			contract_process_kill(ct, NULL, B_TRUE);
528 		contract_orphan(ct);
529 		mutex_exit(&ct->ct_lock);
530 		contract_rele(ct);
531 	}
532 }
533 
534 /*
535  * contract_process_destroy
536  *
537  * The process contract destroy entry point.
538  */
539 static void
540 contract_process_destroy(contract_t *ct)
541 {
542 	cont_process_t *ctp = ct->ct_data;
543 	contract_t *cct;
544 
545 	ASSERT(MUTEX_HELD(&ct->ct_lock));
546 
547 	/*
548 	 * contract_destroy all empty children, kill or orphan the rest
549 	 */
550 	while (cct = list_head(&ctp->conp_inherited)) {
551 		mutex_enter(&cct->ct_lock);
552 
553 		ASSERT(cct->ct_state == CTS_INHERITED);
554 
555 		list_remove(&ctp->conp_inherited, cct);
556 		ctp->conp_ninherited--;
557 		cct->ct_regent = NULL;
558 		cct->ct_type->ct_type_ops->contop_abandon(cct);
559 	}
560 }
561 
562 /*
563  * contract_process_status
564  *
565  * The process contract status entry point.
566  */
567 static void
568 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
569     void *status, model_t model)
570 {
571 	cont_process_t *ctp = ct->ct_data;
572 	uint32_t *pids, *ctids;
573 	uint_t npids, nctids;
574 	uint_t spids, sctids;
575 
576 	if (detail == CTD_FIXED) {
577 		mutex_enter(&ct->ct_lock);
578 		contract_status_common(ct, zone, status, model);
579 		mutex_exit(&ct->ct_lock);
580 	} else {
581 		contract_t *cnext;
582 		proc_t *pnext;
583 		uint_t loc;
584 
585 		ASSERT(detail == CTD_ALL);
586 		mutex_enter(&ct->ct_lock);
587 		for (;;) {
588 			spids = ctp->conp_nmembers + 5;
589 			sctids = ctp->conp_ninherited + 5;
590 			mutex_exit(&ct->ct_lock);
591 
592 			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
593 			ctids = kmem_alloc(sctids * sizeof (uint32_t),
594 			    KM_SLEEP);
595 
596 			mutex_enter(&ct->ct_lock);
597 			npids = ctp->conp_nmembers;
598 			nctids = ctp->conp_ninherited;
599 			if (spids >= npids && sctids >= nctids)
600 				break;
601 
602 			kmem_free(pids, spids * sizeof (uint32_t));
603 			kmem_free(ctids, sctids * sizeof (uint32_t));
604 		}
605 		contract_status_common(ct, zone, status, model);
606 		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
607 		    cnext = list_next(&ctp->conp_inherited, cnext))
608 			ctids[loc++] = cnext->ct_id;
609 		ASSERT(loc == nctids);
610 		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
611 		    pnext = list_next(&ctp->conp_members, pnext))
612 			pids[loc++] = pnext->p_pid;
613 		ASSERT(loc == npids);
614 		mutex_exit(&ct->ct_lock);
615 
616 	}
617 
618 	/*
619 	 * Contract terms are static; there's no need to hold the
620 	 * contract lock while accessing them.
621 	 */
622 	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
623 	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
624 	if (detail == CTD_ALL) {
625 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
626 		    npids) == 0);
627 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
628 		    nctids) == 0);
629 		kmem_free(pids, spids * sizeof (uint32_t));
630 		kmem_free(ctids, sctids * sizeof (uint32_t));
631 	}
632 }
633 
634 /*ARGSUSED*/
635 static int
636 contract_process_newct(contract_t *ct)
637 {
638 	return (0);
639 }
640 
641 /* process contracts don't negotiate */
642 static contops_t contract_process_ops = {
643 	contract_process_free,		/* contop_free */
644 	contract_process_abandon,	/* contop_abandon */
645 	contract_process_destroy,	/* contop_destroy */
646 	contract_process_status,	/* contop_status */
647 	contract_ack_inval,		/* contop_ack */
648 	contract_ack_inval,		/* contop_nack */
649 	contract_qack_inval,		/* contop_qack */
650 	contract_process_newct		/* contop_newct */
651 };
652 
653 /*
654  * contract_process_init
655  *
656  * Initializes the process contract type.  Also creates a template for
657  * use by newproc() when it creates user processes.
658  */
659 void
660 contract_process_init(void)
661 {
662 	process_type = contract_type_init(CTT_PROCESS, "process",
663 	    &contract_process_ops, contract_process_default);
664 
665 	/*
666 	 * Create a template for use with init(1M) and other
667 	 * kernel-started processes.
668 	 */
669 	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
670 	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
671 	    process_type, sys_process_tmpl);
672 	sys_process_tmpl->ctp_subsume = NULL;
673 	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
674 	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
675 }
676 
677 /*
678  * contract_process_create
679  *
680  * create a process contract given template "tmpl" and parent process
681  * "parent".  May fail and return NULL if project.max-contracts would
682  * have been exceeded.
683  */
684 static cont_process_t *
685 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
686 {
687 	cont_process_t *ctp;
688 
689 	ASSERT(tmpl != NULL);
690 
691 	(void) contract_type_pbundle(process_type, parent);
692 
693 	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
694 
695 	list_create(&ctp->conp_members, sizeof (proc_t),
696 	    offsetof(proc_t, p_ct_member));
697 	list_create(&ctp->conp_inherited, sizeof (contract_t),
698 	    offsetof(contract_t, ct_ctlist));
699 	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
700 	ctp->conp_params = tmpl->ctp_params;
701 	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
702 	crhold(ctp->conp_cred = CRED());
703 
704 	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
705 	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
706 	    parent, canfail)) {
707 		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
708 		contract_process_free(&ctp->conp_contract);
709 		return (NULL);
710 	}
711 
712 	/*
713 	 * Transfer subcontracts only after new contract is visible.
714 	 * Also, only transfer contracts if the parent matches -- we
715 	 * don't want to create a cycle in the tree of contracts.
716 	 */
717 	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
718 		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
719 		contract_t *ct;
720 
721 		mutex_enter(&tmpl->ctp_subsume->ct_lock);
722 		mutex_enter(&ctp->conp_contract.ct_lock);
723 		while (ct = list_head(&sct->conp_inherited)) {
724 			mutex_enter(&ct->ct_lock);
725 			list_remove(&sct->conp_inherited, ct);
726 			list_insert_tail(&ctp->conp_inherited, ct);
727 			ct->ct_regent = &ctp->conp_contract;
728 			mutex_exit(&ct->ct_lock);
729 		}
730 		ctp->conp_ninherited += sct->conp_ninherited;
731 		sct->conp_ninherited = 0;
732 		mutex_exit(&ctp->conp_contract.ct_lock);
733 		mutex_exit(&tmpl->ctp_subsume->ct_lock);
734 
735 		/*
736 		 * Automatically abandon the contract.
737 		 */
738 		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
739 	}
740 
741 	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
742 
743 	return (ctp);
744 }
745 
746 /*
747  * contract_process_exit
748  *
749  * Called on process exit.  Removes process p from process contract
750  * ctp.  Generates an exit event, if requested.  Generates an empty
751  * event, if p is the last member of the the process contract and empty
752  * events were requested.
753  */
754 void
755 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
756 {
757 	contract_t *ct = &ctp->conp_contract;
758 	ct_kevent_t *event;
759 	int empty;
760 
761 	/*
762 	 * Remove self from process contract.
763 	 */
764 	mutex_enter(&ct->ct_lock);
765 	list_remove(&ctp->conp_members, p);
766 	ctp->conp_nmembers--;
767 	mutex_enter(&p->p_lock);	/* in case /proc is watching */
768 	p->p_ct_process = NULL;
769 	mutex_exit(&p->p_lock);
770 
771 	/*
772 	 * We check for emptiness before dropping the contract lock to
773 	 * send the exit event, otherwise we could end up with two
774 	 * empty events.
775 	 */
776 	empty = (list_head(&ctp->conp_members) == NULL);
777 	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
778 		nvlist_t *nvl;
779 
780 		mutex_exit(&ct->ct_lock);
781 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
782 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
783 		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
784 
785 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
786 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
787 		event->cte_type = CT_PR_EV_EXIT;
788 		(void) cte_publish_all(ct, event, nvl, NULL);
789 		mutex_enter(&ct->ct_lock);
790 	}
791 	if (empty) {
792 		/*
793 		 * Send EMPTY message.
794 		 */
795 		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
796 			nvlist_t *nvl;
797 
798 			mutex_exit(&ct->ct_lock);
799 			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
800 			    KM_SLEEP) == 0);
801 			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
802 
803 			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
804 			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
805 			    CTE_INFO : 0;
806 			event->cte_type = CT_PR_EV_EMPTY;
807 			(void) cte_publish_all(ct, event, nvl, NULL);
808 			mutex_enter(&ct->ct_lock);
809 		}
810 
811 		/*
812 		 * The last one to leave an orphaned contract turns out
813 		 * the lights.
814 		 */
815 		if (ct->ct_state == CTS_ORPHAN) {
816 			contract_destroy(ct);
817 			return;
818 		}
819 	}
820 	mutex_exit(&ct->ct_lock);
821 	contract_rele(ct);
822 }
823 
824 /*
825  * contract_process_fork
826  *
827  * Called on process fork.  If the current lwp has a active process
828  * contract template, we attempt to create a new process contract.
829  * Failure to create a process contract when required is a failure in
830  * fork so, in such an event, we return NULL.
831  *
832  * Assuming we succeeded or skipped the previous step, we add the child
833  * process to the new contract (success) or to the parent's process
834  * contract (skip).  If requested, we also send a fork event to that
835  * contract.
836  *
837  * Because contract_process_fork() may fail, and because we would
838  * prefer that process contracts not be created for processes which
839  * don't complete forking, this should be the last function called
840  * before the "all clear" point in cfork.
841  */
842 cont_process_t *
843 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
844     int canfail)
845 {
846 	contract_t *ct;
847 	cont_process_t *ctp;
848 	ct_kevent_t *event;
849 	ct_template_t *tmpl;
850 
851 	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
852 	    process_type->ct_type_index]) != NULL)
853 		rtmpl = tmpl->ctmpl_data;
854 
855 	if (rtmpl == NULL)
856 		ctp = curproc->p_ct_process;
857 	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
858 		return (NULL);
859 
860 	ct = &ctp->conp_contract;
861 	/*
862 	 * Prevent contract_process_kill() from missing forked children
863 	 * by failing forks by parents that have just been killed.
864 	 * It's not worth hoisting the ctp test since contract creation
865 	 * is by no means the common case.
866 	 */
867 	mutex_enter(&ct->ct_lock);
868 	mutex_enter(&pp->p_lock);
869 	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
870 	    canfail) {
871 		mutex_exit(&pp->p_lock);
872 		mutex_exit(&ct->ct_lock);
873 		return (NULL);
874 	}
875 	cp->p_ct_process = ctp;
876 	mutex_exit(&pp->p_lock);
877 	contract_hold(ct);
878 	list_insert_head(&ctp->conp_members, cp);
879 	ctp->conp_nmembers++;
880 	mutex_exit(&ct->ct_lock);
881 	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
882 		nvlist_t *nvl;
883 
884 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
885 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
886 		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
887 
888 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
889 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
890 		event->cte_type = CT_PR_EV_FORK;
891 		(void) cte_publish_all(ct, event, nvl, NULL);
892 	}
893 	return (ctp);
894 }
895 
896 /*
897  * contract_process_core
898  *
899  * Called on core file generation attempts.  Generates a core event, if
900  * requested, containing the names of the process, global, and
901  * system-global ("zone") core files.  If dumping core is in the fatal
902  * event set, calls contract_process_kill().
903  */
904 void
905 contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
906     const char *process, const char *global, const char *zone)
907 {
908 	contract_t *ct = &ctp->conp_contract;
909 
910 	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
911 		ct_kevent_t *event;
912 		nvlist_t *nvl, *gnvl = NULL;
913 
914 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
915 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
916 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
917 		if (process)
918 			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
919 			    (char *)process) == 0);
920 		if (global)
921 			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
922 			    (char *)global) == 0);
923 
924 		if (zone) {
925 			/*
926 			 * Only the global zone is informed of the
927 			 * local-zone generated global-zone core.
928 			 */
929 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
930 			    KM_SLEEP) == 0);
931 			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
932 			    (char *)zone) == 0);
933 		}
934 
935 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
936 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
937 		event->cte_type = CT_PR_EV_CORE;
938 		(void) cte_publish_all(ct, event, nvl, gnvl);
939 	}
940 
941 	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
942 		mutex_enter(&ct->ct_lock);
943 		contract_process_kill(ct, p, B_TRUE);
944 		mutex_exit(&ct->ct_lock);
945 	}
946 }
947 
948 /*
949  * contract_process_hwerr
950  *
951  * Called when a process is killed by an unrecoverable hardware error.
952  * Generates an hwerr event, if requested.  If hardware errors are in
953  * the fatal event set, calls contract_process_kill().
954  */
955 void
956 contract_process_hwerr(cont_process_t *ctp, proc_t *p)
957 {
958 	contract_t *ct = &ctp->conp_contract;
959 
960 	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
961 		ct_kevent_t *event;
962 		nvlist_t *nvl;
963 
964 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
965 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
966 
967 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
968 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
969 		event->cte_type = CT_PR_EV_HWERR;
970 		(void) cte_publish_all(ct, event, nvl, NULL);
971 	}
972 
973 	if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
974 		mutex_enter(&ct->ct_lock);
975 		contract_process_kill(ct, p, B_FALSE);
976 		mutex_exit(&ct->ct_lock);
977 	}
978 }
979 
980 /*
981  * contract_process_sig
982  *
983  * Called when a process is killed by a signal originating from a
984  * process outside of its process contract or its process contract's
985  * holder.  Generates an signal event, if requested, containing the
986  * signal number, and the sender's pid and contract id (if available).
987  * If signals are in the fatal event set, calls
988  * contract_process_kill().
989  */
990 void
991 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
992     ctid_t ctid, zoneid_t zoneid)
993 {
994 	contract_t *ct = &ctp->conp_contract;
995 
996 	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
997 		ct_kevent_t *event;
998 		nvlist_t *dest, *nvl, *gnvl = NULL;
999 
1000 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1001 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1002 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1003 
1004 		if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
1005 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1006 			    KM_SLEEP) == 0);
1007 			dest = gnvl;
1008 		} else {
1009 			dest = nvl;
1010 		}
1011 
1012 		if (pid != -1)
1013 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1014 		if (ctid != 0)
1015 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1016 
1017 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1018 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1019 		event->cte_type = CT_PR_EV_SIGNAL;
1020 		(void) cte_publish_all(ct, event, nvl, gnvl);
1021 	}
1022 
1023 	if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1024 		mutex_enter(&ct->ct_lock);
1025 		contract_process_kill(ct, p, B_TRUE);
1026 		mutex_exit(&ct->ct_lock);
1027 	}
1028 }
1029