1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 27 #include <sys/stat.h> 28 #include <sys/types.h> 29 30 #include <assert.h> 31 #include <ctype.h> 32 #include <errno.h> 33 #include <fcntl.h> 34 #include <libintl.h> 35 #include <libscf.h> 36 #include <libuutil.h> 37 #include <limits.h> 38 #include <md5.h> 39 #include <pthread.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <strings.h> 44 #include <unistd.h> 45 46 #include <manifest_hash.h> 47 48 /* 49 * Translate a file name to property name. Return an allocated string or NULL 50 * if realpath() fails. If deathrow is true, realpath() is skipped. This 51 * allows to return the property name even if the file doesn't exist. 52 */ 53 char * 54 mhash_filename_to_propname(const char *in, boolean_t deathrow) 55 { 56 char *out, *cp, *base; 57 size_t len, piece_len; 58 59 out = uu_zalloc(PATH_MAX + 1); 60 if (deathrow) { 61 /* used only for service deathrow handling */ 62 if (strlcpy(out, in, PATH_MAX + 1) >= (PATH_MAX + 1)) { 63 uu_free(out); 64 return (NULL); 65 } 66 } else { 67 if (realpath(in, out) == NULL) { 68 uu_free(out); 69 return (NULL); 70 } 71 } 72 73 base = getenv("PKG_INSTALL_ROOT"); 74 75 /* 76 * We copy-shift over the basedir and the leading slash, since it's 77 * not relevant to when we boot with this repository. 78 */ 79 80 cp = out + ((base != NULL)? strlen(base) : 0); 81 if (*cp == '/') 82 cp++; 83 (void) memmove(out, cp, strlen(cp) + 1); 84 85 len = strlen(out); 86 if (len > scf_limit(SCF_LIMIT_MAX_NAME_LENGTH)) { 87 /* Use the first half and the second half. */ 88 piece_len = (scf_limit(SCF_LIMIT_MAX_NAME_LENGTH) - 3) / 2; 89 90 (void) strncpy(out + piece_len, "__", 2); 91 92 (void) memmove(out + piece_len + 2, out + (len - piece_len), 93 piece_len + 1); 94 } 95 96 /* 97 * Translate non-property characters to '_', first making sure that 98 * we don't begin with '_'. 99 */ 100 101 if (!isalpha(*out)) 102 *out = 'A'; 103 104 for (cp = out + 1; *cp != '\0'; ++cp) { 105 if (!(isalnum(*cp) || *cp == '_' || *cp == '-')) 106 *cp = '_'; 107 } 108 109 return (out); 110 } 111 112 int 113 mhash_retrieve_entry(scf_handle_t *hndl, const char *name, uchar_t *hash) 114 { 115 scf_scope_t *scope; 116 scf_service_t *svc; 117 scf_propertygroup_t *pg; 118 scf_property_t *prop; 119 scf_value_t *val; 120 ssize_t szret; 121 int result = 0; 122 123 /* 124 * In this implementation the hash for name is the opaque value of 125 * svc:/MHASH_SVC/:properties/name/MHASH_PROP 126 */ 127 128 if ((scope = scf_scope_create(hndl)) == NULL || 129 (svc = scf_service_create(hndl)) == NULL || 130 (pg = scf_pg_create(hndl)) == NULL || 131 (prop = scf_property_create(hndl)) == NULL || 132 (val = scf_value_create(hndl)) == NULL) { 133 result = -1; 134 goto out; 135 } 136 137 if (scf_handle_get_local_scope(hndl, scope) < 0) { 138 result = -1; 139 goto out; 140 } 141 142 if (scf_scope_get_service(scope, MHASH_SVC, svc) < 0) { 143 result = -1; 144 goto out; 145 } 146 147 if (scf_service_get_pg(svc, name, pg) != SCF_SUCCESS) { 148 result = -1; 149 goto out; 150 } 151 152 if (scf_pg_get_property(pg, MHASH_PROP, prop) != SCF_SUCCESS) { 153 result = -1; 154 goto out; 155 } 156 157 if (scf_property_get_value(prop, val) != SCF_SUCCESS) { 158 result = -1; 159 goto out; 160 } 161 162 szret = scf_value_get_opaque(val, hash, MHASH_SIZE); 163 if (szret < 0) { 164 result = -1; 165 goto out; 166 } 167 168 /* 169 * Make sure that the old hash is returned with 170 * remainder of the bytes zeroed. 171 */ 172 if (szret == MHASH_SIZE_OLD) { 173 (void) memset(hash + MHASH_SIZE_OLD, 0, 174 MHASH_SIZE - MHASH_SIZE_OLD); 175 } else if (szret != MHASH_SIZE) { 176 scf_value_destroy(val); 177 result = -1; 178 goto out; 179 } 180 181 out: 182 (void) scf_value_destroy(val); 183 scf_property_destroy(prop); 184 scf_pg_destroy(pg); 185 scf_service_destroy(svc); 186 scf_scope_destroy(scope); 187 188 return (result); 189 } 190 191 int 192 mhash_store_entry(scf_handle_t *hndl, const char *name, uchar_t *hash, 193 char **errstr) 194 { 195 scf_scope_t *scope = NULL; 196 scf_service_t *svc = NULL; 197 scf_propertygroup_t *pg = NULL; 198 scf_property_t *prop = NULL; 199 scf_value_t *val = NULL; 200 scf_transaction_t *tx = NULL; 201 scf_transaction_entry_t *e = NULL; 202 int ret, result = 0; 203 204 int i; 205 206 if ((scope = scf_scope_create(hndl)) == NULL || 207 (svc = scf_service_create(hndl)) == NULL || 208 (pg = scf_pg_create(hndl)) == NULL || 209 (prop = scf_property_create(hndl)) == NULL) { 210 if (errstr != NULL) 211 *errstr = gettext("Could not create scf objects"); 212 result = -1; 213 goto out; 214 } 215 216 if (scf_handle_get_local_scope(hndl, scope) != SCF_SUCCESS) { 217 if (errstr != NULL) 218 *errstr = gettext("Could not get local scope"); 219 result = -1; 220 goto out; 221 } 222 223 for (i = 0; i < 5; ++i) { 224 scf_error_t err; 225 226 if (scf_scope_get_service(scope, MHASH_SVC, svc) == 227 SCF_SUCCESS) 228 break; 229 230 if (scf_error() != SCF_ERROR_NOT_FOUND) { 231 if (errstr != NULL) 232 *errstr = gettext("Could not get manifest hash " 233 "service"); 234 result = -1; 235 goto out; 236 } 237 238 if (scf_scope_add_service(scope, MHASH_SVC, svc) == 239 SCF_SUCCESS) 240 break; 241 242 err = scf_error(); 243 244 if (err == SCF_ERROR_EXISTS) 245 /* Try again. */ 246 continue; 247 else if (err == SCF_ERROR_PERMISSION_DENIED) { 248 if (errstr != NULL) 249 *errstr = gettext("Could not store file hash: " 250 "permission denied.\n"); 251 result = -1; 252 goto out; 253 } 254 255 if (errstr != NULL) 256 *errstr = gettext("Could not add manifest hash " 257 "service"); 258 result = -1; 259 goto out; 260 } 261 262 if (i == 5) { 263 if (errstr != NULL) 264 *errstr = gettext("Could not store file hash: " 265 "service addition contention.\n"); 266 result = -1; 267 goto out; 268 } 269 270 for (i = 0; i < 5; ++i) { 271 scf_error_t err; 272 273 if (scf_service_get_pg(svc, name, pg) == SCF_SUCCESS) 274 break; 275 276 if (scf_error() != SCF_ERROR_NOT_FOUND) { 277 if (errstr != NULL) 278 *errstr = gettext("Could not get service's " 279 "hash record)"); 280 result = -1; 281 goto out; 282 } 283 284 if (scf_service_add_pg(svc, name, MHASH_PG_TYPE, 285 MHASH_PG_FLAGS, pg) == SCF_SUCCESS) 286 break; 287 288 err = scf_error(); 289 290 if (err == SCF_ERROR_EXISTS) 291 /* Try again. */ 292 continue; 293 else if (err == SCF_ERROR_PERMISSION_DENIED) { 294 if (errstr != NULL) 295 *errstr = gettext("Could not store file hash: " 296 "permission denied.\n"); 297 result = -1; 298 goto out; 299 } 300 301 if (errstr != NULL) 302 *errstr = gettext("Could not store file hash"); 303 result = -1; 304 goto out; 305 } 306 if (i == 5) { 307 if (errstr != NULL) 308 *errstr = gettext("Could not store file hash: " 309 "property group addition contention.\n"); 310 result = -1; 311 goto out; 312 } 313 314 if ((e = scf_entry_create(hndl)) == NULL || 315 (val = scf_value_create(hndl)) == NULL) { 316 if (errstr != NULL) 317 *errstr = gettext("Could not store file hash: " 318 "permission denied.\n"); 319 result = -1; 320 goto out; 321 } 322 323 ret = scf_value_set_opaque(val, hash, MHASH_SIZE); 324 assert(ret == SCF_SUCCESS); 325 326 tx = scf_transaction_create(hndl); 327 if (tx == NULL) { 328 if (errstr != NULL) 329 *errstr = gettext("Could not create transaction"); 330 result = -1; 331 goto out; 332 } 333 334 do { 335 if (scf_pg_update(pg) == -1) { 336 if (errstr != NULL) 337 *errstr = gettext("Could not update hash " 338 "entry"); 339 result = -1; 340 goto out; 341 } 342 if (scf_transaction_start(tx, pg) != SCF_SUCCESS) { 343 if (scf_error() != SCF_ERROR_PERMISSION_DENIED) { 344 if (errstr != NULL) 345 *errstr = gettext("Could not start " 346 "hash transaction.\n"); 347 result = -1; 348 goto out; 349 } 350 351 if (errstr != NULL) 352 *errstr = gettext("Could not store file hash: " 353 "permission denied.\n"); 354 result = -1; 355 356 scf_transaction_destroy(tx); 357 (void) scf_entry_destroy(e); 358 goto out; 359 } 360 361 if (scf_transaction_property_new(tx, e, MHASH_PROP, 362 SCF_TYPE_OPAQUE) != SCF_SUCCESS && 363 scf_transaction_property_change_type(tx, e, MHASH_PROP, 364 SCF_TYPE_OPAQUE) != SCF_SUCCESS) { 365 if (errstr != NULL) 366 *errstr = gettext("Could not modify hash " 367 "entry"); 368 result = -1; 369 goto out; 370 } 371 372 ret = scf_entry_add_value(e, val); 373 assert(ret == SCF_SUCCESS); 374 375 ret = scf_transaction_commit(tx); 376 377 if (ret == 0) 378 scf_transaction_reset(tx); 379 } while (ret == 0); 380 381 if (ret < 0) { 382 if (scf_error() != SCF_ERROR_PERMISSION_DENIED) { 383 if (errstr != NULL) 384 *errstr = gettext("Could not store file hash: " 385 "permission denied.\n"); 386 result = -1; 387 goto out; 388 } 389 390 if (errstr != NULL) 391 *errstr = gettext("Could not commit transaction"); 392 result = -1; 393 } 394 395 scf_transaction_destroy(tx); 396 (void) scf_entry_destroy(e); 397 398 out: 399 (void) scf_value_destroy(val); 400 scf_property_destroy(prop); 401 scf_pg_destroy(pg); 402 scf_service_destroy(svc); 403 scf_scope_destroy(scope); 404 405 return (result); 406 } 407 408 /* 409 * Generate the md5 hash of a file; manifest files are smallish 410 * so we can read them in one gulp. 411 */ 412 static int 413 md5_hash_file(const char *file, off64_t sz, uchar_t *hash) 414 { 415 char *buf; 416 int fd; 417 ssize_t res; 418 int ret; 419 420 fd = open(file, O_RDONLY); 421 if (fd < 0) 422 return (-1); 423 424 buf = malloc(sz); 425 if (buf == NULL) { 426 (void) close(fd); 427 return (-1); 428 } 429 430 res = read(fd, buf, (size_t)sz); 431 432 (void) close(fd); 433 434 if (res == sz) { 435 ret = 0; 436 md5_calc(hash, (uchar_t *)buf, (unsigned int) sz); 437 } else { 438 ret = -1; 439 } 440 441 free(buf); 442 return (ret); 443 } 444 445 /* 446 * int mhash_test_file(scf_handle_t *, const char *, uint_t, char **, uchar_t *) 447 * Test the given filename against the hashed metadata in the repository. 448 * The behaviours for import and apply are slightly different. For imports, 449 * if the hash value is absent or different, then the import operation 450 * continues. For profile application, the operation continues only if the 451 * hash value for the file is absent. 452 * 453 * We keep two hashes: one which can be quickly test: the metadata hash, 454 * and one which is more expensive to test: the file contents hash. 455 * 456 * If either hash matches, the file does not need to be re-read. 457 * If only one of the hashes matches, a side effect of this function 458 * is to store the newly computed hash. 459 * If neither hash matches, the hash computed for the new file is returned 460 * and not stored. 461 * 462 * Return values: 463 * MHASH_NEWFILE - the file no longer matches the hash or no hash existed 464 * ONLY in this case we return the new file's hash. 465 * MHASH_FAILURE - an internal error occurred, or the file was not found. 466 * MHASH_RECONCILED- based on the metadata/file hash, the file does 467 * not need to be re-read; if necessary, 468 * the hash was upgraded or reconciled. 469 * 470 * NOTE: no hash is returned UNLESS MHASH_NEWFILE is returned. 471 */ 472 int 473 mhash_test_file(scf_handle_t *hndl, const char *file, uint_t is_profile, 474 char **pnamep, uchar_t *hashbuf) 475 { 476 boolean_t do_hash; 477 struct stat64 st; 478 char *cp; 479 char *data; 480 uchar_t stored_hash[MHASH_SIZE]; 481 uchar_t hash[MHASH_SIZE]; 482 char *pname; 483 int ret; 484 int hashash; 485 int metahashok = 0; 486 487 /* 488 * In the case where we are doing automated imports, we reduce the UID, 489 * the GID, the size, and the mtime into a string (to eliminate 490 * endianness) which we then make opaque as a single MD5 digest. 491 * 492 * The previous hash was composed of the inode number, the UID, the file 493 * size, and the mtime. This formulation was found to be insufficiently 494 * portable for use in highly replicated deployments. The current 495 * algorithm will allow matches of this "v1" hash, but always returns 496 * the effective "v2" hash, such that updates result in the more 497 * portable hash being used. 498 * 499 * An unwanted side effect of a hash based solely on the file 500 * meta data is the fact that we pay no attention to the contents 501 * which may remain the same despite meta data changes. This happens 502 * with (live) upgrades. We extend the V2 hash with an additional 503 * digest of the file contents and the code retrieving the hash 504 * from the repository zero fills the remainder so we can detect 505 * it is missing. 506 * 507 * If the the V2 digest matches, we check for the presence of 508 * the contents digest and compute and store it if missing. 509 * 510 * If the V2 digest doesn't match but we also have a non-zero 511 * file hash, we match the file content digest. If it matches, 512 * we compute and store the new complete hash so that later 513 * checks will find the meta data digest correct. 514 * 515 * If the above matches fail and the V1 hash doesn't match either, 516 * we consider the test to have failed, implying that some aspect 517 * of the manifest has changed. 518 */ 519 520 cp = getenv("SVCCFG_CHECKHASH"); 521 do_hash = (cp != NULL && *cp != '\0'); 522 if (!do_hash) { 523 if (pnamep != NULL) 524 *pnamep = NULL; 525 return (MHASH_NEWFILE); 526 } 527 528 pname = mhash_filename_to_propname(file, B_FALSE); 529 if (pname == NULL) 530 return (MHASH_FAILURE); 531 532 hashash = mhash_retrieve_entry(hndl, pname, stored_hash) == 0; 533 534 /* Never reread a profile. */ 535 if (hashash && is_profile) { 536 uu_free(pname); 537 return (MHASH_RECONCILED); 538 } 539 540 /* 541 * No hash and not interested in one, then don't bother computing it. 542 * We also skip returning the property name in that case. 543 */ 544 if (!hashash && hashbuf == NULL) { 545 uu_free(pname); 546 return (MHASH_NEWFILE); 547 } 548 549 do { 550 ret = stat64(file, &st); 551 } while (ret < 0 && errno == EINTR); 552 if (ret < 0) { 553 uu_free(pname); 554 return (MHASH_FAILURE); 555 } 556 557 data = uu_msprintf(MHASH_FORMAT_V2, st.st_uid, st.st_gid, 558 st.st_size, st.st_mtime); 559 if (data == NULL) { 560 uu_free(pname); 561 return (MHASH_FAILURE); 562 } 563 564 (void) memset(hash, 0, MHASH_SIZE); 565 md5_calc(hash, (uchar_t *)data, strlen(data)); 566 567 uu_free(data); 568 569 /* 570 * Verify the meta data hash. 571 */ 572 if (hashash && memcmp(hash, stored_hash, MD5_DIGEST_LENGTH) == 0) { 573 int i; 574 575 metahashok = 1; 576 /* 577 * The metadata hash matches; now we see if there was a 578 * content hash; if not, we will continue on and compute and 579 * store the updated hash. 580 * If there was no content hash, mhash_retrieve_entry() 581 * will have zero filled it. 582 */ 583 for (i = 0; i < MD5_DIGEST_LENGTH; i++) { 584 if (stored_hash[MD5_DIGEST_LENGTH+i] != 0) { 585 uu_free(pname); 586 return (MHASH_RECONCILED); 587 } 588 } 589 } 590 591 /* 592 * Compute the file hash as we can no longer avoid having to know it. 593 * Note: from this point on "hash" contains the full, current, hash. 594 */ 595 if (md5_hash_file(file, st.st_size, &hash[MHASH_SIZE_OLD]) != 0) { 596 uu_free(pname); 597 return (MHASH_FAILURE); 598 } 599 if (hashash) { 600 uchar_t hash_v1[MHASH_SIZE_OLD]; 601 602 if (metahashok || 603 memcmp(&hash[MHASH_SIZE_OLD], &stored_hash[MHASH_SIZE_OLD], 604 MD5_DIGEST_LENGTH) == 0) { 605 606 /* 607 * Reconcile entry: we get here when either the 608 * meta data hash matches or the content hash matches; 609 * we then update the database with the complete 610 * new hash so we can be a bit quicker next time. 611 */ 612 (void) mhash_store_entry(hndl, pname, hash, NULL); 613 uu_free(pname); 614 return (MHASH_RECONCILED); 615 } 616 617 /* 618 * No match on V2 hash or file content; compare V1 hash. 619 */ 620 data = uu_msprintf(MHASH_FORMAT_V1, st.st_ino, st.st_uid, 621 st.st_size, st.st_mtime); 622 if (data == NULL) { 623 uu_free(pname); 624 return (MHASH_FAILURE); 625 } 626 627 md5_calc(hash_v1, (uchar_t *)data, strlen(data)); 628 629 uu_free(data); 630 631 if (memcmp(hash_v1, stored_hash, MD5_DIGEST_LENGTH) == 0) { 632 /* 633 * Update the new entry so we don't have to go through 634 * all this trouble next time. 635 */ 636 (void) mhash_store_entry(hndl, pname, hash, NULL); 637 uu_free(pname); 638 return (MHASH_RECONCILED); 639 } 640 } 641 642 if (pnamep != NULL) 643 *pnamep = pname; 644 else 645 uu_free(pname); 646 647 if (hashbuf != NULL) 648 (void) memcpy(hashbuf, hash, MHASH_SIZE); 649 650 return (MHASH_NEWFILE); 651 } 652