1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <assert.h> 29 #include <door.h> 30 #include <errno.h> 31 #include <fcntl.h> 32 #include <limits.h> 33 #include <priv.h> 34 #include <procfs.h> 35 #include <pthread.h> 36 #include <signal.h> 37 #include <stdarg.h> 38 #include <stdio.h> 39 #include <stdio_ext.h> 40 #include <stdlib.h> 41 #include <string.h> 42 #include <syslog.h> 43 #include <sys/corectl.h> 44 #include <sys/resource.h> 45 #include <sys/stat.h> 46 #include <sys/wait.h> 47 #include <ucontext.h> 48 #include <unistd.h> 49 50 #include "configd.h" 51 52 /* 53 * This file manages the overall startup and shutdown of configd, as well 54 * as managing its door thread pool and per-thread datastructures. 55 * 56 * 1. Per-thread Datastructures 57 * ----------------------------- 58 * Each configd thread has an associated thread_info_t which contains its 59 * current state. A pointer is kept to this in TSD, keyed by thread_info_key. 60 * The thread_info_ts for all threads in configd are kept on a single global 61 * list, thread_list. After creation, the state in the thread_info structure 62 * is only modified by the associated thread, so no locking is needed. A TSD 63 * destructor removes the thread_info from the global list and frees it at 64 * pthread_exit() time. 65 * 66 * Threads access their per-thread data using thread_self() 67 * 68 * The thread_list is protected by thread_lock, a leaf lock. 69 * 70 * 2. Door Thread Pool Management 71 * ------------------------------ 72 * Whenever door_return(3door) returns from the kernel and there are no 73 * other configd threads waiting for requests, libdoor automatically 74 * invokes a function registered with door_server_create(), to request a new 75 * door server thread. The default function just creates a thread that calls 76 * door_return(3door). Unfortunately, since it can take a while for the new 77 * thread to *get* to door_return(3door), a stream of requests can cause a 78 * large number of threads to be created, even though they aren't all needed. 79 * 80 * In our callback, new_server_needed(), we limit ourself to two new threads 81 * at a time -- this logic is handled in reserve_new_thread(). This keeps 82 * us from creating an absurd number of threads in response to peaking load. 83 */ 84 static pthread_key_t thread_info_key; 85 static pthread_attr_t thread_attr; 86 87 static pthread_mutex_t thread_lock = PTHREAD_MUTEX_INITIALIZER; 88 int num_started; /* number actually running */ 89 int num_servers; /* number in-progress or running */ 90 static uu_list_pool_t *thread_pool; 91 uu_list_t *thread_list; 92 93 static thread_info_t main_thread_info; 94 95 static int finished; 96 97 static pid_t privileged_pid = 0; 98 static int privileged_psinfo_fd = -1; 99 100 static int privileged_user = 0; 101 102 static priv_set_t *privileged_privs; 103 104 static int log_to_syslog = 0; 105 106 int is_main_repository = 1; 107 108 int max_repository_backups = 4; 109 110 #define CONFIGD_MAX_FDS 262144 111 112 /* 113 * Thanks, Mike 114 */ 115 void 116 abort_handler(int sig, siginfo_t *sip, ucontext_t *ucp) 117 { 118 struct sigaction act; 119 120 (void) sigemptyset(&act.sa_mask); 121 act.sa_handler = SIG_DFL; 122 act.sa_flags = 0; 123 (void) sigaction(sig, &act, NULL); 124 125 (void) printstack(2); 126 127 if (sip != NULL && SI_FROMUSER(sip)) 128 (void) pthread_kill(pthread_self(), sig); 129 (void) sigfillset(&ucp->uc_sigmask); 130 (void) sigdelset(&ucp->uc_sigmask, sig); 131 ucp->uc_flags |= UC_SIGMASK; 132 (void) setcontext(ucp); 133 } 134 135 /* 136 * Don't want to have more than a couple thread creates outstanding 137 */ 138 static int 139 reserve_new_thread(void) 140 { 141 (void) pthread_mutex_lock(&thread_lock); 142 assert(num_started >= 0); 143 if (num_servers > num_started + 1) { 144 (void) pthread_mutex_unlock(&thread_lock); 145 return (0); 146 } 147 ++num_servers; 148 (void) pthread_mutex_unlock(&thread_lock); 149 return (1); 150 } 151 152 static void 153 thread_info_free(thread_info_t *ti) 154 { 155 uu_list_node_fini(ti, &ti->ti_node, thread_pool); 156 if (ti->ti_ucred != NULL) 157 uu_free(ti->ti_ucred); 158 uu_free(ti); 159 } 160 161 static void 162 thread_exiting(void *arg) 163 { 164 thread_info_t *ti = arg; 165 166 if (ti != NULL) 167 log_enter(&ti->ti_log); 168 169 (void) pthread_mutex_lock(&thread_lock); 170 if (ti != NULL) { 171 num_started--; 172 uu_list_remove(thread_list, ti); 173 } 174 assert(num_servers > 0); 175 --num_servers; 176 177 if (num_servers == 0) { 178 configd_critical("no door server threads\n"); 179 abort(); 180 } 181 (void) pthread_mutex_unlock(&thread_lock); 182 183 if (ti != NULL && ti != &main_thread_info) 184 thread_info_free(ti); 185 } 186 187 void 188 thread_newstate(thread_info_t *ti, thread_state_t newstate) 189 { 190 ti->ti_ucred_read = 0; /* invalidate cached ucred */ 191 if (newstate != ti->ti_state) { 192 ti->ti_prev_state = ti->ti_state; 193 ti->ti_state = newstate; 194 ti->ti_lastchange = gethrtime(); 195 } 196 } 197 198 thread_info_t * 199 thread_self(void) 200 { 201 return (pthread_getspecific(thread_info_key)); 202 } 203 204 ucred_t * 205 get_ucred(void) 206 { 207 thread_info_t *ti = thread_self(); 208 ucred_t **ret = &ti->ti_ucred; 209 210 if (ti->ti_ucred_read) 211 return (*ret); /* cached value */ 212 213 if (door_ucred(ret) != 0) 214 return (NULL); 215 ti->ti_ucred_read = 1; 216 217 return (*ret); 218 } 219 220 int 221 ucred_is_privileged(ucred_t *uc) 222 { 223 const priv_set_t *ps; 224 225 if ((ps = ucred_getprivset(uc, PRIV_EFFECTIVE)) != NULL) { 226 if (priv_isfullset(ps)) 227 return (1); /* process has all privs */ 228 229 if (privileged_privs != NULL && 230 priv_issubset(privileged_privs, ps)) 231 return (1); /* process has zone privs */ 232 } 233 234 return (0); 235 } 236 237 static void * 238 thread_start(void *arg) 239 { 240 thread_info_t *ti = arg; 241 242 (void) pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); 243 244 (void) pthread_mutex_lock(&thread_lock); 245 num_started++; 246 (void) uu_list_insert_after(thread_list, uu_list_last(thread_list), 247 ti); 248 (void) pthread_mutex_unlock(&thread_lock); 249 (void) pthread_setspecific(thread_info_key, ti); 250 251 thread_newstate(ti, TI_DOOR_RETURN); 252 253 /* 254 * Start handling door calls 255 */ 256 (void) door_return(NULL, 0, NULL, 0); 257 return (arg); 258 } 259 260 static void 261 new_thread_needed(door_info_t *dip) 262 { 263 thread_info_t *ti; 264 265 sigset_t new, old; 266 267 assert(dip == NULL); 268 269 if (!reserve_new_thread()) 270 return; 271 272 if ((ti = uu_zalloc(sizeof (*ti))) == NULL) 273 goto fail; 274 275 uu_list_node_init(ti, &ti->ti_node, thread_pool); 276 ti->ti_state = TI_CREATED; 277 ti->ti_prev_state = TI_CREATED; 278 279 if ((ti->ti_ucred = uu_zalloc(ucred_size())) == NULL) 280 goto fail; 281 282 (void) sigfillset(&new); 283 (void) pthread_sigmask(SIG_SETMASK, &new, &old); 284 if ((errno = pthread_create(&ti->ti_thread, &thread_attr, thread_start, 285 ti)) != 0) { 286 (void) pthread_sigmask(SIG_SETMASK, &old, NULL); 287 goto fail; 288 } 289 290 (void) pthread_sigmask(SIG_SETMASK, &old, NULL); 291 return; 292 293 fail: 294 /* 295 * Since the thread_info structure was never linked onto the 296 * thread list, thread_exiting() can't handle the cleanup. 297 */ 298 thread_exiting(NULL); 299 if (ti != NULL) 300 thread_info_free(ti); 301 } 302 303 int 304 create_connection(ucred_t *uc, repository_door_request_t *rp, 305 size_t rp_size, int *out_fd) 306 { 307 int flags; 308 int privileged = 0; 309 uint32_t debugflags = 0; 310 psinfo_t info; 311 312 if (privileged_pid != 0) { 313 /* 314 * in privileged pid mode, we only allow connections from 315 * our original parent -- the psinfo read verifies that 316 * it is the same process which we started with. 317 */ 318 if (ucred_getpid(uc) != privileged_pid || 319 read(privileged_psinfo_fd, &info, sizeof (info)) != 320 sizeof (info)) 321 return (REPOSITORY_DOOR_FAIL_PERMISSION_DENIED); 322 323 privileged = 1; /* he gets full privileges */ 324 } else if (privileged_user != 0) { 325 /* 326 * in privileged user mode, only one particular user is 327 * allowed to connect to us, and he can do anything. 328 */ 329 if (ucred_geteuid(uc) != privileged_user) 330 return (REPOSITORY_DOOR_FAIL_PERMISSION_DENIED); 331 332 privileged = 1; 333 } 334 335 /* 336 * Check that rp, of size rp_size, is large enough to 337 * contain field 'f'. If so, write the value into *out, and return 1. 338 * Otherwise, return 0. 339 */ 340 #define GET_ARG(rp, rp_size, f, out) \ 341 (((rp_size) >= offsetofend(repository_door_request_t, f)) ? \ 342 ((*(out) = (rp)->f), 1) : 0) 343 344 if (!GET_ARG(rp, rp_size, rdr_flags, &flags)) 345 return (REPOSITORY_DOOR_FAIL_BAD_REQUEST); 346 347 #if (REPOSITORY_DOOR_FLAG_ALL != REPOSITORY_DOOR_FLAG_DEBUG) 348 #error Need to update flag checks 349 #endif 350 351 if (flags & ~REPOSITORY_DOOR_FLAG_ALL) 352 return (REPOSITORY_DOOR_FAIL_BAD_FLAG); 353 354 if (flags & REPOSITORY_DOOR_FLAG_DEBUG) 355 if (!GET_ARG(rp, rp_size, rdr_debug, &debugflags)) 356 return (REPOSITORY_DOOR_FAIL_BAD_REQUEST); 357 #undef GET_ARG 358 359 return (create_client(ucred_getpid(uc), debugflags, privileged, 360 out_fd)); 361 } 362 363 void 364 configd_vcritical(const char *message, va_list args) 365 { 366 if (log_to_syslog) 367 vsyslog(LOG_CRIT, message, args); 368 else { 369 flockfile(stderr); 370 (void) fprintf(stderr, "svc.configd: Fatal error: "); 371 (void) vfprintf(stderr, message, args); 372 if (message[0] == 0 || message[strlen(message) - 1] != '\n') 373 (void) fprintf(stderr, "\n"); 374 funlockfile(stderr); 375 } 376 } 377 378 void 379 configd_critical(const char *message, ...) 380 { 381 va_list args; 382 va_start(args, message); 383 configd_vcritical(message, args); 384 va_end(args); 385 } 386 387 static void 388 usage(const char *prog, int ret) 389 { 390 (void) fprintf(stderr, 391 "usage: %s [-np] [-d door_path] [-r repository_path]\n" 392 " [-t nonpersist_repository]\n", prog); 393 exit(ret); 394 } 395 396 /*ARGSUSED*/ 397 static void 398 handler(int sig, siginfo_t *info, void *data) 399 { 400 finished = 1; 401 } 402 403 static int pipe_fd = -1; 404 405 static int 406 daemonize_start(void) 407 { 408 char data; 409 int status; 410 411 int filedes[2]; 412 pid_t pid; 413 414 (void) close(0); 415 (void) dup2(2, 1); /* stderr only */ 416 417 if (pipe(filedes) < 0) 418 return (-1); 419 420 if ((pid = fork1()) < 0) 421 return (-1); 422 423 if (pid != 0) { 424 /* 425 * parent 426 */ 427 struct sigaction act; 428 429 act.sa_sigaction = SIG_DFL; 430 (void) sigemptyset(&act.sa_mask); 431 act.sa_flags = 0; 432 433 (void) sigaction(SIGPIPE, &act, NULL); /* ignore SIGPIPE */ 434 435 (void) close(filedes[1]); 436 if (read(filedes[0], &data, 1) == 1) { 437 /* presume success */ 438 _exit(CONFIGD_EXIT_OKAY); 439 } 440 441 status = -1; 442 (void) wait4(pid, &status, 0, NULL); 443 if (WIFEXITED(status)) 444 _exit(WEXITSTATUS(status)); 445 else 446 _exit(-1); 447 } 448 449 /* 450 * child 451 */ 452 pipe_fd = filedes[1]; 453 (void) close(filedes[0]); 454 455 /* 456 * generic Unix setup 457 */ 458 (void) setsid(); 459 (void) umask(0077); 460 461 return (0); 462 } 463 464 static void 465 daemonize_ready(void) 466 { 467 char data = '\0'; 468 469 /* 470 * wake the parent 471 */ 472 (void) write(pipe_fd, &data, 1); 473 (void) close(pipe_fd); 474 } 475 476 const char * 477 regularize_path(const char *dir, const char *base, char *tmpbuf) 478 { 479 if (base == NULL) 480 return (NULL); 481 if (base[0] == '/') 482 return (base); 483 484 if (snprintf(tmpbuf, PATH_MAX, "%s/%s", dir, base) >= PATH_MAX) { 485 (void) fprintf(stderr, "svc.configd: %s/%s: path too long\n", 486 dir, base); 487 exit(CONFIGD_EXIT_BAD_ARGS); 488 } 489 490 return (tmpbuf); 491 } 492 493 int 494 main(int argc, char *argv[]) 495 { 496 thread_info_t *ti = &main_thread_info; 497 498 char pidpath[sizeof ("/proc/" "/psinfo") + 10]; 499 500 struct rlimit fd_new; 501 502 const char *endptr; 503 sigset_t myset; 504 int c; 505 int ret; 506 int fd; 507 508 char curdir[PATH_MAX]; 509 char dbtmp[PATH_MAX]; 510 char npdbtmp[PATH_MAX]; 511 char doortmp[PATH_MAX]; 512 513 const char *dbpath = NULL; 514 const char *npdbpath = NULL; 515 const char *doorpath = REPOSITORY_DOOR_NAME; 516 struct sigaction act; 517 518 int daemonize = 1; /* default to daemonizing */ 519 int have_npdb = 1; 520 521 closefrom(3); /* get rid of extraneous fds */ 522 523 if (getcwd(curdir, sizeof (curdir)) == NULL) { 524 (void) fprintf(stderr, 525 "%s: unable to get current directory: %s\n", 526 argv[0], strerror(errno)); 527 exit(CONFIGD_EXIT_INIT_FAILED); 528 } 529 530 while ((c = getopt(argc, argv, "Dnpd:r:t:")) != -1) { 531 switch (c) { 532 case 'n': 533 daemonize = 0; 534 break; 535 case 'd': 536 doorpath = regularize_path(curdir, optarg, doortmp); 537 is_main_repository = 0; 538 have_npdb = 0; /* default to no non-persist */ 539 break; 540 case 'p': 541 log_to_syslog = 0; /* don't use syslog */ 542 is_main_repository = 0; 543 544 /* 545 * If our parent exits while we're opening its /proc 546 * psinfo, we're vulnerable to a pid wrapping. To 547 * protect against that, re-check our ppid after 548 * opening it. 549 */ 550 privileged_pid = getppid(); 551 (void) snprintf(pidpath, sizeof (pidpath), 552 "/proc/%d/psinfo", privileged_pid); 553 if ((fd = open(pidpath, O_RDONLY)) < 0 || 554 getppid() != privileged_pid) { 555 (void) fprintf(stderr, 556 "%s: unable to get parent info\n", argv[0]); 557 exit(CONFIGD_EXIT_BAD_ARGS); 558 } 559 privileged_psinfo_fd = fd; 560 break; 561 case 'r': 562 dbpath = regularize_path(curdir, optarg, dbtmp); 563 is_main_repository = 0; 564 break; 565 case 't': 566 npdbpath = regularize_path(curdir, optarg, npdbtmp); 567 is_main_repository = 0; 568 break; 569 default: 570 usage(argv[0], CONFIGD_EXIT_BAD_ARGS); 571 break; 572 } 573 } 574 575 /* 576 * If we're not running as root, allow our euid full access, and 577 * everyone else no access. 578 */ 579 if (privileged_pid == 0 && geteuid() != 0) { 580 privileged_user = geteuid(); 581 } 582 583 privileged_privs = priv_str_to_set("zone", "", &endptr); 584 if (endptr != NULL && privileged_privs != NULL) { 585 priv_freeset(privileged_privs); 586 privileged_privs = NULL; 587 } 588 589 openlog("svc.configd", LOG_PID | LOG_CONS, LOG_DAEMON); 590 (void) setlogmask(LOG_UPTO(LOG_NOTICE)); 591 592 /* 593 * if a non-persist db is specified, always enable it 594 */ 595 if (npdbpath) 596 have_npdb = 1; 597 598 if (optind != argc) 599 usage(argv[0], CONFIGD_EXIT_BAD_ARGS); 600 601 if (daemonize) { 602 if (getuid() == 0) 603 (void) chdir("/"); 604 if (daemonize_start() < 0) { 605 (void) perror("unable to daemonize"); 606 exit(CONFIGD_EXIT_INIT_FAILED); 607 } 608 } 609 if (getuid() == 0) 610 (void) core_set_process_path(CONFIGD_CORE, 611 strlen(CONFIGD_CORE) + 1, getpid()); 612 613 /* 614 * this should be enabled once we can drop privileges and still get 615 * a core dump. 616 */ 617 #if 0 618 /* turn off basic privileges we do not need */ 619 (void) priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_FILE_LINK_ANY, 620 PRIV_PROC_EXEC, PRIV_PROC_FORK, PRIV_PROC_SESSION, NULL); 621 #endif 622 623 /* not that we can exec, but to be safe, shut them all off... */ 624 (void) priv_set(PRIV_SET, PRIV_INHERITABLE, NULL); 625 626 (void) sigfillset(&act.sa_mask); 627 628 /* signals to ignore */ 629 act.sa_sigaction = SIG_IGN; 630 act.sa_flags = 0; 631 (void) sigaction(SIGPIPE, &act, NULL); 632 (void) sigaction(SIGALRM, &act, NULL); 633 (void) sigaction(SIGUSR1, &act, NULL); 634 (void) sigaction(SIGUSR2, &act, NULL); 635 (void) sigaction(SIGPOLL, &act, NULL); 636 637 /* signals to abort on */ 638 act.sa_sigaction = (void (*)(int, siginfo_t *, void *))&abort_handler; 639 act.sa_flags = SA_SIGINFO; 640 641 (void) sigaction(SIGABRT, &act, NULL); 642 643 /* signals to handle */ 644 act.sa_sigaction = &handler; 645 act.sa_flags = SA_SIGINFO; 646 647 (void) sigaction(SIGHUP, &act, NULL); 648 (void) sigaction(SIGINT, &act, NULL); 649 (void) sigaction(SIGTERM, &act, NULL); 650 651 (void) sigemptyset(&myset); 652 (void) sigaddset(&myset, SIGHUP); 653 (void) sigaddset(&myset, SIGINT); 654 (void) sigaddset(&myset, SIGTERM); 655 656 if ((errno = pthread_attr_init(&thread_attr)) != 0) { 657 (void) perror("initializing"); 658 exit(CONFIGD_EXIT_INIT_FAILED); 659 } 660 661 /* 662 * Set the hard and soft limits to CONFIGD_MAX_FDS. 663 */ 664 fd_new.rlim_max = fd_new.rlim_cur = CONFIGD_MAX_FDS; 665 (void) setrlimit(RLIMIT_NOFILE, &fd_new); 666 667 #ifndef NATIVE_BUILD /* Allow building on snv_38 and earlier; remove later. */ 668 (void) enable_extended_FILE_stdio(-1, -1); 669 #endif 670 671 if ((ret = backend_init(dbpath, npdbpath, have_npdb)) != 672 CONFIGD_EXIT_OKAY) 673 exit(ret); 674 675 if (!client_init()) 676 exit(CONFIGD_EXIT_INIT_FAILED); 677 678 if (!rc_node_init()) 679 exit(CONFIGD_EXIT_INIT_FAILED); 680 681 (void) pthread_attr_setdetachstate(&thread_attr, 682 PTHREAD_CREATE_DETACHED); 683 (void) pthread_attr_setscope(&thread_attr, PTHREAD_SCOPE_SYSTEM); 684 685 if ((errno = pthread_key_create(&thread_info_key, 686 thread_exiting)) != 0) { 687 perror("pthread_key_create"); 688 exit(CONFIGD_EXIT_INIT_FAILED); 689 } 690 691 if ((thread_pool = uu_list_pool_create("thread_pool", 692 sizeof (thread_info_t), offsetof(thread_info_t, ti_node), 693 NULL, UU_LIST_POOL_DEBUG)) == NULL) { 694 configd_critical("uu_list_pool_create: %s\n", 695 uu_strerror(uu_error())); 696 exit(CONFIGD_EXIT_INIT_FAILED); 697 } 698 699 if ((thread_list = uu_list_create(thread_pool, NULL, 0)) == NULL) { 700 configd_critical("uu_list_create: %s\n", 701 uu_strerror(uu_error())); 702 exit(CONFIGD_EXIT_INIT_FAILED); 703 } 704 705 (void) memset(ti, '\0', sizeof (*ti)); 706 uu_list_node_init(ti, &ti->ti_node, thread_pool); 707 (void) uu_list_insert_before(thread_list, uu_list_first(thread_list), 708 ti); 709 710 ti->ti_thread = pthread_self(); 711 ti->ti_state = TI_SIGNAL_WAIT; 712 ti->ti_prev_state = TI_SIGNAL_WAIT; 713 714 (void) pthread_setspecific(thread_info_key, ti); 715 716 (void) door_server_create(new_thread_needed); 717 718 if (!setup_main_door(doorpath)) { 719 configd_critical("Setting up main door failed.\n"); 720 exit(CONFIGD_EXIT_DOOR_INIT_FAILED); 721 } 722 723 if (daemonize) 724 daemonize_ready(); 725 726 (void) pthread_sigmask(SIG_BLOCK, &myset, NULL); 727 while (!finished) { 728 int sig = sigwait(&myset); 729 if (sig > 0) { 730 break; 731 } 732 } 733 734 backend_fini(); 735 736 return (CONFIGD_EXIT_OKAY); 737 } 738