1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/mutex.h> 29 #include <sys/debug.h> 30 #include <sys/types.h> 31 #include <sys/param.h> 32 #include <sys/kmem.h> 33 #include <sys/thread.h> 34 #include <sys/id_space.h> 35 #include <sys/avl.h> 36 #include <sys/list.h> 37 #include <sys/sysmacros.h> 38 #include <sys/proc.h> 39 #include <sys/contract.h> 40 #include <sys/contract_impl.h> 41 #include <sys/contract/process.h> 42 #include <sys/contract/process_impl.h> 43 #include <sys/cmn_err.h> 44 #include <sys/nvpair.h> 45 #include <sys/policy.h> 46 47 /* 48 * Process Contracts 49 * ----------------- 50 * 51 * Generally speaking, a process contract is a contract between a 52 * process and a set of its descendent processes. In some cases, when 53 * the child processes outlive the author of the contract, the contract 54 * may be held by (and therefore be between the child processes and) a 55 * successor process which adopts the contract after the death of the 56 * original author. 57 * 58 * The process contract adds two new concepts to the Solaris process 59 * model. The first is that a process contract forms a rigid fault 60 * boundary around a set of processes. Hardware, software, and even 61 * administrator errors impacting a process in a process contract 62 * generate specific events and can be requested to atomically shutdown 63 * all processes in the contract. The second is that a process 64 * contract is a process collective whose leader is not a member of the 65 * collective. This means that the leader can reliably react to events 66 * in the collective, and may also act upon the collective without 67 * special casing itself. 68 * 69 * A composite outcome of these two concepts is that we can now create 70 * a tree of process contracts, rooted at init(1M), which represent 71 * services and subservices that are reliably observed and can be 72 * restarted when fatal errors occur. The service management framework 73 * (SMF) realizes this structure. 74 * 75 * For more details, see the "restart agreements" case, PSARC 2003/193. 76 * 77 * There are four sets of routines in this file: the process contract 78 * standard template operations, the process contract standard contract 79 * operations, a couple routines used only by the contract subsystem to 80 * handle process contracts' unique role as a temporary holder of 81 * abandoned contracts, and the interfaces which allow the system to 82 * create and act upon process contracts. The first two are defined by 83 * the contracts framework and won't be discussed further. As for the 84 * remaining two: 85 * 86 * Special framework interfaces 87 * ---------------------------- 88 * 89 * contract_process_accept - determines if a process contract is a 90 * regent, i.e. if it can inherit other contracts. 91 * 92 * contract_process_take - tells a regent process contract to inherit 93 * an abandoned contract 94 * 95 * contract_process_adopt - tells a regent process contract that a 96 * contract it has inherited is being adopted by a process. 97 * 98 * Process contract interfaces 99 * --------------------------- 100 * 101 * contract_process_fork - called when a process is created; adds the 102 * new process to an existing contract or to a newly created one. 103 * 104 * contract_process_exit - called when a process exits 105 * 106 * contract_process_core - called when a process would have dumped core 107 * (even if a core file wasn't generated) 108 * 109 * contract_process_hwerr - called when a process was killed because of 110 * an uncorrectable hardware error 111 * 112 * contract_process_sig - called when a process was killed by a fatal 113 * signal sent by a process in another process contract 114 * 115 */ 116 117 ct_type_t *process_type; 118 ctmpl_process_t *sys_process_tmpl; 119 120 /* 121 * Macro predicates for determining when events should be sent and how. 122 */ 123 #define EVSENDP(ctp, flag) \ 124 ((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag) 125 126 #define EVINFOP(ctp, flag) \ 127 ((ctp->conp_contract.ct_ev_crit & flag) == 0) 128 129 #define EVFATALP(ctp, flag) \ 130 (ctp->conp_ev_fatal & flag) 131 132 133 /* 134 * Process contract template implementation 135 */ 136 137 /* 138 * ctmpl_process_dup 139 * 140 * The process contract template dup entry point. Other than the 141 * to-be-subsumed contract, which must be held, this simply copies all 142 * the fields of the original. 143 */ 144 static struct ct_template * 145 ctmpl_process_dup(struct ct_template *template) 146 { 147 ctmpl_process_t *new; 148 ctmpl_process_t *old = template->ctmpl_data; 149 150 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 151 152 ctmpl_copy(&new->ctp_ctmpl, template); 153 new->ctp_ctmpl.ctmpl_data = new; 154 155 new->ctp_subsume = old->ctp_subsume; 156 if (new->ctp_subsume) 157 contract_hold(new->ctp_subsume); 158 new->ctp_params = old->ctp_params; 159 new->ctp_ev_fatal = old->ctp_ev_fatal; 160 161 return (&new->ctp_ctmpl); 162 } 163 164 /* 165 * ctmpl_process_dup 166 * 167 * The process contract template free entry point. Just releases a 168 * to-be-subsumed contract and frees the template. 169 */ 170 static void 171 ctmpl_process_free(struct ct_template *template) 172 { 173 ctmpl_process_t *ctp = template->ctmpl_data; 174 175 if (ctp->ctp_subsume) 176 contract_rele(ctp->ctp_subsume); 177 kmem_free(template, sizeof (ctmpl_process_t)); 178 } 179 180 /* 181 * SAFE_EV is the set of events which a non-privileged process is 182 * allowed to make critical but not fatal or if the PGRPONLY parameter 183 * is set. EXCESS tells us if "value", a critical event set, requires 184 * additional privilege given the template "ctp". 185 */ 186 #define SAFE_EV (CT_PR_EV_EMPTY) 187 #define EXCESS(ctp, value) \ 188 (((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \ 189 (((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY))) 190 191 /* 192 * ctmpl_process_set 193 * 194 * The process contract template set entry point. None of the terms 195 * may be unconditionally set, and setting the parameters or fatal 196 * event set may result in events being implicitly removed from to the 197 * critical event set and added to the informative event set. The 198 * (admittedly subtle) reason we implicitly change the critical event 199 * set when the parameter or fatal event set is modified but not the 200 * other way around is because a change to the critical event set only 201 * affects the contract's owner, whereas a change to the parameter set 202 * and fatal set can affect the execution of the application running in 203 * the contract (and should therefore be only made explicitly). We 204 * allow implicit changes at all so that setting contract terms doesn't 205 * become a complex dance dependent on the template's initial state and 206 * the desired terms. 207 */ 208 static int 209 ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr) 210 { 211 ctmpl_process_t *ctp = tmpl->ctmpl_data; 212 contract_t *ct; 213 int error; 214 215 /* 216 * No process contract parameters are > 32 bits. 217 */ 218 if (param->ctpm_value & ~UINT32_MAX) 219 return (EINVAL); 220 221 switch (param->ctpm_id) { 222 case CTPP_SUBSUME: 223 if (param->ctpm_value != 0) { 224 /* 225 * Ensure that the contract exists, that we 226 * hold the contract, and that the contract is 227 * empty. 228 */ 229 ct = contract_type_ptr(process_type, param->ctpm_value, 230 curproc->p_zone->zone_uniqid); 231 if (ct == NULL) 232 return (ESRCH); 233 if (ct->ct_owner != curproc) { 234 contract_rele(ct); 235 return (EACCES); 236 } 237 if (((cont_process_t *)ct->ct_data)->conp_nmembers) { 238 contract_rele(ct); 239 return (ENOTEMPTY); 240 } 241 } else { 242 ct = NULL; 243 } 244 if (ctp->ctp_subsume) 245 contract_rele(ctp->ctp_subsume); 246 ctp->ctp_subsume = ct; 247 break; 248 case CTPP_PARAMS: 249 if (param->ctpm_value & ~CT_PR_ALLPARAM) 250 return (EINVAL); 251 ctp->ctp_params = param->ctpm_value; 252 /* 253 * If an unprivileged process requests that 254 * CT_PR_PGRPONLY be set, remove any unsafe events from 255 * the critical event set and add them to the 256 * informative event set. 257 */ 258 if ((ctp->ctp_params & CT_PR_PGRPONLY) && 259 EXCESS(ctp, tmpl->ctmpl_ev_crit) && 260 !secpolicy_contract_event_choice(cr)) { 261 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV); 262 tmpl->ctmpl_ev_crit &= SAFE_EV; 263 } 264 265 break; 266 case CTP_EV_CRITICAL: 267 /* 268 * We simply don't allow adding events to the critical 269 * event set which aren't permitted by our policy or by 270 * privilege. 271 */ 272 if (EXCESS(ctp, param->ctpm_value) && 273 (error = secpolicy_contract_event(cr)) != 0) 274 return (error); 275 tmpl->ctmpl_ev_crit = param->ctpm_value; 276 break; 277 case CTPP_EV_FATAL: 278 if (param->ctpm_value & ~CT_PR_ALLFATAL) 279 return (EINVAL); 280 ctp->ctp_ev_fatal = param->ctpm_value; 281 /* 282 * Check to see if an unprivileged process is 283 * requesting that events be removed from the fatal 284 * event set which are still in the critical event set. 285 */ 286 if (EXCESS(ctp, tmpl->ctmpl_ev_crit) && 287 !secpolicy_contract_event_choice(cr)) { 288 int allowed = 289 SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ? 290 0 : ctp->ctp_ev_fatal; 291 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed); 292 tmpl->ctmpl_ev_crit &= allowed; 293 } 294 break; 295 default: 296 return (EINVAL); 297 } 298 299 return (0); 300 } 301 302 /* 303 * ctmpl_process_get 304 * 305 * The process contract template get entry point. Simply fetches and 306 * returns the requested term. 307 */ 308 static int 309 ctmpl_process_get(struct ct_template *template, ct_param_t *param) 310 { 311 ctmpl_process_t *ctp = template->ctmpl_data; 312 313 switch (param->ctpm_id) { 314 case CTPP_SUBSUME: 315 param->ctpm_value = ctp->ctp_subsume ? 316 ctp->ctp_subsume->ct_id : 0; 317 break; 318 case CTPP_PARAMS: 319 param->ctpm_value = ctp->ctp_params; 320 break; 321 case CTPP_EV_FATAL: 322 param->ctpm_value = ctp->ctp_ev_fatal; 323 break; 324 default: 325 return (EINVAL); 326 } 327 328 return (0); 329 } 330 331 static ctmplops_t ctmpl_process_ops = { 332 ctmpl_process_dup, /* ctop_dup */ 333 ctmpl_process_free, /* ctop_free */ 334 ctmpl_process_set, /* ctop_set */ 335 ctmpl_process_get, /* ctop_get */ 336 ctmpl_create_inval, /* ctop_create */ 337 CT_PR_ALLEVENT 338 }; 339 340 341 /* 342 * Process contract implementation 343 */ 344 345 /* 346 * ctmpl_process_default 347 * 348 * The process contract default template entry point. Creates a 349 * process contract template with no parameters set, with informative 350 * core and signal events, critical empty and hwerr events, and fatal 351 * hwerr events. 352 */ 353 static ct_template_t * 354 contract_process_default(void) 355 { 356 ctmpl_process_t *new; 357 358 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 359 ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new); 360 361 new->ctp_subsume = NULL; 362 new->ctp_params = 0; 363 new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL; 364 new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR; 365 new->ctp_ev_fatal = CT_PR_EV_HWERR; 366 367 return (&new->ctp_ctmpl); 368 } 369 370 /* 371 * contract_process_free 372 * 373 * The process contract free entry point. 374 */ 375 static void 376 contract_process_free(contract_t *ct) 377 { 378 cont_process_t *ctp = ct->ct_data; 379 crfree(ctp->conp_cred); 380 list_destroy(&ctp->conp_members); 381 list_destroy(&ctp->conp_inherited); 382 kmem_free(ctp, sizeof (cont_process_t)); 383 } 384 385 /* 386 * contract_process_cankill 387 * 388 * Determine if the contract author had or if the process generating 389 * the event, sp, has adequate privileges to kill process tp. 390 */ 391 static int 392 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp) 393 { 394 int cankill; 395 396 mutex_enter(&tp->p_crlock); 397 cankill = hasprocperm(tp->p_cred, ctp->conp_cred); 398 mutex_exit(&tp->p_crlock); 399 if (cankill || (sp && prochasprocperm(tp, sp, CRED()))) 400 return (1); 401 402 return (0); 403 } 404 405 /* 406 * contract_process_kill 407 * 408 * Kills all processes in a contract, or all processes in the 409 * intersection of a contract and ex's process group (if ex is non-NULL 410 * and the contract's PGRPONLY parameter is set). If checkpriv is 411 * true, only those processes which may be signaled by the contract 412 * author or ex are killed. 413 */ 414 static void 415 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv) 416 { 417 cont_process_t *ctp = ct->ct_data; 418 proc_t *p; 419 pid_t pgrp = -1; 420 421 ASSERT(MUTEX_HELD(&ct->ct_lock)); 422 423 if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) { 424 pgrp = ex->p_pgrp; 425 mutex_enter(&pidlock); 426 } 427 428 for (p = list_head(&ctp->conp_members); p != NULL; 429 p = list_next(&ctp->conp_members, p)) { 430 if ((p == ex) || (pgrp != -1 && p->p_pgrp != pgrp) || 431 (checkpriv && !contract_process_cankill(p, ex, ctp))) 432 continue; 433 434 psignal(p, SIGKILL); 435 } 436 437 if (pgrp != -1) 438 mutex_exit(&pidlock); 439 } 440 441 442 /* 443 * contract_process_accept 444 * 445 * Tests if the process contract is willing to act as a regent for 446 * inherited contracts. Though brief and only called from one place, 447 * this functionality is kept here to avoid including knowledge of 448 * process contract implementation in the generic contract code. 449 */ 450 int 451 contract_process_accept(contract_t *parent) 452 { 453 cont_process_t *ctp = parent->ct_data; 454 455 ASSERT(parent->ct_type == process_type); 456 457 return (ctp->conp_params & CT_PR_REGENT); 458 } 459 460 /* 461 * contract_process_take 462 * 463 * Executes the process contract side of inheriting a contract. 464 */ 465 void 466 contract_process_take(contract_t *parent, contract_t *child) 467 { 468 cont_process_t *ctp = parent->ct_data; 469 470 ASSERT(MUTEX_HELD(&parent->ct_lock)); 471 ASSERT(MUTEX_HELD(&child->ct_lock)); 472 ASSERT(parent->ct_type == process_type); 473 ASSERT(ctp->conp_params & CT_PR_REGENT); 474 475 list_insert_head(&ctp->conp_inherited, child); 476 ctp->conp_ninherited++; 477 } 478 479 /* 480 * contract_process_adopt 481 * 482 * Executes the process contract side of adopting a contract. 483 */ 484 void 485 contract_process_adopt(contract_t *ct, proc_t *p) 486 { 487 cont_process_t *parent = p->p_ct_process; 488 489 ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock)); 490 ASSERT(MUTEX_HELD(&ct->ct_lock)); 491 492 list_remove(&parent->conp_inherited, ct); 493 parent->conp_ninherited--; 494 495 /* 496 * We drop the parent lock first because a) we are passing the 497 * contract reference to the child, and b) contract_adopt 498 * expects us to return with the contract lock held. 499 */ 500 mutex_exit(&parent->conp_contract.ct_lock); 501 } 502 503 /* 504 * contract_process_abandon 505 * 506 * The process contract abandon entry point. 507 */ 508 static void 509 contract_process_abandon(contract_t *ct) 510 { 511 cont_process_t *ctp = ct->ct_data; 512 513 ASSERT(MUTEX_HELD(&ct->ct_lock)); 514 515 /* 516 * Shall we stay or shall we go? 517 */ 518 if (list_head(&ctp->conp_members) == NULL) { 519 contract_destroy(ct); 520 } else { 521 /* 522 * Strictly speaking, we actually do orphan the contract. 523 * Assuming our credentials allow us to kill all 524 * processes in the contract, this is only temporary. 525 */ 526 if (ctp->conp_params & CT_PR_NOORPHAN) 527 contract_process_kill(ct, NULL, B_TRUE); 528 contract_orphan(ct); 529 mutex_exit(&ct->ct_lock); 530 contract_rele(ct); 531 } 532 } 533 534 /* 535 * contract_process_destroy 536 * 537 * The process contract destroy entry point. 538 */ 539 static void 540 contract_process_destroy(contract_t *ct) 541 { 542 cont_process_t *ctp = ct->ct_data; 543 contract_t *cct; 544 545 ASSERT(MUTEX_HELD(&ct->ct_lock)); 546 547 /* 548 * contract_destroy all empty children, kill or orphan the rest 549 */ 550 while (cct = list_head(&ctp->conp_inherited)) { 551 mutex_enter(&cct->ct_lock); 552 553 ASSERT(cct->ct_state == CTS_INHERITED); 554 555 list_remove(&ctp->conp_inherited, cct); 556 ctp->conp_ninherited--; 557 cct->ct_regent = NULL; 558 cct->ct_type->ct_type_ops->contop_abandon(cct); 559 } 560 } 561 562 /* 563 * contract_process_status 564 * 565 * The process contract status entry point. 566 */ 567 static void 568 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl, 569 void *status, model_t model) 570 { 571 cont_process_t *ctp = ct->ct_data; 572 uint32_t *pids, *ctids; 573 uint_t npids, nctids; 574 uint_t spids, sctids; 575 576 if (detail == CTD_FIXED) { 577 mutex_enter(&ct->ct_lock); 578 contract_status_common(ct, zone, status, model); 579 mutex_exit(&ct->ct_lock); 580 } else { 581 contract_t *cnext; 582 proc_t *pnext; 583 uint_t loc; 584 585 ASSERT(detail == CTD_ALL); 586 mutex_enter(&ct->ct_lock); 587 for (;;) { 588 spids = ctp->conp_nmembers + 5; 589 sctids = ctp->conp_ninherited + 5; 590 mutex_exit(&ct->ct_lock); 591 592 pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP); 593 ctids = kmem_alloc(sctids * sizeof (uint32_t), 594 KM_SLEEP); 595 596 mutex_enter(&ct->ct_lock); 597 npids = ctp->conp_nmembers; 598 nctids = ctp->conp_ninherited; 599 if (spids >= npids && sctids >= nctids) 600 break; 601 602 kmem_free(pids, spids * sizeof (uint32_t)); 603 kmem_free(ctids, sctids * sizeof (uint32_t)); 604 } 605 contract_status_common(ct, zone, status, model); 606 for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext; 607 cnext = list_next(&ctp->conp_inherited, cnext)) 608 ctids[loc++] = cnext->ct_id; 609 ASSERT(loc == nctids); 610 for (loc = 0, pnext = list_head(&ctp->conp_members); pnext; 611 pnext = list_next(&ctp->conp_members, pnext)) 612 pids[loc++] = pnext->p_pid; 613 ASSERT(loc == npids); 614 mutex_exit(&ct->ct_lock); 615 616 } 617 618 /* 619 * Contract terms are static; there's no need to hold the 620 * contract lock while accessing them. 621 */ 622 VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0); 623 VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0); 624 if (detail == CTD_ALL) { 625 VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids, 626 npids) == 0); 627 VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids, 628 nctids) == 0); 629 kmem_free(pids, spids * sizeof (uint32_t)); 630 kmem_free(ctids, sctids * sizeof (uint32_t)); 631 } 632 } 633 634 /*ARGSUSED*/ 635 static int 636 contract_process_newct(contract_t *ct) 637 { 638 return (0); 639 } 640 641 /* process contracts don't negotiate */ 642 static contops_t contract_process_ops = { 643 contract_process_free, /* contop_free */ 644 contract_process_abandon, /* contop_abandon */ 645 contract_process_destroy, /* contop_destroy */ 646 contract_process_status, /* contop_status */ 647 contract_ack_inval, /* contop_ack */ 648 contract_ack_inval, /* contop_nack */ 649 contract_qack_inval, /* contop_qack */ 650 contract_process_newct /* contop_newct */ 651 }; 652 653 /* 654 * contract_process_init 655 * 656 * Initializes the process contract type. Also creates a template for 657 * use by newproc() when it creates user processes. 658 */ 659 void 660 contract_process_init(void) 661 { 662 process_type = contract_type_init(CTT_PROCESS, "process", 663 &contract_process_ops, contract_process_default); 664 665 /* 666 * Create a template for use with init(1M) and other 667 * kernel-started processes. 668 */ 669 sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 670 ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops, 671 process_type, sys_process_tmpl); 672 sys_process_tmpl->ctp_subsume = NULL; 673 sys_process_tmpl->ctp_params = CT_PR_NOORPHAN; 674 sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR; 675 } 676 677 /* 678 * contract_process_create 679 * 680 * create a process contract given template "tmpl" and parent process 681 * "parent". May fail and return NULL if project.max-contracts would 682 * have been exceeded. 683 */ 684 static cont_process_t * 685 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail) 686 { 687 cont_process_t *ctp; 688 689 ASSERT(tmpl != NULL); 690 691 (void) contract_type_pbundle(process_type, parent); 692 693 ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP); 694 695 list_create(&ctp->conp_members, sizeof (proc_t), 696 offsetof(proc_t, p_ct_member)); 697 list_create(&ctp->conp_inherited, sizeof (contract_t), 698 offsetof(contract_t, ct_ctlist)); 699 mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock); 700 ctp->conp_params = tmpl->ctp_params; 701 ctp->conp_ev_fatal = tmpl->ctp_ev_fatal; 702 crhold(ctp->conp_cred = CRED()); 703 704 if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl, 705 ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0, 706 parent, canfail)) { 707 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock); 708 contract_process_free(&ctp->conp_contract); 709 return (NULL); 710 } 711 712 /* 713 * Transfer subcontracts only after new contract is visible. 714 * Also, only transfer contracts if the parent matches -- we 715 * don't want to create a cycle in the tree of contracts. 716 */ 717 if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) { 718 cont_process_t *sct = tmpl->ctp_subsume->ct_data; 719 contract_t *ct; 720 721 mutex_enter(&tmpl->ctp_subsume->ct_lock); 722 mutex_enter(&ctp->conp_contract.ct_lock); 723 while (ct = list_head(&sct->conp_inherited)) { 724 mutex_enter(&ct->ct_lock); 725 list_remove(&sct->conp_inherited, ct); 726 list_insert_tail(&ctp->conp_inherited, ct); 727 ct->ct_regent = &ctp->conp_contract; 728 mutex_exit(&ct->ct_lock); 729 } 730 ctp->conp_ninherited += sct->conp_ninherited; 731 sct->conp_ninherited = 0; 732 mutex_exit(&ctp->conp_contract.ct_lock); 733 mutex_exit(&tmpl->ctp_subsume->ct_lock); 734 735 /* 736 * Automatically abandon the contract. 737 */ 738 (void) contract_abandon(tmpl->ctp_subsume, parent, 1); 739 } 740 741 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock); 742 743 return (ctp); 744 } 745 746 /* 747 * contract_process_exit 748 * 749 * Called on process exit. Removes process p from process contract 750 * ctp. Generates an exit event, if requested. Generates an empty 751 * event, if p is the last member of the the process contract and empty 752 * events were requested. 753 */ 754 void 755 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus) 756 { 757 contract_t *ct = &ctp->conp_contract; 758 ct_kevent_t *event; 759 int empty; 760 761 /* 762 * Remove self from process contract. 763 */ 764 mutex_enter(&ct->ct_lock); 765 list_remove(&ctp->conp_members, p); 766 ctp->conp_nmembers--; 767 mutex_enter(&p->p_lock); /* in case /proc is watching */ 768 p->p_ct_process = NULL; 769 mutex_exit(&p->p_lock); 770 771 /* 772 * We check for emptiness before dropping the contract lock to 773 * send the exit event, otherwise we could end up with two 774 * empty events. 775 */ 776 empty = (list_head(&ctp->conp_members) == NULL); 777 if (EVSENDP(ctp, CT_PR_EV_EXIT)) { 778 nvlist_t *nvl; 779 780 mutex_exit(&ct->ct_lock); 781 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 782 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 783 VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0); 784 785 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 786 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0; 787 event->cte_type = CT_PR_EV_EXIT; 788 (void) cte_publish_all(ct, event, nvl, NULL); 789 mutex_enter(&ct->ct_lock); 790 } 791 if (empty) { 792 /* 793 * Send EMPTY message. 794 */ 795 if (EVSENDP(ctp, CT_PR_EV_EMPTY)) { 796 nvlist_t *nvl; 797 798 mutex_exit(&ct->ct_lock); 799 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, 800 KM_SLEEP) == 0); 801 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 802 803 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 804 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ? 805 CTE_INFO : 0; 806 event->cte_type = CT_PR_EV_EMPTY; 807 (void) cte_publish_all(ct, event, nvl, NULL); 808 mutex_enter(&ct->ct_lock); 809 } 810 811 /* 812 * The last one to leave an orphaned contract turns out 813 * the lights. 814 */ 815 if (ct->ct_state == CTS_ORPHAN) { 816 contract_destroy(ct); 817 return; 818 } 819 } 820 mutex_exit(&ct->ct_lock); 821 contract_rele(ct); 822 } 823 824 /* 825 * contract_process_fork 826 * 827 * Called on process fork. If the current lwp has a active process 828 * contract template, we attempt to create a new process contract. 829 * Failure to create a process contract when required is a failure in 830 * fork so, in such an event, we return NULL. 831 * 832 * Assuming we succeeded or skipped the previous step, we add the child 833 * process to the new contract (success) or to the parent's process 834 * contract (skip). If requested, we also send a fork event to that 835 * contract. 836 * 837 * Because contract_process_fork() may fail, and because we would 838 * prefer that process contracts not be created for processes which 839 * don't complete forking, this should be the last function called 840 * before the "all clear" point in cfork. 841 */ 842 cont_process_t * 843 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp, 844 int canfail) 845 { 846 contract_t *ct; 847 cont_process_t *ctp; 848 ct_kevent_t *event; 849 ct_template_t *tmpl; 850 851 if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[ 852 process_type->ct_type_index]) != NULL) 853 rtmpl = tmpl->ctmpl_data; 854 855 if (rtmpl == NULL) 856 ctp = curproc->p_ct_process; 857 else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL) 858 return (NULL); 859 860 ct = &ctp->conp_contract; 861 /* 862 * Prevent contract_process_kill() from missing forked children 863 * by failing forks by parents that have just been killed. 864 * It's not worth hoisting the ctp test since contract creation 865 * is by no means the common case. 866 */ 867 mutex_enter(&ct->ct_lock); 868 mutex_enter(&pp->p_lock); 869 if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 && 870 canfail) { 871 mutex_exit(&pp->p_lock); 872 mutex_exit(&ct->ct_lock); 873 return (NULL); 874 } 875 cp->p_ct_process = ctp; 876 mutex_exit(&pp->p_lock); 877 contract_hold(ct); 878 list_insert_head(&ctp->conp_members, cp); 879 ctp->conp_nmembers++; 880 mutex_exit(&ct->ct_lock); 881 if (EVSENDP(ctp, CT_PR_EV_FORK)) { 882 nvlist_t *nvl; 883 884 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 885 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0); 886 VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0); 887 888 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 889 event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0; 890 event->cte_type = CT_PR_EV_FORK; 891 (void) cte_publish_all(ct, event, nvl, NULL); 892 } 893 return (ctp); 894 } 895 896 /* 897 * contract_process_core 898 * 899 * Called on core file generation attempts. Generates a core event, if 900 * requested, containing the names of the process, global, and 901 * system-global ("zone") core files. If dumping core is in the fatal 902 * event set, calls contract_process_kill(). 903 */ 904 void 905 contract_process_core(cont_process_t *ctp, proc_t *p, int sig, 906 const char *process, const char *global, const char *zone) 907 { 908 contract_t *ct = &ctp->conp_contract; 909 910 if (EVSENDP(ctp, CT_PR_EV_CORE)) { 911 ct_kevent_t *event; 912 nvlist_t *nvl, *gnvl = NULL; 913 914 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 915 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 916 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0); 917 if (process) 918 VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE, 919 (char *)process) == 0); 920 if (global) 921 VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE, 922 (char *)global) == 0); 923 924 if (zone) { 925 /* 926 * Only the global zone is informed of the 927 * local-zone generated global-zone core. 928 */ 929 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME, 930 KM_SLEEP) == 0); 931 VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE, 932 (char *)zone) == 0); 933 } 934 935 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 936 event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0; 937 event->cte_type = CT_PR_EV_CORE; 938 (void) cte_publish_all(ct, event, nvl, gnvl); 939 } 940 941 if (EVFATALP(ctp, CT_PR_EV_CORE)) { 942 mutex_enter(&ct->ct_lock); 943 contract_process_kill(ct, p, B_TRUE); 944 mutex_exit(&ct->ct_lock); 945 } 946 } 947 948 /* 949 * contract_process_hwerr 950 * 951 * Called when a process is killed by an unrecoverable hardware error. 952 * Generates an hwerr event, if requested. If hardware errors are in 953 * the fatal event set, calls contract_process_kill(). 954 */ 955 void 956 contract_process_hwerr(cont_process_t *ctp, proc_t *p) 957 { 958 contract_t *ct = &ctp->conp_contract; 959 960 if (EVSENDP(ctp, CT_PR_EV_HWERR)) { 961 ct_kevent_t *event; 962 nvlist_t *nvl; 963 964 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 965 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 966 967 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 968 event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0; 969 event->cte_type = CT_PR_EV_HWERR; 970 (void) cte_publish_all(ct, event, nvl, NULL); 971 } 972 973 if (EVFATALP(ctp, CT_PR_EV_HWERR)) { 974 mutex_enter(&ct->ct_lock); 975 contract_process_kill(ct, p, B_FALSE); 976 mutex_exit(&ct->ct_lock); 977 } 978 } 979 980 /* 981 * contract_process_sig 982 * 983 * Called when a process is killed by a signal originating from a 984 * process outside of its process contract or its process contract's 985 * holder. Generates an signal event, if requested, containing the 986 * signal number, and the sender's pid and contract id (if available). 987 * If signals are in the fatal event set, calls 988 * contract_process_kill(). 989 */ 990 void 991 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid, 992 ctid_t ctid, zoneid_t zoneid) 993 { 994 contract_t *ct = &ctp->conp_contract; 995 996 if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) { 997 ct_kevent_t *event; 998 nvlist_t *dest, *nvl, *gnvl = NULL; 999 1000 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1001 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 1002 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0); 1003 1004 if (zoneid >= 0 && p->p_zone->zone_id != zoneid) { 1005 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME, 1006 KM_SLEEP) == 0); 1007 dest = gnvl; 1008 } else { 1009 dest = nvl; 1010 } 1011 1012 if (pid != -1) 1013 VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0); 1014 if (ctid != 0) 1015 VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0); 1016 1017 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1018 event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0; 1019 event->cte_type = CT_PR_EV_SIGNAL; 1020 (void) cte_publish_all(ct, event, nvl, gnvl); 1021 } 1022 1023 if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) { 1024 mutex_enter(&ct->ct_lock); 1025 contract_process_kill(ct, p, B_TRUE); 1026 mutex_exit(&ct->ct_lock); 1027 } 1028 } 1029