1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/mutex.h> 30 #include <sys/debug.h> 31 #include <sys/types.h> 32 #include <sys/param.h> 33 #include <sys/kmem.h> 34 #include <sys/thread.h> 35 #include <sys/id_space.h> 36 #include <sys/avl.h> 37 #include <sys/list.h> 38 #include <sys/sysmacros.h> 39 #include <sys/proc.h> 40 #include <sys/contract.h> 41 #include <sys/contract_impl.h> 42 #include <sys/contract/process.h> 43 #include <sys/contract/process_impl.h> 44 #include <sys/cmn_err.h> 45 #include <sys/nvpair.h> 46 #include <sys/policy.h> 47 48 /* 49 * Process Contracts 50 * ----------------- 51 * 52 * Generally speaking, a process contract is a contract between a 53 * process and a set of its descendent processes. In some cases, when 54 * the child processes outlive the author of the contract, the contract 55 * may be held by (and therefore be between the child processes and) a 56 * successor process which adopts the contract after the death of the 57 * original author. 
58 * 59 * The process contract adds two new concepts to the Solaris process 60 * model. The first is that a process contract forms a rigid fault 61 * boundary around a set of processes. Hardware, software, and even 62 * administrator errors impacting a process in a process contract 63 * generate specific events and can be requested to atomically shutdown 64 * all processes in the contract. The second is that a process 65 * contract is a process collective whose leader is not a member of the 66 * collective. This means that the leader can reliably react to events 67 * in the collective, and may also act upon the collective without 68 * special casing itself. 69 * 70 * A composite outcome of these two concepts is that we can now create 71 * a tree of process contracts, rooted at init(1M), which represent 72 * services and subservices that are reliably observed and can be 73 * restarted when fatal errors occur. The service management framework 74 * (SMF) realizes this structure. 75 * 76 * For more details, see the "restart agreements" case, PSARC 2003/193. 77 * 78 * There are four sets of routines in this file: the process contract 79 * standard template operations, the process contract standard contract 80 * operations, a couple routines used only by the contract subsystem to 81 * handle process contracts' unique role as a temporary holder of 82 * abandoned contracts, and the interfaces which allow the system to 83 * create and act upon process contracts. The first two are defined by 84 * the contracts framework and won't be discussed further. As for the 85 * remaining two: 86 * 87 * Special framework interfaces 88 * ---------------------------- 89 * 90 * contract_process_accept - determines if a process contract is a 91 * regent, i.e. if it can inherit other contracts. 
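*
 * contract_process_take - tells a regent process contract to inherit
 * an abandoned contract
 *
 * contract_process_adopt - tells a regent process contract that a
 * contract it has inherited is being adopted by a process.
 *
 * Process contract interfaces
 * ---------------------------
 *
 * contract_process_fork - called when a process is created; adds the
 * new process to an existing contract or to a newly created one.
 *
 * contract_process_exit - called when a process exits
 *
 * contract_process_core - called when a process would have dumped core
 * (even if a core file wasn't generated)
 *
 * contract_process_hwerr - called when a process was killed because of
 * an uncorrectable hardware error
 *
 * contract_process_sig - called when a process was killed by a fatal
 * signal sent by a process in another process contract
 *
 */

/*
 * The process contract type, registered by contract_process_init().
 */
ct_type_t *process_type;

/*
 * Template built by contract_process_init() for init(1M) and other
 * kernel-started processes; it carries the CT_PR_NOORPHAN parameter and
 * makes hardware errors fatal.
 */
ctmpl_process_t *sys_process_tmpl;

/*
 * Macro predicates for determining when events should be sent and how.
 * Each takes a cont_process_t pointer and a single CT_PR_EV_* flag.  The
 * arguments are fully parenthesized so that expression arguments expand
 * correctly.
 *
 * EVSENDP  - the event is in the informative or the critical event set,
 *            i.e. it is to be delivered at all.
 * EVINFOP  - the event is not in the critical event set, so it is sent
 *            with CTE_INFO.
 * EVFATALP - the event is in the fatal event set.
 */
#define	EVSENDP(ctp, flag) \
	(((ctp)->conp_contract.ct_ev_info | (ctp)->conp_contract.ct_ev_crit) & \
	(flag))

#define	EVINFOP(ctp, flag) \
	(((ctp)->conp_contract.ct_ev_crit & (flag)) == 0)

#define	EVFATALP(ctp, flag) \
	((ctp)->conp_ev_fatal & (flag))


/*
 * Process contract template implementation
 */

/*
 * ctmpl_process_dup
 *
 * The process contract template dup entry point.  Other than the
 * to-be-subsumed contract, which must be held, this simply copies all
 * the fields of the original.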
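*/
static struct ct_template *
ctmpl_process_dup(struct ct_template *template)
{
	ctmpl_process_t *new;
	ctmpl_process_t *old = template->ctmpl_data;

	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);

	ctmpl_copy(&new->ctp_ctmpl, template);
	new->ctp_ctmpl.ctmpl_data = new;

	/*
	 * The copy shares the to-be-subsumed contract with the original,
	 * so it needs its own hold; ctmpl_process_free() releases it.
	 */
	new->ctp_subsume = old->ctp_subsume;
	if (new->ctp_subsume)
		contract_hold(new->ctp_subsume);
	new->ctp_params = old->ctp_params;
	new->ctp_ev_fatal = old->ctp_ev_fatal;

	return (&new->ctp_ctmpl);
}

/*
 * ctmpl_process_free
 *
 * The process contract template free entry point.  Just releases a
 * to-be-subsumed contract and frees the template.
 */
static void
ctmpl_process_free(struct ct_template *template)
{
	ctmpl_process_t *ctp = template->ctmpl_data;

	if (ctp->ctp_subsume)
		contract_rele(ctp->ctp_subsume);
	/*
	 * ctp is the pointer handed to ctmpl_init()/ctmpl_copy() as the
	 * template data, i.e. the kmem_alloc()ed ctmpl_process_t, so free
	 * that rather than relying on ctp_ctmpl being the first member.
	 */
	kmem_free(ctp, sizeof (ctmpl_process_t));
}

/*
 * SAFE_EV is the set of events which a non-privileged process is
 * allowed to make critical but not fatal or if the PGRPONLY parameter
 * is set.  EXCESS tells us if "value", a critical event set, requires
 * additional privilege given the template "ctp".
 */
#define	SAFE_EV		(CT_PR_EV_EMPTY)
#define	EXCESS(ctp, value)	\
	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
	(((value) & ~SAFE_EV) && ((ctp)->ctp_params & CT_PR_PGRPONLY)))

/*
 * ctmpl_process_set
 *
 * The process contract template set entry point.  None of the terms
 * may be unconditionally set, and setting the parameters or fatal
 * event set may result in events being implicitly removed from the
 * critical event set and added to the informative event set.  The
 * (admittedly subtle) reason we implicitly change the critical event
 * set when the parameter or fatal event set is modified but not the
 * other way around is because a change to the critical event set only
 * affects the contract's owner, whereas a change to the parameter set
 * and fatal set can affect the execution of the application running in
 * the contract (and should therefore be only made explicitly).  We
 * allow implicit changes at all so that setting contract terms doesn't
 * become a complex dance dependent on the template's initial state and
 * the desired terms.
 *
 * Returns 0 on success, EINVAL for an unknown term or an out-of-range
 * value, ESRCH/EACCES/ENOTEMPTY for a bad CTPP_SUBSUME target, or the
 * secpolicy_contract_event() error when the caller lacks the privilege
 * to make the requested events critical.
 */
static int
ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr)
{
	ctmpl_process_t *ctp = tmpl->ctmpl_data;
	contract_t *ct;
	int error;

	/*
	 * No process contract parameters are > 32 bits.
	 */
	if (param->ctpm_value & ~UINT32_MAX)
		return (EINVAL);

	switch (param->ctpm_id) {
	case CTPP_SUBSUME:
		if (param->ctpm_value != 0) {
			/*
			 * Ensure that the contract exists, that we
			 * hold the contract, and that the contract is
			 * empty.
			 */
			ct = contract_type_ptr(process_type, param->ctpm_value,
			    curproc->p_zone->zone_uniqid);
			if (ct == NULL)
				return (ESRCH);
			if (ct->ct_owner != curproc) {
				contract_rele(ct);
				return (EACCES);
			}
			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
				contract_rele(ct);
				return (ENOTEMPTY);
			}
		} else {
			ct = NULL;
		}
		/* contract_type_ptr() returned ct held; keep that hold. */
		if (ctp->ctp_subsume)
			contract_rele(ctp->ctp_subsume);
		ctp->ctp_subsume = ct;
		break;
	case CTPP_PARAMS:
		if (param->ctpm_value & ~CT_PR_ALLPARAM)
			return (EINVAL);
		ctp->ctp_params = param->ctpm_value;
		/*
		 * If an unprivileged process requests that
		 * CT_PR_PGRPONLY be set, remove any unsafe events from
		 * the critical event set and add them to the
		 * informative event set.
		 */
		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
		    !secpolicy_contract_event_choice(cr)) {
			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
			tmpl->ctmpl_ev_crit &= SAFE_EV;
		}

		break;
	case CTP_EV_CRITICAL:
		/*
		 * We simply don't allow adding events to the critical
		 * event set which aren't permitted by our policy or by
		 * privilege.
		 */
		if (EXCESS(ctp, param->ctpm_value) &&
		    (error = secpolicy_contract_event(cr)) != 0)
			return (error);
		tmpl->ctmpl_ev_crit = param->ctpm_value;
		break;
	case CTPP_EV_FATAL:
		if (param->ctpm_value & ~CT_PR_ALLFATAL)
			return (EINVAL);
		ctp->ctp_ev_fatal = param->ctpm_value;
		/*
		 * Check to see if an unprivileged process is
		 * requesting that events be removed from the fatal
		 * event set which are still in the critical event set.
		 */
		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
		    !secpolicy_contract_event_choice(cr)) {
			/*
			 * Events an unprivileged owner may keep critical:
			 * the always-safe set plus, unless PGRPONLY is in
			 * effect, those still in the fatal set.  This
			 * mirrors the CTPP_PARAMS case above.  The
			 * conditional must be parenthesized: `|' binds
			 * tighter than `?:', and without the parentheses
			 * the expression reads (SAFE_EV | ...) ? 0 : fatal,
			 * which is 0 whenever SAFE_EV is non-zero and so
			 * demotes even the safe events to informative.
			 */
			int allowed = SAFE_EV |
			    ((ctp->ctp_params & CT_PR_PGRPONLY) ?
			    0 : ctp->ctp_ev_fatal);
			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
			tmpl->ctmpl_ev_crit &= allowed;
		}
		break;
	default:
		return (EINVAL);
	}

	return (0);
}

/*
 * ctmpl_process_get
 *
 * The process contract template get entry point.  Simply fetches and
 * returns the requested term.  CTPP_SUBSUME reports the id of the
 * to-be-subsumed contract, or 0 if there is none.  Returns EINVAL for
 * an unknown term.
 */
static int
ctmpl_process_get(struct ct_template *template, ct_param_t *param)
{
	ctmpl_process_t *ctp = template->ctmpl_data;

	switch (param->ctpm_id) {
	case CTPP_SUBSUME:
		param->ctpm_value = ctp->ctp_subsume ?
		    ctp->ctp_subsume->ct_id : 0;
		break;
	case CTPP_PARAMS:
		param->ctpm_value = ctp->ctp_params;
		break;
	case CTPP_EV_FATAL:
		param->ctpm_value = ctp->ctp_ev_fatal;
		break;
	default:
		return (EINVAL);
	}

	return (0);
}

static ctmplops_t ctmpl_process_ops = {
	ctmpl_process_dup,		/* ctop_dup */
	ctmpl_process_free,		/* ctop_free */
	ctmpl_process_set,		/* ctop_set */
	ctmpl_process_get,		/* ctop_get */
	ctmpl_create_inval,		/* ctop_create */
	CT_PR_ALLEVENT
};


/*
 * Process contract implementation
 */

/*
 * contract_process_default
 *
 * The process contract default template entry point.  Creates a
 * process contract template with no parameters set, with informative
 * core and signal events, critical empty and hwerr events, and fatal
 * hwerr events.
 */
static ct_template_t *
contract_process_default(void)
{
	ctmpl_process_t *new;

	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);

	new->ctp_subsume = NULL;
	new->ctp_params = 0;
	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
	new->ctp_ev_fatal = CT_PR_EV_HWERR;

	return (&new->ctp_ctmpl);
}

/*
 * contract_process_free
 *
 * The process contract free entry point.  Drops the hold on the
 * author's credentials, destroys the member and inherited-contract
 * lists and frees the cont_process_t.  Also used by
 * contract_process_create() to tear down a contract whose
 * contract_ctor() failed.
 */
static void
contract_process_free(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;
	crfree(ctp->conp_cred);
	list_destroy(&ctp->conp_members);
	list_destroy(&ctp->conp_inherited);
	kmem_free(ctp, sizeof (cont_process_t));
}

/*
 * contract_process_cankill
 *
 * Determine if the contract author had or if the process generating
 * the event, sp, has adequate privileges to kill process tp.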
*/
static int
contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
{
	int authorperm;

	/*
	 * First try the credentials the contract author had when the
	 * contract was created (conp_cred); tp's credentials must be
	 * read under its p_crlock.
	 */
	mutex_enter(&tp->p_crlock);
	authorperm = hasprocperm(tp->p_cred, ctp->conp_cred);
	mutex_exit(&tp->p_crlock);
	if (authorperm)
		return (1);

	/*
	 * Failing that, the process which generated the event, if any,
	 * may itself be permitted to signal tp.
	 */
	if (sp != NULL && prochasprocperm(tp, sp, CRED()))
		return (1);

	return (0);
}

/*
 * contract_process_kill
 *
 * Kills all processes in a contract, or all processes in the
 * intersection of a contract and ex's process group (if ex is non-NULL
 * and the contract's PGRPONLY parameter is set).  If checkpriv is
 * true, only those processes which may be signaled by the contract
 * author or ex are killed.  ex itself is never signaled.  The caller
 * must hold the contract lock.
 */
static void
contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
{
	cont_process_t *ctp = ct->ct_data;
	proc_t *member;
	pid_t pgrp = -1;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * When the kill is restricted to ex's process group, members'
	 * p_pgrp fields are compared under pidlock; pgrp doubles as the
	 * "pidlock is held" indicator below.
	 */
	if (ex != NULL && (ctp->conp_params & CT_PR_PGRPONLY) != 0) {
		pgrp = ex->p_pgrp;
		mutex_enter(&pidlock);
	}

	for (member = list_head(&ctp->conp_members); member != NULL;
	    member = list_next(&ctp->conp_members, member)) {
		if (member == ex)
			continue;
		if (pgrp != -1 && member->p_pgrp != pgrp)
			continue;
		if (checkpriv && !contract_process_cankill(member, ex, ctp))
			continue;

		psignal(member, SIGKILL);
	}

	if (pgrp != -1)
		mutex_exit(&pidlock);
}


/*
 * contract_process_accept
 *
 * Tests if the process contract is willing to act as a regent for
 * inherited contracts.  Though brief and only called from one place,
 * this functionality is kept here to avoid including knowledge of
 * process contract implementation in the generic contract code.
*/
int
contract_process_accept(contract_t *parent)
{
	cont_process_t *ctp = parent->ct_data;

	ASSERT(parent->ct_type == process_type);

	/* Non-zero iff the CT_PR_REGENT parameter is set. */
	return (ctp->conp_params & CT_PR_REGENT);
}

/*
 * contract_process_take
 *
 * Executes the process contract side of inheriting a contract: child
 * is added to parent's inherited list.  Both contract locks must be
 * held and parent must be a regent process contract.
 */
void
contract_process_take(contract_t *parent, contract_t *child)
{
	cont_process_t *ctp = parent->ct_data;

	ASSERT(MUTEX_HELD(&parent->ct_lock));
	ASSERT(MUTEX_HELD(&child->ct_lock));
	ASSERT(parent->ct_type == process_type);
	ASSERT(ctp->conp_params & CT_PR_REGENT);

	list_insert_head(&ctp->conp_inherited, child);
	ctp->conp_ninherited++;
}

/*
 * contract_process_adopt
 *
 * Executes the process contract side of adopting a contract: ct is
 * removed from the inherited list of p's process contract.  Called with
 * both the regent's and ct's lock held; returns with the regent's lock
 * dropped and ct's lock still held.
 */
void
contract_process_adopt(contract_t *ct, proc_t *p)
{
	cont_process_t *parent = p->p_ct_process;

	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
	ASSERT(MUTEX_HELD(&ct->ct_lock));

	list_remove(&parent->conp_inherited, ct);
	parent->conp_ninherited--;

	/*
	 * We drop the parent lock first because a) we are passing the
	 * contract reference to the child, and b) contract_adopt
	 * expects us to return with the contract lock held.
	 */
	mutex_exit(&parent->conp_contract.ct_lock);
}

/*
 * contract_process_abandon
 *
 * The process contract abandon entry point.  Called with the contract
 * lock held.  An empty contract is destroyed outright; otherwise the
 * contract is orphaned (after killing its members if CT_PR_NOORPHAN is
 * set), the lock is dropped and the caller's reference is released.
 */
static void
contract_process_abandon(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * Shall we stay or shall we go?
	 */
	if (list_head(&ctp->conp_members) == NULL) {
		contract_destroy(ct);
	} else {
		/*
		 * Strictly speaking, we actually do orphan the contract.
		 * Assuming our credentials allow us to kill all
		 * processes in the contract, this is only temporary.
		 *
		 * checkpriv is B_TRUE and there is no event-generating
		 * process here, so only members the contract author's
		 * credentials may signal are killed; any survivors keep
		 * the orphaned contract alive until the last one exits.
		 */
		if (ctp->conp_params & CT_PR_NOORPHAN)
			contract_process_kill(ct, NULL, B_TRUE);
		contract_orphan(ct);
		mutex_exit(&ct->ct_lock);
		contract_rele(ct);
	}
}

/*
 * contract_process_destroy
 *
 * The process contract destroy entry point.  Called with the contract
 * lock held.  Every contract this one holds as regent is detached and
 * handed to its own type's abandon entry point, which decides whether
 * it is destroyed or orphaned.
 */
static void
contract_process_destroy(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;
	contract_t *cct;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * contract_destroy all empty children, kill or orphan the rest
	 */
	while (cct = list_head(&ctp->conp_inherited)) {
		mutex_enter(&cct->ct_lock);

		ASSERT(cct->ct_state == CTS_INHERITED);

		list_remove(&ctp->conp_inherited, cct);
		ctp->conp_ninherited--;
		cct->ct_regent = NULL;
		/* The abandon entry point drops cct's lock. */
		cct->ct_type->ct_type_ops->contop_abandon(cct);
	}
}

/*
 * contract_process_status
 *
 * The process contract status entry point.  Fills nvl with the contract
 * terms (CTPS_PARAMS, CTPS_EV_FATAL) and, for CTD_ALL, the member pid
 * array (CTPS_MEMBERS) and inherited contract id array
 * (CTPS_CONTRACTS).  detail must be CTD_FIXED or CTD_ALL.
 */
static void
contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
    void *status, model_t model)
{
	cont_process_t *ctp = ct->ct_data;
	uint32_t *pids, *ctids;
	uint_t npids, nctids;
	uint_t spids, sctids;

	if (detail == CTD_FIXED) {
		mutex_enter(&ct->ct_lock);
		contract_status_common(ct, zone, status, model);
		mutex_exit(&ct->ct_lock);
	} else {
		contract_t *cnext;
		proc_t *pnext;
		uint_t loc;

		ASSERT(detail == CTD_ALL);
		mutex_enter(&ct->ct_lock);
		/*
		 * The arrays are allocated with KM_SLEEP, so the lock is
		 * dropped around the allocation and membership may change
		 * meanwhile.  Size with a little slack, re-check the
		 * counts under the lock and retry if they have outgrown
		 * the arrays.
		 */
		for (;;) {
			spids = ctp->conp_nmembers + 5;
			sctids = ctp->conp_ninherited + 5;
			mutex_exit(&ct->ct_lock);

			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
			ctids = kmem_alloc(sctids * sizeof (uint32_t),
			    KM_SLEEP);

			mutex_enter(&ct->ct_lock);
			npids = ctp->conp_nmembers;
			nctids = ctp->conp_ninherited;
			if (spids >= npids && sctids >= nctids)
				break;

			kmem_free(pids, spids * sizeof (uint32_t));
			kmem_free(ctids, sctids * sizeof (uint32_t));
		}
		contract_status_common(ct, zone, status, model);
		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
		    cnext = list_next(&ctp->conp_inherited, cnext))
			ctids[loc++] = cnext->ct_id;
		ASSERT(loc == nctids);
		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
		    pnext = list_next(&ctp->conp_members, pnext))
			pids[loc++] = pnext->p_pid;
		ASSERT(loc == npids);
		mutex_exit(&ct->ct_lock);

	}

	/*
	 * Contract terms are static; there's no need to hold the
	 * contract lock while accessing them.
	 */
	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
	if (detail == CTD_ALL) {
		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
		    npids) == 0);
		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
		    nctids) == 0);
		kmem_free(pids, spids * sizeof (uint32_t));
		kmem_free(ctids, sctids * sizeof (uint32_t));
	}
}

static contops_t contract_process_ops = {
	contract_process_free,		/* contop_free */
	contract_process_abandon,	/* contop_abandon */
	contract_process_destroy,	/* contop_destroy */
	contract_process_status		/* contop_status */
};

/*
 * contract_process_init
 *
 * Initializes the process contract type.  Also creates a template for
 * use by newproc() when it creates user processes.
 */
void
contract_process_init(void)
{
	process_type = contract_type_init(CTT_PROCESS, "process",
	    &contract_process_ops, contract_process_default);

	/*
	 * Create a template for use with init(1M) and other
	 * kernel-started processes.  Unlike the default template it
	 * sets CT_PR_NOORPHAN and leaves the event sets at whatever
	 * ctmpl_init() establishes.
	 */
	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
	    process_type, sys_process_tmpl);
	sys_process_tmpl->ctp_subsume = NULL;
	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
}

/*
 * contract_process_create
 *
 * create a process contract given template "tmpl" and parent process
 * "parent".  May fail and return NULL if project.max-contracts would
 * have been exceeded.  canfail is passed through to contract_ctor();
 * on failure the partially built contract is torn down with
 * contract_process_free().
 *
 * The caller's credentials (CRED()) are held as conp_cred; they are the
 * "contract author" credentials contract_process_cankill() later checks
 * before killing members.  If the template names a contract to subsume
 * and it is owned by parent, its inherited contracts are moved to the
 * new one and the subsumed contract is abandoned.
 */
static cont_process_t *
contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
{
	cont_process_t *ctp;

	ASSERT(tmpl != NULL);

	(void) contract_type_pbundle(process_type, parent);

	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);

	list_create(&ctp->conp_members, sizeof (proc_t),
	    offsetof(proc_t, p_ct_member));
	list_create(&ctp->conp_inherited, sizeof (contract_t),
	    offsetof(contract_t, ct_ctlist));
	/* Hold the template lock so its terms can't change under us. */
	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
	ctp->conp_params = tmpl->ctp_params;
	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
	crhold(ctp->conp_cred = CRED());

	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
	    parent, canfail)) {
		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
		contract_process_free(&ctp->conp_contract);
		return (NULL);
	}

	/*
	 * Transfer subcontracts only after new contract is visible.
	 * Also, only transfer contracts if the parent matches -- we
	 * don't want to create a cycle in the tree of contracts.
	 */
	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
		contract_t *ct;

		mutex_enter(&tmpl->ctp_subsume->ct_lock);
		mutex_enter(&ctp->conp_contract.ct_lock);
		while (ct = list_head(&sct->conp_inherited)) {
			mutex_enter(&ct->ct_lock);
			list_remove(&sct->conp_inherited, ct);
			list_insert_tail(&ctp->conp_inherited, ct);
			ct->ct_regent = &ctp->conp_contract;
			mutex_exit(&ct->ct_lock);
		}
		ctp->conp_ninherited += sct->conp_ninherited;
		sct->conp_ninherited = 0;
		mutex_exit(&ctp->conp_contract.ct_lock);
		mutex_exit(&tmpl->ctp_subsume->ct_lock);

		/*
		 * Automatically abandon the contract.
		 */
		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
	}

	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);

	return (ctp);
}

/*
 * contract_process_exit
 *
 * Called on process exit.  Removes process p from process contract
 * ctp.  Generates an exit event, if requested.  Generates an empty
 * event, if p is the last member of the process contract and empty
 * events were requested.  The member's reference on the contract is
 * released, or the contract destroyed if it was orphaned and p was its
 * last member.
 */
void
contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
{
	contract_t *ct = &ctp->conp_contract;
	ct_kevent_t *event;
	int empty;

	/*
	 * Remove self from process contract.
	 */
	mutex_enter(&ct->ct_lock);
	list_remove(&ctp->conp_members, p);
	ctp->conp_nmembers--;
	mutex_enter(&p->p_lock);	/* in case /proc is watching */
	p->p_ct_process = NULL;
	mutex_exit(&p->p_lock);

	/*
	 * We check for emptiness before dropping the contract lock to
	 * send the exit event, otherwise we could end up with two
	 * empty events.
	 */
	empty = (list_head(&ctp->conp_members) == NULL);
	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
		nvlist_t *nvl;

		/* cte_publish_all() is called without the contract lock. */
		mutex_exit(&ct->ct_lock);
		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
		event->cte_type = CT_PR_EV_EXIT;
		cte_publish_all(ct, event, nvl, NULL);
		mutex_enter(&ct->ct_lock);
	}
	if (empty) {
		/*
		 * Send EMPTY message.
		 */
		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
			nvlist_t *nvl;

			mutex_exit(&ct->ct_lock);
			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);

			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
			    CTE_INFO : 0;
			event->cte_type = CT_PR_EV_EMPTY;
			cte_publish_all(ct, event, nvl, NULL);
			mutex_enter(&ct->ct_lock);
		}

		/*
		 * The last one to leave an orphaned contract turns out
		 * the lights.
		 */
		if (ct->ct_state == CTS_ORPHAN) {
			contract_destroy(ct);
			return;
		}
	}
	mutex_exit(&ct->ct_lock);
	contract_rele(ct);
}

/*
 * contract_process_fork
 *
 * Called on process fork.  If the current lwp has an active process
 * contract template, we attempt to create a new process contract.
 * Failure to create a process contract when required is a failure in
 * fork so, in such an event, we return NULL.
 *
 * Assuming we succeeded or skipped the previous step, we add the child
 * process to the new contract (success) or to the parent's process
 * contract (skip).  If requested, we also send a fork event to that
 * contract.
*
 * Because contract_process_fork() may fail, and because we would
 * prefer that process contracts not be created for processes which
 * don't complete forking, this should be the last function called
 * before the "all clear" point in cfork.
 *
 * rtmpl, if non-NULL, overrides the lwp's active template.  cp is the
 * child, pp the parent.  canfail enables both the contract creation
 * failure path and the killed-parent check below.  Returns the contract
 * cp was added to (holding a reference on its behalf), or NULL.
 */
cont_process_t *
contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
    int canfail)
{
	contract_t *ct;
	cont_process_t *ctp;
	ct_kevent_t *event;
	ct_template_t *tmpl;

	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
	    process_type->ct_type_index]) != NULL)
		rtmpl = tmpl->ctmpl_data;

	if (rtmpl == NULL)
		ctp = curproc->p_ct_process;
	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
		return (NULL);

	ct = &ctp->conp_contract;
	/*
	 * Prevent contract_process_kill() from missing forked children
	 * by failing forks by parents that have just been killed.
	 * It's not worth hoisting the ctp test since contract creation
	 * is by no means the common case.
	 */
	mutex_enter(&ct->ct_lock);
	mutex_enter(&pp->p_lock);
	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
	    canfail) {
		mutex_exit(&pp->p_lock);
		mutex_exit(&ct->ct_lock);
		return (NULL);
	}
	cp->p_ct_process = ctp;
	mutex_exit(&pp->p_lock);
	/* The child's membership holds a reference on the contract. */
	contract_hold(ct);
	list_insert_head(&ctp->conp_members, cp);
	ctp->conp_nmembers++;
	mutex_exit(&ct->ct_lock);
	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
		nvlist_t *nvl;

		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ?
		    CTE_INFO : 0;
		event->cte_type = CT_PR_EV_FORK;
		cte_publish_all(ct, event, nvl, NULL);
	}
	return (ctp);
}

/*
 * contract_process_core
 *
 * Called on core file generation attempts.  Generates a core event, if
 * requested, containing the names of the process, global, and
 * system-global ("zone") core files.  If dumping core is in the fatal
 * event set, calls contract_process_kill().  Any of the three core file
 * names may be NULL, in which case that entry is omitted.
 */
void
contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
    const char *process, const char *global, const char *zone)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
		ct_kevent_t *event;
		nvlist_t *nvl, *gnvl = NULL;

		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
		if (process)
			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
			    (char *)process) == 0);
		if (global)
			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
			    (char *)global) == 0);

		if (zone) {
			/*
			 * Only the global zone is informed of the
			 * local-zone generated global-zone core.
			 */
			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
			    (char *)zone) == 0);
		}

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
		event->cte_type = CT_PR_EV_CORE;
		cte_publish_all(ct, event, nvl, gnvl);
	}

	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
		/*
		 * checkpriv is B_TRUE: only members the contract author
		 * or the dumping process p may signal are killed.
		 */
		mutex_enter(&ct->ct_lock);
		contract_process_kill(ct, p, B_TRUE);
		mutex_exit(&ct->ct_lock);
	}
}

/*
 * contract_process_hwerr
 *
 * Called when a process is killed by an unrecoverable hardware error.
 * Generates an hwerr event, if requested.  If hardware errors are in
 * the fatal event set, calls contract_process_kill().
*/
void
contract_process_hwerr(cont_process_t *ctp, proc_t *p)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
		nvlist_t *nvl;
		ct_kevent_t *event;

		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_type = CT_PR_EV_HWERR;
		if (EVINFOP(ctp, CT_PR_EV_HWERR))
			event->cte_flags = CTE_INFO;
		else
			event->cte_flags = 0;
		cte_publish_all(ct, event, nvl, NULL);
	}

	if (!EVFATALP(ctp, CT_PR_EV_HWERR))
		return;

	/*
	 * Unlike the core and signal cases, the members are killed with
	 * checkpriv B_FALSE, i.e. without consulting the contract
	 * author's or p's signal privileges.
	 */
	mutex_enter(&ct->ct_lock);
	contract_process_kill(ct, p, B_FALSE);
	mutex_exit(&ct->ct_lock);
}

/*
 * contract_process_sig
 *
 * Called when a process is killed by a signal originating from a
 * process outside of its process contract or its process contract's
 * holder.  Generates a signal event, if requested, containing the
 * signal number, and the sender's pid and contract id (if available).
 * If signals are in the fatal event set, calls
 * contract_process_kill().
*/
void
contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
    ctid_t ctid, zoneid_t zoneid)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
		ct_kevent_t *event;
		nvlist_t *nvl;
		nvlist_t *gnvl = NULL;
		nvlist_t *sender_nvl;

		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);

		/*
		 * If the sender lives in a different zone than p, its pid
		 * and contract id go into the separate nvlist (gnvl)
		 * rather than the one delivered alongside the event.
		 */
		sender_nvl = nvl;
		if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			sender_nvl = gnvl;
		}

		/* -1 and 0 mean "sender pid / contract id unknown". */
		if (pid != -1)
			VERIFY(nvlist_add_uint32(sender_nvl, CTPE_SENDER,
			    pid) == 0);
		if (ctid != 0)
			VERIFY(nvlist_add_uint32(sender_nvl, CTPE_SENDCT,
			    ctid) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_type = CT_PR_EV_SIGNAL;
		if (EVINFOP(ctp, CT_PR_EV_SIGNAL))
			event->cte_flags = CTE_INFO;
		else
			event->cte_flags = 0;
		cte_publish_all(ct, event, nvl, gnvl);
	}

	if (!EVFATALP(ctp, CT_PR_EV_SIGNAL))
		return;

	/*
	 * checkpriv is B_TRUE: only members the contract author or p
	 * may signal are killed.
	 */
	mutex_enter(&ct->ct_lock);
	contract_process_kill(ct, p, B_TRUE);
	mutex_exit(&ct->ct_lock);
}