1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/mutex.h> 29 #include <sys/debug.h> 30 #include <sys/types.h> 31 #include <sys/param.h> 32 #include <sys/kmem.h> 33 #include <sys/thread.h> 34 #include <sys/id_space.h> 35 #include <sys/avl.h> 36 #include <sys/list.h> 37 #include <sys/sysmacros.h> 38 #include <sys/proc.h> 39 #include <sys/contract.h> 40 #include <sys/contract_impl.h> 41 #include <sys/contract/process.h> 42 #include <sys/contract/process_impl.h> 43 #include <sys/cmn_err.h> 44 #include <sys/nvpair.h> 45 #include <sys/policy.h> 46 #include <sys/refstr.h> 47 #include <sys/sunddi.h> 48 49 /* 50 * Process Contracts 51 * ----------------- 52 * 53 * Generally speaking, a process contract is a contract between a 54 * process and a set of its descendent processes. In some cases, when 55 * the child processes outlive the author of the contract, the contract 56 * may be held by (and therefore be between the child processes and) a 57 * successor process which adopts the contract after the death of the 58 * original author. 59 * 60 * The process contract adds two new concepts to the Solaris process 61 * model. The first is that a process contract forms a rigid fault 62 * boundary around a set of processes. Hardware, software, and even 63 * administrator errors impacting a process in a process contract 64 * generate specific events and can be requested to atomically shutdown 65 * all processes in the contract. The second is that a process 66 * contract is a process collective whose leader is not a member of the 67 * collective. This means that the leader can reliably react to events 68 * in the collective, and may also act upon the collective without 69 * special casing itself. 70 * 71 * A composite outcome of these two concepts is that we can now create 72 * a tree of process contracts, rooted at init(1M), which represent 73 * services and subservices that are reliably observed and can be 74 * restarted when fatal errors occur. The service management framework 75 * (SMF) realizes this structure. 76 * 77 * For more details, see the "restart agreements" case, PSARC 2003/193. 78 * 79 * There are four sets of routines in this file: the process contract 80 * standard template operations, the process contract standard contract 81 * operations, a couple routines used only by the contract subsystem to 82 * handle process contracts' unique role as a temporary holder of 83 * abandoned contracts, and the interfaces which allow the system to 84 * create and act upon process contracts. The first two are defined by 85 * the contracts framework and won't be discussed further. As for the 86 * remaining two: 87 * 88 * Special framework interfaces 89 * ---------------------------- 90 * 91 * contract_process_accept - determines if a process contract is a 92 * regent, i.e. if it can inherit other contracts. 93 * 94 * contract_process_take - tells a regent process contract to inherit 95 * an abandoned contract 96 * 97 * contract_process_adopt - tells a regent process contract that a 98 * contract it has inherited is being adopted by a process. 99 * 100 * Process contract interfaces 101 * --------------------------- 102 * 103 * contract_process_fork - called when a process is created; adds the 104 * new process to an existing contract or to a newly created one. 105 * 106 * contract_process_exit - called when a process exits 107 * 108 * contract_process_core - called when a process would have dumped core 109 * (even if a core file wasn't generated) 110 * 111 * contract_process_hwerr - called when a process was killed because of 112 * an uncorrectable hardware error 113 * 114 * contract_process_sig - called when a process was killed by a fatal 115 * signal sent by a process in another process contract 116 * 117 */ 118 119 ct_type_t *process_type; 120 ctmpl_process_t *sys_process_tmpl; 121 refstr_t *conp_svc_aux_default; 122 123 /* 124 * Macro predicates for determining when events should be sent and how. 125 */ 126 #define EVSENDP(ctp, flag) \ 127 ((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag) 128 129 #define EVINFOP(ctp, flag) \ 130 ((ctp->conp_contract.ct_ev_crit & flag) == 0) 131 132 #define EVFATALP(ctp, flag) \ 133 (ctp->conp_ev_fatal & flag) 134 135 136 /* 137 * Process contract template implementation 138 */ 139 140 /* 141 * ctmpl_process_dup 142 * 143 * The process contract template dup entry point. Other than the 144 * to-be-subsumed contract, which must be held, this simply copies all 145 * the fields of the original. 146 */ 147 static struct ct_template * 148 ctmpl_process_dup(struct ct_template *template) 149 { 150 ctmpl_process_t *new; 151 ctmpl_process_t *old = template->ctmpl_data; 152 153 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 154 155 ctmpl_copy(&new->ctp_ctmpl, template); 156 new->ctp_ctmpl.ctmpl_data = new; 157 158 new->ctp_subsume = old->ctp_subsume; 159 if (new->ctp_subsume) 160 contract_hold(new->ctp_subsume); 161 new->ctp_params = old->ctp_params; 162 new->ctp_ev_fatal = old->ctp_ev_fatal; 163 new->ctp_svc_fmri = old->ctp_svc_fmri; 164 if (new->ctp_svc_fmri != NULL) { 165 refstr_hold(new->ctp_svc_fmri); 166 } 167 new->ctp_svc_aux = old->ctp_svc_aux; 168 if (new->ctp_svc_aux != NULL) { 169 refstr_hold(new->ctp_svc_aux); 170 } 171 172 return (&new->ctp_ctmpl); 173 } 174 175 /* 176 * ctmpl_process_free 177 * 178 * The process contract template free entry point. Just releases a 179 * to-be-subsumed contract and frees the template. 180 */ 181 static void 182 ctmpl_process_free(struct ct_template *template) 183 { 184 ctmpl_process_t *ctp = template->ctmpl_data; 185 186 if (ctp->ctp_subsume) 187 contract_rele(ctp->ctp_subsume); 188 if (ctp->ctp_svc_fmri != NULL) { 189 refstr_rele(ctp->ctp_svc_fmri); 190 } 191 if (ctp->ctp_svc_aux != NULL) { 192 refstr_rele(ctp->ctp_svc_aux); 193 } 194 kmem_free(template, sizeof (ctmpl_process_t)); 195 } 196 197 /* 198 * SAFE_EV is the set of events which a non-privileged process is 199 * allowed to make critical but not fatal or if the PGRPONLY parameter 200 * is set. EXCESS tells us if "value", a critical event set, requires 201 * additional privilege given the template "ctp". 202 */ 203 #define SAFE_EV (CT_PR_EV_EMPTY) 204 #define EXCESS(ctp, value) \ 205 (((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \ 206 (((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY))) 207 208 /* 209 * ctmpl_process_set 210 * 211 * The process contract template set entry point. None of the terms 212 * may be unconditionally set, and setting the parameters or fatal 213 * event set may result in events being implicitly removed from to the 214 * critical event set and added to the informative event set. The 215 * (admittedly subtle) reason we implicitly change the critical event 216 * set when the parameter or fatal event set is modified but not the 217 * other way around is because a change to the critical event set only 218 * affects the contract's owner, whereas a change to the parameter set 219 * and fatal set can affect the execution of the application running in 220 * the contract (and should therefore be only made explicitly). We 221 * allow implicit changes at all so that setting contract terms doesn't 222 * become a complex dance dependent on the template's initial state and 223 * the desired terms. 224 */ 225 static int 226 ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr) 227 { 228 ctmpl_process_t *ctp = tmpl->ctmpl_data; 229 contract_t *ct; 230 int error; 231 uint64_t param_value; 232 char *str_value; 233 234 if ((param->ctpm_id == CTPP_SVC_FMRI) || 235 (param->ctpm_id == CTPP_CREATOR_AUX)) { 236 str_value = (char *)param->ctpm_value; 237 str_value[param->ctpm_size - 1] = '\0'; 238 } else { 239 param_value = *(uint64_t *)param->ctpm_value; 240 /* 241 * No process contract parameters are > 32 bits. 242 * Unless it is a string. 243 */ 244 if (param_value & ~UINT32_MAX) 245 return (EINVAL); 246 } 247 248 switch (param->ctpm_id) { 249 case CTPP_SUBSUME: 250 if (param_value != 0) { 251 /* 252 * Ensure that the contract exists, that we 253 * hold the contract, and that the contract is 254 * empty. 255 */ 256 ct = contract_type_ptr(process_type, param_value, 257 curproc->p_zone->zone_uniqid); 258 if (ct == NULL) 259 return (ESRCH); 260 if (ct->ct_owner != curproc) { 261 contract_rele(ct); 262 return (EACCES); 263 } 264 if (((cont_process_t *)ct->ct_data)->conp_nmembers) { 265 contract_rele(ct); 266 return (ENOTEMPTY); 267 } 268 } else { 269 ct = NULL; 270 } 271 if (ctp->ctp_subsume) 272 contract_rele(ctp->ctp_subsume); 273 ctp->ctp_subsume = ct; 274 break; 275 case CTPP_PARAMS: 276 if (param_value & ~CT_PR_ALLPARAM) 277 return (EINVAL); 278 ctp->ctp_params = param_value; 279 /* 280 * If an unprivileged process requests that 281 * CT_PR_PGRPONLY be set, remove any unsafe events from 282 * the critical event set and add them to the 283 * informative event set. 284 */ 285 if ((ctp->ctp_params & CT_PR_PGRPONLY) && 286 EXCESS(ctp, tmpl->ctmpl_ev_crit) && 287 !secpolicy_contract_event_choice(cr)) { 288 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV); 289 tmpl->ctmpl_ev_crit &= SAFE_EV; 290 } 291 292 break; 293 case CTPP_SVC_FMRI: 294 if (error = secpolicy_contract_identity(cr)) 295 return (error); 296 if (ctp->ctp_svc_fmri != NULL) 297 refstr_rele(ctp->ctp_svc_fmri); 298 if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0) 299 ctp->ctp_svc_fmri = NULL; 300 else 301 ctp->ctp_svc_fmri = 302 refstr_alloc(str_value); 303 break; 304 case CTPP_CREATOR_AUX: 305 if (ctp->ctp_svc_aux != NULL) 306 refstr_rele(ctp->ctp_svc_aux); 307 if (param->ctpm_size == 1) /* empty string */ 308 ctp->ctp_svc_aux = NULL; 309 else 310 ctp->ctp_svc_aux = 311 refstr_alloc(str_value); 312 break; 313 case CTP_EV_CRITICAL: 314 /* 315 * We simply don't allow adding events to the critical 316 * event set which aren't permitted by our policy or by 317 * privilege. 318 */ 319 if (EXCESS(ctp, param_value) && 320 (error = secpolicy_contract_event(cr)) != 0) 321 return (error); 322 tmpl->ctmpl_ev_crit = param_value; 323 break; 324 case CTPP_EV_FATAL: 325 if (param_value & ~CT_PR_ALLFATAL) 326 return (EINVAL); 327 ctp->ctp_ev_fatal = param_value; 328 /* 329 * Check to see if an unprivileged process is 330 * requesting that events be removed from the fatal 331 * event set which are still in the critical event set. 332 */ 333 if (EXCESS(ctp, tmpl->ctmpl_ev_crit) && 334 !secpolicy_contract_event_choice(cr)) { 335 int allowed = 336 SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ? 337 0 : ctp->ctp_ev_fatal; 338 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed); 339 tmpl->ctmpl_ev_crit &= allowed; 340 } 341 break; 342 default: 343 return (EINVAL); 344 } 345 346 return (0); 347 } 348 349 /* 350 * ctmpl_process_get 351 * 352 * The process contract template get entry point. Simply fetches and 353 * returns the requested term. 354 */ 355 static int 356 ctmpl_process_get(struct ct_template *template, ct_param_t *param) 357 { 358 ctmpl_process_t *ctp = template->ctmpl_data; 359 uint64_t *param_value = param->ctpm_value; 360 361 switch (param->ctpm_id) { 362 case CTPP_SUBSUME: 363 *param_value = ctp->ctp_subsume ? 364 ctp->ctp_subsume->ct_id : 0; 365 break; 366 case CTPP_PARAMS: 367 *param_value = ctp->ctp_params; 368 break; 369 case CTPP_SVC_FMRI: 370 if (ctp->ctp_svc_fmri == NULL) { 371 param->ctpm_size = 372 strlcpy((char *)param->ctpm_value, 373 CT_PR_SVC_DEFAULT, param->ctpm_size); 374 } else { 375 param->ctpm_size = 376 strlcpy((char *)param->ctpm_value, 377 refstr_value(ctp->ctp_svc_fmri), param->ctpm_size); 378 } 379 param->ctpm_size++; 380 break; 381 case CTPP_CREATOR_AUX: 382 if (ctp->ctp_svc_aux == NULL) { 383 param->ctpm_size = 384 strlcpy((char *)param->ctpm_value, 385 refstr_value(conp_svc_aux_default), 386 param->ctpm_size); 387 } else { 388 param->ctpm_size = 389 strlcpy((char *)param->ctpm_value, 390 refstr_value(ctp->ctp_svc_aux), param->ctpm_size); 391 } 392 param->ctpm_size++; 393 break; 394 case CTPP_EV_FATAL: 395 *param_value = ctp->ctp_ev_fatal; 396 break; 397 default: 398 return (EINVAL); 399 } 400 401 return (0); 402 } 403 404 static ctmplops_t ctmpl_process_ops = { 405 ctmpl_process_dup, /* ctop_dup */ 406 ctmpl_process_free, /* ctop_free */ 407 ctmpl_process_set, /* ctop_set */ 408 ctmpl_process_get, /* ctop_get */ 409 ctmpl_create_inval, /* ctop_create */ 410 CT_PR_ALLEVENT 411 }; 412 413 414 /* 415 * Process contract implementation 416 */ 417 418 /* 419 * ctmpl_process_default 420 * 421 * The process contract default template entry point. Creates a 422 * process contract template with no parameters set, with informative 423 * core and signal events, critical empty and hwerr events, and fatal 424 * hwerr events. 425 */ 426 static ct_template_t * 427 contract_process_default(void) 428 { 429 ctmpl_process_t *new; 430 431 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 432 ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new); 433 434 new->ctp_subsume = NULL; 435 new->ctp_params = 0; 436 new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL; 437 new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR; 438 new->ctp_ev_fatal = CT_PR_EV_HWERR; 439 new->ctp_svc_fmri = NULL; 440 new->ctp_svc_aux = NULL; 441 442 return (&new->ctp_ctmpl); 443 } 444 445 /* 446 * contract_process_free 447 * 448 * The process contract free entry point. 449 */ 450 static void 451 contract_process_free(contract_t *ct) 452 { 453 cont_process_t *ctp = ct->ct_data; 454 crfree(ctp->conp_cred); 455 list_destroy(&ctp->conp_members); 456 list_destroy(&ctp->conp_inherited); 457 if (ctp->conp_svc_fmri != NULL) { 458 refstr_rele(ctp->conp_svc_fmri); 459 } 460 if (ctp->conp_svc_aux != NULL) { 461 refstr_rele(ctp->conp_svc_aux); 462 } 463 if (ctp->conp_svc_creator != NULL) { 464 refstr_rele(ctp->conp_svc_creator); 465 } 466 kmem_free(ctp, sizeof (cont_process_t)); 467 } 468 469 /* 470 * contract_process_cankill 471 * 472 * Determine if the contract author had or if the process generating 473 * the event, sp, has adequate privileges to kill process tp. 474 */ 475 static int 476 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp) 477 { 478 int cankill; 479 480 mutex_enter(&tp->p_crlock); 481 cankill = hasprocperm(tp->p_cred, ctp->conp_cred); 482 mutex_exit(&tp->p_crlock); 483 if (cankill || (sp && prochasprocperm(tp, sp, CRED()))) 484 return (1); 485 486 return (0); 487 } 488 489 /* 490 * contract_process_kill 491 * 492 * Kills all processes in a contract, or all processes in the 493 * intersection of a contract and ex's process group (if ex is non-NULL 494 * and the contract's PGRPONLY parameter is set). If checkpriv is 495 * true, only those processes which may be signaled by the contract 496 * author or ex are killed. 497 */ 498 static void 499 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv) 500 { 501 cont_process_t *ctp = ct->ct_data; 502 proc_t *p; 503 pid_t pgrp = -1; 504 505 ASSERT(MUTEX_HELD(&ct->ct_lock)); 506 507 if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) { 508 pgrp = ex->p_pgrp; 509 mutex_enter(&pidlock); 510 } 511 512 for (p = list_head(&ctp->conp_members); p != NULL; 513 p = list_next(&ctp->conp_members, p)) { 514 if ((p == ex) || (pgrp != -1 && p->p_pgrp != pgrp) || 515 (checkpriv && !contract_process_cankill(p, ex, ctp))) 516 continue; 517 518 psignal(p, SIGKILL); 519 } 520 521 if (pgrp != -1) 522 mutex_exit(&pidlock); 523 } 524 525 526 /* 527 * contract_process_accept 528 * 529 * Tests if the process contract is willing to act as a regent for 530 * inherited contracts. Though brief and only called from one place, 531 * this functionality is kept here to avoid including knowledge of 532 * process contract implementation in the generic contract code. 533 */ 534 int 535 contract_process_accept(contract_t *parent) 536 { 537 cont_process_t *ctp = parent->ct_data; 538 539 ASSERT(parent->ct_type == process_type); 540 541 return (ctp->conp_params & CT_PR_REGENT); 542 } 543 544 /* 545 * contract_process_take 546 * 547 * Executes the process contract side of inheriting a contract. 548 */ 549 void 550 contract_process_take(contract_t *parent, contract_t *child) 551 { 552 cont_process_t *ctp = parent->ct_data; 553 554 ASSERT(MUTEX_HELD(&parent->ct_lock)); 555 ASSERT(MUTEX_HELD(&child->ct_lock)); 556 ASSERT(parent->ct_type == process_type); 557 ASSERT(ctp->conp_params & CT_PR_REGENT); 558 559 list_insert_head(&ctp->conp_inherited, child); 560 ctp->conp_ninherited++; 561 } 562 563 /* 564 * contract_process_adopt 565 * 566 * Executes the process contract side of adopting a contract. 567 */ 568 void 569 contract_process_adopt(contract_t *ct, proc_t *p) 570 { 571 cont_process_t *parent = p->p_ct_process; 572 573 ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock)); 574 ASSERT(MUTEX_HELD(&ct->ct_lock)); 575 576 list_remove(&parent->conp_inherited, ct); 577 parent->conp_ninherited--; 578 579 /* 580 * We drop the parent lock first because a) we are passing the 581 * contract reference to the child, and b) contract_adopt 582 * expects us to return with the contract lock held. 583 */ 584 mutex_exit(&parent->conp_contract.ct_lock); 585 } 586 587 /* 588 * contract_process_abandon 589 * 590 * The process contract abandon entry point. 591 */ 592 static void 593 contract_process_abandon(contract_t *ct) 594 { 595 cont_process_t *ctp = ct->ct_data; 596 597 ASSERT(MUTEX_HELD(&ct->ct_lock)); 598 599 /* 600 * Shall we stay or shall we go? 601 */ 602 if (list_head(&ctp->conp_members) == NULL) { 603 contract_destroy(ct); 604 } else { 605 /* 606 * Strictly speaking, we actually do orphan the contract. 607 * Assuming our credentials allow us to kill all 608 * processes in the contract, this is only temporary. 609 */ 610 if (ctp->conp_params & CT_PR_NOORPHAN) 611 contract_process_kill(ct, NULL, B_TRUE); 612 contract_orphan(ct); 613 mutex_exit(&ct->ct_lock); 614 contract_rele(ct); 615 } 616 } 617 618 /* 619 * contract_process_destroy 620 * 621 * The process contract destroy entry point. 622 */ 623 static void 624 contract_process_destroy(contract_t *ct) 625 { 626 cont_process_t *ctp = ct->ct_data; 627 contract_t *cct; 628 629 ASSERT(MUTEX_HELD(&ct->ct_lock)); 630 631 /* 632 * contract_destroy all empty children, kill or orphan the rest 633 */ 634 while (cct = list_head(&ctp->conp_inherited)) { 635 mutex_enter(&cct->ct_lock); 636 637 ASSERT(cct->ct_state == CTS_INHERITED); 638 639 list_remove(&ctp->conp_inherited, cct); 640 ctp->conp_ninherited--; 641 cct->ct_regent = NULL; 642 cct->ct_type->ct_type_ops->contop_abandon(cct); 643 } 644 } 645 646 /* 647 * contract_process_status 648 * 649 * The process contract status entry point. 650 */ 651 static void 652 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl, 653 void *status, model_t model) 654 { 655 cont_process_t *ctp = ct->ct_data; 656 uint32_t *pids, *ctids; 657 uint_t npids, nctids; 658 uint_t spids, sctids; 659 ctid_t local_svc_zone_enter; 660 661 if (detail == CTD_FIXED) { 662 mutex_enter(&ct->ct_lock); 663 contract_status_common(ct, zone, status, model); 664 local_svc_zone_enter = ctp->conp_svc_zone_enter; 665 mutex_exit(&ct->ct_lock); 666 } else { 667 contract_t *cnext; 668 proc_t *pnext; 669 uint_t loc; 670 671 ASSERT(detail == CTD_ALL); 672 mutex_enter(&ct->ct_lock); 673 for (;;) { 674 spids = ctp->conp_nmembers + 5; 675 sctids = ctp->conp_ninherited + 5; 676 mutex_exit(&ct->ct_lock); 677 678 pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP); 679 ctids = kmem_alloc(sctids * sizeof (uint32_t), 680 KM_SLEEP); 681 682 mutex_enter(&ct->ct_lock); 683 npids = ctp->conp_nmembers; 684 nctids = ctp->conp_ninherited; 685 if (spids >= npids && sctids >= nctids) 686 break; 687 688 kmem_free(pids, spids * sizeof (uint32_t)); 689 kmem_free(ctids, sctids * sizeof (uint32_t)); 690 } 691 contract_status_common(ct, zone, status, model); 692 for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext; 693 cnext = list_next(&ctp->conp_inherited, cnext)) 694 ctids[loc++] = cnext->ct_id; 695 ASSERT(loc == nctids); 696 for (loc = 0, pnext = list_head(&ctp->conp_members); pnext; 697 pnext = list_next(&ctp->conp_members, pnext)) 698 pids[loc++] = pnext->p_pid; 699 ASSERT(loc == npids); 700 local_svc_zone_enter = ctp->conp_svc_zone_enter; 701 mutex_exit(&ct->ct_lock); 702 } 703 704 /* 705 * Contract terms are static; there's no need to hold the 706 * contract lock while accessing them. 707 */ 708 VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0); 709 VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0); 710 if (detail == CTD_ALL) { 711 VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids, 712 npids) == 0); 713 VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids, 714 nctids) == 0); 715 VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX, 716 refstr_value(ctp->conp_svc_aux)) == 0); 717 VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR, 718 refstr_value(ctp->conp_svc_creator)) == 0); 719 kmem_free(pids, spids * sizeof (uint32_t)); 720 kmem_free(ctids, sctids * sizeof (uint32_t)); 721 } 722 723 /* 724 * if we are in a local zone and svc_fmri was inherited from 725 * the global zone, we provide fake svc_fmri and svc_ctid 726 */ 727 if (local_svc_zone_enter == 0|| 728 zone->zone_uniqid == GLOBAL_ZONEUNIQID) { 729 if (detail > CTD_COMMON) { 730 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID, 731 ctp->conp_svc_ctid) == 0); 732 } 733 if (detail == CTD_ALL) { 734 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI, 735 refstr_value(ctp->conp_svc_fmri)) == 0); 736 } 737 } else { 738 if (detail > CTD_COMMON) { 739 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID, 740 local_svc_zone_enter) == 0); 741 } 742 if (detail == CTD_ALL) { 743 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI, 744 CT_PR_SVC_FMRI_ZONE_ENTER) == 0); 745 } 746 } 747 } 748 749 /*ARGSUSED*/ 750 static int 751 contract_process_newct(contract_t *ct) 752 { 753 return (0); 754 } 755 756 /* process contracts don't negotiate */ 757 static contops_t contract_process_ops = { 758 contract_process_free, /* contop_free */ 759 contract_process_abandon, /* contop_abandon */ 760 contract_process_destroy, /* contop_destroy */ 761 contract_process_status, /* contop_status */ 762 contract_ack_inval, /* contop_ack */ 763 contract_ack_inval, /* contop_nack */ 764 contract_qack_inval, /* contop_qack */ 765 contract_process_newct /* contop_newct */ 766 }; 767 768 /* 769 * contract_process_init 770 * 771 * Initializes the process contract type. Also creates a template for 772 * use by newproc() when it creates user processes. 773 */ 774 void 775 contract_process_init(void) 776 { 777 process_type = contract_type_init(CTT_PROCESS, "process", 778 &contract_process_ops, contract_process_default); 779 780 /* 781 * Create a template for use with init(1M) and other 782 * kernel-started processes. 783 */ 784 sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 785 ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops, 786 process_type, sys_process_tmpl); 787 sys_process_tmpl->ctp_subsume = NULL; 788 sys_process_tmpl->ctp_params = CT_PR_NOORPHAN; 789 sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR; 790 sys_process_tmpl->ctp_svc_fmri = 791 refstr_alloc("svc:/system/init:default"); 792 sys_process_tmpl->ctp_svc_aux = refstr_alloc(""); 793 conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux; 794 refstr_hold(conp_svc_aux_default); 795 } 796 797 /* 798 * contract_process_create 799 * 800 * create a process contract given template "tmpl" and parent process 801 * "parent". May fail and return NULL if project.max-contracts would 802 * have been exceeded. 803 */ 804 static cont_process_t * 805 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail) 806 { 807 cont_process_t *ctp; 808 809 ASSERT(tmpl != NULL); 810 811 (void) contract_type_pbundle(process_type, parent); 812 813 ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP); 814 815 list_create(&ctp->conp_members, sizeof (proc_t), 816 offsetof(proc_t, p_ct_member)); 817 list_create(&ctp->conp_inherited, sizeof (contract_t), 818 offsetof(contract_t, ct_ctlist)); 819 mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock); 820 ctp->conp_params = tmpl->ctp_params; 821 ctp->conp_ev_fatal = tmpl->ctp_ev_fatal; 822 crhold(ctp->conp_cred = CRED()); 823 824 if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl, 825 ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0, 826 parent, canfail)) { 827 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock); 828 contract_process_free(&ctp->conp_contract); 829 return (NULL); 830 } 831 832 /* 833 * inherit svc_fmri if not defined by consumer. In this case, inherit 834 * also svc_ctid to keep track of the contract id where 835 * svc_fmri was set 836 */ 837 if (tmpl->ctp_svc_fmri == NULL) { 838 ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri; 839 ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid; 840 ctp->conp_svc_zone_enter = 841 parent->p_ct_process->conp_svc_zone_enter; 842 } else { 843 ctp->conp_svc_fmri = tmpl->ctp_svc_fmri; 844 ctp->conp_svc_ctid = ctp->conp_contract.ct_id; 845 /* make svc_zone_enter flag false when svc_fmri is set */ 846 ctp->conp_svc_zone_enter = 0; 847 } 848 refstr_hold(ctp->conp_svc_fmri); 849 /* set svc_aux to default value if not defined in template */ 850 if (tmpl->ctp_svc_aux == NULL) { 851 ctp->conp_svc_aux = conp_svc_aux_default; 852 } else { 853 ctp->conp_svc_aux = tmpl->ctp_svc_aux; 854 } 855 refstr_hold(ctp->conp_svc_aux); 856 /* 857 * set svc_creator to execname 858 * We special case pid0 because when newproc() creates 859 * the init process, the p_user.u_comm field of sched's proc_t 860 * has not been populated yet. 861 */ 862 if (parent->p_pidp == &pid0) /* if the kernel is the creator */ 863 ctp->conp_svc_creator = refstr_alloc("sched"); 864 else 865 ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm); 866 867 /* 868 * Transfer subcontracts only after new contract is visible. 869 * Also, only transfer contracts if the parent matches -- we 870 * don't want to create a cycle in the tree of contracts. 871 */ 872 if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) { 873 cont_process_t *sct = tmpl->ctp_subsume->ct_data; 874 contract_t *ct; 875 876 mutex_enter(&tmpl->ctp_subsume->ct_lock); 877 mutex_enter(&ctp->conp_contract.ct_lock); 878 while (ct = list_head(&sct->conp_inherited)) { 879 mutex_enter(&ct->ct_lock); 880 list_remove(&sct->conp_inherited, ct); 881 list_insert_tail(&ctp->conp_inherited, ct); 882 ct->ct_regent = &ctp->conp_contract; 883 mutex_exit(&ct->ct_lock); 884 } 885 ctp->conp_ninherited += sct->conp_ninherited; 886 sct->conp_ninherited = 0; 887 mutex_exit(&ctp->conp_contract.ct_lock); 888 mutex_exit(&tmpl->ctp_subsume->ct_lock); 889 890 /* 891 * Automatically abandon the contract. 892 */ 893 (void) contract_abandon(tmpl->ctp_subsume, parent, 1); 894 } 895 896 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock); 897 898 return (ctp); 899 } 900 901 /* 902 * contract_process_exit 903 * 904 * Called on process exit. Removes process p from process contract 905 * ctp. Generates an exit event, if requested. Generates an empty 906 * event, if p is the last member of the the process contract and empty 907 * events were requested. 908 */ 909 void 910 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus) 911 { 912 contract_t *ct = &ctp->conp_contract; 913 ct_kevent_t *event; 914 int empty; 915 916 /* 917 * Remove self from process contract. 918 */ 919 mutex_enter(&ct->ct_lock); 920 list_remove(&ctp->conp_members, p); 921 ctp->conp_nmembers--; 922 mutex_enter(&p->p_lock); /* in case /proc is watching */ 923 p->p_ct_process = NULL; 924 mutex_exit(&p->p_lock); 925 926 /* 927 * We check for emptiness before dropping the contract lock to 928 * send the exit event, otherwise we could end up with two 929 * empty events. 930 */ 931 empty = (list_head(&ctp->conp_members) == NULL); 932 if (EVSENDP(ctp, CT_PR_EV_EXIT)) { 933 nvlist_t *nvl; 934 935 mutex_exit(&ct->ct_lock); 936 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 937 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 938 VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0); 939 940 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 941 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0; 942 event->cte_type = CT_PR_EV_EXIT; 943 (void) cte_publish_all(ct, event, nvl, NULL); 944 mutex_enter(&ct->ct_lock); 945 } 946 if (empty) { 947 /* 948 * Send EMPTY message. 949 */ 950 if (EVSENDP(ctp, CT_PR_EV_EMPTY)) { 951 nvlist_t *nvl; 952 953 mutex_exit(&ct->ct_lock); 954 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, 955 KM_SLEEP) == 0); 956 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 957 958 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 959 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ? 960 CTE_INFO : 0; 961 event->cte_type = CT_PR_EV_EMPTY; 962 (void) cte_publish_all(ct, event, nvl, NULL); 963 mutex_enter(&ct->ct_lock); 964 } 965 966 /* 967 * The last one to leave an orphaned contract turns out 968 * the lights. 969 */ 970 if (ct->ct_state == CTS_ORPHAN) { 971 contract_destroy(ct); 972 return; 973 } 974 } 975 mutex_exit(&ct->ct_lock); 976 contract_rele(ct); 977 } 978 979 /* 980 * contract_process_fork 981 * 982 * Called on process fork. If the current lwp has a active process 983 * contract template, we attempt to create a new process contract. 984 * Failure to create a process contract when required is a failure in 985 * fork so, in such an event, we return NULL. 986 * 987 * Assuming we succeeded or skipped the previous step, we add the child 988 * process to the new contract (success) or to the parent's process 989 * contract (skip). If requested, we also send a fork event to that 990 * contract. 991 * 992 * Because contract_process_fork() may fail, and because we would 993 * prefer that process contracts not be created for processes which 994 * don't complete forking, this should be the last function called 995 * before the "all clear" point in cfork. 996 */ 997 cont_process_t * 998 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp, 999 int canfail) 1000 { 1001 contract_t *ct; 1002 cont_process_t *ctp; 1003 ct_kevent_t *event; 1004 ct_template_t *tmpl; 1005 1006 if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[ 1007 process_type->ct_type_index]) != NULL) 1008 rtmpl = tmpl->ctmpl_data; 1009 1010 if (rtmpl == NULL) 1011 ctp = curproc->p_ct_process; 1012 else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL) 1013 return (NULL); 1014 1015 ct = &ctp->conp_contract; 1016 /* 1017 * Prevent contract_process_kill() from missing forked children 1018 * by failing forks by parents that have just been killed. 1019 * It's not worth hoisting the ctp test since contract creation 1020 * is by no means the common case. 1021 */ 1022 mutex_enter(&ct->ct_lock); 1023 mutex_enter(&pp->p_lock); 1024 if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 && 1025 canfail) { 1026 mutex_exit(&pp->p_lock); 1027 mutex_exit(&ct->ct_lock); 1028 return (NULL); 1029 } 1030 cp->p_ct_process = ctp; 1031 mutex_exit(&pp->p_lock); 1032 contract_hold(ct); 1033 list_insert_head(&ctp->conp_members, cp); 1034 ctp->conp_nmembers++; 1035 mutex_exit(&ct->ct_lock); 1036 if (EVSENDP(ctp, CT_PR_EV_FORK)) { 1037 nvlist_t *nvl; 1038 1039 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1040 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0); 1041 VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0); 1042 1043 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1044 event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0; 1045 event->cte_type = CT_PR_EV_FORK; 1046 (void) cte_publish_all(ct, event, nvl, NULL); 1047 } 1048 return (ctp); 1049 } 1050 1051 /* 1052 * contract_process_core 1053 * 1054 * Called on core file generation attempts. Generates a core event, if 1055 * requested, containing the names of the process, global, and 1056 * system-global ("zone") core files. If dumping core is in the fatal 1057 * event set, calls contract_process_kill(). 1058 */ 1059 void 1060 contract_process_core(cont_process_t *ctp, proc_t *p, int sig, 1061 const char *process, const char *global, const char *zone) 1062 { 1063 contract_t *ct = &ctp->conp_contract; 1064 1065 if (EVSENDP(ctp, CT_PR_EV_CORE)) { 1066 ct_kevent_t *event; 1067 nvlist_t *nvl, *gnvl = NULL; 1068 1069 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1070 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 1071 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0); 1072 if (process) 1073 VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE, 1074 (char *)process) == 0); 1075 if (global) 1076 VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE, 1077 (char *)global) == 0); 1078 1079 if (zone) { 1080 /* 1081 * Only the global zone is informed of the 1082 * local-zone generated global-zone core. 1083 */ 1084 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME, 1085 KM_SLEEP) == 0); 1086 VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE, 1087 (char *)zone) == 0); 1088 } 1089 1090 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1091 event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0; 1092 event->cte_type = CT_PR_EV_CORE; 1093 (void) cte_publish_all(ct, event, nvl, gnvl); 1094 } 1095 1096 if (EVFATALP(ctp, CT_PR_EV_CORE)) { 1097 mutex_enter(&ct->ct_lock); 1098 contract_process_kill(ct, p, B_TRUE); 1099 mutex_exit(&ct->ct_lock); 1100 } 1101 } 1102 1103 /* 1104 * contract_process_hwerr 1105 * 1106 * Called when a process is killed by an unrecoverable hardware error. 1107 * Generates an hwerr event, if requested. If hardware errors are in 1108 * the fatal event set, calls contract_process_kill(). 1109 */ 1110 void 1111 contract_process_hwerr(cont_process_t *ctp, proc_t *p) 1112 { 1113 contract_t *ct = &ctp->conp_contract; 1114 1115 if (EVSENDP(ctp, CT_PR_EV_HWERR)) { 1116 ct_kevent_t *event; 1117 nvlist_t *nvl; 1118 1119 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1120 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 1121 1122 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1123 event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0; 1124 event->cte_type = CT_PR_EV_HWERR; 1125 (void) cte_publish_all(ct, event, nvl, NULL); 1126 } 1127 1128 if (EVFATALP(ctp, CT_PR_EV_HWERR)) { 1129 mutex_enter(&ct->ct_lock); 1130 contract_process_kill(ct, p, B_FALSE); 1131 mutex_exit(&ct->ct_lock); 1132 } 1133 } 1134 1135 /* 1136 * contract_process_sig 1137 * 1138 * Called when a process is killed by a signal originating from a 1139 * process outside of its process contract or its process contract's 1140 * holder. Generates an signal event, if requested, containing the 1141 * signal number, and the sender's pid and contract id (if available). 1142 * If signals are in the fatal event set, calls 1143 * contract_process_kill(). 1144 */ 1145 void 1146 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid, 1147 ctid_t ctid, zoneid_t zoneid) 1148 { 1149 contract_t *ct = &ctp->conp_contract; 1150 1151 if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) { 1152 ct_kevent_t *event; 1153 nvlist_t *dest, *nvl, *gnvl = NULL; 1154 1155 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1156 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 1157 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0); 1158 1159 if (zoneid >= 0 && p->p_zone->zone_id != zoneid) { 1160 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME, 1161 KM_SLEEP) == 0); 1162 dest = gnvl; 1163 } else { 1164 dest = nvl; 1165 } 1166 1167 if (pid != -1) 1168 VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0); 1169 if (ctid != 0) 1170 VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0); 1171 1172 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 1173 event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0; 1174 event->cte_type = CT_PR_EV_SIGNAL; 1175 (void) cte_publish_all(ct, event, nvl, gnvl); 1176 } 1177 1178 if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) { 1179 mutex_enter(&ct->ct_lock); 1180 contract_process_kill(ct, p, B_TRUE); 1181 mutex_exit(&ct->ct_lock); 1182 } 1183 } 1184