xref: /titanic_52/usr/src/uts/common/contract/process.c (revision b695575577bae0337af339d76949713bfe1c9013)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/mutex.h>
27 #include <sys/debug.h>
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/kmem.h>
31 #include <sys/thread.h>
32 #include <sys/id_space.h>
33 #include <sys/avl.h>
34 #include <sys/list.h>
35 #include <sys/sysmacros.h>
36 #include <sys/proc.h>
37 #include <sys/contract.h>
38 #include <sys/contract_impl.h>
39 #include <sys/contract/process.h>
40 #include <sys/contract/process_impl.h>
41 #include <sys/cmn_err.h>
42 #include <sys/nvpair.h>
43 #include <sys/policy.h>
44 #include <sys/refstr.h>
45 #include <sys/sunddi.h>
46 
47 /*
48  * Process Contracts
49  * -----------------
50  *
51  * Generally speaking, a process contract is a contract between a
52  * process and a set of its descendent processes.  In some cases, when
53  * the child processes outlive the author of the contract, the contract
54  * may be held by (and therefore be between the child processes and) a
55  * successor process which adopts the contract after the death of the
56  * original author.
57  *
58  * The process contract adds two new concepts to the Solaris process
59  * model.  The first is that a process contract forms a rigid fault
60  * boundary around a set of processes.  Hardware, software, and even
61  * administrator errors impacting a process in a process contract
62  * generate specific events and can be requested to atomically shutdown
63  * all processes in the contract.  The second is that a process
64  * contract is a process collective whose leader is not a member of the
65  * collective.  This means that the leader can reliably react to events
66  * in the collective, and may also act upon the collective without
67  * special casing itself.
68  *
69  * A composite outcome of these two concepts is that we can now create
70  * a tree of process contracts, rooted at init(1M), which represent
71  * services and subservices that are reliably observed and can be
72  * restarted when fatal errors occur.  The service management framework
73  * (SMF) realizes this structure.
74  *
75  * For more details, see the "restart agreements" case, PSARC 2003/193.
76  *
77  * There are four sets of routines in this file: the process contract
78  * standard template operations, the process contract standard contract
79  * operations, a couple routines used only by the contract subsystem to
80  * handle process contracts' unique role as a temporary holder of
81  * abandoned contracts, and the interfaces which allow the system to
82  * create and act upon process contracts.  The first two are defined by
83  * the contracts framework and won't be discussed further.  As for the
84  * remaining two:
85  *
86  * Special framework interfaces
87  * ----------------------------
88  *
89  * contract_process_accept - determines if a process contract is a
90  *   regent, i.e. if it can inherit other contracts.
91  *
92  * contract_process_take - tells a regent process contract to inherit
93  *   an abandoned contract
94  *
95  * contract_process_adopt - tells a regent process contract that a
96  *   contract it has inherited is being adopted by a process.
97  *
98  * Process contract interfaces
99  * ---------------------------
100  *
101  * contract_process_fork - called when a process is created; adds the
102  *   new process to an existing contract or to a newly created one.
103  *
104  * contract_process_exit - called when a process exits
105  *
106  * contract_process_core - called when a process would have dumped core
107  *   (even if a core file wasn't generated)
108  *
109  * contract_process_hwerr - called when a process was killed because of
110  *   an uncorrectable hardware error
111  *
112  * contract_process_sig - called when a process was killed by a fatal
113  *   signal sent by a process in another process contract
114  *
115  */
116 
117 ct_type_t *process_type;
118 ctmpl_process_t *sys_process_tmpl;
119 refstr_t *conp_svc_aux_default;
120 
121 /*
122  * Macro predicates for determining when events should be sent and how.
123  */
124 #define	EVSENDP(ctp, flag) \
125 	((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
126 
127 #define	EVINFOP(ctp, flag) \
128 	((ctp->conp_contract.ct_ev_crit & flag) == 0)
129 
130 #define	EVFATALP(ctp, flag) \
131 	(ctp->conp_ev_fatal & flag)
132 
133 
134 /*
135  * Process contract template implementation
136  */
137 
138 /*
139  * ctmpl_process_dup
140  *
141  * The process contract template dup entry point.  Other than the
142  * to-be-subsumed contract, which must be held, this simply copies all
143  * the fields of the original.
144  */
145 static struct ct_template *
146 ctmpl_process_dup(struct ct_template *template)
147 {
148 	ctmpl_process_t *new;
149 	ctmpl_process_t *old = template->ctmpl_data;
150 
151 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
152 
153 	ctmpl_copy(&new->ctp_ctmpl, template);
154 	new->ctp_ctmpl.ctmpl_data = new;
155 
156 	new->ctp_subsume = old->ctp_subsume;
157 	if (new->ctp_subsume)
158 		contract_hold(new->ctp_subsume);
159 	new->ctp_params = old->ctp_params;
160 	new->ctp_ev_fatal = old->ctp_ev_fatal;
161 	new->ctp_svc_fmri = old->ctp_svc_fmri;
162 	if (new->ctp_svc_fmri != NULL) {
163 		refstr_hold(new->ctp_svc_fmri);
164 	}
165 	new->ctp_svc_aux = old->ctp_svc_aux;
166 	if (new->ctp_svc_aux != NULL) {
167 		refstr_hold(new->ctp_svc_aux);
168 	}
169 
170 	return (&new->ctp_ctmpl);
171 }
172 
173 /*
174  * ctmpl_process_free
175  *
176  * The process contract template free entry point.  Just releases a
177  * to-be-subsumed contract and frees the template.
178  */
179 static void
180 ctmpl_process_free(struct ct_template *template)
181 {
182 	ctmpl_process_t *ctp = template->ctmpl_data;
183 
184 	if (ctp->ctp_subsume)
185 		contract_rele(ctp->ctp_subsume);
186 	if (ctp->ctp_svc_fmri != NULL) {
187 		refstr_rele(ctp->ctp_svc_fmri);
188 	}
189 	if (ctp->ctp_svc_aux != NULL) {
190 		refstr_rele(ctp->ctp_svc_aux);
191 	}
192 	kmem_free(template, sizeof (ctmpl_process_t));
193 }
194 
195 /*
196  * SAFE_EV is the set of events which a non-privileged process is
197  * allowed to make critical but not fatal or if the PGRPONLY parameter
198  * is set.  EXCESS tells us if "value", a critical event set, requires
199  * additional privilege given the template "ctp".
200  */
201 #define	SAFE_EV			(CT_PR_EV_EMPTY)
202 #define	EXCESS(ctp, value)	\
203 	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
204 	(((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
205 
206 /*
207  * ctmpl_process_set
208  *
209  * The process contract template set entry point.  None of the terms
210  * may be unconditionally set, and setting the parameters or fatal
211  * event set may result in events being implicitly removed from to the
212  * critical event set and added to the informative event set.  The
213  * (admittedly subtle) reason we implicitly change the critical event
214  * set when the parameter or fatal event set is modified but not the
215  * other way around is because a change to the critical event set only
216  * affects the contract's owner, whereas a change to the parameter set
217  * and fatal set can affect the execution of the application running in
218  * the contract (and should therefore be only made explicitly).  We
219  * allow implicit changes at all so that setting contract terms doesn't
220  * become a complex dance dependent on the template's initial state and
221  * the desired terms.
222  */
223 static int
224 ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
225     const cred_t *cr)
226 {
227 	ctmpl_process_t *ctp = tmpl->ctmpl_data;
228 	ct_param_t *param = &kparam->param;
229 	contract_t *ct;
230 	int error;
231 	uint64_t param_value;
232 	char *str_value;
233 
234 	if ((param->ctpm_id == CTPP_SVC_FMRI) ||
235 	    (param->ctpm_id == CTPP_CREATOR_AUX)) {
236 		str_value = (char *)kparam->ctpm_kbuf;
237 		str_value[param->ctpm_size - 1] = '\0';
238 	} else {
239 		if (param->ctpm_size < sizeof (uint64_t))
240 			return (EINVAL);
241 		param_value = *(uint64_t *)kparam->ctpm_kbuf;
242 		/*
243 		 * No process contract parameters are > 32 bits.
244 		 * Unless it is a string.
245 		 */
246 		if (param_value & ~UINT32_MAX)
247 			return (EINVAL);
248 	}
249 
250 	switch (param->ctpm_id) {
251 	case CTPP_SUBSUME:
252 		if (param_value != 0) {
253 			/*
254 			 * Ensure that the contract exists, that we
255 			 * hold the contract, and that the contract is
256 			 * empty.
257 			 */
258 			ct = contract_type_ptr(process_type, param_value,
259 			    curproc->p_zone->zone_uniqid);
260 			if (ct == NULL)
261 				return (ESRCH);
262 			if (ct->ct_owner != curproc) {
263 				contract_rele(ct);
264 				return (EACCES);
265 			}
266 			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
267 				contract_rele(ct);
268 				return (ENOTEMPTY);
269 			}
270 		} else {
271 			ct = NULL;
272 		}
273 		if (ctp->ctp_subsume)
274 			contract_rele(ctp->ctp_subsume);
275 		ctp->ctp_subsume = ct;
276 		break;
277 	case CTPP_PARAMS:
278 		if (param_value & ~CT_PR_ALLPARAM)
279 			return (EINVAL);
280 		ctp->ctp_params = param_value;
281 		/*
282 		 * If an unprivileged process requests that
283 		 * CT_PR_PGRPONLY be set, remove any unsafe events from
284 		 * the critical event set and add them to the
285 		 * informative event set.
286 		 */
287 		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
288 		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
289 		    !secpolicy_contract_event_choice(cr)) {
290 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
291 			tmpl->ctmpl_ev_crit &= SAFE_EV;
292 		}
293 
294 		break;
295 	case CTPP_SVC_FMRI:
296 		if (error = secpolicy_contract_identity(cr))
297 			return (error);
298 		if (ctp->ctp_svc_fmri != NULL)
299 			refstr_rele(ctp->ctp_svc_fmri);
300 		if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
301 			ctp->ctp_svc_fmri = NULL;
302 		else
303 			ctp->ctp_svc_fmri =
304 			    refstr_alloc(str_value);
305 		break;
306 	case CTPP_CREATOR_AUX:
307 		if (ctp->ctp_svc_aux != NULL)
308 			refstr_rele(ctp->ctp_svc_aux);
309 		if (param->ctpm_size == 1) /* empty string */
310 			ctp->ctp_svc_aux = NULL;
311 		else
312 			ctp->ctp_svc_aux =
313 			    refstr_alloc(str_value);
314 		break;
315 	case CTP_EV_CRITICAL:
316 		/*
317 		 * We simply don't allow adding events to the critical
318 		 * event set which aren't permitted by our policy or by
319 		 * privilege.
320 		 */
321 		if (EXCESS(ctp, param_value) &&
322 		    (error = secpolicy_contract_event(cr)) != 0)
323 			return (error);
324 		tmpl->ctmpl_ev_crit = param_value;
325 		break;
326 	case CTPP_EV_FATAL:
327 		if (param_value & ~CT_PR_ALLFATAL)
328 			return (EINVAL);
329 		ctp->ctp_ev_fatal = param_value;
330 		/*
331 		 * Check to see if an unprivileged process is
332 		 * requesting that events be removed from the fatal
333 		 * event set which are still in the critical event set.
334 		 */
335 		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
336 		    !secpolicy_contract_event_choice(cr)) {
337 			int allowed =
338 			    SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
339 			    0 : ctp->ctp_ev_fatal;
340 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
341 			tmpl->ctmpl_ev_crit &= allowed;
342 		}
343 		break;
344 	default:
345 		return (EINVAL);
346 	}
347 
348 	return (0);
349 }
350 
351 /*
352  * ctmpl_process_get
353  *
354  * The process contract template get entry point.  Simply fetches and
355  * returns the requested term.
356  */
357 static int
358 ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
359 {
360 	ctmpl_process_t *ctp = template->ctmpl_data;
361 	ct_param_t *param = &kparam->param;
362 	uint64_t *param_value = kparam->ctpm_kbuf;
363 
364 	if (param->ctpm_id == CTPP_SUBSUME ||
365 	    param->ctpm_id == CTPP_PARAMS ||
366 	    param->ctpm_id == CTPP_EV_FATAL) {
367 		if (param->ctpm_size < sizeof (uint64_t))
368 			return (EINVAL);
369 		kparam->ret_size = sizeof (uint64_t);
370 	}
371 
372 	switch (param->ctpm_id) {
373 	case CTPP_SUBSUME:
374 		*param_value = ctp->ctp_subsume ?
375 		    ctp->ctp_subsume->ct_id : 0;
376 		break;
377 	case CTPP_PARAMS:
378 		*param_value = ctp->ctp_params;
379 		break;
380 	case CTPP_SVC_FMRI:
381 		if (ctp->ctp_svc_fmri == NULL) {
382 			kparam->ret_size =
383 			    strlcpy((char *)kparam->ctpm_kbuf,
384 			    CT_PR_SVC_DEFAULT, param->ctpm_size);
385 		} else {
386 			kparam->ret_size =
387 			    strlcpy((char *)kparam->ctpm_kbuf,
388 			    refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
389 		}
390 		kparam->ret_size++;
391 		break;
392 	case CTPP_CREATOR_AUX:
393 		if (ctp->ctp_svc_aux == NULL) {
394 			kparam->ret_size =
395 			    strlcpy((char *)kparam->ctpm_kbuf,
396 			    refstr_value(conp_svc_aux_default),
397 			    param->ctpm_size);
398 		} else {
399 			kparam->ret_size =
400 			    strlcpy((char *)kparam->ctpm_kbuf,
401 			    refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
402 		}
403 		kparam->ret_size++;
404 		break;
405 	case CTPP_EV_FATAL:
406 		*param_value = ctp->ctp_ev_fatal;
407 		break;
408 	default:
409 		return (EINVAL);
410 	}
411 
412 	return (0);
413 }
414 
415 static ctmplops_t ctmpl_process_ops = {
416 	ctmpl_process_dup,		/* ctop_dup */
417 	ctmpl_process_free,		/* ctop_free */
418 	ctmpl_process_set,		/* ctop_set */
419 	ctmpl_process_get,		/* ctop_get */
420 	ctmpl_create_inval,		/* ctop_create */
421 	CT_PR_ALLEVENT
422 };
423 
424 
425 /*
426  * Process contract implementation
427  */
428 
429 /*
430  * ctmpl_process_default
431  *
432  * The process contract default template entry point.  Creates a
433  * process contract template with no parameters set, with informative
434  * core and signal events, critical empty and hwerr events, and fatal
435  * hwerr events.
436  */
437 static ct_template_t *
438 contract_process_default(void)
439 {
440 	ctmpl_process_t *new;
441 
442 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
443 	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
444 
445 	new->ctp_subsume = NULL;
446 	new->ctp_params = 0;
447 	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
448 	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
449 	new->ctp_ev_fatal = CT_PR_EV_HWERR;
450 	new->ctp_svc_fmri = NULL;
451 	new->ctp_svc_aux = NULL;
452 
453 	return (&new->ctp_ctmpl);
454 }
455 
456 /*
457  * contract_process_free
458  *
459  * The process contract free entry point.
460  */
461 static void
462 contract_process_free(contract_t *ct)
463 {
464 	cont_process_t *ctp = ct->ct_data;
465 	crfree(ctp->conp_cred);
466 	list_destroy(&ctp->conp_members);
467 	list_destroy(&ctp->conp_inherited);
468 	if (ctp->conp_svc_fmri != NULL) {
469 		refstr_rele(ctp->conp_svc_fmri);
470 	}
471 	if (ctp->conp_svc_aux != NULL) {
472 		refstr_rele(ctp->conp_svc_aux);
473 	}
474 	if (ctp->conp_svc_creator != NULL) {
475 		refstr_rele(ctp->conp_svc_creator);
476 	}
477 	kmem_free(ctp, sizeof (cont_process_t));
478 }
479 
480 /*
481  * contract_process_cankill
482  *
483  * Determine if the contract author had or if the process generating
484  * the event, sp, has adequate privileges to kill process tp.
485  */
486 static int
487 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
488 {
489 	int cankill;
490 
491 	mutex_enter(&tp->p_crlock);
492 	cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
493 	mutex_exit(&tp->p_crlock);
494 	if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
495 		return (1);
496 
497 	return (0);
498 }
499 
500 /*
501  * contract_process_kill
502  *
503  * Kills all processes in a contract, or all processes in the
504  * intersection of a contract and ex's process group (if ex is non-NULL
505  * and the contract's PGRPONLY parameter is set).  If checkpriv is
506  * true, only those processes which may be signaled by the contract
507  * author or ex are killed.
508  */
509 static void
510 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
511 {
512 	cont_process_t *ctp = ct->ct_data;
513 	proc_t *p;
514 	pid_t pgrp = -1;
515 
516 	ASSERT(MUTEX_HELD(&ct->ct_lock));
517 
518 	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
519 		pgrp = ex->p_pgrp;
520 		mutex_enter(&pidlock);
521 	}
522 
523 	for (p = list_head(&ctp->conp_members); p != NULL;
524 	    p = list_next(&ctp->conp_members, p)) {
525 		if ((p == ex) ||
526 		    (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
527 		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
528 			continue;
529 
530 		psignal(p, SIGKILL);
531 	}
532 
533 	if (pgrp != -1)
534 		mutex_exit(&pidlock);
535 }
536 
537 
538 /*
539  * contract_process_accept
540  *
541  * Tests if the process contract is willing to act as a regent for
542  * inherited contracts.  Though brief and only called from one place,
543  * this functionality is kept here to avoid including knowledge of
544  * process contract implementation in the generic contract code.
545  */
546 int
547 contract_process_accept(contract_t *parent)
548 {
549 	cont_process_t *ctp = parent->ct_data;
550 
551 	ASSERT(parent->ct_type == process_type);
552 
553 	return (ctp->conp_params & CT_PR_REGENT);
554 }
555 
556 /*
557  * contract_process_take
558  *
559  * Executes the process contract side of inheriting a contract.
560  */
561 void
562 contract_process_take(contract_t *parent, contract_t *child)
563 {
564 	cont_process_t *ctp = parent->ct_data;
565 
566 	ASSERT(MUTEX_HELD(&parent->ct_lock));
567 	ASSERT(MUTEX_HELD(&child->ct_lock));
568 	ASSERT(parent->ct_type == process_type);
569 	ASSERT(ctp->conp_params & CT_PR_REGENT);
570 
571 	list_insert_head(&ctp->conp_inherited, child);
572 	ctp->conp_ninherited++;
573 }
574 
575 /*
576  * contract_process_adopt
577  *
578  * Executes the process contract side of adopting a contract.
579  */
580 void
581 contract_process_adopt(contract_t *ct, proc_t *p)
582 {
583 	cont_process_t *parent = p->p_ct_process;
584 
585 	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
586 	ASSERT(MUTEX_HELD(&ct->ct_lock));
587 
588 	list_remove(&parent->conp_inherited, ct);
589 	parent->conp_ninherited--;
590 
591 	/*
592 	 * We drop the parent lock first because a) we are passing the
593 	 * contract reference to the child, and b) contract_adopt
594 	 * expects us to return with the contract lock held.
595 	 */
596 	mutex_exit(&parent->conp_contract.ct_lock);
597 }
598 
599 /*
600  * contract_process_abandon
601  *
602  * The process contract abandon entry point.
603  */
604 static void
605 contract_process_abandon(contract_t *ct)
606 {
607 	cont_process_t *ctp = ct->ct_data;
608 
609 	ASSERT(MUTEX_HELD(&ct->ct_lock));
610 
611 	/*
612 	 * Shall we stay or shall we go?
613 	 */
614 	if (list_head(&ctp->conp_members) == NULL) {
615 		contract_destroy(ct);
616 	} else {
617 		/*
618 		 * Strictly speaking, we actually do orphan the contract.
619 		 * Assuming our credentials allow us to kill all
620 		 * processes in the contract, this is only temporary.
621 		 */
622 		if (ctp->conp_params & CT_PR_NOORPHAN)
623 			contract_process_kill(ct, NULL, B_TRUE);
624 		contract_orphan(ct);
625 		mutex_exit(&ct->ct_lock);
626 		contract_rele(ct);
627 	}
628 }
629 
630 /*
631  * contract_process_destroy
632  *
633  * The process contract destroy entry point.
634  */
635 static void
636 contract_process_destroy(contract_t *ct)
637 {
638 	cont_process_t *ctp = ct->ct_data;
639 	contract_t *cct;
640 
641 	ASSERT(MUTEX_HELD(&ct->ct_lock));
642 
643 	/*
644 	 * contract_destroy all empty children, kill or orphan the rest
645 	 */
646 	while (cct = list_head(&ctp->conp_inherited)) {
647 		mutex_enter(&cct->ct_lock);
648 
649 		ASSERT(cct->ct_state == CTS_INHERITED);
650 
651 		list_remove(&ctp->conp_inherited, cct);
652 		ctp->conp_ninherited--;
653 		cct->ct_regent = NULL;
654 		cct->ct_type->ct_type_ops->contop_abandon(cct);
655 	}
656 }
657 
658 /*
659  * contract_process_status
660  *
661  * The process contract status entry point.
662  */
663 static void
664 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
665     void *status, model_t model)
666 {
667 	cont_process_t *ctp = ct->ct_data;
668 	uint32_t *pids, *ctids;
669 	uint_t npids, nctids;
670 	uint_t spids, sctids;
671 	ctid_t local_svc_zone_enter;
672 
673 	if (detail == CTD_FIXED) {
674 		mutex_enter(&ct->ct_lock);
675 		contract_status_common(ct, zone, status, model);
676 		local_svc_zone_enter = ctp->conp_svc_zone_enter;
677 		mutex_exit(&ct->ct_lock);
678 	} else {
679 		contract_t *cnext;
680 		proc_t *pnext;
681 		uint_t loc;
682 
683 		ASSERT(detail == CTD_ALL);
684 		mutex_enter(&ct->ct_lock);
685 		for (;;) {
686 			spids = ctp->conp_nmembers + 5;
687 			sctids = ctp->conp_ninherited + 5;
688 			mutex_exit(&ct->ct_lock);
689 
690 			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
691 			ctids = kmem_alloc(sctids * sizeof (uint32_t),
692 			    KM_SLEEP);
693 
694 			mutex_enter(&ct->ct_lock);
695 			npids = ctp->conp_nmembers;
696 			nctids = ctp->conp_ninherited;
697 			if (spids >= npids && sctids >= nctids)
698 				break;
699 
700 			kmem_free(pids, spids * sizeof (uint32_t));
701 			kmem_free(ctids, sctids * sizeof (uint32_t));
702 		}
703 		contract_status_common(ct, zone, status, model);
704 		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
705 		    cnext = list_next(&ctp->conp_inherited, cnext))
706 			ctids[loc++] = cnext->ct_id;
707 		ASSERT(loc == nctids);
708 		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
709 		    pnext = list_next(&ctp->conp_members, pnext))
710 			pids[loc++] = pnext->p_pid;
711 		ASSERT(loc == npids);
712 		local_svc_zone_enter = ctp->conp_svc_zone_enter;
713 		mutex_exit(&ct->ct_lock);
714 	}
715 
716 	/*
717 	 * Contract terms are static; there's no need to hold the
718 	 * contract lock while accessing them.
719 	 */
720 	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
721 	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
722 	if (detail == CTD_ALL) {
723 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
724 		    npids) == 0);
725 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
726 		    nctids) == 0);
727 		VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
728 		    refstr_value(ctp->conp_svc_aux)) == 0);
729 		VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
730 		    refstr_value(ctp->conp_svc_creator)) == 0);
731 		kmem_free(pids, spids * sizeof (uint32_t));
732 		kmem_free(ctids, sctids * sizeof (uint32_t));
733 	}
734 
735 	/*
736 	 * if we are in a local zone and svc_fmri was inherited from
737 	 * the global zone, we provide fake svc_fmri and svc_ctid
738 	 */
739 	if (local_svc_zone_enter == 0||
740 	    zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
741 		if (detail > CTD_COMMON) {
742 			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
743 			    ctp->conp_svc_ctid) == 0);
744 		}
745 		if (detail == CTD_ALL) {
746 			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
747 			    refstr_value(ctp->conp_svc_fmri)) == 0);
748 		}
749 	} else {
750 		if (detail > CTD_COMMON) {
751 			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
752 			    local_svc_zone_enter) == 0);
753 		}
754 		if (detail == CTD_ALL) {
755 			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
756 			    CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
757 		}
758 	}
759 }
760 
761 /*ARGSUSED*/
762 static int
763 contract_process_newct(contract_t *ct)
764 {
765 	return (0);
766 }
767 
768 /* process contracts don't negotiate */
769 static contops_t contract_process_ops = {
770 	contract_process_free,		/* contop_free */
771 	contract_process_abandon,	/* contop_abandon */
772 	contract_process_destroy,	/* contop_destroy */
773 	contract_process_status,	/* contop_status */
774 	contract_ack_inval,		/* contop_ack */
775 	contract_ack_inval,		/* contop_nack */
776 	contract_qack_inval,		/* contop_qack */
777 	contract_process_newct		/* contop_newct */
778 };
779 
780 /*
781  * contract_process_init
782  *
783  * Initializes the process contract type.  Also creates a template for
784  * use by newproc() when it creates user processes.
785  */
786 void
787 contract_process_init(void)
788 {
789 	process_type = contract_type_init(CTT_PROCESS, "process",
790 	    &contract_process_ops, contract_process_default);
791 
792 	/*
793 	 * Create a template for use with init(1M) and other
794 	 * kernel-started processes.
795 	 */
796 	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
797 	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
798 	    process_type, sys_process_tmpl);
799 	sys_process_tmpl->ctp_subsume = NULL;
800 	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
801 	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
802 	sys_process_tmpl->ctp_svc_fmri =
803 	    refstr_alloc("svc:/system/init:default");
804 	sys_process_tmpl->ctp_svc_aux = refstr_alloc("");
805 	conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux;
806 	refstr_hold(conp_svc_aux_default);
807 }
808 
809 /*
810  * contract_process_create
811  *
812  * create a process contract given template "tmpl" and parent process
813  * "parent".  May fail and return NULL if project.max-contracts would
814  * have been exceeded.
815  */
816 static cont_process_t *
817 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
818 {
819 	cont_process_t *ctp;
820 
821 	ASSERT(tmpl != NULL);
822 
823 	(void) contract_type_pbundle(process_type, parent);
824 
825 	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
826 
827 	list_create(&ctp->conp_members, sizeof (proc_t),
828 	    offsetof(proc_t, p_ct_member));
829 	list_create(&ctp->conp_inherited, sizeof (contract_t),
830 	    offsetof(contract_t, ct_ctlist));
831 	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
832 	ctp->conp_params = tmpl->ctp_params;
833 	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
834 	crhold(ctp->conp_cred = CRED());
835 
836 	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
837 	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
838 	    parent, canfail)) {
839 		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
840 		contract_process_free(&ctp->conp_contract);
841 		return (NULL);
842 	}
843 
844 	/*
845 	 * inherit svc_fmri if not defined by consumer. In this case, inherit
846 	 * also svc_ctid to keep track of the contract id where
847 	 * svc_fmri was set
848 	 */
849 	if (tmpl->ctp_svc_fmri == NULL) {
850 		ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
851 		ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
852 		ctp->conp_svc_zone_enter =
853 		    parent->p_ct_process->conp_svc_zone_enter;
854 	} else {
855 		ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
856 		ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
857 		/* make svc_zone_enter flag false when svc_fmri is set */
858 		ctp->conp_svc_zone_enter = 0;
859 	}
860 	refstr_hold(ctp->conp_svc_fmri);
861 	/* set svc_aux to default value if not defined in template */
862 	if (tmpl->ctp_svc_aux == NULL) {
863 		ctp->conp_svc_aux = conp_svc_aux_default;
864 	} else {
865 		ctp->conp_svc_aux = tmpl->ctp_svc_aux;
866 	}
867 	refstr_hold(ctp->conp_svc_aux);
868 	/*
869 	 * set svc_creator to execname
870 	 * We special case pid0 because when newproc() creates
871 	 * the init process, the p_user.u_comm field of sched's proc_t
872 	 * has not been populated yet.
873 	 */
874 	if (parent->p_pidp == &pid0) /* if the kernel is the creator */
875 		ctp->conp_svc_creator = refstr_alloc("sched");
876 	else
877 		ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);
878 
879 	/*
880 	 * Transfer subcontracts only after new contract is visible.
881 	 * Also, only transfer contracts if the parent matches -- we
882 	 * don't want to create a cycle in the tree of contracts.
883 	 */
884 	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
885 		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
886 		contract_t *ct;
887 
888 		mutex_enter(&tmpl->ctp_subsume->ct_lock);
889 		mutex_enter(&ctp->conp_contract.ct_lock);
890 		while (ct = list_head(&sct->conp_inherited)) {
891 			mutex_enter(&ct->ct_lock);
892 			list_remove(&sct->conp_inherited, ct);
893 			list_insert_tail(&ctp->conp_inherited, ct);
894 			ct->ct_regent = &ctp->conp_contract;
895 			mutex_exit(&ct->ct_lock);
896 		}
897 		ctp->conp_ninherited += sct->conp_ninherited;
898 		sct->conp_ninherited = 0;
899 		mutex_exit(&ctp->conp_contract.ct_lock);
900 		mutex_exit(&tmpl->ctp_subsume->ct_lock);
901 
902 		/*
903 		 * Automatically abandon the contract.
904 		 */
905 		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
906 	}
907 
908 	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
909 
910 	return (ctp);
911 }
912 
913 /*
914  * contract_process_exit
915  *
916  * Called on process exit.  Removes process p from process contract
917  * ctp.  Generates an exit event, if requested.  Generates an empty
918  * event, if p is the last member of the the process contract and empty
919  * events were requested.
920  */
921 void
922 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
923 {
924 	contract_t *ct = &ctp->conp_contract;
925 	ct_kevent_t *event;
926 	int empty;
927 
928 	/*
929 	 * Remove self from process contract.
930 	 */
931 	mutex_enter(&ct->ct_lock);
932 	list_remove(&ctp->conp_members, p);
933 	ctp->conp_nmembers--;
934 	mutex_enter(&p->p_lock);	/* in case /proc is watching */
935 	p->p_ct_process = NULL;
936 	mutex_exit(&p->p_lock);
937 
938 	/*
939 	 * We check for emptiness before dropping the contract lock to
940 	 * send the exit event, otherwise we could end up with two
941 	 * empty events.
942 	 */
943 	empty = (list_head(&ctp->conp_members) == NULL);
944 	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
945 		nvlist_t *nvl;
946 
947 		mutex_exit(&ct->ct_lock);
948 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
949 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
950 		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
951 
952 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
953 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
954 		event->cte_type = CT_PR_EV_EXIT;
955 		(void) cte_publish_all(ct, event, nvl, NULL);
956 		mutex_enter(&ct->ct_lock);
957 	}
958 	if (empty) {
959 		/*
960 		 * Send EMPTY message.
961 		 */
962 		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
963 			nvlist_t *nvl;
964 
965 			mutex_exit(&ct->ct_lock);
966 			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
967 			    KM_SLEEP) == 0);
968 			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
969 
970 			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
971 			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
972 			    CTE_INFO : 0;
973 			event->cte_type = CT_PR_EV_EMPTY;
974 			(void) cte_publish_all(ct, event, nvl, NULL);
975 			mutex_enter(&ct->ct_lock);
976 		}
977 
978 		/*
979 		 * The last one to leave an orphaned contract turns out
980 		 * the lights.
981 		 */
982 		if (ct->ct_state == CTS_ORPHAN) {
983 			contract_destroy(ct);
984 			return;
985 		}
986 	}
987 	mutex_exit(&ct->ct_lock);
988 	contract_rele(ct);
989 }
990 
991 /*
992  * contract_process_fork
993  *
994  * Called on process fork.  If the current lwp has a active process
995  * contract template, we attempt to create a new process contract.
996  * Failure to create a process contract when required is a failure in
997  * fork so, in such an event, we return NULL.
998  *
999  * Assuming we succeeded or skipped the previous step, we add the child
1000  * process to the new contract (success) or to the parent's process
1001  * contract (skip).  If requested, we also send a fork event to that
1002  * contract.
1003  *
1004  * Because contract_process_fork() may fail, and because we would
1005  * prefer that process contracts not be created for processes which
1006  * don't complete forking, this should be the last function called
1007  * before the "all clear" point in cfork.
1008  */
1009 cont_process_t *
1010 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
1011     int canfail)
1012 {
1013 	contract_t *ct;
1014 	cont_process_t *ctp;
1015 	ct_kevent_t *event;
1016 	ct_template_t *tmpl;
1017 
1018 	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
1019 	    process_type->ct_type_index]) != NULL)
1020 		rtmpl = tmpl->ctmpl_data;
1021 
1022 	if (rtmpl == NULL)
1023 		ctp = curproc->p_ct_process;
1024 	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
1025 		return (NULL);
1026 
1027 	ct = &ctp->conp_contract;
1028 	/*
1029 	 * Prevent contract_process_kill() from missing forked children
1030 	 * by failing forks by parents that have just been killed.
1031 	 * It's not worth hoisting the ctp test since contract creation
1032 	 * is by no means the common case.
1033 	 */
1034 	mutex_enter(&ct->ct_lock);
1035 	mutex_enter(&pp->p_lock);
1036 	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
1037 	    canfail) {
1038 		mutex_exit(&pp->p_lock);
1039 		mutex_exit(&ct->ct_lock);
1040 		return (NULL);
1041 	}
1042 	cp->p_ct_process = ctp;
1043 	mutex_exit(&pp->p_lock);
1044 	contract_hold(ct);
1045 	list_insert_head(&ctp->conp_members, cp);
1046 	ctp->conp_nmembers++;
1047 	mutex_exit(&ct->ct_lock);
1048 	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
1049 		nvlist_t *nvl;
1050 
1051 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1052 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
1053 		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
1054 
1055 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1056 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
1057 		event->cte_type = CT_PR_EV_FORK;
1058 		(void) cte_publish_all(ct, event, nvl, NULL);
1059 	}
1060 	return (ctp);
1061 }
1062 
1063 /*
1064  * contract_process_core
1065  *
1066  * Called on core file generation attempts.  Generates a core event, if
1067  * requested, containing the names of the process, global, and
1068  * system-global ("zone") core files.  If dumping core is in the fatal
1069  * event set, calls contract_process_kill().
1070  */
1071 void
1072 contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
1073     const char *process, const char *global, const char *zone)
1074 {
1075 	contract_t *ct = &ctp->conp_contract;
1076 
1077 	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
1078 		ct_kevent_t *event;
1079 		nvlist_t *nvl, *gnvl = NULL;
1080 
1081 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1082 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1083 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1084 		if (process)
1085 			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
1086 			    (char *)process) == 0);
1087 		if (global)
1088 			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
1089 			    (char *)global) == 0);
1090 
1091 		if (zone) {
1092 			/*
1093 			 * Only the global zone is informed of the
1094 			 * local-zone generated global-zone core.
1095 			 */
1096 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1097 			    KM_SLEEP) == 0);
1098 			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
1099 			    (char *)zone) == 0);
1100 		}
1101 
1102 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1103 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
1104 		event->cte_type = CT_PR_EV_CORE;
1105 		(void) cte_publish_all(ct, event, nvl, gnvl);
1106 	}
1107 
1108 	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
1109 		mutex_enter(&ct->ct_lock);
1110 		contract_process_kill(ct, p, B_TRUE);
1111 		mutex_exit(&ct->ct_lock);
1112 	}
1113 }
1114 
1115 /*
1116  * contract_process_hwerr
1117  *
1118  * Called when a process is killed by an unrecoverable hardware error.
1119  * Generates an hwerr event, if requested.  If hardware errors are in
1120  * the fatal event set, calls contract_process_kill().
1121  */
1122 void
1123 contract_process_hwerr(cont_process_t *ctp, proc_t *p)
1124 {
1125 	contract_t *ct = &ctp->conp_contract;
1126 
1127 	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
1128 		ct_kevent_t *event;
1129 		nvlist_t *nvl;
1130 
1131 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1132 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1133 
1134 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1135 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
1136 		event->cte_type = CT_PR_EV_HWERR;
1137 		(void) cte_publish_all(ct, event, nvl, NULL);
1138 	}
1139 
1140 	if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
1141 		mutex_enter(&ct->ct_lock);
1142 		contract_process_kill(ct, p, B_FALSE);
1143 		mutex_exit(&ct->ct_lock);
1144 	}
1145 }
1146 
1147 /*
1148  * contract_process_sig
1149  *
1150  * Called when a process is killed by a signal originating from a
1151  * process outside of its process contract or its process contract's
1152  * holder.  Generates an signal event, if requested, containing the
1153  * signal number, and the sender's pid and contract id (if available).
1154  * If signals are in the fatal event set, calls
1155  * contract_process_kill().
1156  */
1157 void
1158 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
1159     ctid_t ctid, zoneid_t zoneid)
1160 {
1161 	contract_t *ct = &ctp->conp_contract;
1162 
1163 	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
1164 		ct_kevent_t *event;
1165 		nvlist_t *dest, *nvl, *gnvl = NULL;
1166 
1167 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1168 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1169 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1170 
1171 		if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
1172 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1173 			    KM_SLEEP) == 0);
1174 			dest = gnvl;
1175 		} else {
1176 			dest = nvl;
1177 		}
1178 
1179 		if (pid != -1)
1180 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1181 		if (ctid != 0)
1182 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1183 
1184 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1185 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1186 		event->cte_type = CT_PR_EV_SIGNAL;
1187 		(void) cte_publish_all(ct, event, nvl, gnvl);
1188 	}
1189 
1190 	if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1191 		mutex_enter(&ct->ct_lock);
1192 		contract_process_kill(ct, p, B_TRUE);
1193 		mutex_exit(&ct->ct_lock);
1194 	}
1195 }
1196