xref: /titanic_52/usr/src/uts/common/contract/process.c (revision e1c679fa4b0ab8c4bcaa6263974ca0c46e5b027f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/mutex.h>
30 #include <sys/debug.h>
31 #include <sys/types.h>
32 #include <sys/param.h>
33 #include <sys/kmem.h>
34 #include <sys/thread.h>
35 #include <sys/id_space.h>
36 #include <sys/avl.h>
37 #include <sys/list.h>
38 #include <sys/sysmacros.h>
39 #include <sys/proc.h>
40 #include <sys/contract.h>
41 #include <sys/contract_impl.h>
42 #include <sys/contract/process.h>
43 #include <sys/contract/process_impl.h>
44 #include <sys/cmn_err.h>
45 #include <sys/nvpair.h>
46 #include <sys/policy.h>
47 
48 /*
49  * Process Contracts
50  * -----------------
51  *
52  * Generally speaking, a process contract is a contract between a
53  * process and a set of its descendent processes.  In some cases, when
54  * the child processes outlive the author of the contract, the contract
55  * may be held by (and therefore be between the child processes and) a
56  * successor process which adopts the contract after the death of the
57  * original author.
58  *
59  * The process contract adds two new concepts to the Solaris process
60  * model.  The first is that a process contract forms a rigid fault
61  * boundary around a set of processes.  Hardware, software, and even
62  * administrator errors impacting a process in a process contract
63  * generate specific events and can be requested to atomically shutdown
64  * all processes in the contract.  The second is that a process
65  * contract is a process collective whose leader is not a member of the
66  * collective.  This means that the leader can reliably react to events
67  * in the collective, and may also act upon the collective without
68  * special casing itself.
69  *
70  * A composite outcome of these two concepts is that we can now create
71  * a tree of process contracts, rooted at init(1M), which represent
72  * services and subservices that are reliably observed and can be
73  * restarted when fatal errors occur.  The service management framework
74  * (SMF) realizes this structure.
75  *
76  * For more details, see the "restart agreements" case, PSARC 2003/193.
77  *
78  * There are four sets of routines in this file: the process contract
79  * standard template operations, the process contract standard contract
80  * operations, a couple routines used only by the contract subsystem to
81  * handle process contracts' unique role as a temporary holder of
82  * abandoned contracts, and the interfaces which allow the system to
83  * create and act upon process contracts.  The first two are defined by
84  * the contracts framework and won't be discussed further.  As for the
85  * remaining two:
86  *
87  * Special framework interfaces
88  * ----------------------------
89  *
90  * contract_process_accept - determines if a process contract is a
91  *   regent, i.e. if it can inherit other contracts.
92  *
93  * contract_process_take - tells a regent process contract to inherit
94  *   an abandoned contract
95  *
96  * contract_process_adopt - tells a regent process contract that a
97  *   contract it has inherited is being adopted by a process.
98  *
99  * Process contract interfaces
100  * ---------------------------
101  *
102  * contract_process_fork - called when a process is created; adds the
103  *   new process to an existing contract or to a newly created one.
104  *
105  * contract_process_exit - called when a process exits
106  *
107  * contract_process_core - called when a process would have dumped core
108  *   (even if a core file wasn't generated)
109  *
110  * contract_process_hwerr - called when a process was killed because of
111  *   an uncorrectable hardware error
112  *
113  * contract_process_sig - called when a process was killed by a fatal
114  *   signal sent by a process in another process contract
115  *
116  */
117 
118 ct_type_t *process_type;
119 ctmpl_process_t *sys_process_tmpl;
120 
121 /*
122  * Macro predicates for determining when events should be sent and how.
123  */
124 #define	EVSENDP(ctp, flag) \
125 	((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
126 
127 #define	EVINFOP(ctp, flag) \
128 	((ctp->conp_contract.ct_ev_crit & flag) == 0)
129 
130 #define	EVFATALP(ctp, flag) \
131 	(ctp->conp_ev_fatal & flag)
132 
133 
134 /*
135  * Process contract template implementation
136  */
137 
138 /*
139  * ctmpl_process_dup
140  *
141  * The process contract template dup entry point.  Other than the
142  * to-be-subsumed contract, which must be held, this simply copies all
143  * the fields of the original.
144  */
145 static struct ct_template *
146 ctmpl_process_dup(struct ct_template *template)
147 {
148 	ctmpl_process_t *new;
149 	ctmpl_process_t *old = template->ctmpl_data;
150 
151 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
152 
153 	ctmpl_copy(&new->ctp_ctmpl, template);
154 	new->ctp_ctmpl.ctmpl_data = new;
155 
156 	new->ctp_subsume = old->ctp_subsume;
157 	if (new->ctp_subsume)
158 		contract_hold(new->ctp_subsume);
159 	new->ctp_params = old->ctp_params;
160 	new->ctp_ev_fatal = old->ctp_ev_fatal;
161 
162 	return (&new->ctp_ctmpl);
163 }
164 
165 /*
166  * ctmpl_process_dup
167  *
168  * The process contract template free entry point.  Just releases a
169  * to-be-subsumed contract and frees the template.
170  */
171 static void
172 ctmpl_process_free(struct ct_template *template)
173 {
174 	ctmpl_process_t *ctp = template->ctmpl_data;
175 
176 	if (ctp->ctp_subsume)
177 		contract_rele(ctp->ctp_subsume);
178 	kmem_free(template, sizeof (ctmpl_process_t));
179 }
180 
181 /*
182  * SAFE_EV is the set of events which a non-privileged process is
183  * allowed to make critical but not fatal or if the PGRPONLY parameter
184  * is set.  EXCESS tells us if "value", a critical event set, requires
185  * additional privilege given the template "ctp".
186  */
187 #define	SAFE_EV			(CT_PR_EV_EMPTY)
188 #define	EXCESS(ctp, value)	\
189 	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
190 	(((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
191 
192 /*
193  * ctmpl_process_set
194  *
195  * The process contract template set entry point.  None of the terms
196  * may be unconditionally set, and setting the parameters or fatal
197  * event set may result in events being implicitly removed from to the
198  * critical event set and added to the informative event set.  The
199  * (admittedly subtle) reason we implicitly change the critical event
200  * set when the parameter or fatal event set is modified but not the
201  * other way around is because a change to the critical event set only
202  * affects the contract's owner, whereas a change to the parameter set
203  * and fatal set can affect the execution of the application running in
204  * the contract (and should therefore be only made explicitly).  We
205  * allow implicit changes at all so that setting contract terms doesn't
206  * become a complex dance dependent on the template's initial state and
207  * the desired terms.
208  */
209 static int
210 ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr)
211 {
212 	ctmpl_process_t *ctp = tmpl->ctmpl_data;
213 	contract_t *ct;
214 	int error;
215 
216 	/*
217 	 * No process contract parameters are > 32 bits.
218 	 */
219 	if (param->ctpm_value & ~UINT32_MAX)
220 		return (EINVAL);
221 
222 	switch (param->ctpm_id) {
223 	case CTPP_SUBSUME:
224 		if (param->ctpm_value != 0) {
225 			/*
226 			 * Ensure that the contract exists, that we
227 			 * hold the contract, and that the contract is
228 			 * empty.
229 			 */
230 			ct = contract_type_ptr(process_type, param->ctpm_value,
231 			    curproc->p_zone->zone_uniqid);
232 			if (ct == NULL)
233 				return (ESRCH);
234 			if (ct->ct_owner != curproc) {
235 				contract_rele(ct);
236 				return (EACCES);
237 			}
238 			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
239 				contract_rele(ct);
240 				return (ENOTEMPTY);
241 			}
242 		} else {
243 			ct = NULL;
244 		}
245 		if (ctp->ctp_subsume)
246 			contract_rele(ctp->ctp_subsume);
247 		ctp->ctp_subsume = ct;
248 		break;
249 	case CTPP_PARAMS:
250 		if (param->ctpm_value & ~CT_PR_ALLPARAM)
251 			return (EINVAL);
252 		ctp->ctp_params = param->ctpm_value;
253 		/*
254 		 * If an unprivileged process requests that
255 		 * CT_PR_PGRPONLY be set, remove any unsafe events from
256 		 * the critical event set and add them to the
257 		 * informative event set.
258 		 */
259 		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
260 		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
261 		    !secpolicy_contract_event_choice(cr)) {
262 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
263 			tmpl->ctmpl_ev_crit &= SAFE_EV;
264 		}
265 
266 		break;
267 	case CTP_EV_CRITICAL:
268 		/*
269 		 * We simply don't allow adding events to the critical
270 		 * event set which aren't permitted by our policy or by
271 		 * privilege.
272 		 */
273 		if (EXCESS(ctp, param->ctpm_value) &&
274 		    (error = secpolicy_contract_event(cr)) != 0)
275 			return (error);
276 		tmpl->ctmpl_ev_crit = param->ctpm_value;
277 		break;
278 	case CTPP_EV_FATAL:
279 		if (param->ctpm_value & ~CT_PR_ALLFATAL)
280 			return (EINVAL);
281 		ctp->ctp_ev_fatal = param->ctpm_value;
282 		/*
283 		 * Check to see if an unprivileged process is
284 		 * requesting that events be removed from the fatal
285 		 * event set which are still in the critical event set.
286 		 */
287 		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
288 		    !secpolicy_contract_event_choice(cr)) {
289 			int allowed =
290 			    SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
291 			    0 : ctp->ctp_ev_fatal;
292 			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
293 			tmpl->ctmpl_ev_crit &= allowed;
294 		}
295 		break;
296 	default:
297 		return (EINVAL);
298 	}
299 
300 	return (0);
301 }
302 
303 /*
304  * ctmpl_process_get
305  *
306  * The process contract template get entry point.  Simply fetches and
307  * returns the requested term.
308  */
309 static int
310 ctmpl_process_get(struct ct_template *template, ct_param_t *param)
311 {
312 	ctmpl_process_t *ctp = template->ctmpl_data;
313 
314 	switch (param->ctpm_id) {
315 	case CTPP_SUBSUME:
316 		param->ctpm_value = ctp->ctp_subsume ?
317 		    ctp->ctp_subsume->ct_id : 0;
318 		break;
319 	case CTPP_PARAMS:
320 		param->ctpm_value = ctp->ctp_params;
321 		break;
322 	case CTPP_EV_FATAL:
323 		param->ctpm_value = ctp->ctp_ev_fatal;
324 		break;
325 	default:
326 		return (EINVAL);
327 	}
328 
329 	return (0);
330 }
331 
332 static ctmplops_t ctmpl_process_ops = {
333 	ctmpl_process_dup,		/* ctop_dup */
334 	ctmpl_process_free,		/* ctop_free */
335 	ctmpl_process_set,		/* ctop_set */
336 	ctmpl_process_get,		/* ctop_get */
337 	ctmpl_create_inval,		/* ctop_create */
338 	CT_PR_ALLEVENT
339 };
340 
341 
342 /*
343  * Process contract implementation
344  */
345 
346 /*
347  * ctmpl_process_default
348  *
349  * The process contract default template entry point.  Creates a
350  * process contract template with no parameters set, with informative
351  * core and signal events, critical empty and hwerr events, and fatal
352  * hwerr events.
353  */
354 static ct_template_t *
355 contract_process_default(void)
356 {
357 	ctmpl_process_t *new;
358 
359 	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
360 	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
361 
362 	new->ctp_subsume = NULL;
363 	new->ctp_params = 0;
364 	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
365 	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
366 	new->ctp_ev_fatal = CT_PR_EV_HWERR;
367 
368 	return (&new->ctp_ctmpl);
369 }
370 
371 /*
372  * contract_process_free
373  *
374  * The process contract free entry point.
375  */
376 static void
377 contract_process_free(contract_t *ct)
378 {
379 	cont_process_t *ctp = ct->ct_data;
380 	crfree(ctp->conp_cred);
381 	list_destroy(&ctp->conp_members);
382 	list_destroy(&ctp->conp_inherited);
383 	kmem_free(ctp, sizeof (cont_process_t));
384 }
385 
386 /*
387  * contract_process_cankill
388  *
389  * Determine if the contract author had or if the process generating
390  * the event, sp, has adequate privileges to kill process tp.
391  */
392 static int
393 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
394 {
395 	int cankill;
396 
397 	mutex_enter(&tp->p_crlock);
398 	cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
399 	mutex_exit(&tp->p_crlock);
400 	if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
401 		return (1);
402 
403 	return (0);
404 }
405 
406 /*
407  * contract_process_kill
408  *
409  * Kills all processes in a contract, or all processes in the
410  * intersection of a contract and ex's process group (if ex is non-NULL
411  * and the contract's PGRPONLY parameter is set).  If checkpriv is
412  * true, only those processes which may be signaled by the contract
413  * author or ex are killed.
414  */
415 static void
416 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
417 {
418 	cont_process_t *ctp = ct->ct_data;
419 	proc_t *p;
420 	pid_t pgrp = -1;
421 
422 	ASSERT(MUTEX_HELD(&ct->ct_lock));
423 
424 	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
425 		pgrp = ex->p_pgrp;
426 		mutex_enter(&pidlock);
427 	}
428 
429 	for (p = list_head(&ctp->conp_members); p != NULL;
430 	    p = list_next(&ctp->conp_members, p)) {
431 		if ((p == ex) || (pgrp != -1 && p->p_pgrp != pgrp) ||
432 		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
433 			continue;
434 
435 		psignal(p, SIGKILL);
436 	}
437 
438 	if (pgrp != -1)
439 		mutex_exit(&pidlock);
440 }
441 
442 
443 /*
444  * contract_process_accept
445  *
446  * Tests if the process contract is willing to act as a regent for
447  * inherited contracts.  Though brief and only called from one place,
448  * this functionality is kept here to avoid including knowledge of
449  * process contract implementation in the generic contract code.
450  */
451 int
452 contract_process_accept(contract_t *parent)
453 {
454 	cont_process_t *ctp = parent->ct_data;
455 
456 	ASSERT(parent->ct_type == process_type);
457 
458 	return (ctp->conp_params & CT_PR_REGENT);
459 }
460 
461 /*
462  * contract_process_take
463  *
464  * Executes the process contract side of inheriting a contract.
465  */
466 void
467 contract_process_take(contract_t *parent, contract_t *child)
468 {
469 	cont_process_t *ctp = parent->ct_data;
470 
471 	ASSERT(MUTEX_HELD(&parent->ct_lock));
472 	ASSERT(MUTEX_HELD(&child->ct_lock));
473 	ASSERT(parent->ct_type == process_type);
474 	ASSERT(ctp->conp_params & CT_PR_REGENT);
475 
476 	list_insert_head(&ctp->conp_inherited, child);
477 	ctp->conp_ninherited++;
478 }
479 
480 /*
481  * contract_process_adopt
482  *
483  * Executes the process contract side of adopting a contract.
484  */
485 void
486 contract_process_adopt(contract_t *ct, proc_t *p)
487 {
488 	cont_process_t *parent = p->p_ct_process;
489 
490 	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
491 	ASSERT(MUTEX_HELD(&ct->ct_lock));
492 
493 	list_remove(&parent->conp_inherited, ct);
494 	parent->conp_ninherited--;
495 
496 	/*
497 	 * We drop the parent lock first because a) we are passing the
498 	 * contract reference to the child, and b) contract_adopt
499 	 * expects us to return with the contract lock held.
500 	 */
501 	mutex_exit(&parent->conp_contract.ct_lock);
502 }
503 
504 /*
505  * contract_process_status
506  *
507  * The process contract abandon entry point.
508  */
509 static void
510 contract_process_abandon(contract_t *ct)
511 {
512 	cont_process_t *ctp = ct->ct_data;
513 
514 	ASSERT(MUTEX_HELD(&ct->ct_lock));
515 
516 	/*
517 	 * Shall we stay or shall we go?
518 	 */
519 	if (list_head(&ctp->conp_members) == NULL) {
520 		contract_destroy(ct);
521 	} else {
522 		/*
523 		 * Strictly speaking, we actually do orphan the contract.
524 		 * Assuming our credentials allow us to kill all
525 		 * processes in the contract, this is only temporary.
526 		 */
527 		if (ctp->conp_params & CT_PR_NOORPHAN)
528 			contract_process_kill(ct, NULL, B_TRUE);
529 		contract_orphan(ct);
530 		mutex_exit(&ct->ct_lock);
531 		contract_rele(ct);
532 	}
533 }
534 
535 /*
536  * contract_process_destroy
537  *
538  * The process contract destroy entry point.
539  */
540 static void
541 contract_process_destroy(contract_t *ct)
542 {
543 	cont_process_t *ctp = ct->ct_data;
544 	contract_t *cct;
545 
546 	ASSERT(MUTEX_HELD(&ct->ct_lock));
547 
548 	/*
549 	 * contract_destroy all empty children, kill or orphan the rest
550 	 */
551 	while (cct = list_head(&ctp->conp_inherited)) {
552 		mutex_enter(&cct->ct_lock);
553 
554 		ASSERT(cct->ct_state == CTS_INHERITED);
555 
556 		list_remove(&ctp->conp_inherited, cct);
557 		ctp->conp_ninherited--;
558 		cct->ct_regent = NULL;
559 		cct->ct_type->ct_type_ops->contop_abandon(cct);
560 	}
561 }
562 
563 /*
564  * contract_process_status
565  *
566  * The process contract status entry point.
567  */
568 static void
569 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
570     void *status, model_t model)
571 {
572 	cont_process_t *ctp = ct->ct_data;
573 	uint32_t *pids, *ctids;
574 	uint_t npids, nctids;
575 	uint_t spids, sctids;
576 
577 	if (detail == CTD_FIXED) {
578 		mutex_enter(&ct->ct_lock);
579 		contract_status_common(ct, zone, status, model);
580 		mutex_exit(&ct->ct_lock);
581 	} else {
582 		contract_t *cnext;
583 		proc_t *pnext;
584 		uint_t loc;
585 
586 		ASSERT(detail == CTD_ALL);
587 		mutex_enter(&ct->ct_lock);
588 		for (;;) {
589 			spids = ctp->conp_nmembers + 5;
590 			sctids = ctp->conp_ninherited + 5;
591 			mutex_exit(&ct->ct_lock);
592 
593 			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
594 			ctids = kmem_alloc(sctids * sizeof (uint32_t),
595 			    KM_SLEEP);
596 
597 			mutex_enter(&ct->ct_lock);
598 			npids = ctp->conp_nmembers;
599 			nctids = ctp->conp_ninherited;
600 			if (spids >= npids && sctids >= nctids)
601 				break;
602 
603 			kmem_free(pids, spids * sizeof (uint32_t));
604 			kmem_free(ctids, sctids * sizeof (uint32_t));
605 		}
606 		contract_status_common(ct, zone, status, model);
607 		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
608 		    cnext = list_next(&ctp->conp_inherited, cnext))
609 			ctids[loc++] = cnext->ct_id;
610 		ASSERT(loc == nctids);
611 		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
612 		    pnext = list_next(&ctp->conp_members, pnext))
613 			pids[loc++] = pnext->p_pid;
614 		ASSERT(loc == npids);
615 		mutex_exit(&ct->ct_lock);
616 
617 	}
618 
619 	/*
620 	 * Contract terms are static; there's no need to hold the
621 	 * contract lock while accessing them.
622 	 */
623 	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
624 	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
625 	if (detail == CTD_ALL) {
626 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
627 		    npids) == 0);
628 		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
629 		    nctids) == 0);
630 		kmem_free(pids, spids * sizeof (uint32_t));
631 		kmem_free(ctids, sctids * sizeof (uint32_t));
632 	}
633 }
634 
635 static contops_t contract_process_ops = {
636 	contract_process_free,		/* contop_free */
637 	contract_process_abandon,	/* contop_abandon */
638 	contract_process_destroy,	/* contop_destroy */
639 	contract_process_status		/* contop_status */
640 };
641 
642 /*
643  * contract_process_init
644  *
645  * Initializes the process contract type.  Also creates a template for
646  * use by newproc() when it creates user processes.
647  */
648 void
649 contract_process_init(void)
650 {
651 	process_type = contract_type_init(CTT_PROCESS, "process",
652 	    &contract_process_ops, contract_process_default);
653 
654 	/*
655 	 * Create a template for use with init(1M) and other
656 	 * kernel-started processes.
657 	 */
658 	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
659 	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
660 	    process_type, sys_process_tmpl);
661 	sys_process_tmpl->ctp_subsume = NULL;
662 	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
663 	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
664 }
665 
666 /*
667  * contract_process_create
668  *
669  * create a process contract given template "tmpl" and parent process
670  * "parent".  May fail and return NULL if project.max-contracts would
671  * have been exceeded.
672  */
673 static cont_process_t *
674 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
675 {
676 	cont_process_t *ctp;
677 
678 	ASSERT(tmpl != NULL);
679 
680 	(void) contract_type_pbundle(process_type, parent);
681 
682 	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
683 
684 	list_create(&ctp->conp_members, sizeof (proc_t),
685 	    offsetof(proc_t, p_ct_member));
686 	list_create(&ctp->conp_inherited, sizeof (contract_t),
687 	    offsetof(contract_t, ct_ctlist));
688 	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
689 	ctp->conp_params = tmpl->ctp_params;
690 	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
691 	crhold(ctp->conp_cred = CRED());
692 
693 	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
694 	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
695 	    parent, canfail)) {
696 		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
697 		contract_process_free(&ctp->conp_contract);
698 		return (NULL);
699 	}
700 
701 	/*
702 	 * Transfer subcontracts only after new contract is visible.
703 	 * Also, only transfer contracts if the parent matches -- we
704 	 * don't want to create a cycle in the tree of contracts.
705 	 */
706 	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
707 		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
708 		contract_t *ct;
709 
710 		mutex_enter(&tmpl->ctp_subsume->ct_lock);
711 		mutex_enter(&ctp->conp_contract.ct_lock);
712 		while (ct = list_head(&sct->conp_inherited)) {
713 			mutex_enter(&ct->ct_lock);
714 			list_remove(&sct->conp_inherited, ct);
715 			list_insert_tail(&ctp->conp_inherited, ct);
716 			ct->ct_regent = &ctp->conp_contract;
717 			mutex_exit(&ct->ct_lock);
718 		}
719 		ctp->conp_ninherited += sct->conp_ninherited;
720 		sct->conp_ninherited = 0;
721 		mutex_exit(&ctp->conp_contract.ct_lock);
722 		mutex_exit(&tmpl->ctp_subsume->ct_lock);
723 
724 		/*
725 		 * Automatically abandon the contract.
726 		 */
727 		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
728 	}
729 
730 	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
731 
732 	return (ctp);
733 }
734 
735 /*
736  * contract_process_exit
737  *
738  * Called on process exit.  Removes process p from process contract
739  * ctp.  Generates an exit event, if requested.  Generates an empty
740  * event, if p is the last member of the the process contract and empty
741  * events were requested.
742  */
743 void
744 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
745 {
746 	contract_t *ct = &ctp->conp_contract;
747 	ct_kevent_t *event;
748 	int empty;
749 
750 	/*
751 	 * Remove self from process contract.
752 	 */
753 	mutex_enter(&ct->ct_lock);
754 	list_remove(&ctp->conp_members, p);
755 	ctp->conp_nmembers--;
756 	mutex_enter(&p->p_lock);	/* in case /proc is watching */
757 	p->p_ct_process = NULL;
758 	mutex_exit(&p->p_lock);
759 
760 	/*
761 	 * We check for emptiness before dropping the contract lock to
762 	 * send the exit event, otherwise we could end up with two
763 	 * empty events.
764 	 */
765 	empty = (list_head(&ctp->conp_members) == NULL);
766 	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
767 		nvlist_t *nvl;
768 
769 		mutex_exit(&ct->ct_lock);
770 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
771 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
772 		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
773 
774 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
775 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
776 		event->cte_type = CT_PR_EV_EXIT;
777 		cte_publish_all(ct, event, nvl, NULL);
778 		mutex_enter(&ct->ct_lock);
779 	}
780 	if (empty) {
781 		/*
782 		 * Send EMPTY message.
783 		 */
784 		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
785 			nvlist_t *nvl;
786 
787 			mutex_exit(&ct->ct_lock);
788 			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
789 			    KM_SLEEP) == 0);
790 			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
791 
792 			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
793 			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
794 			    CTE_INFO : 0;
795 			event->cte_type = CT_PR_EV_EMPTY;
796 			cte_publish_all(ct, event, nvl, NULL);
797 			mutex_enter(&ct->ct_lock);
798 		}
799 
800 		/*
801 		 * The last one to leave an orphaned contract turns out
802 		 * the lights.
803 		 */
804 		if (ct->ct_state == CTS_ORPHAN) {
805 			contract_destroy(ct);
806 			return;
807 		}
808 	}
809 	mutex_exit(&ct->ct_lock);
810 	contract_rele(ct);
811 }
812 
813 /*
814  * contract_process_fork
815  *
816  * Called on process fork.  If the current lwp has a active process
817  * contract template, we attempt to create a new process contract.
818  * Failure to create a process contract when required is a failure in
819  * fork so, in such an event, we return NULL.
820  *
821  * Assuming we succeeded or skipped the previous step, we add the child
822  * process to the new contract (success) or to the parent's process
823  * contract (skip).  If requested, we also send a fork event to that
824  * contract.
825  *
826  * Because contract_process_fork() may fail, and because we would
827  * prefer that process contracts not be created for processes which
828  * don't complete forking, this should be the last function called
829  * before the "all clear" point in cfork.
830  */
831 cont_process_t *
832 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
833     int canfail)
834 {
835 	contract_t *ct;
836 	cont_process_t *ctp;
837 	ct_kevent_t *event;
838 	ct_template_t *tmpl;
839 
840 	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
841 	    process_type->ct_type_index]) != NULL)
842 		rtmpl = tmpl->ctmpl_data;
843 
844 	if (rtmpl == NULL)
845 		ctp = curproc->p_ct_process;
846 	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
847 		return (NULL);
848 
849 	ct = &ctp->conp_contract;
850 	/*
851 	 * Prevent contract_process_kill() from missing forked children
852 	 * by failing forks by parents that have just been killed.
853 	 * It's not worth hoisting the ctp test since contract creation
854 	 * is by no means the common case.
855 	 */
856 	mutex_enter(&ct->ct_lock);
857 	mutex_enter(&pp->p_lock);
858 	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
859 	    canfail) {
860 		mutex_exit(&pp->p_lock);
861 		mutex_exit(&ct->ct_lock);
862 		return (NULL);
863 	}
864 	cp->p_ct_process = ctp;
865 	mutex_exit(&pp->p_lock);
866 	contract_hold(ct);
867 	list_insert_head(&ctp->conp_members, cp);
868 	ctp->conp_nmembers++;
869 	mutex_exit(&ct->ct_lock);
870 	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
871 		nvlist_t *nvl;
872 
873 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
874 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
875 		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
876 
877 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
878 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
879 		event->cte_type = CT_PR_EV_FORK;
880 		cte_publish_all(ct, event, nvl, NULL);
881 	}
882 	return (ctp);
883 }
884 
885 /*
886  * contract_process_core
887  *
888  * Called on core file generation attempts.  Generates a core event, if
889  * requested, containing the names of the process, global, and
890  * system-global ("zone") core files.  If dumping core is in the fatal
891  * event set, calls contract_process_kill().
892  */
893 void
894 contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
895     const char *process, const char *global, const char *zone)
896 {
897 	contract_t *ct = &ctp->conp_contract;
898 
899 	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
900 		ct_kevent_t *event;
901 		nvlist_t *nvl, *gnvl = NULL;
902 
903 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
904 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
905 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
906 		if (process)
907 			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
908 			    (char *)process) == 0);
909 		if (global)
910 			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
911 			    (char *)global) == 0);
912 
913 		if (zone) {
914 			/*
915 			 * Only the global zone is informed of the
916 			 * local-zone generated global-zone core.
917 			 */
918 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
919 			    KM_SLEEP) == 0);
920 			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
921 			    (char *)zone) == 0);
922 		}
923 
924 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
925 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
926 		event->cte_type = CT_PR_EV_CORE;
927 		cte_publish_all(ct, event, nvl, gnvl);
928 	}
929 
930 	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
931 		mutex_enter(&ct->ct_lock);
932 		contract_process_kill(ct, p, B_TRUE);
933 		mutex_exit(&ct->ct_lock);
934 	}
935 }
936 
937 /*
938  * contract_process_hwerr
939  *
940  * Called when a process is killed by an unrecoverable hardware error.
941  * Generates an hwerr event, if requested.  If hardware errors are in
942  * the fatal event set, calls contract_process_kill().
943  */
944 void
945 contract_process_hwerr(cont_process_t *ctp, proc_t *p)
946 {
947 	contract_t *ct = &ctp->conp_contract;
948 
949 	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
950 		ct_kevent_t *event;
951 		nvlist_t *nvl;
952 
953 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
954 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
955 
956 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
957 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
958 		event->cte_type = CT_PR_EV_HWERR;
959 		cte_publish_all(ct, event, nvl, NULL);
960 	}
961 
962 	if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
963 		mutex_enter(&ct->ct_lock);
964 		contract_process_kill(ct, p, B_FALSE);
965 		mutex_exit(&ct->ct_lock);
966 	}
967 }
968 
969 /*
970  * contract_process_sig
971  *
972  * Called when a process is killed by a signal originating from a
973  * process outside of its process contract or its process contract's
974  * holder.  Generates an signal event, if requested, containing the
975  * signal number, and the sender's pid and contract id (if available).
976  * If signals are in the fatal event set, calls
977  * contract_process_kill().
978  */
979 void
980 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
981     ctid_t ctid, zoneid_t zoneid)
982 {
983 	contract_t *ct = &ctp->conp_contract;
984 
985 	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
986 		ct_kevent_t *event;
987 		nvlist_t *dest, *nvl, *gnvl = NULL;
988 
989 		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
990 		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
991 		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
992 
993 		if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
994 			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
995 			    KM_SLEEP) == 0);
996 			dest = gnvl;
997 		} else {
998 			dest = nvl;
999 		}
1000 
1001 		if (pid != -1)
1002 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1003 		if (ctid != 0)
1004 			VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1005 
1006 		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1007 		event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1008 		event->cte_type = CT_PR_EV_SIGNAL;
1009 		cte_publish_all(ct, event, nvl, gnvl);
1010 	}
1011 
1012 	if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1013 		mutex_enter(&ct->ct_lock);
1014 		contract_process_kill(ct, p, B_TRUE);
1015 		mutex_exit(&ct->ct_lock);
1016 	}
1017 }
1018