1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/mutex.h> 29 #include <sys/debug.h> 30 #include <sys/types.h> 31 #include <sys/param.h> 32 #include <sys/kmem.h> 33 #include <sys/thread.h> 34 #include <sys/id_space.h> 35 #include <sys/avl.h> 36 #include <sys/list.h> 37 #include <sys/sysmacros.h> 38 #include <sys/proc.h> 39 #include <sys/contract.h> 40 #include <sys/contract_impl.h> 41 #include <sys/contract/process.h> 42 #include <sys/contract/process_impl.h> 43 #include <sys/cmn_err.h> 44 #include <sys/nvpair.h> 45 #include <sys/policy.h> 46 #include <sys/refstr.h> 47 #include <sys/sunddi.h> 48 49 /* 50 * Process Contracts 51 * ----------------- 52 * 53 * Generally speaking, a process contract is a contract between a 54 * process and a set of its descendent processes. In some cases, when 55 * the child processes outlive the author of the contract, the contract 56 * may be held by (and therefore be between the child processes and) a 57 * successor process which adopts the contract after the death of the 58 * original author. 59 * 60 * The process contract adds two new concepts to the Solaris process 61 * model. The first is that a process contract forms a rigid fault 62 * boundary around a set of processes. Hardware, software, and even 63 * administrator errors impacting a process in a process contract 64 * generate specific events and can be requested to atomically shutdown 65 * all processes in the contract. The second is that a process 66 * contract is a process collective whose leader is not a member of the 67 * collective. This means that the leader can reliably react to events 68 * in the collective, and may also act upon the collective without 69 * special casing itself. 70 * 71 * A composite outcome of these two concepts is that we can now create 72 * a tree of process contracts, rooted at init(1M), which represent 73 * services and subservices that are reliably observed and can be 74 * restarted when fatal errors occur. The service management framework 75 * (SMF) realizes this structure. 76 * 77 * For more details, see the "restart agreements" case, PSARC 2003/193. 78 * 79 * There are four sets of routines in this file: the process contract 80 * standard template operations, the process contract standard contract 81 * operations, a couple routines used only by the contract subsystem to 82 * handle process contracts' unique role as a temporary holder of 83 * abandoned contracts, and the interfaces which allow the system to 84 * create and act upon process contracts. The first two are defined by 85 * the contracts framework and won't be discussed further. As for the 86 * remaining two: 87 * 88 * Special framework interfaces 89 * ---------------------------- 90 * 91 * contract_process_accept - determines if a process contract is a 92 * regent, i.e. if it can inherit other contracts. 93 * 94 * contract_process_take - tells a regent process contract to inherit 95 * an abandoned contract 96 * 97 * contract_process_adopt - tells a regent process contract that a 98 * contract it has inherited is being adopted by a process. 99 * 100 * Process contract interfaces 101 * --------------------------- 102 * 103 * contract_process_fork - called when a process is created; adds the 104 * new process to an existing contract or to a newly created one. 105 * 106 * contract_process_exit - called when a process exits 107 * 108 * contract_process_core - called when a process would have dumped core 109 * (even if a core file wasn't generated) 110 * 111 * contract_process_hwerr - called when a process was killed because of 112 * an uncorrectable hardware error 113 * 114 * contract_process_sig - called when a process was killed by a fatal 115 * signal sent by a process in another process contract 116 * 117 */ 118 119 ct_type_t *process_type; 120 ctmpl_process_t *sys_process_tmpl; 121 refstr_t *conp_svc_aux_default; 122 123 /* 124 * Macro predicates for determining when events should be sent and how. 125 */ 126 #define EVSENDP(ctp, flag) \ 127 ((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag) 128 129 #define EVINFOP(ctp, flag) \ 130 ((ctp->conp_contract.ct_ev_crit & flag) == 0) 131 132 #define EVFATALP(ctp, flag) \ 133 (ctp->conp_ev_fatal & flag) 134 135 136 /* 137 * Process contract template implementation 138 */ 139 140 /* 141 * ctmpl_process_dup 142 * 143 * The process contract template dup entry point. Other than the 144 * to-be-subsumed contract, which must be held, this simply copies all 145 * the fields of the original. 146 */ 147 static struct ct_template * 148 ctmpl_process_dup(struct ct_template *template) 149 { 150 ctmpl_process_t *new; 151 ctmpl_process_t *old = template->ctmpl_data; 152 153 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 154 155 ctmpl_copy(&new->ctp_ctmpl, template); 156 new->ctp_ctmpl.ctmpl_data = new; 157 158 new->ctp_subsume = old->ctp_subsume; 159 if (new->ctp_subsume) 160 contract_hold(new->ctp_subsume); 161 new->ctp_params = old->ctp_params; 162 new->ctp_ev_fatal = old->ctp_ev_fatal; 163 new->ctp_svc_fmri = old->ctp_svc_fmri; 164 if (new->ctp_svc_fmri != NULL) { 165 refstr_hold(new->ctp_svc_fmri); 166 } 167 new->ctp_svc_aux = old->ctp_svc_aux; 168 if (new->ctp_svc_aux != NULL) { 169 refstr_hold(new->ctp_svc_aux); 170 } 171 172 return (&new->ctp_ctmpl); 173 } 174 175 /* 176 * ctmpl_process_free 177 * 178 * The process contract template free entry point. Just releases a 179 * to-be-subsumed contract and frees the template. 180 */ 181 static void 182 ctmpl_process_free(struct ct_template *template) 183 { 184 ctmpl_process_t *ctp = template->ctmpl_data; 185 186 if (ctp->ctp_subsume) 187 contract_rele(ctp->ctp_subsume); 188 if (ctp->ctp_svc_fmri != NULL) { 189 refstr_rele(ctp->ctp_svc_fmri); 190 } 191 if (ctp->ctp_svc_aux != NULL) { 192 refstr_rele(ctp->ctp_svc_aux); 193 } 194 kmem_free(template, sizeof (ctmpl_process_t)); 195 } 196 197 /* 198 * SAFE_EV is the set of events which a non-privileged process is 199 * allowed to make critical but not fatal or if the PGRPONLY parameter 200 * is set. EXCESS tells us if "value", a critical event set, requires 201 * additional privilege given the template "ctp". 202 */ 203 #define SAFE_EV (CT_PR_EV_EMPTY) 204 #define EXCESS(ctp, value) \ 205 (((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \ 206 (((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY))) 207 208 /* 209 * ctmpl_process_set 210 * 211 * The process contract template set entry point. None of the terms 212 * may be unconditionally set, and setting the parameters or fatal 213 * event set may result in events being implicitly removed from to the 214 * critical event set and added to the informative event set. The 215 * (admittedly subtle) reason we implicitly change the critical event 216 * set when the parameter or fatal event set is modified but not the 217 * other way around is because a change to the critical event set only 218 * affects the contract's owner, whereas a change to the parameter set 219 * and fatal set can affect the execution of the application running in 220 * the contract (and should therefore be only made explicitly). We 221 * allow implicit changes at all so that setting contract terms doesn't 222 * become a complex dance dependent on the template's initial state and 223 * the desired terms. 224 */ 225 static int 226 ctmpl_process_set(struct ct_template *tmpl, ct_param_t *param, const cred_t *cr) 227 { 228 ctmpl_process_t *ctp = tmpl->ctmpl_data; 229 contract_t *ct; 230 int error; 231 uint64_t param_value; 232 char *str_value; 233 234 if ((param->ctpm_id == CTPP_SVC_FMRI) || 235 (param->ctpm_id == CTPP_CREATOR_AUX)) { 236 str_value = (char *)param->ctpm_value; 237 str_value[param->ctpm_size - 1] = '\0'; 238 } else { 239 if (param->ctpm_size < sizeof (uint64_t)) 240 return (EINVAL); 241 param_value = *(uint64_t *)param->ctpm_value; 242 /* 243 * No process contract parameters are > 32 bits. 244 * Unless it is a string. 245 */ 246 if (param_value & ~UINT32_MAX) 247 return (EINVAL); 248 } 249 250 switch (param->ctpm_id) { 251 case CTPP_SUBSUME: 252 if (param_value != 0) { 253 /* 254 * Ensure that the contract exists, that we 255 * hold the contract, and that the contract is 256 * empty. 257 */ 258 ct = contract_type_ptr(process_type, param_value, 259 curproc->p_zone->zone_uniqid); 260 if (ct == NULL) 261 return (ESRCH); 262 if (ct->ct_owner != curproc) { 263 contract_rele(ct); 264 return (EACCES); 265 } 266 if (((cont_process_t *)ct->ct_data)->conp_nmembers) { 267 contract_rele(ct); 268 return (ENOTEMPTY); 269 } 270 } else { 271 ct = NULL; 272 } 273 if (ctp->ctp_subsume) 274 contract_rele(ctp->ctp_subsume); 275 ctp->ctp_subsume = ct; 276 break; 277 case CTPP_PARAMS: 278 if (param_value & ~CT_PR_ALLPARAM) 279 return (EINVAL); 280 ctp->ctp_params = param_value; 281 /* 282 * If an unprivileged process requests that 283 * CT_PR_PGRPONLY be set, remove any unsafe events from 284 * the critical event set and add them to the 285 * informative event set. 286 */ 287 if ((ctp->ctp_params & CT_PR_PGRPONLY) && 288 EXCESS(ctp, tmpl->ctmpl_ev_crit) && 289 !secpolicy_contract_event_choice(cr)) { 290 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV); 291 tmpl->ctmpl_ev_crit &= SAFE_EV; 292 } 293 294 break; 295 case CTPP_SVC_FMRI: 296 if (error = secpolicy_contract_identity(cr)) 297 return (error); 298 if (ctp->ctp_svc_fmri != NULL) 299 refstr_rele(ctp->ctp_svc_fmri); 300 if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0) 301 ctp->ctp_svc_fmri = NULL; 302 else 303 ctp->ctp_svc_fmri = 304 refstr_alloc(str_value); 305 break; 306 case CTPP_CREATOR_AUX: 307 if (ctp->ctp_svc_aux != NULL) 308 refstr_rele(ctp->ctp_svc_aux); 309 if (param->ctpm_size == 1) /* empty string */ 310 ctp->ctp_svc_aux = NULL; 311 else 312 ctp->ctp_svc_aux = 313 refstr_alloc(str_value); 314 break; 315 case CTP_EV_CRITICAL: 316 /* 317 * We simply don't allow adding events to the critical 318 * event set which aren't permitted by our policy or by 319 * privilege. 320 */ 321 if (EXCESS(ctp, param_value) && 322 (error = secpolicy_contract_event(cr)) != 0) 323 return (error); 324 tmpl->ctmpl_ev_crit = param_value; 325 break; 326 case CTPP_EV_FATAL: 327 if (param_value & ~CT_PR_ALLFATAL) 328 return (EINVAL); 329 ctp->ctp_ev_fatal = param_value; 330 /* 331 * Check to see if an unprivileged process is 332 * requesting that events be removed from the fatal 333 * event set which are still in the critical event set. 334 */ 335 if (EXCESS(ctp, tmpl->ctmpl_ev_crit) && 336 !secpolicy_contract_event_choice(cr)) { 337 int allowed = 338 SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ? 339 0 : ctp->ctp_ev_fatal; 340 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed); 341 tmpl->ctmpl_ev_crit &= allowed; 342 } 343 break; 344 default: 345 return (EINVAL); 346 } 347 348 return (0); 349 } 350 351 /* 352 * ctmpl_process_get 353 * 354 * The process contract template get entry point. Simply fetches and 355 * returns the requested term. 356 */ 357 static int 358 ctmpl_process_get(struct ct_template *template, ct_param_t *param) 359 { 360 ctmpl_process_t *ctp = template->ctmpl_data; 361 uint64_t *param_value = param->ctpm_value; 362 363 if (param->ctpm_id == CTPP_SUBSUME || 364 param->ctpm_id == CTPP_PARAMS || 365 param->ctpm_id == CTPP_EV_FATAL) { 366 if (param->ctpm_size < sizeof (uint64_t)) 367 return (EINVAL); 368 param->ctpm_size = sizeof (uint64_t); 369 } 370 371 switch (param->ctpm_id) { 372 case CTPP_SUBSUME: 373 *param_value = ctp->ctp_subsume ? 374 ctp->ctp_subsume->ct_id : 0; 375 break; 376 case CTPP_PARAMS: 377 *param_value = ctp->ctp_params; 378 break; 379 case CTPP_SVC_FMRI: 380 if (ctp->ctp_svc_fmri == NULL) { 381 param->ctpm_size = 382 strlcpy((char *)param->ctpm_value, 383 CT_PR_SVC_DEFAULT, param->ctpm_size); 384 } else { 385 param->ctpm_size = 386 strlcpy((char *)param->ctpm_value, 387 refstr_value(ctp->ctp_svc_fmri), param->ctpm_size); 388 } 389 param->ctpm_size++; 390 break; 391 case CTPP_CREATOR_AUX: 392 if (ctp->ctp_svc_aux == NULL) { 393 param->ctpm_size = 394 strlcpy((char *)param->ctpm_value, 395 refstr_value(conp_svc_aux_default), 396 param->ctpm_size); 397 } else { 398 param->ctpm_size = 399 strlcpy((char *)param->ctpm_value, 400 refstr_value(ctp->ctp_svc_aux), param->ctpm_size); 401 } 402 param->ctpm_size++; 403 break; 404 case CTPP_EV_FATAL: 405 *param_value = ctp->ctp_ev_fatal; 406 break; 407 default: 408 return (EINVAL); 409 } 410 411 return (0); 412 } 413 414 static ctmplops_t ctmpl_process_ops = { 415 ctmpl_process_dup, /* ctop_dup */ 416 ctmpl_process_free, /* ctop_free */ 417 ctmpl_process_set, /* ctop_set */ 418 ctmpl_process_get, /* ctop_get */ 419 ctmpl_create_inval, /* ctop_create */ 420 CT_PR_ALLEVENT 421 }; 422 423 424 /* 425 * Process contract implementation 426 */ 427 428 /* 429 * ctmpl_process_default 430 * 431 * The process contract default template entry point. Creates a 432 * process contract template with no parameters set, with informative 433 * core and signal events, critical empty and hwerr events, and fatal 434 * hwerr events. 435 */ 436 static ct_template_t * 437 contract_process_default(void) 438 { 439 ctmpl_process_t *new; 440 441 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 442 ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new); 443 444 new->ctp_subsume = NULL; 445 new->ctp_params = 0; 446 new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL; 447 new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR; 448 new->ctp_ev_fatal = CT_PR_EV_HWERR; 449 new->ctp_svc_fmri = NULL; 450 new->ctp_svc_aux = NULL; 451 452 return (&new->ctp_ctmpl); 453 } 454 455 /* 456 * contract_process_free 457 * 458 * The process contract free entry point. 459 */ 460 static void 461 contract_process_free(contract_t *ct) 462 { 463 cont_process_t *ctp = ct->ct_data; 464 crfree(ctp->conp_cred); 465 list_destroy(&ctp->conp_members); 466 list_destroy(&ctp->conp_inherited); 467 if (ctp->conp_svc_fmri != NULL) { 468 refstr_rele(ctp->conp_svc_fmri); 469 } 470 if (ctp->conp_svc_aux != NULL) { 471 refstr_rele(ctp->conp_svc_aux); 472 } 473 if (ctp->conp_svc_creator != NULL) { 474 refstr_rele(ctp->conp_svc_creator); 475 } 476 kmem_free(ctp, sizeof (cont_process_t)); 477 } 478 479 /* 480 * contract_process_cankill 481 * 482 * Determine if the contract author had or if the process generating 483 * the event, sp, has adequate privileges to kill process tp. 484 */ 485 static int 486 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp) 487 { 488 int cankill; 489 490 mutex_enter(&tp->p_crlock); 491 cankill = hasprocperm(tp->p_cred, ctp->conp_cred); 492 mutex_exit(&tp->p_crlock); 493 if (cankill || (sp && prochasprocperm(tp, sp, CRED()))) 494 return (1); 495 496 return (0); 497 } 498 499 /* 500 * contract_process_kill 501 * 502 * Kills all processes in a contract, or all processes in the 503 * intersection of a contract and ex's process group (if ex is non-NULL 504 * and the contract's PGRPONLY parameter is set). If checkpriv is 505 * true, only those processes which may be signaled by the contract 506 * author or ex are killed. 507 */ 508 static void 509 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv) 510 { 511 cont_process_t *ctp = ct->ct_data; 512 proc_t *p; 513 pid_t pgrp = -1; 514 515 ASSERT(MUTEX_HELD(&ct->ct_lock)); 516 517 if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) { 518 pgrp = ex->p_pgrp; 519 mutex_enter(&pidlock); 520 } 521 522 for (p = list_head(&ctp->conp_members); p != NULL; 523 p = list_next(&ctp->conp_members, p)) { 524 if ((p == ex) || (pgrp != -1 && p->p_pgrp != pgrp) || 525 (checkpriv && !contract_process_cankill(p, ex, ctp))) 526 continue; 527 528 psignal(p, SIGKILL); 529 } 530 531 if (pgrp != -1) 532 mutex_exit(&pidlock); 533 } 534 535 536 /* 537 * contract_process_accept 538 * 539 * Tests if the process contract is willing to act as a regent for 540 * inherited contracts. Though brief and only called from one place, 541 * this functionality is kept here to avoid including knowledge of 542 * process contract implementation in the generic contract code. 543 */ 544 int 545 contract_process_accept(contract_t *parent) 546 { 547 cont_process_t *ctp = parent->ct_data; 548 549 ASSERT(parent->ct_type == process_type); 550 551 return (ctp->conp_params & CT_PR_REGENT); 552 } 553 554 /* 555 * contract_process_take 556 * 557 * Executes the process contract side of inheriting a contract. 558 */ 559 void 560 contract_process_take(contract_t *parent, contract_t *child) 561 { 562 cont_process_t *ctp = parent->ct_data; 563 564 ASSERT(MUTEX_HELD(&parent->ct_lock)); 565 ASSERT(MUTEX_HELD(&child->ct_lock)); 566 ASSERT(parent->ct_type == process_type); 567 ASSERT(ctp->conp_params & CT_PR_REGENT); 568 569 list_insert_head(&ctp->conp_inherited, child); 570 ctp->conp_ninherited++; 571 } 572 573 /* 574 * contract_process_adopt 575 * 576 * Executes the process contract side of adopting a contract. 577 */ 578 void 579 contract_process_adopt(contract_t *ct, proc_t *p) 580 { 581 cont_process_t *parent = p->p_ct_process; 582 583 ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock)); 584 ASSERT(MUTEX_HELD(&ct->ct_lock)); 585 586 list_remove(&parent->conp_inherited, ct); 587 parent->conp_ninherited--; 588 589 /* 590 * We drop the parent lock first because a) we are passing the 591 * contract reference to the child, and b) contract_adopt 592 * expects us to return with the contract lock held. 593 */ 594 mutex_exit(&parent->conp_contract.ct_lock); 595 } 596 597 /* 598 * contract_process_abandon 599 * 600 * The process contract abandon entry point. 601 */ 602 static void 603 contract_process_abandon(contract_t *ct) 604 { 605 cont_process_t *ctp = ct->ct_data; 606 607 ASSERT(MUTEX_HELD(&ct->ct_lock)); 608 609 /* 610 * Shall we stay or shall we go? 611 */ 612 if (list_head(&ctp->conp_members) == NULL) { 613 contract_destroy(ct); 614 } else { 615 /* 616 * Strictly speaking, we actually do orphan the contract. 617 * Assuming our credentials allow us to kill all 618 * processes in the contract, this is only temporary. 619 */ 620 if (ctp->conp_params & CT_PR_NOORPHAN) 621 contract_process_kill(ct, NULL, B_TRUE); 622 contract_orphan(ct); 623 mutex_exit(&ct->ct_lock); 624 contract_rele(ct); 625 } 626 } 627 628 /* 629 * contract_process_destroy 630 * 631 * The process contract destroy entry point. 632 */ 633 static void 634 contract_process_destroy(contract_t *ct) 635 { 636 cont_process_t *ctp = ct->ct_data; 637 contract_t *cct; 638 639 ASSERT(MUTEX_HELD(&ct->ct_lock)); 640 641 /* 642 * contract_destroy all empty children, kill or orphan the rest 643 */ 644 while (cct = list_head(&ctp->conp_inherited)) { 645 mutex_enter(&cct->ct_lock); 646 647 ASSERT(cct->ct_state == CTS_INHERITED); 648 649 list_remove(&ctp->conp_inherited, cct); 650 ctp->conp_ninherited--; 651 cct->ct_regent = NULL; 652 cct->ct_type->ct_type_ops->contop_abandon(cct); 653 } 654 } 655 656 /* 657 * contract_process_status 658 * 659 * The process contract status entry point. 660 */ 661 static void 662 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl, 663 void *status, model_t model) 664 { 665 cont_process_t *ctp = ct->ct_data; 666 uint32_t *pids, *ctids; 667 uint_t npids, nctids; 668 uint_t spids, sctids; 669 ctid_t local_svc_zone_enter; 670 671 if (detail == CTD_FIXED) { 672 mutex_enter(&ct->ct_lock); 673 contract_status_common(ct, zone, status, model); 674 local_svc_zone_enter = ctp->conp_svc_zone_enter; 675 mutex_exit(&ct->ct_lock); 676 } else { 677 contract_t *cnext; 678 proc_t *pnext; 679 uint_t loc; 680 681 ASSERT(detail == CTD_ALL); 682 mutex_enter(&ct->ct_lock); 683 for (;;) { 684 spids = ctp->conp_nmembers + 5; 685 sctids = ctp->conp_ninherited + 5; 686 mutex_exit(&ct->ct_lock); 687 688 pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP); 689 ctids = kmem_alloc(sctids * sizeof (uint32_t), 690 KM_SLEEP); 691 692 mutex_enter(&ct->ct_lock); 693 npids = ctp->conp_nmembers; 694 nctids = ctp->conp_ninherited; 695 if (spids >= npids && sctids >= nctids) 696 break; 697 698 kmem_free(pids, spids * sizeof (uint32_t)); 699 kmem_free(ctids, sctids * sizeof (uint32_t)); 700 } 701 contract_status_common(ct, zone, status, model); 702 for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext; 703 cnext = list_next(&ctp->conp_inherited, cnext)) 704 ctids[loc++] = cnext->ct_id; 705 ASSERT(loc == nctids); 706 for (loc = 0, pnext = list_head(&ctp->conp_members); pnext; 707 pnext = list_next(&ctp->conp_members, pnext)) 708 pids[loc++] = pnext->p_pid; 709 ASSERT(loc == npids); 710 local_svc_zone_enter = ctp->conp_svc_zone_enter; 711 mutex_exit(&ct->ct_lock); 712 } 713 714 /* 715 * Contract terms are static; there's no need to hold the 716 * contract lock while accessing them. 717 */ 718 VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0); 719 VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0); 720 if (detail == CTD_ALL) { 721 VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids, 722 npids) == 0); 723 VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids, 724 nctids) == 0); 725 VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX, 726 refstr_value(ctp->conp_svc_aux)) == 0); 727 VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR, 728 refstr_value(ctp->conp_svc_creator)) == 0); 729 kmem_free(pids, spids * sizeof (uint32_t)); 730 kmem_free(ctids, sctids * sizeof (uint32_t)); 731 } 732 733 /* 734 * if we are in a local zone and svc_fmri was inherited from 735 * the global zone, we provide fake svc_fmri and svc_ctid 736 */ 737 if (local_svc_zone_enter == 0|| 738 zone->zone_uniqid == GLOBAL_ZONEUNIQID) { 739 if (detail > CTD_COMMON) { 740 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID, 741 ctp->conp_svc_ctid) == 0); 742 } 743 if (detail == CTD_ALL) { 744 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI, 745 refstr_value(ctp->conp_svc_fmri)) == 0); 746 } 747 } else { 748 if (detail > CTD_COMMON) { 749 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID, 750 local_svc_zone_enter) == 0); 751 } 752 if (detail == CTD_ALL) { 753 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI, 754 CT_PR_SVC_FMRI_ZONE_ENTER) == 0); 755 } 756 } 757 } 758 759 /*ARGSUSED*/ 760 static int 761 contract_process_newct(contract_t *ct) 762 { 763 return (0); 764 } 765 766 /* process contracts don't negotiate */ 767 static contops_t contract_process_ops = { 768 contract_process_free, /* contop_free */ 769 contract_process_abandon, /* contop_abandon */ 770 contract_process_destroy, /* contop_destroy */ 771 contract_process_status, /* contop_status */ 772 contract_ack_inval, /* contop_ack */ 773 contract_ack_inval, /* contop_nack */ 774 contract_qack_inval, /* contop_qack */ 775 contract_process_newct /* contop_newct */ 776 }; 777 778 /* 779 * contract_process_init 780 * 781 * Initializes the process contract type. Also creates a template for 782 * use by newproc() when it creates user processes. 783 */ 784 void 785 contract_process_init(void) 786 { 787 process_type = contract_type_init(CTT_PROCESS, "process", 788 &contract_process_ops, contract_process_default); 789 790 /* 791 * Create a template for use with init(1M) and other 792 * kernel-started processes. 793 */ 794 sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP); 795 ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops, 796 process_type, sys_process_tmpl); 797 sys_process_tmpl->ctp_subsume = NULL; 798 sys_process_tmpl->ctp_params = CT_PR_NOORPHAN; 799 sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR; 800 sys_process_tmpl->ctp_svc_fmri = 801 refstr_alloc("svc:/system/init:default"); 802 sys_process_tmpl->ctp_svc_aux = refstr_alloc(""); 803 conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux; 804 refstr_hold(conp_svc_aux_default); 805 } 806 807 /* 808 * contract_process_create 809 * 810 * create a process contract given template "tmpl" and parent process 811 * "parent". May fail and return NULL if project.max-contracts would 812 * have been exceeded. 813 */ 814 static cont_process_t * 815 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail) 816 { 817 cont_process_t *ctp; 818 819 ASSERT(tmpl != NULL); 820 821 (void) contract_type_pbundle(process_type, parent); 822 823 ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP); 824 825 list_create(&ctp->conp_members, sizeof (proc_t), 826 offsetof(proc_t, p_ct_member)); 827 list_create(&ctp->conp_inherited, sizeof (contract_t), 828 offsetof(contract_t, ct_ctlist)); 829 mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock); 830 ctp->conp_params = tmpl->ctp_params; 831 ctp->conp_ev_fatal = tmpl->ctp_ev_fatal; 832 crhold(ctp->conp_cred = CRED()); 833 834 if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl, 835 ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0, 836 parent, canfail)) { 837 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock); 838 contract_process_free(&ctp->conp_contract); 839 return (NULL); 840 } 841 842 /* 843 * inherit svc_fmri if not defined by consumer. In this case, inherit 844 * also svc_ctid to keep track of the contract id where 845 * svc_fmri was set 846 */ 847 if (tmpl->ctp_svc_fmri == NULL) { 848 ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri; 849 ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid; 850 ctp->conp_svc_zone_enter = 851 parent->p_ct_process->conp_svc_zone_enter; 852 } else { 853 ctp->conp_svc_fmri = tmpl->ctp_svc_fmri; 854 ctp->conp_svc_ctid = ctp->conp_contract.ct_id; 855 /* make svc_zone_enter flag false when svc_fmri is set */ 856 ctp->conp_svc_zone_enter = 0; 857 } 858 refstr_hold(ctp->conp_svc_fmri); 859 /* set svc_aux to default value if not defined in template */ 860 if (tmpl->ctp_svc_aux == NULL) { 861 ctp->conp_svc_aux = conp_svc_aux_default; 862 } else { 863 ctp->conp_svc_aux = tmpl->ctp_svc_aux; 864 } 865 refstr_hold(ctp->conp_svc_aux); 866 /* 867 * set svc_creator to execname 868 * We special case pid0 because when newproc() creates 869 * the init process, the p_user.u_comm field of sched's proc_t 870 * has not been populated yet. 871 */ 872 if (parent->p_pidp == &pid0) /* if the kernel is the creator */ 873 ctp->conp_svc_creator = refstr_alloc("sched"); 874 else 875 ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm); 876 877 /* 878 * Transfer subcontracts only after new contract is visible. 879 * Also, only transfer contracts if the parent matches -- we 880 * don't want to create a cycle in the tree of contracts. 881 */ 882 if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) { 883 cont_process_t *sct = tmpl->ctp_subsume->ct_data; 884 contract_t *ct; 885 886 mutex_enter(&tmpl->ctp_subsume->ct_lock); 887 mutex_enter(&ctp->conp_contract.ct_lock); 888 while (ct = list_head(&sct->conp_inherited)) { 889 mutex_enter(&ct->ct_lock); 890 list_remove(&sct->conp_inherited, ct); 891 list_insert_tail(&ctp->conp_inherited, ct); 892 ct->ct_regent = &ctp->conp_contract; 893 mutex_exit(&ct->ct_lock); 894 } 895 ctp->conp_ninherited += sct->conp_ninherited; 896 sct->conp_ninherited = 0; 897 mutex_exit(&ctp->conp_contract.ct_lock); 898 mutex_exit(&tmpl->ctp_subsume->ct_lock); 899 900 /* 901 * Automatically abandon the contract. 902 */ 903 (void) contract_abandon(tmpl->ctp_subsume, parent, 1); 904 } 905 906 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock); 907 908 return (ctp); 909 } 910 911 /* 912 * contract_process_exit 913 * 914 * Called on process exit. Removes process p from process contract 915 * ctp. Generates an exit event, if requested. Generates an empty 916 * event, if p is the last member of the the process contract and empty 917 * events were requested. 918 */ 919 void 920 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus) 921 { 922 contract_t *ct = &ctp->conp_contract; 923 ct_kevent_t *event; 924 int empty; 925 926 /* 927 * Remove self from process contract. 928 */ 929 mutex_enter(&ct->ct_lock); 930 list_remove(&ctp->conp_members, p); 931 ctp->conp_nmembers--; 932 mutex_enter(&p->p_lock); /* in case /proc is watching */ 933 p->p_ct_process = NULL; 934 mutex_exit(&p->p_lock); 935 936 /* 937 * We check for emptiness before dropping the contract lock to 938 * send the exit event, otherwise we could end up with two 939 * empty events. 940 */ 941 empty = (list_head(&ctp->conp_members) == NULL); 942 if (EVSENDP(ctp, CT_PR_EV_EXIT)) { 943 nvlist_t *nvl; 944 945 mutex_exit(&ct->ct_lock); 946 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 947 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 948 VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0); 949 950 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 951 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0; 952 event->cte_type = CT_PR_EV_EXIT; 953 (void) cte_publish_all(ct, event, nvl, NULL); 954 mutex_enter(&ct->ct_lock); 955 } 956 if (empty) { 957 /* 958 * Send EMPTY message. 959 */ 960 if (EVSENDP(ctp, CT_PR_EV_EMPTY)) { 961 nvlist_t *nvl; 962 963 mutex_exit(&ct->ct_lock); 964 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, 965 KM_SLEEP) == 0); 966 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0); 967 968 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP); 969 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ? 970 CTE_INFO : 0; 971 event->cte_type = CT_PR_EV_EMPTY; 972 (void) cte_publish_all(ct, event, nvl, NULL); 973 mutex_enter(&ct->ct_lock); 974 } 975 976 /* 977 * The last one to leave an orphaned contract turns out 978 * the lights. 979 */ 980 if (ct->ct_state == CTS_ORPHAN) { 981 contract_destroy(ct); 982 return; 983 } 984 } 985 mutex_exit(&ct->ct_lock); 986 contract_rele(ct); 987 } 988 989 /* 990 * contract_process_fork 991 * 992 * Called on process fork. If the current lwp has a active process 993 * contract template, we attempt to create a new process contract. 994 * Failure to create a process contract when required is a failure in 995 * fork so, in such an event, we return NULL. 996 * 997 * Assuming we succeeded or skipped the previous step, we add the child 998 * process to the new contract (success) or to the parent's process 999 * contract (skip). If requested, we also send a fork event to that 1000 * contract. 1001 * 1002 * Because contract_process_fork() may fail, and because we would 1003 * prefer that process contracts not be created for processes which 1004 * don't complete forking, this should be the last function called 1005 * before the "all clear" point in cfork. 1006 */ 1007 cont_process_t * 1008 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp, 1009 int canfail) 1010 { 1011 contract_t *ct; 1012 cont_process_t *ctp; 1013 ct_kevent_t *event; 1014 ct_template_t *tmpl; 1015 1016 if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[ 1017 process_type->ct_type_index]) != NULL) 1018 rtmpl = tmpl->ctmpl_data; 1019 1020 if (rtmpl == NULL) 1021 ctp = curproc->p_ct_process; 1022 else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL) 1023 return (NULL); 1024 1025 ct = &ctp->conp_contract; 1026 /* 1027 * Prevent contract_process_kill() from missing forked children 1028 * by failing forks by parents that have just been killed. 1029 * It's not worth hoisting the ctp test since contract creation 1030 * is by no means the common case. 1031 */ 1032 mutex_enter(&ct->ct_lock); 1033 mutex_enter(&pp->p_lock); 1034 if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 && 1035 canfail) { 1036 mutex_exit(&pp->p_lock); 1037 mutex_exit(&ct->ct_lock); 1038 return (NULL); 1039 } 1040 cp->p_ct_process = ctp; 1041 mutex_exit(&pp->p_lock); 1042 contract_hold(ct); 1043 list_insert_head(&ctp->conp_members, cp); 1044 ctp->conp_nmembers++; 1045 mutex_exit(&ct->ct_lock); 1046 if (EVSENDP(ctp, CT_PR_EV_FORK)) { 1047 nvlist_t *nvl; 1048 1049 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0); 1050 VERIFY(nvlis