1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2019 Joyent, Inc.
25 */
26
27 #include <sys/mutex.h>
28 #include <sys/debug.h>
29 #include <sys/types.h>
30 #include <sys/param.h>
31 #include <sys/kmem.h>
32 #include <sys/thread.h>
33 #include <sys/id_space.h>
34 #include <sys/avl.h>
35 #include <sys/list.h>
36 #include <sys/sysmacros.h>
37 #include <sys/proc.h>
38 #include <sys/contract.h>
39 #include <sys/contract_impl.h>
40 #include <sys/contract/process.h>
41 #include <sys/contract/process_impl.h>
42 #include <sys/cmn_err.h>
43 #include <sys/nvpair.h>
44 #include <sys/policy.h>
45 #include <sys/refstr.h>
46 #include <sys/sunddi.h>
47
48 /*
49 * Process Contracts
50 * -----------------
51 *
52 * Generally speaking, a process contract is a contract between a
53 * process and a set of its descendent processes. In some cases, when
54 * the child processes outlive the author of the contract, the contract
55 * may be held by (and therefore be between the child processes and) a
56 * successor process which adopts the contract after the death of the
57 * original author.
58 *
59 * The process contract adds two new concepts to the Solaris process
60 * model. The first is that a process contract forms a rigid fault
61 * boundary around a set of processes. Hardware, software, and even
62 * administrator errors impacting a process in a process contract
63 * generate specific events and can be requested to atomically shutdown
64 * all processes in the contract. The second is that a process
65 * contract is a process collective whose leader is not a member of the
66 * collective. This means that the leader can reliably react to events
67 * in the collective, and may also act upon the collective without
68 * special casing itself.
69 *
70 * A composite outcome of these two concepts is that we can now create
71 * a tree of process contracts, rooted at init(1M), which represent
72 * services and subservices that are reliably observed and can be
73 * restarted when fatal errors occur. The service management framework
74 * (SMF) realizes this structure.
75 *
76 * For more details, see the "restart agreements" case, PSARC 2003/193.
77 *
78 * There are four sets of routines in this file: the process contract
79 * standard template operations, the process contract standard contract
80 * operations, a couple routines used only by the contract subsystem to
81 * handle process contracts' unique role as a temporary holder of
82 * abandoned contracts, and the interfaces which allow the system to
83 * create and act upon process contracts. The first two are defined by
84 * the contracts framework and won't be discussed further. As for the
85 * remaining two:
86 *
87 * Special framework interfaces
88 * ----------------------------
89 *
90 * contract_process_accept - determines if a process contract is a
91 * regent, i.e. if it can inherit other contracts.
92 *
93 * contract_process_take - tells a regent process contract to inherit
94 * an abandoned contract
95 *
96 * contract_process_adopt - tells a regent process contract that a
97 * contract it has inherited is being adopted by a process.
98 *
99 * Process contract interfaces
100 * ---------------------------
101 *
102 * contract_process_fork - called when a process is created; adds the
103 * new process to an existing contract or to a newly created one.
104 *
105 * contract_process_exit - called when a process exits
106 *
107 * contract_process_core - called when a process would have dumped core
108 * (even if a core file wasn't generated)
109 *
110 * contract_process_hwerr - called when a process was killed because of
111 * an uncorrectable hardware error
112 *
113 * contract_process_sig - called when a process was killed by a fatal
114 * signal sent by a process in another process contract
115 *
116 */
117
118 ct_type_t *process_type;
119 ctmpl_process_t *sys_process_tmpl;
120 refstr_t *conp_svc_aux_default;
121
122 /*
123 * Macro predicates for determining when events should be sent and how.
124 */
125 #define EVSENDP(ctp, flag) \
126 ((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
127
128 #define EVINFOP(ctp, flag) \
129 ((ctp->conp_contract.ct_ev_crit & flag) == 0)
130
131 #define EVFATALP(ctp, flag) \
132 (ctp->conp_ev_fatal & flag)
133
134
135 /*
136 * Process contract template implementation
137 */
138
139 /*
140 * ctmpl_process_dup
141 *
142 * The process contract template dup entry point. Other than the
143 * to-be-subsumed contract, which must be held, this simply copies all
144 * the fields of the original.
145 */
146 static struct ct_template *
147 ctmpl_process_dup(struct ct_template *template)
148 {
149 ctmpl_process_t *new;
150 ctmpl_process_t *old = template->ctmpl_data;
151
152 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
153
154 ctmpl_copy(&new->ctp_ctmpl, template);
155 new->ctp_ctmpl.ctmpl_data = new;
156
157 new->ctp_subsume = old->ctp_subsume;
158 if (new->ctp_subsume)
159 contract_hold(new->ctp_subsume);
160 new->ctp_params = old->ctp_params;
161 new->ctp_ev_fatal = old->ctp_ev_fatal;
162 new->ctp_svc_fmri = old->ctp_svc_fmri;
163 if (new->ctp_svc_fmri != NULL) {
164 refstr_hold(new->ctp_svc_fmri);
165 }
166 new->ctp_svc_aux = old->ctp_svc_aux;
167 if (new->ctp_svc_aux != NULL) {
168 refstr_hold(new->ctp_svc_aux);
169 }
170
171 return (&new->ctp_ctmpl);
172 }
173
174 /*
175 * ctmpl_process_free
176 *
177 * The process contract template free entry point. Just releases a
178 * to-be-subsumed contract and frees the template.
179 */
180 static void
181 ctmpl_process_free(struct ct_template *template)
182 {
183 ctmpl_process_t *ctp = template->ctmpl_data;
184
185 if (ctp->ctp_subsume)
186 contract_rele(ctp->ctp_subsume);
187 if (ctp->ctp_svc_fmri != NULL) {
188 refstr_rele(ctp->ctp_svc_fmri);
189 }
190 if (ctp->ctp_svc_aux != NULL) {
191 refstr_rele(ctp->ctp_svc_aux);
192 }
193 kmem_free(template, sizeof (ctmpl_process_t));
194 }
195
196 /*
197 * SAFE_EV is the set of events which a non-privileged process is
198 * allowed to make critical but not fatal or if the PGRPONLY parameter
199 * is set. EXCESS tells us if "value", a critical event set, requires
200 * additional privilege given the template "ctp".
201 */
202 #define SAFE_EV (CT_PR_EV_EMPTY)
203 #define EXCESS(ctp, value) \
204 (((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
205 (((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
206
207 /*
208 * ctmpl_process_set
209 *
210 * The process contract template set entry point. None of the terms
211 * may be unconditionally set, and setting the parameters or fatal
212 * event set may result in events being implicitly removed from to the
213 * critical event set and added to the informative event set. The
214 * (admittedly subtle) reason we implicitly change the critical event
215 * set when the parameter or fatal event set is modified but not the
216 * other way around is because a change to the critical event set only
217 * affects the contract's owner, whereas a change to the parameter set
218 * and fatal set can affect the execution of the application running in
219 * the contract (and should therefore be only made explicitly). We
220 * allow implicit changes at all so that setting contract terms doesn't
221 * become a complex dance dependent on the template's initial state and
222 * the desired terms.
223 */
224 static int
225 ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
226 const cred_t *cr)
227 {
228 ctmpl_process_t *ctp = tmpl->ctmpl_data;
229 ct_param_t *param = &kparam->param;
230 contract_t *ct;
231 int error;
232 uint64_t param_value;
233 char *str_value;
234
235 if ((param->ctpm_id == CTPP_SVC_FMRI) ||
236 (param->ctpm_id == CTPP_CREATOR_AUX)) {
237 str_value = (char *)kparam->ctpm_kbuf;
238 str_value[param->ctpm_size - 1] = '\0';
239 } else {
240 if (param->ctpm_size < sizeof (uint64_t))
241 return (EINVAL);
242 param_value = *(uint64_t *)kparam->ctpm_kbuf;
243 /*
244 * No process contract parameters are > 32 bits.
245 * Unless it is a string.
246 */
247 if (param_value & ~UINT32_MAX)
248 return (EINVAL);
249 }
250
251 switch (param->ctpm_id) {
252 case CTPP_SUBSUME:
253 if (param_value != 0) {
254 /*
255 * Ensure that the contract exists, that we
256 * hold the contract, and that the contract is
257 * empty.
258 */
259 ct = contract_type_ptr(process_type, param_value,
260 curproc->p_zone->zone_uniqid);
261 if (ct == NULL)
262 return (ESRCH);
263 if (ct->ct_owner != curproc) {
264 contract_rele(ct);
265 return (EACCES);
266 }
267 if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
268 contract_rele(ct);
269 return (ENOTEMPTY);
270 }
271 } else {
272 ct = NULL;
273 }
274 if (ctp->ctp_subsume)
275 contract_rele(ctp->ctp_subsume);
276 ctp->ctp_subsume = ct;
277 break;
278 case CTPP_PARAMS:
279 if (param_value & ~CT_PR_ALLPARAM)
280 return (EINVAL);
281 ctp->ctp_params = param_value;
282 /*
283 * If an unprivileged process requests that
284 * CT_PR_PGRPONLY be set, remove any unsafe events from
285 * the critical event set and add them to the
286 * informative event set.
287 */
288 if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
289 EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
290 !secpolicy_contract_event_choice(cr)) {
291 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
292 tmpl->ctmpl_ev_crit &= SAFE_EV;
293 }
294
295 break;
296 case CTPP_SVC_FMRI:
297 if (error = secpolicy_contract_identity(cr))
298 return (error);
299 if (ctp->ctp_svc_fmri != NULL)
300 refstr_rele(ctp->ctp_svc_fmri);
301 if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
302 ctp->ctp_svc_fmri = NULL;
303 else
304 ctp->ctp_svc_fmri =
305 refstr_alloc(str_value);
306 break;
307 case CTPP_CREATOR_AUX:
308 if (ctp->ctp_svc_aux != NULL)
309 refstr_rele(ctp->ctp_svc_aux);
310 if (param->ctpm_size == 1) /* empty string */
311 ctp->ctp_svc_aux = NULL;
312 else
313 ctp->ctp_svc_aux =
314 refstr_alloc(str_value);
315 break;
316 case CTP_EV_CRITICAL:
317 /*
318 * We simply don't allow adding events to the critical
319 * event set which aren't permitted by our policy or by
320 * privilege.
321 */
322 if (EXCESS(ctp, param_value) &&
323 (error = secpolicy_contract_event(cr)) != 0)
324 return (error);
325 tmpl->ctmpl_ev_crit = param_value;
326 break;
327 case CTPP_EV_FATAL:
328 if (param_value & ~CT_PR_ALLFATAL)
329 return (EINVAL);
330 ctp->ctp_ev_fatal = param_value;
331 /*
332 * Check to see if an unprivileged process is
333 * requesting that events be removed from the fatal
334 * event set which are still in the critical event set.
335 */
336 if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
337 !secpolicy_contract_event_choice(cr)) {
338 int allowed =
339 SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
340 0 : ctp->ctp_ev_fatal;
341 tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
342 tmpl->ctmpl_ev_crit &= allowed;
343 }
344 break;
345 default:
346 return (EINVAL);
347 }
348
349 return (0);
350 }
351
352 /*
353 * ctmpl_process_get
354 *
355 * The process contract template get entry point. Simply fetches and
356 * returns the requested term.
357 */
358 static int
359 ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
360 {
361 ctmpl_process_t *ctp = template->ctmpl_data;
362 ct_param_t *param = &kparam->param;
363 uint64_t *param_value = kparam->ctpm_kbuf;
364
365 if (param->ctpm_id == CTPP_SUBSUME ||
366 param->ctpm_id == CTPP_PARAMS ||
367 param->ctpm_id == CTPP_EV_FATAL) {
368 if (param->ctpm_size < sizeof (uint64_t))
369 return (EINVAL);
370 kparam->ret_size = sizeof (uint64_t);
371 }
372
373 switch (param->ctpm_id) {
374 case CTPP_SUBSUME:
375 *param_value = ctp->ctp_subsume ?
376 ctp->ctp_subsume->ct_id : 0;
377 break;
378 case CTPP_PARAMS:
379 *param_value = ctp->ctp_params;
380 break;
381 case CTPP_SVC_FMRI:
382 if (ctp->ctp_svc_fmri == NULL) {
383 kparam->ret_size =
384 strlcpy((char *)kparam->ctpm_kbuf,
385 CT_PR_SVC_DEFAULT, param->ctpm_size);
386 } else {
387 kparam->ret_size =
388 strlcpy((char *)kparam->ctpm_kbuf,
389 refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
390 }
391 kparam->ret_size++;
392 break;
393 case CTPP_CREATOR_AUX:
394 if (ctp->ctp_svc_aux == NULL) {
395 kparam->ret_size =
396 strlcpy((char *)kparam->ctpm_kbuf,
397 refstr_value(conp_svc_aux_default),
398 param->ctpm_size);
399 } else {
400 kparam->ret_size =
401 strlcpy((char *)kparam->ctpm_kbuf,
402 refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
403 }
404 kparam->ret_size++;
405 break;
406 case CTPP_EV_FATAL:
407 *param_value = ctp->ctp_ev_fatal;
408 break;
409 default:
410 return (EINVAL);
411 }
412
413 return (0);
414 }
415
416 static ctmplops_t ctmpl_process_ops = {
417 ctmpl_process_dup, /* ctop_dup */
418 ctmpl_process_free, /* ctop_free */
419 ctmpl_process_set, /* ctop_set */
420 ctmpl_process_get, /* ctop_get */
421 ctmpl_create_inval, /* ctop_create */
422 CT_PR_ALLEVENT
423 };
424
425
426 /*
427 * Process contract implementation
428 */
429
430 /*
431 * ctmpl_process_default
432 *
433 * The process contract default template entry point. Creates a
434 * process contract template with no parameters set, with informative
435 * core and signal events, critical empty and hwerr events, and fatal
436 * hwerr events.
437 */
438 static ct_template_t *
439 contract_process_default(void)
440 {
441 ctmpl_process_t *new;
442
443 new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
444 ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
445
446 new->ctp_subsume = NULL;
447 new->ctp_params = 0;
448 new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
449 new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
450 new->ctp_ev_fatal = CT_PR_EV_HWERR;
451 new->ctp_svc_fmri = NULL;
452 new->ctp_svc_aux = NULL;
453
454 return (&new->ctp_ctmpl);
455 }
456
457 /*
458 * contract_process_free
459 *
460 * The process contract free entry point.
461 */
462 static void
463 contract_process_free(contract_t *ct)
464 {
465 cont_process_t *ctp = ct->ct_data;
466 crfree(ctp->conp_cred);
467 list_destroy(&ctp->conp_members);
468 list_destroy(&ctp->conp_inherited);
469 if (ctp->conp_svc_fmri != NULL) {
470 refstr_rele(ctp->conp_svc_fmri);
471 }
472 if (ctp->conp_svc_aux != NULL) {
473 refstr_rele(ctp->conp_svc_aux);
474 }
475 if (ctp->conp_svc_creator != NULL) {
476 refstr_rele(ctp->conp_svc_creator);
477 }
478 kmem_free(ctp, sizeof (cont_process_t));
479 }
480
481 /*
482 * contract_process_cankill
483 *
484 * Determine if the contract author had or if the process generating
485 * the event, sp, has adequate privileges to kill process tp.
486 */
487 static int
488 contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
489 {
490 int cankill;
491
492 mutex_enter(&tp->p_crlock);
493 cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
494 mutex_exit(&tp->p_crlock);
495 if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
496 return (1);
497
498 return (0);
499 }
500
501 /*
502 * contract_process_kill
503 *
504 * Kills all processes in a contract, or all processes in the
505 * intersection of a contract and ex's process group (if ex is non-NULL
506 * and the contract's PGRPONLY parameter is set). If checkpriv is
507 * true, only those processes which may be signaled by the contract
508 * author or ex are killed.
509 */
510 static void
511 contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
512 {
513 cont_process_t *ctp = ct->ct_data;
514 proc_t *p;
515 pid_t pgrp = -1;
516
517 ASSERT(MUTEX_HELD(&ct->ct_lock));
518
519 if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
520 pgrp = ex->p_pgrp;
521 mutex_enter(&pidlock);
522 }
523
524 for (p = list_head(&ctp->conp_members); p != NULL;
525 p = list_next(&ctp->conp_members, p)) {
526 if ((p == ex) ||
527 (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
528 (checkpriv && !contract_process_cankill(p, ex, ctp)))
529 continue;
530
531 psignal(p, SIGKILL);
532 }
533
534 if (pgrp != -1)
535 mutex_exit(&pidlock);
536 }
537
538
539 /*
540 * contract_process_accept
541 *
542 * Tests if the process contract is willing to act as a regent for
543 * inherited contracts. Though brief and only called from one place,
544 * this functionality is kept here to avoid including knowledge of
545 * process contract implementation in the generic contract code.
546 */
547 int
548 contract_process_accept(contract_t *parent)
549 {
550 cont_process_t *ctp = parent->ct_data;
551
552 ASSERT(parent->ct_type == process_type);
553
554 return (ctp->conp_params & CT_PR_REGENT);
555 }
556
557 /*
558 * contract_process_take
559 *
560 * Executes the process contract side of inheriting a contract.
561 */
562 void
563 contract_process_take(contract_t *parent, contract_t *child)
564 {
565 cont_process_t *ctp = parent->ct_data;
566
567 ASSERT(MUTEX_HELD(&parent->ct_lock));
568 ASSERT(MUTEX_HELD(&child->ct_lock));
569 ASSERT(parent->ct_type == process_type);
570 ASSERT(ctp->conp_params & CT_PR_REGENT);
571
572 list_insert_head(&ctp->conp_inherited, child);
573 ctp->conp_ninherited++;
574 }
575
576 /*
577 * contract_process_adopt
578 *
579 * Executes the process contract side of adopting a contract.
580 */
581 void
582 contract_process_adopt(contract_t *ct, proc_t *p)
583 {
584 cont_process_t *parent = p->p_ct_process;
585
586 ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
587 ASSERT(MUTEX_HELD(&ct->ct_lock));
588
589 list_remove(&parent->conp_inherited, ct);
590 parent->conp_ninherited--;
591
592 /*
593 * We drop the parent lock first because a) we are passing the
594 * contract reference to the child, and b) contract_adopt
595 * expects us to return with the contract lock held.
596 */
597 mutex_exit(&parent->conp_contract.ct_lock);
598 }
599
600 /*
601 * contract_process_abandon
602 *
603 * The process contract abandon entry point.
604 */
605 static void
606 contract_process_abandon(contract_t *ct)
607 {
608 cont_process_t *ctp = ct->ct_data;
609
610 ASSERT(MUTEX_HELD(&ct->ct_lock));
611
612 /*
613 * Shall we stay or shall we go?
614 */
615 if (list_head(&ctp->conp_members) == NULL) {
616 contract_destroy(ct);
617 } else {
618 /*
619 * Strictly speaking, we actually do orphan the contract.
620 * Assuming our credentials allow us to kill all
621 * processes in the contract, this is only temporary.
622 */
623 if (ctp->conp_params & CT_PR_NOORPHAN)
624 contract_process_kill(ct, NULL, B_TRUE);
625 contract_orphan(ct);
626 mutex_exit(&ct->ct_lock);
627 contract_rele(ct);
628 }
629 }
630
631 /*
632 * contract_process_destroy
633 *
634 * The process contract destroy entry point.
635 */
636 static void
637 contract_process_destroy(contract_t *ct)
638 {
639 cont_process_t *ctp = ct->ct_data;
640 contract_t *cct;
641
642 ASSERT(MUTEX_HELD(&ct->ct_lock));
643
644 /*
645 * contract_destroy all empty children, kill or orphan the rest
646 */
647 while (cct = list_head(&ctp->conp_inherited)) {
648 mutex_enter(&cct->ct_lock);
649
650 ASSERT(cct->ct_state == CTS_INHERITED);
651
652 list_remove(&ctp->conp_inherited, cct);
653 ctp->conp_ninherited--;
654 cct->ct_regent = NULL;
655 cct->ct_type->ct_type_ops->contop_abandon(cct);
656 }
657 }
658
659 /*
660 * contract_process_status
661 *
662 * The process contract status entry point.
663 */
664 static void
665 contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
666 void *status, model_t model)
667 {
668 cont_process_t *ctp = ct->ct_data;
669 uint32_t *pids, *ctids;
670 uint_t npids, nctids;
671 uint_t spids, sctids;
672 ctid_t local_svc_zone_enter;
673
674 if (detail == CTD_FIXED) {
675 mutex_enter(&ct->ct_lock);
676 contract_status_common(ct, zone, status, model);
677 local_svc_zone_enter = ctp->conp_svc_zone_enter;
678 mutex_exit(&ct->ct_lock);
679 } else {
680 contract_t *cnext;
681 proc_t *pnext;
682 uint_t loc;
683
684 ASSERT(detail == CTD_ALL);
685 mutex_enter(&ct->ct_lock);
686 for (;;) {
687 spids = ctp->conp_nmembers + 5;
688 sctids = ctp->conp_ninherited + 5;
689 mutex_exit(&ct->ct_lock);
690
691 pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
692 ctids = kmem_alloc(sctids * sizeof (uint32_t),
693 KM_SLEEP);
694
695 mutex_enter(&ct->ct_lock);
696 npids = ctp->conp_nmembers;
697 nctids = ctp->conp_ninherited;
698 if (spids >= npids && sctids >= nctids)
699 break;
700
701 kmem_free(pids, spids * sizeof (uint32_t));
702 kmem_free(ctids, sctids * sizeof (uint32_t));
703 }
704 contract_status_common(ct, zone, status, model);
705 for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
706 cnext = list_next(&ctp->conp_inherited, cnext))
707 ctids[loc++] = cnext->ct_id;
708 ASSERT(loc == nctids);
709 for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
710 pnext = list_next(&ctp->conp_members, pnext))
711 pids[loc++] = pnext->p_pid;
712 ASSERT(loc == npids);
713 local_svc_zone_enter = ctp->conp_svc_zone_enter;
714 mutex_exit(&ct->ct_lock);
715 }
716
717 /*
718 * Contract terms are static; there's no need to hold the
719 * contract lock while accessing them.
720 */
721 VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
722 VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
723 if (detail == CTD_ALL) {
724 VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
725 npids) == 0);
726 VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
727 nctids) == 0);
728 VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
729 refstr_value(ctp->conp_svc_aux)) == 0);
730 VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
731 refstr_value(ctp->conp_svc_creator)) == 0);
732 kmem_free(pids, spids * sizeof (uint32_t));
733 kmem_free(ctids, sctids * sizeof (uint32_t));
734 }
735
736 /*
737 * if we are in a local zone and svc_fmri was inherited from
738 * the global zone, we provide fake svc_fmri and svc_ctid
739 */
740 if (local_svc_zone_enter == 0 ||
741 zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
742 if (detail > CTD_COMMON) {
743 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
744 ctp->conp_svc_ctid) == 0);
745 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
746 refstr_value(ctp->conp_svc_fmri)) == 0);
747 }
748 } else {
749 if (detail > CTD_COMMON) {
750 VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
751 local_svc_zone_enter) == 0);
752 VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
753 CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
754 }
755 }
756 }
757
758 /*ARGSUSED*/
759 static int
760 contract_process_newct(contract_t *ct)
761 {
762 return (0);
763 }
764
765 /* process contracts don't negotiate */
766 static contops_t contract_process_ops = {
767 contract_process_free, /* contop_free */
768 contract_process_abandon, /* contop_abandon */
769 contract_process_destroy, /* contop_destroy */
770 contract_process_status, /* contop_status */
771 contract_ack_inval, /* contop_ack */
772 contract_ack_inval, /* contop_nack */
773 contract_qack_inval, /* contop_qack */
774 contract_process_newct /* contop_newct */
775 };
776
777 /*
778 * contract_process_init
779 *
780 * Initializes the process contract type. Also creates a template for
781 * use by newproc() when it creates user processes.
782 */
783 void
784 contract_process_init(void)
785 {
786 process_type = contract_type_init(CTT_PROCESS, "process",
787 &contract_process_ops, contract_process_default);
788
789 /*
790 * Create a template for use with init(1M) and other
791 * kernel-started processes.
792 */
793 sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
794 ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
795 process_type, sys_process_tmpl);
796 sys_process_tmpl->ctp_subsume = NULL;
797 sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
798 sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
799 sys_process_tmpl->ctp_svc_fmri =
800 refstr_alloc("svc:/system/init:default");
801 sys_process_tmpl->ctp_svc_aux = refstr_alloc("");
802 conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux;
803 refstr_hold(conp_svc_aux_default);
804 }
805
806 /*
807 * contract_process_create
808 *
809 * create a process contract given template "tmpl" and parent process
810 * "parent". May fail and return NULL if project.max-contracts would
811 * have been exceeded.
812 */
813 static cont_process_t *
814 contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
815 {
816 cont_process_t *ctp;
817
818 ASSERT(tmpl != NULL);
819
820 (void) contract_type_pbundle(process_type, parent);
821
822 ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
823
824 list_create(&ctp->conp_members, sizeof (proc_t),
825 offsetof(proc_t, p_ct_member));
826 list_create(&ctp->conp_inherited, sizeof (contract_t),
827 offsetof(contract_t, ct_ctlist));
828 mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
829 ctp->conp_params = tmpl->ctp_params;
830 ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
831 crhold(ctp->conp_cred = CRED());
832
833 if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
834 ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
835 parent, canfail)) {
836 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
837 contract_process_free(&ctp->conp_contract);
838 return (NULL);
839 }
840
841 /*
842 * inherit svc_fmri if not defined by consumer. In this case, inherit
843 * also svc_ctid to keep track of the contract id where
844 * svc_fmri was set
845 */
846 if (tmpl->ctp_svc_fmri == NULL) {
847 ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
848 ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
849 ctp->conp_svc_zone_enter =
850 parent->p_ct_process->conp_svc_zone_enter;
851 } else {
852 ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
853 ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
854 /* make svc_zone_enter flag false when svc_fmri is set */
855 ctp->conp_svc_zone_enter = 0;
856 }
857 refstr_hold(ctp->conp_svc_fmri);
858 /* set svc_aux to default value if not defined in template */
859 if (tmpl->ctp_svc_aux == NULL) {
860 ctp->conp_svc_aux = conp_svc_aux_default;
861 } else {
862 ctp->conp_svc_aux = tmpl->ctp_svc_aux;
863 }
864 refstr_hold(ctp->conp_svc_aux);
865 /*
866 * set svc_creator to execname
867 * We special case pid0 because when newproc() creates
868 * the init process, the p_user.u_comm field of sched's proc_t
869 * has not been populated yet.
870 */
871 if (parent->p_pidp == &pid0) /* if the kernel is the creator */
872 ctp->conp_svc_creator = refstr_alloc("sched");
873 else
874 ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);
875
876 /*
877 * Transfer subcontracts only after new contract is visible.
878 * Also, only transfer contracts if the parent matches -- we
879 * don't want to create a cycle in the tree of contracts.
880 */
881 if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
882 cont_process_t *sct = tmpl->ctp_subsume->ct_data;
883 contract_t *ct;
884
885 mutex_enter(&tmpl->ctp_subsume->ct_lock);
886 mutex_enter(&ctp->conp_contract.ct_lock);
887 while (ct = list_head(&sct->conp_inherited)) {
888 mutex_enter(&ct->ct_lock);
889 list_remove(&sct->conp_inherited, ct);
890 list_insert_tail(&ctp->conp_inherited, ct);
891 ct->ct_regent = &ctp->conp_contract;
892 mutex_exit(&ct->ct_lock);
893 }
894 ctp->conp_ninherited += sct->conp_ninherited;
895 sct->conp_ninherited = 0;
896 mutex_exit(&ctp->conp_contract.ct_lock);
897 mutex_exit(&tmpl->ctp_subsume->ct_lock);
898
899 /*
900 * Automatically abandon the contract.
901 */
902 (void) contract_abandon(tmpl->ctp_subsume, parent, 1);
903 }
904
905 mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
906
907 return (ctp);
908 }
909
910 /*
911 * contract_process_exit
912 *
913 * Called on process exit. Removes process p from process contract
914 * ctp. Generates an exit event, if requested. Generates an empty
915 * event, if p is the last member of the the process contract and empty
916 * events were requested.
917 */
918 void
919 contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
920 {
921 contract_t *ct = &ctp->conp_contract;
922 ct_kevent_t *event;
923 int empty;
924
925 /*
926 * Remove self from process contract.
927 */
928 mutex_enter(&ct->ct_lock);
929 list_remove(&ctp->conp_members, p);
930 ctp->conp_nmembers--;
931 mutex_enter(&p->p_lock); /* in case /proc is watching */
932 p->p_ct_process = NULL;
933 mutex_exit(&p->p_lock);
934
935 /*
936 * We check for emptiness before dropping the contract lock to
937 * send the exit event, otherwise we could end up with two
938 * empty events.
939 */
940 empty = (list_head(&ctp->conp_members) == NULL);
941 if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
942 nvlist_t *nvl;
943
944 mutex_exit(&ct->ct_lock);
945 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
946 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
947 VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
948
949 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
950 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
951 event->cte_type = CT_PR_EV_EXIT;
952 (void) cte_publish_all(ct, event, nvl, NULL);
953 mutex_enter(&ct->ct_lock);
954 }
955 if (empty) {
956 /*
957 * Send EMPTY message.
958 */
959 if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
960 nvlist_t *nvl;
961
962 mutex_exit(&ct->ct_lock);
963 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
964 KM_SLEEP) == 0);
965 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
966
967 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
968 event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
969 CTE_INFO : 0;
970 event->cte_type = CT_PR_EV_EMPTY;
971 (void) cte_publish_all(ct, event, nvl, NULL);
972 mutex_enter(&ct->ct_lock);
973 }
974
975 /*
976 * The last one to leave an orphaned contract turns out
977 * the lights.
978 */
979 if (ct->ct_state == CTS_ORPHAN) {
980 contract_destroy(ct);
981 return;
982 }
983 }
984 mutex_exit(&ct->ct_lock);
985 contract_rele(ct);
986 }
987
988 /*
989 * contract_process_fork
990 *
991 * Called on process fork. If the current lwp has a active process
992 * contract template, we attempt to create a new process contract.
993 * Failure to create a process contract when required is a failure in
994 * fork so, in such an event, we return NULL.
995 *
996 * Assuming we succeeded or skipped the previous step, we add the child
997 * process to the new contract (success) or to the parent's process
998 * contract (skip). If requested, we also send a fork event to that
999 * contract.
1000 *
1001 * Because contract_process_fork() may fail, and because we would
1002 * prefer that process contracts not be created for processes which
1003 * don't complete forking, this should be the last function called
1004 * before the "all clear" point in cfork.
1005 */
1006 cont_process_t *
1007 contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
1008 int canfail)
1009 {
1010 contract_t *ct;
1011 cont_process_t *ctp;
1012 ct_kevent_t *event;
1013 ct_template_t *tmpl;
1014
1015 if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
1016 process_type->ct_type_index]) != NULL)
1017 rtmpl = tmpl->ctmpl_data;
1018
1019 if (rtmpl == NULL)
1020 ctp = curproc->p_ct_process;
1021 else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
1022 return (NULL);
1023
1024 ct = &ctp->conp_contract;
1025 /*
1026 * Prevent contract_process_kill() from missing forked children
1027 * by failing forks by parents that have just been killed.
1028 * It's not worth hoisting the ctp test since contract creation
1029 * is by no means the common case.
1030 */
1031 mutex_enter(&ct->ct_lock);
1032 mutex_enter(&pp->p_lock);
1033 if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
1034 canfail) {
1035 mutex_exit(&pp->p_lock);
1036 mutex_exit(&ct->ct_lock);
1037 return (NULL);
1038 }
1039 cp->p_ct_process = ctp;
1040 mutex_exit(&pp->p_lock);
1041 contract_hold(ct);
1042 list_insert_head(&ctp->conp_members, cp);
1043 ctp->conp_nmembers++;
1044 mutex_exit(&ct->ct_lock);
1045 if (EVSENDP(ctp, CT_PR_EV_FORK)) {
1046 nvlist_t *nvl;
1047
1048 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1049 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
1050 VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
1051
1052 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1053 event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
1054 event->cte_type = CT_PR_EV_FORK;
1055 (void) cte_publish_all(ct, event, nvl, NULL);
1056 }
1057 return (ctp);
1058 }
1059
1060 /*
1061 * contract_process_core
1062 *
1063 * Called on core file generation attempts. Generates a core event, if
1064 * requested, containing the names of the process, global, and
1065 * system-global ("zone") core files. If dumping core is in the fatal
1066 * event set, calls contract_process_kill().
1067 */
1068 void
1069 contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
1070 const char *process, const char *global, const char *zone)
1071 {
1072 contract_t *ct = &ctp->conp_contract;
1073
1074 if (EVSENDP(ctp, CT_PR_EV_CORE)) {
1075 ct_kevent_t *event;
1076 nvlist_t *nvl, *gnvl = NULL;
1077
1078 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1079 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1080 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1081 if (process)
1082 VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
1083 (char *)process) == 0);
1084 if (global)
1085 VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
1086 (char *)global) == 0);
1087
1088 if (zone) {
1089 /*
1090 * Only the global zone is informed of the
1091 * local-zone generated global-zone core.
1092 */
1093 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1094 KM_SLEEP) == 0);
1095 VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
1096 (char *)zone) == 0);
1097 }
1098
1099 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1100 event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
1101 event->cte_type = CT_PR_EV_CORE;
1102 (void) cte_publish_all(ct, event, nvl, gnvl);
1103 }
1104
1105 if (EVFATALP(ctp, CT_PR_EV_CORE)) {
1106 mutex_enter(&ct->ct_lock);
1107 contract_process_kill(ct, p, B_TRUE);
1108 mutex_exit(&ct->ct_lock);
1109 }
1110 }
1111
1112 /*
1113 * contract_process_hwerr
1114 *
1115 * Called when a process is killed by an unrecoverable hardware error.
1116 * Generates an hwerr event, if requested. If hardware errors are in
1117 * the fatal event set, calls contract_process_kill().
1118 */
1119 void
1120 contract_process_hwerr(cont_process_t *ctp, proc_t *p)
1121 {
1122 contract_t *ct = &ctp->conp_contract;
1123
1124 if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
1125 ct_kevent_t *event;
1126 nvlist_t *nvl;
1127
1128 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1129 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1130
1131 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1132 event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
1133 event->cte_type = CT_PR_EV_HWERR;
1134 (void) cte_publish_all(ct, event, nvl, NULL);
1135 }
1136
1137 if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
1138 mutex_enter(&ct->ct_lock);
1139 contract_process_kill(ct, p, B_FALSE);
1140 mutex_exit(&ct->ct_lock);
1141 }
1142 }
1143
1144 /*
1145 * contract_process_sig
1146 *
1147 * Called when a process is killed by a signal originating from a
1148 * process outside of its process contract or its process contract's
1149 * holder. Generates an signal event, if requested, containing the
1150 * signal number, and the sender's pid and contract id (if available).
1151 * If signals are in the fatal event set, calls
1152 * contract_process_kill().
1153 */
1154 void
1155 contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
1156 ctid_t ctid, zoneid_t zoneid)
1157 {
1158 contract_t *ct = &ctp->conp_contract;
1159
1160 if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
1161 ct_kevent_t *event;
1162 nvlist_t *dest, *nvl, *gnvl = NULL;
1163
1164 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1165 VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1166 VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1167
1168 if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
1169 VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1170 KM_SLEEP) == 0);
1171 dest = gnvl;
1172 } else {
1173 dest = nvl;
1174 }
1175
1176 if (pid != -1)
1177 VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1178 if (ctid != 0)
1179 VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1180
1181 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1182 event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1183 event->cte_type = CT_PR_EV_SIGNAL;
1184 (void) cte_publish_all(ct, event, nvl, gnvl);
1185 }
1186
1187 if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1188 mutex_enter(&ct->ct_lock);
1189 contract_process_kill(ct, p, B_TRUE);
1190 mutex_exit(&ct->ct_lock);
1191 }
1192 }