1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/mutex.h> 27 #include <sys/debug.h> 28 #include <sys/types.h> 29 #include <sys/param.h> 30 #include <sys/kmem.h> 31 #include <sys/thread.h> 32 #include <sys/id_space.h> 33 #include <sys/avl.h> 34 #include <sys/list.h> 35 #include <sys/sysmacros.h> 36 #include <sys/proc.h> 37 #include <sys/contract.h> 38 #include <sys/contract_impl.h> 39 #include <sys/contract/process.h> 40 #include <sys/contract/process_impl.h> 41 #include <sys/cmn_err.h> 42 #include <sys/nvpair.h> 43 #include <sys/policy.h> 44 #include <sys/refstr.h> 45 #include <sys/sunddi.h> 46 47 /* 48 * Process Contracts 49 * ----------------- 50 * 51 * Generally speaking, a process contract is a contract between a 52 * process and a set of its descendent processes. In some cases, when 53 * the child processes outlive the author of the contract, the contract 54 * may be held by (and therefore be between the child processes and) a 55 * successor process which adopts the contract after the death of the 56 * original author. 
57 * 58 * The process contract adds two new concepts to the Solaris process 59 * model. The first is that a process contract forms a rigid fault 60 * boundary around a set of processes. Hardware, software, and even 61 * administrator errors impacting a process in a process contract 62 * generate specific events and can be requested to atomically shutdown 63 * all processes in the contract. The second is that a process 64 * contract is a process collective whose leader is not a member of the 65 * collective. This means that the leader can reliably react to events 66 * in the collective, and may also act upon the collective without 67 * special casing itself. 68 * 69 * A composite outcome of these two concepts is that we can now create 70 * a tree of process contracts, rooted at init(1M), which represent 71 * services and subservices that are reliably observed and can be 72 * restarted when fatal errors occur. The service management framework 73 * (SMF) realizes this structure. 74 * 75 * For more details, see the "restart agreements" case, PSARC 2003/193. 76 * 77 * There are four sets of routines in this file: the process contract 78 * standard template operations, the process contract standard contract 79 * operations, a couple routines used only by the contract subsystem to 80 * handle process contracts' unique role as a temporary holder of 81 * abandoned contracts, and the interfaces which allow the system to 82 * create and act upon process contracts. The first two are defined by 83 * the contracts framework and won't be discussed further. As for the 84 * remaining two: 85 * 86 * Special framework interfaces 87 * ---------------------------- 88 * 89 * contract_process_accept - determines if a process contract is a 90 * regent, i.e. if it can inherit other contracts. 
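 *
 * contract_process_take - tells a regent process contract to inherit
 * an abandoned contract
 *
 * contract_process_adopt - tells a regent process contract that a
 * contract it has inherited is being adopted by a process.
 *
 * Process contract interfaces
 * ---------------------------
 *
 * contract_process_fork - called when a process is created; adds the
 * new process to an existing contract or to a newly created one.
 *
 * contract_process_exit - called when a process exits
 *
 * contract_process_core - called when a process would have dumped core
 * (even if a core file wasn't generated)
 *
 * contract_process_hwerr - called when a process was killed because of
 * an uncorrectable hardware error
 *
 * contract_process_sig - called when a process was killed by a fatal
 * signal sent by a process in another process contract
 *
 */

/*
 * Module globals; all three are assigned by contract_process_init().
 */
ct_type_t *process_type;		/* the registered "process" contract type */
ctmpl_process_t *sys_process_tmpl;	/* template for kernel-started processes */
refstr_t *conp_svc_aux_default;		/* "" -- creator_aux used when unset */

/*
 * Macro predicates for determining when events should be sent and how.
 *
 *   EVSENDP(ctp, flag)  - the event is in the informative or critical
 *			   set, so an event must be published at all.
 *   EVINFOP(ctp, flag)  - the event is not in the critical set, so it
 *			   is published with CTE_INFO.
 *   EVFATALP(ctp, flag) - the event is in the fatal set, so the
 *			   contract's members are killed as well.
 *
 * Every argument is parenthesized so the predicates remain correct if
 * a caller ever passes a compound expression; the callers in this file
 * all pass a single CT_PR_EV_* constant, for which this is a no-op.
 */
#define	EVSENDP(ctp, flag) \
	(((ctp)->conp_contract.ct_ev_info | (ctp)->conp_contract.ct_ev_crit) & \
	(flag))

#define	EVINFOP(ctp, flag) \
	(((ctp)->conp_contract.ct_ev_crit & (flag)) == 0)

#define	EVFATALP(ctp, flag) \
	((ctp)->conp_ev_fatal & (flag))


/*
 * Process contract template implementation
 */

/*
 * ctmpl_process_dup
 *
 * The process contract template dup entry point.  Other than the
 * to-be-subsumed contract, which must be held, this simply copies all
 * the fields of the original.  Returns the embedded generic template
 * of a fresh KM_SLEEP allocation; ctmpl_process_free() releases it.
 */
static struct ct_template *
ctmpl_process_dup(struct ct_template *template)
{
	ctmpl_process_t *old = template->ctmpl_data;
	ctmpl_process_t *new;

	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);

	/*
	 * ctmpl_copy() duplicates the generic part; the back-pointer
	 * it copied still names the old allocation and must be repointed.
	 */
	ctmpl_copy(&new->ctp_ctmpl, template);
	new->ctp_ctmpl.ctmpl_data = new;

	/*
	 * Every reference the old template owns is copied and held
	 * again, so both templates can be freed independently.
	 */
	new->ctp_subsume = old->ctp_subsume;
	if (new->ctp_subsume != NULL)
		contract_hold(new->ctp_subsume);
	new->ctp_params = old->ctp_params;
	new->ctp_ev_fatal = old->ctp_ev_fatal;
	new->ctp_svc_fmri = old->ctp_svc_fmri;
	if (new->ctp_svc_fmri != NULL)
		refstr_hold(new->ctp_svc_fmri);
	new->ctp_svc_aux = old->ctp_svc_aux;
	if (new->ctp_svc_aux != NULL)
		refstr_hold(new->ctp_svc_aux);

	return (&new->ctp_ctmpl);
}

/*
 * ctmpl_process_free
 *
 * The process contract template free entry point.  Just releases a
 * to-be-subsumed contract and the service strings, then frees the
 * template.
 */
static void
ctmpl_process_free(struct ct_template *template)
{
	ctmpl_process_t *ctp = template->ctmpl_data;

	if (ctp->ctp_subsume != NULL)
		contract_rele(ctp->ctp_subsume);
	if (ctp->ctp_svc_fmri != NULL)
		refstr_rele(ctp->ctp_svc_fmri);
	if (ctp->ctp_svc_aux != NULL)
		refstr_rele(ctp->ctp_svc_aux);
	/*
	 * ctmpl_data is the pointer kmem_alloc() returned (see
	 * ctmpl_process_dup(), contract_process_default() and
	 * contract_process_init()), so free through it rather than
	 * through the embedded ct_template, which only aliases the
	 * allocation as long as ctp_ctmpl stays the first member.
	 */
	kmem_free(ctp, sizeof (ctmpl_process_t));
}

/*
 * SAFE_EV is the set of events which a non-privileged process is
 * allowed to make critical but not fatal or if the PGRPONLY parameter
 * is set.  EXCESS tells us if "value", a critical event set, requires
 * additional privilege given the template "ctp": it does if "value"
 * contains an event that is neither fatal nor safe, or, when PGRPONLY
 * is set, any event that is not safe.
 */
#define	SAFE_EV			(CT_PR_EV_EMPTY)
#define	EXCESS(ctp, value)	\
	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
	(((value) & ~SAFE_EV) && ((ctp)->ctp_params & CT_PR_PGRPONLY)))

/*
 * ctmpl_process_set
 *
 * The process contract template set entry point.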
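 * None of the terms
 * may be unconditionally set, and setting the parameters or fatal
 * event set may result in events being implicitly removed from the
 * critical event set and added to the informative event set.  The
 * (admittedly subtle) reason we implicitly change the critical event
 * set when the parameter or fatal event set is modified but not the
 * other way around is because a change to the critical event set only
 * affects the contract's owner, whereas a change to the parameter set
 * and fatal set can affect the execution of the application running in
 * the contract (and should therefore be only made explicitly).  We
 * allow implicit changes at all so that setting contract terms doesn't
 * become a complex dance dependent on the template's initial state and
 * the desired terms.
 *
 * "kparam" carries the term id and a kernel copy of the caller's value
 * (ctpm_kbuf / ctpm_size).  The two string terms are forcibly
 * NUL-terminated here; every other term must supply at least a
 * uint64_t whose value fits in 32 bits.  "cr" is the caller's
 * credential, consulted by the secpolicy checks.
 *
 * Returns 0 on success, EINVAL for a bad id, size or value, ESRCH /
 * EACCES / ENOTEMPTY when a CTPP_SUBSUME target is missing, not owned
 * by the caller or not empty, or whatever a secpolicy check returns.
 */
static int
ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
    const cred_t *cr)
{
	ctmpl_process_t *ctp = tmpl->ctmpl_data;
	ct_param_t *param = &kparam->param;
	contract_t *ct;
	int error;
	uint64_t param_value = 0;
	char *str_value = NULL;

	if ((param->ctpm_id == CTPP_SVC_FMRI) ||
	    (param->ctpm_id == CTPP_CREATOR_AUX)) {
		/*
		 * The generic set path presumably rejects a zero-length
		 * buffer before we get here (TODO confirm); check again
		 * so the terminating store below can never be at index -1.
		 */
		if (param->ctpm_size == 0)
			return (EINVAL);
		str_value = (char *)kparam->ctpm_kbuf;
		/* Never rely on userland having terminated the string. */
		str_value[param->ctpm_size - 1] = '\0';
	} else {
		if (param->ctpm_size < sizeof (uint64_t))
			return (EINVAL);
		param_value = *(uint64_t *)kparam->ctpm_kbuf;
		/*
		 * No process contract parameters are > 32 bits.
		 * Unless it is a string.
		 */
		if (param_value & ~UINT32_MAX)
			return (EINVAL);
	}

	switch (param->ctpm_id) {
	case CTPP_SUBSUME:
		if (param_value != 0) {
			/*
			 * Ensure that the contract exists, that we
			 * hold the contract, and that the contract is
			 * empty.  contract_type_ptr() returns it held;
			 * every failure path below releases that hold.
			 */
			ct = contract_type_ptr(process_type, param_value,
			    curproc->p_zone->zone_uniqid);
			if (ct == NULL)
				return (ESRCH);
			if (ct->ct_owner != curproc) {
				contract_rele(ct);
				return (EACCES);
			}
			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
				contract_rele(ct);
				return (ENOTEMPTY);
			}
		} else {
			ct = NULL;
		}
		/* The template keeps the hold; ctmpl_process_free() drops it. */
		if (ctp->ctp_subsume)
			contract_rele(ctp->ctp_subsume);
		ctp->ctp_subsume = ct;
		break;
	case CTPP_PARAMS:
		if (param_value & ~CT_PR_ALLPARAM)
			return (EINVAL);
		ctp->ctp_params = param_value;
		/*
		 * If an unprivileged process requests that
		 * CT_PR_PGRPONLY be set, remove any unsafe events from
		 * the critical event set and add them to the
		 * informative event set.
		 */
		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
		    !secpolicy_contract_event_choice(cr)) {
			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
			tmpl->ctmpl_ev_crit &= SAFE_EV;
		}

		break;
	case CTPP_SVC_FMRI:
		/* Claiming a service identity is a privileged operation. */
		if ((error = secpolicy_contract_identity(cr)) != 0)
			return (error);
		if (ctp->ctp_svc_fmri != NULL)
			refstr_rele(ctp->ctp_svc_fmri);
		/* NULL means "inherit from the parent" at create time. */
		if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
			ctp->ctp_svc_fmri = NULL;
		else
			ctp->ctp_svc_fmri = refstr_alloc(str_value);
		break;
	case CTPP_CREATOR_AUX:
		if (ctp->ctp_svc_aux != NULL)
			refstr_rele(ctp->ctp_svc_aux);
		/* A lone NUL is the empty string: fall back to the default. */
		if (param->ctpm_size == 1)
			ctp->ctp_svc_aux = NULL;
		else
			ctp->ctp_svc_aux = refstr_alloc(str_value);
		break;
	case CTP_EV_CRITICAL:
		/*
		 * We simply don't allow adding events to the critical
		 * event set which aren't permitted by our policy or by
		 * privilege.
		 */
		if (EXCESS(ctp, param_value) &&
		    (error = secpolicy_contract_event(cr)) != 0)
			return (error);
		tmpl->ctmpl_ev_crit = param_value;
		break;
	case CTPP_EV_FATAL:
		if (param_value & ~CT_PR_ALLFATAL)
			return (EINVAL);
		ctp->ctp_ev_fatal = param_value;
		/*
		 * Check to see if an unprivileged process is
		 * requesting that events be removed from the fatal
		 * event set which are still in the critical event set.
		 */
		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
		    !secpolicy_contract_event_choice(cr)) {
			/*
			 * "allowed" is the set that may stay critical
			 * without privilege, i.e. the complement of what
			 * EXCESS() rejects: SAFE_EV alone when PGRPONLY
			 * is set, otherwise SAFE_EV plus the fatal set.
			 * The conditional must be parenthesized -- '|'
			 * binds tighter than '?:', and without the
			 * parentheses the test became (SAFE_EV | ...)
			 * which is never zero, so "allowed" collapsed to
			 * 0 and every critical event was demoted instead
			 * of only the excess ones.
			 */
			int allowed = SAFE_EV |
			    ((ctp->ctp_params & CT_PR_PGRPONLY) ?
			    0 : ctp->ctp_ev_fatal);
			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
			tmpl->ctmpl_ev_crit &= allowed;
		}
		break;
	default:
		return (EINVAL);
	}

	return (0);
}

/*
 * ctmpl_process_get
 *
 * The process contract template get entry point.  Simply fetches and
 * returns the requested term into kparam->ctpm_kbuf, setting
 * kparam->ret_size to the number of bytes the term needs: 8 for the
 * integer terms, strlen + 1 for the string terms (which may exceed
 * ctpm_size when the caller's buffer was too small -- strlcpy()
 * truncates, the caller can retry with the reported size).
 *
 * Returns 0, or EINVAL for an unknown id or an integer buffer shorter
 * than a uint64_t.
 */
static int
ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
{
	ctmpl_process_t *ctp = template->ctmpl_data;
	ct_param_t *param = &kparam->param;
	uint64_t *param_value = kparam->ctpm_kbuf;

	if (param->ctpm_id == CTPP_SUBSUME ||
	    param->ctpm_id == CTPP_PARAMS ||
	    param->ctpm_id == CTPP_EV_FATAL) {
		if (param->ctpm_size < sizeof (uint64_t))
			return (EINVAL);
		kparam->ret_size = sizeof (uint64_t);
	}

	switch (param->ctpm_id) {
	case CTPP_SUBSUME:
		*param_value = ctp->ctp_subsume ?
		    ctp->ctp_subsume->ct_id : 0;
		break;
	case CTPP_PARAMS:
		*param_value = ctp->ctp_params;
		break;
	case CTPP_SVC_FMRI:
		/* NULL is reported as the "inherit" sentinel it was set from. */
		if (ctp->ctp_svc_fmri == NULL) {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    CT_PR_SVC_DEFAULT, param->ctpm_size);
		} else {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
		}
		kparam->ret_size++;	/* account for the NUL */
		break;
	case CTPP_CREATOR_AUX:
		if (ctp->ctp_svc_aux == NULL) {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    refstr_value(conp_svc_aux_default),
			    param->ctpm_size);
		} else {
			kparam->ret_size =
			    strlcpy((char *)kparam->ctpm_kbuf,
			    refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
		}
		kparam->ret_size++;	/* account for the NUL */
		break;
	case CTPP_EV_FATAL:
		*param_value = ctp->ctp_ev_fatal;
		break;
	default:
		return (EINVAL);
	}

	return (0);
}

/*
 * Template operations vector registered with the contract framework;
 * templates of this type are never used to create contracts directly
 * (ctmpl_create_inval), creation happens through contract_process_fork().
 */
static ctmplops_t ctmpl_process_ops = {
	ctmpl_process_dup,		/* ctop_dup */
	ctmpl_process_free,		/* ctop_free */
	ctmpl_process_set,		/* ctop_set */
	ctmpl_process_get,		/* ctop_get */
	ctmpl_create_inval,		/* ctop_create */
	CT_PR_ALLEVENT
};


/*
 * Process contract implementation
 */

/*
 * contract_process_default
 *
 * The process contract default template entry point.  Creates a
 * process contract template with no parameters set, with informative
 * core and signal events, critical empty and hwerr events, and fatal
 * hwerr events.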
 */
static ct_template_t *
contract_process_default(void)
{
	ctmpl_process_t *new;

	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
	/* The last argument becomes ctmpl_data, the pointer free() uses. */
	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);

	new->ctp_subsume = NULL;
	new->ctp_params = 0;
	/* Generic terms live in the embedded ct_template ... */
	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
	/* ... process-specific ones in the wrapper. */
	new->ctp_ev_fatal = CT_PR_EV_HWERR;
	new->ctp_svc_fmri = NULL;	/* inherit from parent at create time */
	new->ctp_svc_aux = NULL;	/* use conp_svc_aux_default */

	return (&new->ctp_ctmpl);
}

/*
 * contract_process_free
 *
 * The process contract free entry point.  Releases everything
 * contract_process_create() acquired: the creator's credential, the
 * member and inherited lists, and the three service strings.  The
 * strings are NULL-checked because the contract_ctor() failure path
 * in contract_process_create() frees a zero-filled contract before
 * they have been set.
 */
static void
contract_process_free(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;
	crfree(ctp->conp_cred);
	list_destroy(&ctp->conp_members);
	list_destroy(&ctp->conp_inherited);
	if (ctp->conp_svc_fmri != NULL) {
		refstr_rele(ctp->conp_svc_fmri);
	}
	if (ctp->conp_svc_aux != NULL) {
		refstr_rele(ctp->conp_svc_aux);
	}
	if (ctp->conp_svc_creator != NULL) {
		refstr_rele(ctp->conp_svc_creator);
	}
	kmem_free(ctp, sizeof (cont_process_t));
}

/*
 * contract_process_cankill
 *
 * Determine if the contract author had or if the process generating
 * the event, sp, has adequate privileges to kill process tp.
 *
 * Two independent checks, either of which suffices: the credential
 * snapshotted into the contract at creation (conp_cred) against tp's
 * current credential, or -- when sp is non-NULL -- the event
 * generator's own standing to signal tp.  Returns 1 if tp may be
 * killed, 0 otherwise.
 */
static int
contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
{
	int cankill;

	/* p_crlock keeps tp->p_cred stable while it is compared. */
	mutex_enter(&tp->p_crlock);
	cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
	mutex_exit(&tp->p_crlock);
	if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
		return (1);

	return (0);
}

/*
 * contract_process_kill
 *
 * Kills all processes in a contract, or all processes in the
 * intersection of a contract and ex's process group (if ex is non-NULL
 * and the contract's PGRPONLY parameter is set).
 If checkpriv is
 * true, only those processes which may be signaled by the contract
 * author or ex are killed.
 *
 * Caller holds ct->ct_lock, which keeps the member list stable.  ex
 * itself is never signalled.  Within this file the fatal core and
 * NOORPHAN paths pass checkpriv = B_TRUE; the hwerr path passes
 * B_FALSE, since a hardware fault is not something a member process
 * chose and so no privilege check is applied before killing the rest.
 */
static void
contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
{
	cont_process_t *ctp = ct->ct_data;
	proc_t *p;
	pid_t pgrp = -1;	/* -1: no process-group filtering */

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * pidlock is taken only when filtering by process group;
	 * presumably it is what keeps p_pgrp / p_stat stable below.
	 */
	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
		pgrp = ex->p_pgrp;
		mutex_enter(&pidlock);
	}

	for (p = list_head(&ctp->conp_members); p != NULL;
	    p = list_next(&ctp->conp_members, p)) {
		/*
		 * Skip ex, anything outside the requested process group
		 * (SIDL processes are not fully created yet), and, when
		 * asked, anything we lack the privilege to signal.
		 */
		if ((p == ex) ||
		    (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
			continue;

		psignal(p, SIGKILL);
	}

	if (pgrp != -1)
		mutex_exit(&pidlock);
}


/*
 * contract_process_accept
 *
 * Tests if the process contract is willing to act as a regent for
 * inherited contracts.  Though brief and only called from one place,
 * this functionality is kept here to avoid including knowledge of
 * process contract implementation in the generic contract code.
 *
 * Returns non-zero (the CT_PR_REGENT bit) when parent may inherit.
 */
int
contract_process_accept(contract_t *parent)
{
	cont_process_t *ctp = parent->ct_data;

	ASSERT(parent->ct_type == process_type);

	return (ctp->conp_params & CT_PR_REGENT);
}

/*
 * contract_process_take
 *
 * Executes the process contract side of inheriting a contract: child
 * is queued on parent's inherited list.  Caller holds both contracts'
 * locks and has already checked contract_process_accept().
 */
void
contract_process_take(contract_t *parent, contract_t *child)
{
	cont_process_t *ctp = parent->ct_data;

	ASSERT(MUTEX_HELD(&parent->ct_lock));
	ASSERT(MUTEX_HELD(&child->ct_lock));
	ASSERT(parent->ct_type == process_type);
	ASSERT(ctp->conp_params & CT_PR_REGENT);

	list_insert_head(&ctp->conp_inherited, child);
	ctp->conp_ninherited++;
}

/*
 * contract_process_adopt
 *
 * Executes the process contract side of adopting a contract.
 */
void
contract_process_adopt(contract_t *ct, proc_t *p)
{
	/* The regent is p's own process contract. */
	cont_process_t *parent = p->p_ct_process;

	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
	ASSERT(MUTEX_HELD(&ct->ct_lock));

	list_remove(&parent->conp_inherited, ct);
	parent->conp_ninherited--;

	/*
	 * We drop the parent lock first because a) we are passing the
	 * contract reference to the child, and b) contract_adopt
	 * expects us to return with the contract lock held.
	 */
	mutex_exit(&parent->conp_contract.ct_lock);
}

/*
 * contract_process_abandon
 *
 * The process contract abandon entry point.  Called with ct_lock
 * held.  An empty contract is destroyed outright; a populated one is
 * orphaned (its members killed first if NOORPHAN is set).  Note the
 * asymmetric exit: the orphan path drops ct_lock and the caller's
 * reference itself, while contract_destroy() is presumably left to
 * consume both (contract_process_exit() relies on the same thing).
 */
static void
contract_process_abandon(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * Shall we stay or shall we go?
	 */
	if (list_head(&ctp->conp_members) == NULL) {
		contract_destroy(ct);
	} else {
		/*
		 * Strictly speaking, we actually do orphan the contract.
		 * Assuming our credentials allow us to kill all
		 * processes in the contract, this is only temporary.
		 */
		if (ctp->conp_params & CT_PR_NOORPHAN)
			contract_process_kill(ct, NULL, B_TRUE);
		contract_orphan(ct);
		mutex_exit(&ct->ct_lock);
		contract_rele(ct);
	}
}

/*
 * contract_process_destroy
 *
 * The process contract destroy entry point.
 */
static void
contract_process_destroy(contract_t *ct)
{
	cont_process_t *ctp = ct->ct_data;
	contract_t *cct;

	ASSERT(MUTEX_HELD(&ct->ct_lock));

	/*
	 * contract_destroy all empty children, kill or orphan the rest.
	 * Each inherited child is detached under its own lock and handed
	 * to its type's abandon op, which is expected to release that
	 * lock (see contract_process_abandon() for this type).
	 */
	while (cct = list_head(&ctp->conp_inherited)) {
		mutex_enter(&cct->ct_lock);

		ASSERT(cct->ct_state == CTS_INHERITED);

		list_remove(&ctp->conp_inherited, cct);
		ctp->conp_ninherited--;
		cct->ct_regent = NULL;
		cct->ct_type->ct_type_ops->contop_abandon(cct);
	}
}

/*
 * contract_process_status
 *
 * The process contract status entry point.  Fills nvl with the
 * contract's terms and, for detail == CTD_ALL, its member pids,
 * inherited contract ids and service strings.  "detail" is expected to
 * be CTD_FIXED or CTD_ALL (asserted).  "zone" is the zone asking; a
 * non-global zone looking at a contract whose svc_fmri was set in the
 * global zone sees placeholder svc_fmri / svc_ctid values instead.
 */
static void
contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
    void *status, model_t model)
{
	cont_process_t *ctp = ct->ct_data;
	uint32_t *pids, *ctids;		/* only allocated for CTD_ALL */
	uint_t npids, nctids;		/* entries actually filled */
	uint_t spids, sctids;		/* entries allocated */
	ctid_t local_svc_zone_enter;

	if (detail == CTD_FIXED) {
		mutex_enter(&ct->ct_lock);
		contract_status_common(ct, zone, status, model);
		local_svc_zone_enter = ctp->conp_svc_zone_enter;
		mutex_exit(&ct->ct_lock);
	} else {
		contract_t *cnext;
		proc_t *pnext;
		uint_t loc;

		ASSERT(detail == CTD_ALL);
		mutex_enter(&ct->ct_lock);
		/*
		 * The arrays cannot be allocated (KM_SLEEP) under
		 * ct_lock, so size them with some slack, drop the lock
		 * to allocate, and retry if membership grew meanwhile.
		 */
		for (;;) {
			spids = ctp->conp_nmembers + 5;
			sctids = ctp->conp_ninherited + 5;
			mutex_exit(&ct->ct_lock);

			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
			ctids = kmem_alloc(sctids * sizeof (uint32_t),
			    KM_SLEEP);

			mutex_enter(&ct->ct_lock);
			npids = ctp->conp_nmembers;
			nctids = ctp->conp_ninherited;
			if (spids >= npids && sctids >= nctids)
				break;

			kmem_free(pids, spids * sizeof (uint32_t));
			kmem_free(ctids, sctids * sizeof (uint32_t));
		}
		contract_status_common(ct, zone, status, model);
		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
		    cnext = list_next(&ctp->conp_inherited, cnext))
			ctids[loc++] = cnext->ct_id;
		ASSERT(loc == nctids);
		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
		    pnext = list_next(&ctp->conp_members, pnext))
			pids[loc++] = pnext->p_pid;
		ASSERT(loc == npids);
		local_svc_zone_enter = ctp->conp_svc_zone_enter;
		mutex_exit(&ct->ct_lock);
	}

	/*
	 * Contract terms are static; there's no need to hold the
	 * contract lock while accessing them.
	 */
	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
	if (detail == CTD_ALL) {
		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
		    npids) == 0);
		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
		    nctids) == 0);
		VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
		    refstr_value(ctp->conp_svc_aux)) == 0);
		VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
		    refstr_value(ctp->conp_svc_creator)) == 0);
		/* nvlist_add_*_array() copies, so the scratch arrays go. */
		kmem_free(pids, spids * sizeof (uint32_t));
		kmem_free(ctids, sctids * sizeof (uint32_t));
	}

	/*
	 * if we are in a local zone and svc_fmri was inherited from
	 * the global zone, we provide fake svc_fmri and svc_ctid
	 */
	if (local_svc_zone_enter == 0 ||
	    zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
		if (detail > CTD_COMMON) {
			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
			    ctp->conp_svc_ctid) == 0);
		}
		if (detail == CTD_ALL) {
			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
			    refstr_value(ctp->conp_svc_fmri)) == 0);
		}
	} else {
		if (detail > CTD_COMMON) {
			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
			    local_svc_zone_enter) == 0);
		}
		if (detail == CTD_ALL) {
			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
			    CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
		}
	}
}

/*
 * contract_process_newct
 *
 * The newct entry point; process contracts need no per-contract
 * setup here, so this always succeeds.
 */
/*ARGSUSED*/
static int
contract_process_newct(contract_t *ct)
{
	return (0);
}

/* process contracts don't negotiate */
static contops_t contract_process_ops = {
	contract_process_free,		/* contop_free */
	contract_process_abandon,	/* contop_abandon */
	contract_process_destroy,	/* contop_destroy */
	contract_process_status,	/* contop_status */
	contract_ack_inval,		/* contop_ack */
	contract_ack_inval,		/* contop_nack */
	contract_qack_inval,		/* contop_qack */
	contract_process_newct		/* contop_newct */
};

/*
 * contract_process_init
 *
 * Initializes the process contract type.  Also creates a template for
 * use by newproc() when it creates user processes.
 *
 * Sets the three module globals: process_type (the registered type,
 * with contract_process_default() as its default-template ctor),
 * sys_process_tmpl, and conp_svc_aux_default, which is the template's
 * empty creator_aux string with an extra hold so that it outlives any
 * later release by the template.
 */
void
contract_process_init(void)
{
	process_type = contract_type_init(CTT_PROCESS, "process",
	    &contract_process_ops, contract_process_default);

	/*
	 * Create a template for use with init(1M) and other
	 * kernel-started processes.  Its generic terms are whatever
	 * ctmpl_init() leaves them as; only the process-specific ones
	 * are set here.
	 */
	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
	    process_type, sys_process_tmpl);
	sys_process_tmpl->ctp_subsume = NULL;
	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
	sys_process_tmpl->ctp_svc_fmri =
	    refstr_alloc("svc:/system/init:default");
	sys_process_tmpl->ctp_svc_aux = refstr_alloc("");
	conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux;
	refstr_hold(conp_svc_aux_default);
}

/*
 * contract_process_create
 *
 * create a process contract given template "tmpl" and parent process
 * "parent".  May fail and return NULL if project.max-contracts would
 * have been exceeded.
 *
 * "canfail" is passed through to contract_ctor(); when it is clear the
 * ctor is presumably not permitted to fail on the resource limit
 * (TODO confirm).  On success the new contract's ct_lock is not held
 * and the template lock has been released; on failure the partially
 * built contract is freed and NULL returned.
 */
static cont_process_t *
contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
{
	cont_process_t *ctp;

	ASSERT(tmpl != NULL);

	(void) contract_type_pbundle(process_type, parent);

	/* kmem_zalloc: the refstr fields start NULL, which the failure path relies on. */
	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);

	list_create(&ctp->conp_members, sizeof (proc_t),
	    offsetof(proc_t, p_ct_member));
	list_create(&ctp->conp_inherited, sizeof (contract_t),
	    offsetof(contract_t, ct_ctlist));
	/* The template lock is held until the end so its terms stay stable. */
	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
	ctp->conp_params = tmpl->ctp_params;
	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
	/* Snapshot the creator's credential; contract_process_kill() uses it. */
	crhold(ctp->conp_cred = CRED());

	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
	    parent, canfail)) {
		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
		contract_process_free(&ctp->conp_contract);
		return (NULL);
	}

	/*
	 * inherit svc_fmri if not defined by consumer.
 In this case, inherit
	 * also svc_ctid to keep track of the contract id where
	 * svc_fmri was set
	 */
	if (tmpl->ctp_svc_fmri == NULL) {
		ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
		ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
		ctp->conp_svc_zone_enter =
		    parent->p_ct_process->conp_svc_zone_enter;
	} else {
		ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
		ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
		/* make svc_zone_enter flag false when svc_fmri is set */
		ctp->conp_svc_zone_enter = 0;
	}
	/* Either source is non-NULL, so the hold is unconditional. */
	refstr_hold(ctp->conp_svc_fmri);
	/* set svc_aux to default value if not defined in template */
	if (tmpl->ctp_svc_aux == NULL) {
		ctp->conp_svc_aux = conp_svc_aux_default;
	} else {
		ctp->conp_svc_aux = tmpl->ctp_svc_aux;
	}
	refstr_hold(ctp->conp_svc_aux);
	/*
	 * set svc_creator to execname
	 * We special case pid0 because when newproc() creates
	 * the init process, the p_user.u_comm field of sched's proc_t
	 * has not been populated yet.
	 */
	if (parent->p_pidp == &pid0) /* if the kernel is the creator */
		ctp->conp_svc_creator = refstr_alloc("sched");
	else
		ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);

	/*
	 * Transfer subcontracts only after new contract is visible.
	 * Also, only transfer contracts if the parent matches -- we
	 * don't want to create a cycle in the tree of contracts.
	 * (ct_owner is read before the subsumed contract's lock is
	 * taken; the ownership check in ctmpl_process_set() is the
	 * primary guard.)
	 *
	 * Lock order here: subsumed contract, then the new contract,
	 * then each transferred child in turn.
	 */
	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
		contract_t *ct;

		mutex_enter(&tmpl->ctp_subsume->ct_lock);
		mutex_enter(&ctp->conp_contract.ct_lock);
		while (ct = list_head(&sct->conp_inherited)) {
			mutex_enter(&ct->ct_lock);
			list_remove(&sct->conp_inherited, ct);
			list_insert_tail(&ctp->conp_inherited, ct);
			ct->ct_regent = &ctp->conp_contract;
			mutex_exit(&ct->ct_lock);
		}
		ctp->conp_ninherited += sct->conp_ninherited;
		sct->conp_ninherited = 0;
		mutex_exit(&ctp->conp_contract.ct_lock);
		mutex_exit(&tmpl->ctp_subsume->ct_lock);

		/*
		 * Automatically abandon the contract.  It was verified
		 * empty when the term was set, so this should not kill
		 * anything; the template's hold on it is unaffected.
		 */
		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
	}

	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);

	return (ctp);
}

/*
 * contract_process_exit
 *
 * Called on process exit.  Removes process p from process contract
 * ctp.  Generates an exit event, if requested.  Generates an empty
 * event, if p is the last member of the process contract and empty
 * events were requested.
 *
 * Consumes the reference p's membership held on the contract (taken
 * by contract_process_fork()): it is either released at the end or,
 * when the last member leaves an orphan, handed to contract_destroy().
 */
void
contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
{
	contract_t *ct = &ctp->conp_contract;
	ct_kevent_t *event;
	int empty;

	/*
	 * Remove self from process contract.
	 */
	mutex_enter(&ct->ct_lock);
	list_remove(&ctp->conp_members, p);
	ctp->conp_nmembers--;
	mutex_enter(&p->p_lock);	/* in case /proc is watching */
	p->p_ct_process = NULL;
	mutex_exit(&p->p_lock);

	/*
	 * We check for emptiness before dropping the contract lock to
	 * send the exit event, otherwise we could end up with two
	 * empty events.
	 */
	empty = (list_head(&ctp->conp_members) == NULL);
	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
		nvlist_t *nvl;

		/* Event publication sleeps, so it is done without ct_lock. */
		mutex_exit(&ct->ct_lock);
		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);

		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
		event->cte_type = CT_PR_EV_EXIT;
		(void) cte_publish_all(ct, event, nvl, NULL);
		mutex_enter(&ct->ct_lock);
	}
	if (empty) {
		/*
		 * Send EMPTY message.
		 */
		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
			nvlist_t *nvl;

			mutex_exit(&ct->ct_lock);
			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);

			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
			    CTE_INFO : 0;
			event->cte_type = CT_PR_EV_EMPTY;
			(void) cte_publish_all(ct, event, nvl, NULL);
			mutex_enter(&ct->ct_lock);
		}

		/*
		 * The last one to leave an orphaned contract turns out
		 * the lights.  contract_destroy() takes over ct_lock and
		 * our reference, hence no mutex_exit()/contract_rele().
		 */
		if (ct->ct_state == CTS_ORPHAN) {
			contract_destroy(ct);
			return;
		}
	}
	mutex_exit(&ct->ct_lock);
	contract_rele(ct);
}

/*
 * contract_process_fork
 *
 * Called on process fork.  If the current lwp has a active process
 * contract template, we attempt to create a new process contract.
 * Failure to create a process contract when required is a failure in
 * fork so, in such an event, we return NULL.
 *
 * Assuming we succeeded or skipped the previous step, we add the child
 * process to the new contract (success) or to the parent's process
 * contract (skip).  If requested, we also send a fork event to that
 * contract.
 *
 * Because contract_process_fork() may fail, and because we would
 * prefer that process contracts not be created for processes which
 * don't complete forking, this should be the last function called
 * before the "all clear" point in cfork.
 *
 * rtmpl   - process contract template to instantiate, or NULL to use
 *           the template the current lwp has activated (if any).
 * cp      - the child process being created.
 * pp      - the parent process.
 * canfail - non-zero if the caller is prepared to have the fork fail.
 *
 * Returns the contract the child was placed in, or NULL if a required
 * contract could not be created or the fork was refused because the
 * parent has just been killed.
 */
cont_process_t *
contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
    int canfail)
{
	contract_t *ct;
	cont_process_t *ctp;

	/*
	 * No explicit template: fall back to the process-contract
	 * template the current lwp has activated, if there is one.
	 */
	if (rtmpl == NULL) {
		ct_template_t *active;

		active = ttolwp(curthread)->lwp_ct_active[
		    process_type->ct_type_index];
		if (active != NULL)
			rtmpl = active->ctmpl_data;
	}

	/*
	 * Without a template the child joins the caller's current
	 * contract.  With one, a fresh contract is created, and failure
	 * to create it fails the fork.
	 */
	if (rtmpl == NULL) {
		ctp = curproc->p_ct_process;
	} else {
		ctp = contract_process_create(rtmpl, pp, canfail);
		if (ctp == NULL)
			return (NULL);
	}

	ct = &ctp->conp_contract;

	/*
	 * Lock order: ct_lock, then p_lock.  Membership is decided with
	 * both held so that a parent which has just been marked SKILLED
	 * cannot slip a child past the contract-wide kill -- a child
	 * forked in that window would otherwise be missed by
	 * contract_process_kill().  The refusal only applies when the
	 * child would join the caller's own contract and the fork is
	 * allowed to fail; the ctp test is not hoisted because creating
	 * a contract is not the common case.
	 */
	mutex_enter(&ct->ct_lock);
	mutex_enter(&pp->p_lock);
	if (canfail && ctp == curproc->p_ct_process &&
	    (pp->p_flag & SKILLED) != 0) {
		mutex_exit(&pp->p_lock);
		mutex_exit(&ct->ct_lock);
		return (NULL);
	}
	cp->p_ct_process = ctp;
	mutex_exit(&pp->p_lock);
	contract_hold(ct);
	list_insert_head(&ctp->conp_members, cp);
	ctp->conp_nmembers++;
	mutex_exit(&ct->ct_lock);

	/*
	 * The fork event, if the contract asks for it, carries the
	 * child's pid and the parent's pid.  It is published with
	 * ct_lock dropped.
	 */
	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
		nvlist_t *attrs;
		ct_kevent_t *ev;

		VERIFY(nvlist_alloc(&attrs, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_PID, cp->p_pid) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_PPID, pp->p_pid) == 0);

		/* kmem_zalloc() leaves cte_flags clear unless set below. */
		ev = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		ev->cte_type = CT_PR_EV_FORK;
		if (EVINFOP(ctp, CT_PR_EV_FORK))
			ev->cte_flags = CTE_INFO;
		(void) cte_publish_all(ct, ev, attrs, NULL);
	}

	return (ctp);
}

/*
 * contract_process_core
 *
 * Called when the system attempts to write a core file for p.  If the
 * contract asks for core events, one is published carrying p's pid,
 * the signal that caused the dump, and whichever of the per-process,
 * global and zone core file names were supplied (NULL means "none").
 *
 * The zone core file name goes into a second nvlist that is handed to
 * cte_publish_all() separately from the ordinary attributes; by the
 * note on that path, only the global zone is told about the core the
 * global zone wrote for a non-global-zone process, so a zone cannot
 * learn global-zone paths through its own contract events.
 *
 * If dumping core is in the contract's fatal event set, the whole
 * contract is killed via contract_process_kill(), which is called
 * with ct_lock held.
 */
void
contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
    const char *process, const char *global, const char *zone)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
		nvlist_t *attrs, *gz_attrs = NULL;
		ct_kevent_t *ev;

		VERIFY(nvlist_alloc(&attrs, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_SIGNAL, sig) == 0);
		if (process != NULL) {
			VERIFY(nvlist_add_string(attrs, CTPE_PCOREFILE,
			    (char *)process) == 0);
		}
		if (global != NULL) {
			VERIFY(nvlist_add_string(attrs, CTPE_GCOREFILE,
			    (char *)global) == 0);
		}

		/*
		 * Only the global zone is informed of the global-zone
		 * core written for a local-zone process, so its path is
		 * kept out of the attributes every observer can read.
		 */
		if (zone != NULL) {
			VERIFY(nvlist_alloc(&gz_attrs, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			VERIFY(nvlist_add_string(gz_attrs, CTPE_ZCOREFILE,
			    (char *)zone) == 0);
		}

		ev = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		ev->cte_type = CT_PR_EV_CORE;
		if (EVINFOP(ctp, CT_PR_EV_CORE))
			ev->cte_flags = CTE_INFO;
		(void) cte_publish_all(ct, ev, attrs, gz_attrs);
	}

	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
		mutex_enter(&ct->ct_lock);
		contract_process_kill(ct, p, B_TRUE);
		mutex_exit(&ct->ct_lock);
	}
}

/*
 * contract_process_hwerr
 *
 * Called when p has been killed by an unrecoverable hardware error.
 * Publishes an hwerr event, carrying only p's pid, if the contract
 * asks for one.
 * If hardware errors are in the contract's fatal event set, the whole
 * contract is killed via contract_process_kill(), called with ct_lock
 * held.
 */
void
contract_process_hwerr(cont_process_t *ctp, proc_t *p)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
		nvlist_t *attrs;
		ct_kevent_t *ev;

		/* The only attribute is the pid of the process that died. */
		VERIFY(nvlist_alloc(&attrs, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_PID, p->p_pid) == 0);

		/* kmem_zalloc() leaves cte_flags clear unless set below. */
		ev = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		ev->cte_type = CT_PR_EV_HWERR;
		if (EVINFOP(ctp, CT_PR_EV_HWERR))
			ev->cte_flags = CTE_INFO;
		(void) cte_publish_all(ct, ev, attrs, NULL);
	}

	if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
		/*
		 * NOTE(review): the third argument is B_FALSE here but
		 * B_TRUE on the core and signal paths; its meaning is
		 * defined by contract_process_kill() and not visible here.
		 */
		mutex_enter(&ct->ct_lock);
		contract_process_kill(ct, p, B_FALSE);
		mutex_exit(&ct->ct_lock);
	}
}

/*
 * contract_process_sig
 *
 * Called when p has been killed by a signal whose sender is outside
 * p's process contract and is not that contract's holder.  Publishes
 * a signal event, if requested, carrying the signal number and, when
 * known, the sender's pid and contract id (pid == -1 and ctid == 0
 * mean "unknown" and are omitted).  If signals are in the fatal event
 * set, calls
 * contract_process_kill().
 */
void
contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
    ctid_t ctid, zoneid_t zoneid)
{
	contract_t *ct = &ctp->conp_contract;

	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
		nvlist_t *attrs, *gz_attrs = NULL, *sender_attrs;
		ct_kevent_t *ev;
		boolean_t cross_zone;

		VERIFY(nvlist_alloc(&attrs, NV_UNIQUE_NAME, KM_SLEEP) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_PID, p->p_pid) == 0);
		VERIFY(nvlist_add_uint32(attrs, CTPE_SIGNAL, sig) == 0);

		/*
		 * Sender identity must not leak across a zone boundary.
		 * When the sender's zone is known (zoneid >= 0) and is
		 * not the victim's zone, CTPE_SENDER and CTPE_SENDCT are
		 * placed in the second nvlist, which cte_publish_all()
		 * delivers separately (per the zone core-file handling
		 * in contract_process_core(), only to the global zone),
		 * rather than in the attributes every observer of the
		 * contract can read.
		 */
		cross_zone = (zoneid >= 0 && p->p_zone->zone_id != zoneid);
		if (cross_zone) {
			VERIFY(nvlist_alloc(&gz_attrs, NV_UNIQUE_NAME,
			    KM_SLEEP) == 0);
			sender_attrs = gz_attrs;
		} else {
			sender_attrs = attrs;
		}

		/* -1 and 0 are the "unknown sender" sentinels. */
		if (pid != -1) {
			VERIFY(nvlist_add_uint32(sender_attrs, CTPE_SENDER,
			    pid) == 0);
		}
		if (ctid != 0) {
			VERIFY(nvlist_add_uint32(sender_attrs, CTPE_SENDCT,
			    ctid) == 0);
		}

		/* kmem_zalloc() leaves cte_flags clear unless set below. */
		ev = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
		ev->cte_type = CT_PR_EV_SIGNAL;
		if (EVINFOP(ctp, CT_PR_EV_SIGNAL))
			ev->cte_flags = CTE_INFO;
		(void) cte_publish_all(ct, ev, attrs, gz_attrs);
	}

	/* Fatal signals take the entire contract down, under ct_lock. */
	if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
		mutex_enter(&ct->ct_lock);
		contract_process_kill(ct, p, B_TRUE);
		mutex_exit(&ct->ct_lock);
	}
}