4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/mutex.h>
27 #include <sys/debug.h>
28 #include <sys/types.h>
29 #include <sys/param.h>
31 #include <sys/thread.h>
32 #include <sys/id_space.h>
35 #include <sys/sysmacros.h>
37 #include <sys/contract.h>
38 #include <sys/contract_impl.h>
39 #include <sys/contract/process.h>
40 #include <sys/contract/process_impl.h>
41 #include <sys/cmn_err.h>
42 #include <sys/nvpair.h>
43 #include <sys/policy.h>
44 #include <sys/refstr.h>
45 #include <sys/sunddi.h>
51 * Generally speaking, a process contract is a contract between a
52 * process and a set of its descendent processes. In some cases, when
53 * the child processes outlive the author of the contract, the contract
54 * may be held by (and therefore be between the child processes and) a
55 * successor process which adopts the contract after the death of the
58 * The process contract adds two new concepts to the Solaris process
59 * model. The first is that a process contract forms a rigid fault
60 * boundary around a set of processes. Hardware, software, and even
61 * administrator errors impacting a process in a process contract
62 * generate specific events and can be requested to atomically shutdown
63 * all processes in the contract. The second is that a process
64 * contract is a process collective whose leader is not a member of the
65 * collective. This means that the leader can reliably react to events
66 * in the collective, and may also act upon the collective without
67 * special casing itself.
69 * A composite outcome of these two concepts is that we can now create
70 * a tree of process contracts, rooted at init(8), which represent
71 * services and subservices that are reliably observed and can be
72 * restarted when fatal errors occur. The service management framework
73 * (SMF) realizes this structure.
75 * For more details, see the "restart agreements" case, PSARC 2003/193.
77 * There are four sets of routines in this file: the process contract
78 * standard template operations, the process contract standard contract
79 * operations, a couple routines used only by the contract subsystem to
80 * handle process contracts' unique role as a temporary holder of
81 * abandoned contracts, and the interfaces which allow the system to
82 * create and act upon process contracts. The first two are defined by
83 * the contracts framework and won't be discussed further. As for the
86 * Special framework interfaces
87 * ----------------------------
89 * contract_process_accept - determines if a process contract is a
90 * regent, i.e. if it can inherit other contracts.
92 * contract_process_take - tells a regent process contract to inherit
93 * an abandoned contract
95 * contract_process_adopt - tells a regent process contract that a
96 * contract it has inherited is being adopted by a process.
98 * Process contract interfaces
99 * ---------------------------
101 * contract_process_fork - called when a process is created; adds the
102 * new process to an existing contract or to a newly created one.
104 * contract_process_exit - called when a process exits
106 * contract_process_core - called when a process would have dumped core
107 * (even if a core file wasn't generated)
109 * contract_process_hwerr - called when a process was killed because of
110 * an uncorrectable hardware error
112 * contract_process_sig - called when a process was killed by a fatal
113 * signal sent by a process in another process contract
117 ct_type_t
*process_type
;
118 ctmpl_process_t
*sys_process_tmpl
;
119 refstr_t
*conp_svc_aux_default
;
122 * Macro predicates for determining when events should be sent and how.
124 #define EVSENDP(ctp, flag) \
125 ((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
127 #define EVINFOP(ctp, flag) \
128 ((ctp->conp_contract.ct_ev_crit & flag) == 0)
130 #define EVFATALP(ctp, flag) \
131 (ctp->conp_ev_fatal & flag)
135 * Process contract template implementation
141 * The process contract template dup entry point. Other than the
142 * to-be-subsumed contract, which must be held, this simply copies all
143 * the fields of the original.
145 static struct ct_template
*
146 ctmpl_process_dup(struct ct_template
*template)
148 ctmpl_process_t
*new;
149 ctmpl_process_t
*old
= template->ctmpl_data
;
151 new = kmem_alloc(sizeof (ctmpl_process_t
), KM_SLEEP
);
153 ctmpl_copy(&new->ctp_ctmpl
, template);
154 new->ctp_ctmpl
.ctmpl_data
= new;
156 new->ctp_subsume
= old
->ctp_subsume
;
157 if (new->ctp_subsume
)
158 contract_hold(new->ctp_subsume
);
159 new->ctp_params
= old
->ctp_params
;
160 new->ctp_ev_fatal
= old
->ctp_ev_fatal
;
161 new->ctp_svc_fmri
= old
->ctp_svc_fmri
;
162 if (new->ctp_svc_fmri
!= NULL
) {
163 refstr_hold(new->ctp_svc_fmri
);
165 new->ctp_svc_aux
= old
->ctp_svc_aux
;
166 if (new->ctp_svc_aux
!= NULL
) {
167 refstr_hold(new->ctp_svc_aux
);
170 return (&new->ctp_ctmpl
);
176 * The process contract template free entry point. Just releases a
177 * to-be-subsumed contract and frees the template.
180 ctmpl_process_free(struct ct_template
*template)
182 ctmpl_process_t
*ctp
= template->ctmpl_data
;
184 if (ctp
->ctp_subsume
)
185 contract_rele(ctp
->ctp_subsume
);
186 if (ctp
->ctp_svc_fmri
!= NULL
) {
187 refstr_rele(ctp
->ctp_svc_fmri
);
189 if (ctp
->ctp_svc_aux
!= NULL
) {
190 refstr_rele(ctp
->ctp_svc_aux
);
192 kmem_free(template, sizeof (ctmpl_process_t
));
196 * SAFE_EV is the set of events which a non-privileged process is
197 * allowed to make critical but not fatal or if the PGRPONLY parameter
198 * is set. EXCESS tells us if "value", a critical event set, requires
199 * additional privilege given the template "ctp".
201 #define SAFE_EV (CT_PR_EV_EMPTY)
202 #define EXCESS(ctp, value) \
203 (((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
204 (((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
209 * The process contract template set entry point. None of the terms
210 * may be unconditionally set, and setting the parameters or fatal
211 * event set may result in events being implicitly removed from to the
212 * critical event set and added to the informative event set. The
213 * (admittedly subtle) reason we implicitly change the critical event
214 * set when the parameter or fatal event set is modified but not the
215 * other way around is because a change to the critical event set only
216 * affects the contract's owner, whereas a change to the parameter set
217 * and fatal set can affect the execution of the application running in
218 * the contract (and should therefore be only made explicitly). We
219 * allow implicit changes at all so that setting contract terms doesn't
220 * become a complex dance dependent on the template's initial state and
224 ctmpl_process_set(struct ct_template
*tmpl
, ct_kparam_t
*kparam
,
227 ctmpl_process_t
*ctp
= tmpl
->ctmpl_data
;
228 ct_param_t
*param
= &kparam
->param
;
231 uint64_t param_value
;
234 if ((param
->ctpm_id
== CTPP_SVC_FMRI
) ||
235 (param
->ctpm_id
== CTPP_CREATOR_AUX
)) {
236 str_value
= (char *)kparam
->ctpm_kbuf
;
237 str_value
[param
->ctpm_size
- 1] = '\0';
239 if (param
->ctpm_size
< sizeof (uint64_t))
241 param_value
= *(uint64_t *)kparam
->ctpm_kbuf
;
243 * No process contract parameters are > 32 bits.
244 * Unless it is a string.
246 if (param_value
& ~UINT32_MAX
)
250 switch (param
->ctpm_id
) {
252 if (param_value
!= 0) {
254 * Ensure that the contract exists, that we
255 * hold the contract, and that the contract is
258 ct
= contract_type_ptr(process_type
, param_value
,
259 curproc
->p_zone
->zone_uniqid
);
262 if (ct
->ct_owner
!= curproc
) {
266 if (((cont_process_t
*)ct
->ct_data
)->conp_nmembers
) {
273 if (ctp
->ctp_subsume
)
274 contract_rele(ctp
->ctp_subsume
);
275 ctp
->ctp_subsume
= ct
;
278 if (param_value
& ~CT_PR_ALLPARAM
)
280 ctp
->ctp_params
= param_value
;
282 * If an unprivileged process requests that
283 * CT_PR_PGRPONLY be set, remove any unsafe events from
284 * the critical event set and add them to the
285 * informative event set.
287 if ((ctp
->ctp_params
& CT_PR_PGRPONLY
) &&
288 EXCESS(ctp
, tmpl
->ctmpl_ev_crit
) &&
289 !secpolicy_contract_event_choice(cr
)) {
290 tmpl
->ctmpl_ev_info
|= (tmpl
->ctmpl_ev_crit
& ~SAFE_EV
);
291 tmpl
->ctmpl_ev_crit
&= SAFE_EV
;
296 if (error
= secpolicy_contract_identity(cr
))
298 if (ctp
->ctp_svc_fmri
!= NULL
)
299 refstr_rele(ctp
->ctp_svc_fmri
);
300 if (strcmp(CT_PR_SVC_DEFAULT
, str_value
) == 0)
301 ctp
->ctp_svc_fmri
= NULL
;
304 refstr_alloc(str_value
);
306 case CTPP_CREATOR_AUX
:
307 if (ctp
->ctp_svc_aux
!= NULL
)
308 refstr_rele(ctp
->ctp_svc_aux
);
309 if (param
->ctpm_size
== 1) /* empty string */
310 ctp
->ctp_svc_aux
= NULL
;
313 refstr_alloc(str_value
);
315 case CTP_EV_CRITICAL
:
317 * We simply don't allow adding events to the critical
318 * event set which aren't permitted by our policy or by
321 if (EXCESS(ctp
, param_value
) &&
322 (error
= secpolicy_contract_event(cr
)) != 0)
324 tmpl
->ctmpl_ev_crit
= param_value
;
327 if (param_value
& ~CT_PR_ALLFATAL
)
329 ctp
->ctp_ev_fatal
= param_value
;
331 * Check to see if an unprivileged process is
332 * requesting that events be removed from the fatal
333 * event set which are still in the critical event set.
335 if (EXCESS(ctp
, tmpl
->ctmpl_ev_crit
) &&
336 !secpolicy_contract_event_choice(cr
)) {
338 SAFE_EV
| (ctp
->ctp_params
& CT_PR_PGRPONLY
) ?
339 0 : ctp
->ctp_ev_fatal
;
340 tmpl
->ctmpl_ev_info
|= (tmpl
->ctmpl_ev_crit
& ~allowed
);
341 tmpl
->ctmpl_ev_crit
&= allowed
;
354 * The process contract template get entry point. Simply fetches and
355 * returns the requested term.
358 ctmpl_process_get(struct ct_template
*template, ct_kparam_t
*kparam
)
360 ctmpl_process_t
*ctp
= template->ctmpl_data
;
361 ct_param_t
*param
= &kparam
->param
;
362 uint64_t *param_value
= kparam
->ctpm_kbuf
;
364 if (param
->ctpm_id
== CTPP_SUBSUME
||
365 param
->ctpm_id
== CTPP_PARAMS
||
366 param
->ctpm_id
== CTPP_EV_FATAL
) {
367 if (param
->ctpm_size
< sizeof (uint64_t))
369 kparam
->ret_size
= sizeof (uint64_t);
372 switch (param
->ctpm_id
) {
374 *param_value
= ctp
->ctp_subsume
?
375 ctp
->ctp_subsume
->ct_id
: 0;
378 *param_value
= ctp
->ctp_params
;
381 if (ctp
->ctp_svc_fmri
== NULL
) {
383 strlcpy((char *)kparam
->ctpm_kbuf
,
384 CT_PR_SVC_DEFAULT
, param
->ctpm_size
);
387 strlcpy((char *)kparam
->ctpm_kbuf
,
388 refstr_value(ctp
->ctp_svc_fmri
), param
->ctpm_size
);
392 case CTPP_CREATOR_AUX
:
393 if (ctp
->ctp_svc_aux
== NULL
) {
395 strlcpy((char *)kparam
->ctpm_kbuf
,
396 refstr_value(conp_svc_aux_default
),
400 strlcpy((char *)kparam
->ctpm_kbuf
,
401 refstr_value(ctp
->ctp_svc_aux
), param
->ctpm_size
);
406 *param_value
= ctp
->ctp_ev_fatal
;
415 static ctmplops_t ctmpl_process_ops
= {
416 ctmpl_process_dup
, /* ctop_dup */
417 ctmpl_process_free
, /* ctop_free */
418 ctmpl_process_set
, /* ctop_set */
419 ctmpl_process_get
, /* ctop_get */
420 ctmpl_create_inval
, /* ctop_create */
426 * Process contract implementation
430 * ctmpl_process_default
432 * The process contract default template entry point. Creates a
433 * process contract template with no parameters set, with informative
434 * core and signal events, critical empty and hwerr events, and fatal
437 static ct_template_t
*
438 contract_process_default(void)
440 ctmpl_process_t
*new;
442 new = kmem_alloc(sizeof (ctmpl_process_t
), KM_SLEEP
);
443 ctmpl_init(&new->ctp_ctmpl
, &ctmpl_process_ops
, process_type
, new);
445 new->ctp_subsume
= NULL
;
447 new->ctp_ctmpl
.ctmpl_ev_info
= CT_PR_EV_CORE
| CT_PR_EV_SIGNAL
;
448 new->ctp_ctmpl
.ctmpl_ev_crit
= CT_PR_EV_EMPTY
| CT_PR_EV_HWERR
;
449 new->ctp_ev_fatal
= CT_PR_EV_HWERR
;
450 new->ctp_svc_fmri
= NULL
;
451 new->ctp_svc_aux
= NULL
;
453 return (&new->ctp_ctmpl
);
457 * contract_process_free
459 * The process contract free entry point.
462 contract_process_free(contract_t
*ct
)
464 cont_process_t
*ctp
= ct
->ct_data
;
465 crfree(ctp
->conp_cred
);
466 list_destroy(&ctp
->conp_members
);
467 list_destroy(&ctp
->conp_inherited
);
468 if (ctp
->conp_svc_fmri
!= NULL
) {
469 refstr_rele(ctp
->conp_svc_fmri
);
471 if (ctp
->conp_svc_aux
!= NULL
) {
472 refstr_rele(ctp
->conp_svc_aux
);
474 if (ctp
->conp_svc_creator
!= NULL
) {
475 refstr_rele(ctp
->conp_svc_creator
);
477 kmem_free(ctp
, sizeof (cont_process_t
));
481 * contract_process_cankill
483 * Determine if the contract author had or if the process generating
484 * the event, sp, has adequate privileges to kill process tp.
487 contract_process_cankill(proc_t
*tp
, proc_t
*sp
, cont_process_t
*ctp
)
491 mutex_enter(&tp
->p_crlock
);
492 cankill
= hasprocperm(tp
->p_cred
, ctp
->conp_cred
);
493 mutex_exit(&tp
->p_crlock
);
494 if (cankill
|| (sp
&& prochasprocperm(tp
, sp
, CRED())))
501 * contract_process_kill
503 * Kills all processes in a contract, or all processes in the
504 * intersection of a contract and ex's process group (if ex is non-NULL
505 * and the contract's PGRPONLY parameter is set). If checkpriv is
506 * true, only those processes which may be signaled by the contract
507 * author or ex are killed.
510 contract_process_kill(contract_t
*ct
, proc_t
*ex
, int checkpriv
)
512 cont_process_t
*ctp
= ct
->ct_data
;
516 ASSERT(MUTEX_HELD(&ct
->ct_lock
));
518 if (ex
&& (ctp
->conp_params
& CT_PR_PGRPONLY
)) {
520 mutex_enter(&pidlock
);
523 for (p
= list_head(&ctp
->conp_members
); p
!= NULL
;
524 p
= list_next(&ctp
->conp_members
, p
)) {
526 (pgrp
!= -1 && (p
->p_stat
== SIDL
|| p
->p_pgrp
!= pgrp
)) ||
527 (checkpriv
&& !contract_process_cankill(p
, ex
, ctp
)))
534 mutex_exit(&pidlock
);
539 * contract_process_accept
541 * Tests if the process contract is willing to act as a regent for
542 * inherited contracts. Though brief and only called from one place,
543 * this functionality is kept here to avoid including knowledge of
544 * process contract implementation in the generic contract code.
547 contract_process_accept(contract_t
*parent
)
549 cont_process_t
*ctp
= parent
->ct_data
;
551 ASSERT(parent
->ct_type
== process_type
);
553 return (ctp
->conp_params
& CT_PR_REGENT
);
557 * contract_process_take
559 * Executes the process contract side of inheriting a contract.
562 contract_process_take(contract_t
*parent
, contract_t
*child
)
564 cont_process_t
*ctp
= parent
->ct_data
;
566 ASSERT(MUTEX_HELD(&parent
->ct_lock
));
567 ASSERT(MUTEX_HELD(&child
->ct_lock
));
568 ASSERT(parent
->ct_type
== process_type
);
569 ASSERT(ctp
->conp_params
& CT_PR_REGENT
);
571 list_insert_head(&ctp
->conp_inherited
, child
);
572 ctp
->conp_ninherited
++;
576 * contract_process_adopt
578 * Executes the process contract side of adopting a contract.
581 contract_process_adopt(contract_t
*ct
, proc_t
*p
)
583 cont_process_t
*parent
= p
->p_ct_process
;
585 ASSERT(MUTEX_HELD(&parent
->conp_contract
.ct_lock
));
586 ASSERT(MUTEX_HELD(&ct
->ct_lock
));
588 list_remove(&parent
->conp_inherited
, ct
);
589 parent
->conp_ninherited
--;
592 * We drop the parent lock first because a) we are passing the
593 * contract reference to the child, and b) contract_adopt
594 * expects us to return with the contract lock held.
596 mutex_exit(&parent
->conp_contract
.ct_lock
);
600 * contract_process_abandon
602 * The process contract abandon entry point.
605 contract_process_abandon(contract_t
*ct
)
607 cont_process_t
*ctp
= ct
->ct_data
;
609 ASSERT(MUTEX_HELD(&ct
->ct_lock
));
612 * Shall we stay or shall we go?
614 if (list_head(&ctp
->conp_members
) == NULL
) {
615 contract_destroy(ct
);
618 * Strictly speaking, we actually do orphan the contract.
619 * Assuming our credentials allow us to kill all
620 * processes in the contract, this is only temporary.
622 if (ctp
->conp_params
& CT_PR_NOORPHAN
)
623 contract_process_kill(ct
, NULL
, B_TRUE
);
625 mutex_exit(&ct
->ct_lock
);
631 * contract_process_destroy
633 * The process contract destroy entry point.
636 contract_process_destroy(contract_t
*ct
)
638 cont_process_t
*ctp
= ct
->ct_data
;
641 ASSERT(MUTEX_HELD(&ct
->ct_lock
));
644 * contract_destroy all empty children, kill or orphan the rest
646 while (cct
= list_head(&ctp
->conp_inherited
)) {
647 mutex_enter(&cct
->ct_lock
);
649 ASSERT(cct
->ct_state
== CTS_INHERITED
);
651 list_remove(&ctp
->conp_inherited
, cct
);
652 ctp
->conp_ninherited
--;
653 cct
->ct_regent
= NULL
;
654 cct
->ct_type
->ct_type_ops
->contop_abandon(cct
);
659 * contract_process_status
661 * The process contract status entry point.
664 contract_process_status(contract_t
*ct
, zone_t
*zone
, int detail
, nvlist_t
*nvl
,
665 void *status
, model_t model
)
667 cont_process_t
*ctp
= ct
->ct_data
;
668 uint32_t *pids
, *ctids
;
669 uint_t npids
, nctids
;
670 uint_t spids
, sctids
;
671 ctid_t local_svc_zone_enter
;
673 if (detail
== CTD_FIXED
) {
674 mutex_enter(&ct
->ct_lock
);
675 contract_status_common(ct
, zone
, status
, model
);
676 local_svc_zone_enter
= ctp
->conp_svc_zone_enter
;
677 mutex_exit(&ct
->ct_lock
);
683 ASSERT(detail
== CTD_ALL
);
684 mutex_enter(&ct
->ct_lock
);
686 spids
= ctp
->conp_nmembers
+ 5;
687 sctids
= ctp
->conp_ninherited
+ 5;
688 mutex_exit(&ct
->ct_lock
);
690 pids
= kmem_alloc(spids
* sizeof (uint32_t), KM_SLEEP
);
691 ctids
= kmem_alloc(sctids
* sizeof (uint32_t),
694 mutex_enter(&ct
->ct_lock
);
695 npids
= ctp
->conp_nmembers
;
696 nctids
= ctp
->conp_ninherited
;
697 if (spids
>= npids
&& sctids
>= nctids
)
700 kmem_free(pids
, spids
* sizeof (uint32_t));
701 kmem_free(ctids
, sctids
* sizeof (uint32_t));
703 contract_status_common(ct
, zone
, status
, model
);
704 for (loc
= 0, cnext
= list_head(&ctp
->conp_inherited
); cnext
;
705 cnext
= list_next(&ctp
->conp_inherited
, cnext
))
706 ctids
[loc
++] = cnext
->ct_id
;
707 ASSERT(loc
== nctids
);
708 for (loc
= 0, pnext
= list_head(&ctp
->conp_members
); pnext
;
709 pnext
= list_next(&ctp
->conp_members
, pnext
))
710 pids
[loc
++] = pnext
->p_pid
;
711 ASSERT(loc
== npids
);
712 local_svc_zone_enter
= ctp
->conp_svc_zone_enter
;
713 mutex_exit(&ct
->ct_lock
);
717 * Contract terms are static; there's no need to hold the
718 * contract lock while accessing them.
720 VERIFY(nvlist_add_uint32(nvl
, CTPS_PARAMS
, ctp
->conp_params
) == 0);
721 VERIFY(nvlist_add_uint32(nvl
, CTPS_EV_FATAL
, ctp
->conp_ev_fatal
) == 0);
722 if (detail
== CTD_ALL
) {
723 VERIFY(nvlist_add_uint32_array(nvl
, CTPS_MEMBERS
, pids
,
725 VERIFY(nvlist_add_uint32_array(nvl
, CTPS_CONTRACTS
, ctids
,
727 VERIFY(nvlist_add_string(nvl
, CTPS_CREATOR_AUX
,
728 refstr_value(ctp
->conp_svc_aux
)) == 0);
729 VERIFY(nvlist_add_string(nvl
, CTPS_SVC_CREATOR
,
730 refstr_value(ctp
->conp_svc_creator
)) == 0);
731 kmem_free(pids
, spids
* sizeof (uint32_t));
732 kmem_free(ctids
, sctids
* sizeof (uint32_t));
736 * if we are in a local zone and svc_fmri was inherited from
737 * the global zone, we provide fake svc_fmri and svc_ctid
739 if (local_svc_zone_enter
== 0||
740 zone
->zone_uniqid
== GLOBAL_ZONEUNIQID
) {
741 if (detail
> CTD_COMMON
) {
742 VERIFY(nvlist_add_int32(nvl
, CTPS_SVC_CTID
,
743 ctp
->conp_svc_ctid
) == 0);
745 if (detail
== CTD_ALL
) {
746 VERIFY(nvlist_add_string(nvl
, CTPS_SVC_FMRI
,
747 refstr_value(ctp
->conp_svc_fmri
)) == 0);
750 if (detail
> CTD_COMMON
) {
751 VERIFY(nvlist_add_int32(nvl
, CTPS_SVC_CTID
,
752 local_svc_zone_enter
) == 0);
754 if (detail
== CTD_ALL
) {
755 VERIFY(nvlist_add_string(nvl
, CTPS_SVC_FMRI
,
756 CT_PR_SVC_FMRI_ZONE_ENTER
) == 0);
763 contract_process_newct(contract_t
*ct
)
768 /* process contracts don't negotiate */
769 static contops_t contract_process_ops
= {
770 contract_process_free
, /* contop_free */
771 contract_process_abandon
, /* contop_abandon */
772 contract_process_destroy
, /* contop_destroy */
773 contract_process_status
, /* contop_status */
774 contract_ack_inval
, /* contop_ack */
775 contract_ack_inval
, /* contop_nack */
776 contract_qack_inval
, /* contop_qack */
777 contract_process_newct
/* contop_newct */
781 * contract_process_init
783 * Initializes the process contract type. Also creates a template for
784 * use by newproc() when it creates user processes.
787 contract_process_init(void)
789 process_type
= contract_type_init(CTT_PROCESS
, "process",
790 &contract_process_ops
, contract_process_default
);
793 * Create a template for use with init(8) and other
794 * kernel-started processes.
796 sys_process_tmpl
= kmem_alloc(sizeof (ctmpl_process_t
), KM_SLEEP
);
797 ctmpl_init(&sys_process_tmpl
->ctp_ctmpl
, &ctmpl_process_ops
,
798 process_type
, sys_process_tmpl
);
799 sys_process_tmpl
->ctp_subsume
= NULL
;
800 sys_process_tmpl
->ctp_params
= CT_PR_NOORPHAN
;
801 sys_process_tmpl
->ctp_ev_fatal
= CT_PR_EV_HWERR
;
802 sys_process_tmpl
->ctp_svc_fmri
=
803 refstr_alloc("svc:/system/init:default");
804 sys_process_tmpl
->ctp_svc_aux
= refstr_alloc("");
805 conp_svc_aux_default
= sys_process_tmpl
->ctp_svc_aux
;
806 refstr_hold(conp_svc_aux_default
);
810 * contract_process_create
812 * create a process contract given template "tmpl" and parent process
813 * "parent". May fail and return NULL if project.max-contracts would
814 * have been exceeded.
816 static cont_process_t
*
817 contract_process_create(ctmpl_process_t
*tmpl
, proc_t
*parent
, int canfail
)
821 ASSERT(tmpl
!= NULL
);
823 (void) contract_type_pbundle(process_type
, parent
);
825 ctp
= kmem_zalloc(sizeof (cont_process_t
), KM_SLEEP
);
827 list_create(&ctp
->conp_members
, sizeof (proc_t
),
828 offsetof(proc_t
, p_ct_member
));
829 list_create(&ctp
->conp_inherited
, sizeof (contract_t
),
830 offsetof(contract_t
, ct_ctlist
));
831 mutex_enter(&tmpl
->ctp_ctmpl
.ctmpl_lock
);
832 ctp
->conp_params
= tmpl
->ctp_params
;
833 ctp
->conp_ev_fatal
= tmpl
->ctp_ev_fatal
;
834 crhold(ctp
->conp_cred
= CRED());
836 if (contract_ctor(&ctp
->conp_contract
, process_type
, &tmpl
->ctp_ctmpl
,
837 ctp
, (ctp
->conp_params
& CT_PR_INHERIT
) ? CTF_INHERIT
: 0,
839 mutex_exit(&tmpl
->ctp_ctmpl
.ctmpl_lock
);
840 contract_process_free(&ctp
->conp_contract
);
845 * inherit svc_fmri if not defined by consumer. In this case, inherit
846 * also svc_ctid to keep track of the contract id where
849 if (tmpl
->ctp_svc_fmri
== NULL
) {
850 ctp
->conp_svc_fmri
= parent
->p_ct_process
->conp_svc_fmri
;
851 ctp
->conp_svc_ctid
= parent
->p_ct_process
->conp_svc_ctid
;
852 ctp
->conp_svc_zone_enter
=
853 parent
->p_ct_process
->conp_svc_zone_enter
;
855 ctp
->conp_svc_fmri
= tmpl
->ctp_svc_fmri
;
856 ctp
->conp_svc_ctid
= ctp
->conp_contract
.ct_id
;
857 /* make svc_zone_enter flag false when svc_fmri is set */
858 ctp
->conp_svc_zone_enter
= 0;
860 refstr_hold(ctp
->conp_svc_fmri
);
861 /* set svc_aux to default value if not defined in template */
862 if (tmpl
->ctp_svc_aux
== NULL
) {
863 ctp
->conp_svc_aux
= conp_svc_aux_default
;
865 ctp
->conp_svc_aux
= tmpl
->ctp_svc_aux
;
867 refstr_hold(ctp
->conp_svc_aux
);
869 * set svc_creator to execname
870 * We special case pid0 because when newproc() creates
871 * the init process, the p_user.u_comm field of sched's proc_t
872 * has not been populated yet.
874 if (parent
->p_pidp
== &pid0
) /* if the kernel is the creator */
875 ctp
->conp_svc_creator
= refstr_alloc("sched");
877 ctp
->conp_svc_creator
= refstr_alloc(parent
->p_user
.u_comm
);
880 * Transfer subcontracts only after new contract is visible.
881 * Also, only transfer contracts if the parent matches -- we
882 * don't want to create a cycle in the tree of contracts.
884 if (tmpl
->ctp_subsume
&& tmpl
->ctp_subsume
->ct_owner
== parent
) {
885 cont_process_t
*sct
= tmpl
->ctp_subsume
->ct_data
;
888 mutex_enter(&tmpl
->ctp_subsume
->ct_lock
);
889 mutex_enter(&ctp
->conp_contract
.ct_lock
);
890 while (ct
= list_head(&sct
->conp_inherited
)) {
891 mutex_enter(&ct
->ct_lock
);
892 list_remove(&sct
->conp_inherited
, ct
);
893 list_insert_tail(&ctp
->conp_inherited
, ct
);
894 ct
->ct_regent
= &ctp
->conp_contract
;
895 mutex_exit(&ct
->ct_lock
);
897 ctp
->conp_ninherited
+= sct
->conp_ninherited
;
898 sct
->conp_ninherited
= 0;
899 mutex_exit(&ctp
->conp_contract
.ct_lock
);
900 mutex_exit(&tmpl
->ctp_subsume
->ct_lock
);
903 * Automatically abandon the contract.
905 (void) contract_abandon(tmpl
->ctp_subsume
, parent
, 1);
908 mutex_exit(&tmpl
->ctp_ctmpl
.ctmpl_lock
);
914 * contract_process_exit
916 * Called on process exit. Removes process p from process contract
917 * ctp. Generates an exit event, if requested. Generates an empty
918 * event, if p is the last member of the the process contract and empty
919 * events were requested.
922 contract_process_exit(cont_process_t
*ctp
, proc_t
*p
, int exitstatus
)
924 contract_t
*ct
= &ctp
->conp_contract
;
929 * Remove self from process contract.
931 mutex_enter(&ct
->ct_lock
);
932 list_remove(&ctp
->conp_members
, p
);
933 ctp
->conp_nmembers
--;
934 mutex_enter(&p
->p_lock
); /* in case /proc is watching */
935 p
->p_ct_process
= NULL
;
936 mutex_exit(&p
->p_lock
);
939 * We check for emptiness before dropping the contract lock to
940 * send the exit event, otherwise we could end up with two
943 empty
= (list_head(&ctp
->conp_members
) == NULL
);
944 if (EVSENDP(ctp
, CT_PR_EV_EXIT
)) {
947 mutex_exit(&ct
->ct_lock
);
948 VERIFY(nvlist_alloc(&nvl
, NV_UNIQUE_NAME
, KM_SLEEP
) == 0);
949 VERIFY(nvlist_add_uint32(nvl
, CTPE_PID
, p
->p_pid
) == 0);
950 VERIFY(nvlist_add_int32(nvl
, CTPE_EXITSTATUS
, exitstatus
) == 0);
952 event
= kmem_zalloc(sizeof (ct_kevent_t
), KM_SLEEP
);
953 event
->cte_flags
= EVINFOP(ctp
, CT_PR_EV_EXIT
) ? CTE_INFO
: 0;
954 event
->cte_type
= CT_PR_EV_EXIT
;
955 (void) cte_publish_all(ct
, event
, nvl
, NULL
);
956 mutex_enter(&ct
->ct_lock
);
960 * Send EMPTY message.
962 if (EVSENDP(ctp
, CT_PR_EV_EMPTY
)) {
965 mutex_exit(&ct
->ct_lock
);
966 VERIFY(nvlist_alloc(&nvl
, NV_UNIQUE_NAME
,
968 VERIFY(nvlist_add_uint32(nvl
, CTPE_PID
, p
->p_pid
) == 0);
970 event
= kmem_zalloc(sizeof (ct_kevent_t
), KM_SLEEP
);
971 event
->cte_flags
= EVINFOP(ctp
, CT_PR_EV_EMPTY
) ?
973 event
->cte_type
= CT_PR_EV_EMPTY
;
974 (void) cte_publish_all(ct
, event
, nvl
, NULL
);
975 mutex_enter(&ct
->ct_lock
);
979 * The last one to leave an orphaned contract turns out
982 if (ct
->ct_state
== CTS_ORPHAN
) {
983 contract_destroy(ct
);
987 mutex_exit(&ct
->ct_lock
);
992 * contract_process_fork
994 * Called on process fork. If the current lwp has a active process
995 * contract template, we attempt to create a new process contract.
996 * Failure to create a process contract when required is a failure in
997 * fork so, in such an event, we return NULL.
999 * Assuming we succeeded or skipped the previous step, we add the child
1000 * process to the new contract (success) or to the parent's process
1001 * contract (skip). If requested, we also send a fork event to that
1004 * Because contract_process_fork() may fail, and because we would
1005 * prefer that process contracts not be created for processes which
1006 * don't complete forking, this should be the last function called
1007 * before the "all clear" point in cfork.
1010 contract_process_fork(ctmpl_process_t
*rtmpl
, proc_t
*cp
, proc_t
*pp
,
1014 cont_process_t
*ctp
;
1016 ct_template_t
*tmpl
;
1018 if (rtmpl
== NULL
&& (tmpl
= ttolwp(curthread
)->lwp_ct_active
[
1019 process_type
->ct_type_index
]) != NULL
)
1020 rtmpl
= tmpl
->ctmpl_data
;
1023 ctp
= curproc
->p_ct_process
;
1024 else if ((ctp
= contract_process_create(rtmpl
, pp
, canfail
)) == NULL
)
1027 ct
= &ctp
->conp_contract
;
1029 * Prevent contract_process_kill() from missing forked children
1030 * by failing forks by parents that have just been killed.
1031 * It's not worth hoisting the ctp test since contract creation
1032 * is by no means the common case.
1034 mutex_enter(&ct
->ct_lock
);
1035 mutex_enter(&pp
->p_lock
);
1036 if (ctp
== curproc
->p_ct_process
&& (pp
->p_flag
& SKILLED
) != 0 &&
1038 mutex_exit(&pp
->p_lock
);
1039 mutex_exit(&ct
->ct_lock
);
1042 cp
->p_ct_process
= ctp
;
1043 mutex_exit(&pp
->p_lock
);
1045 list_insert_head(&ctp
->conp_members
, cp
);
1046 ctp
->conp_nmembers
++;
1047 mutex_exit(&ct
->ct_lock
);
1048 if (EVSENDP(ctp
, CT_PR_EV_FORK
)) {
1051 VERIFY(nvlist_alloc(&nvl
, NV_UNIQUE_NAME
, KM_SLEEP
) == 0);
1052 VERIFY(nvlist_add_uint32(nvl
, CTPE_PID
, cp
->p_pid
) == 0);
1053 VERIFY(nvlist_add_uint32(nvl
, CTPE_PPID
, pp
->p_pid
) == 0);
1055 event
= kmem_zalloc(sizeof (ct_kevent_t
), KM_SLEEP
);
1056 event
->cte_flags
= EVINFOP(ctp
, CT_PR_EV_FORK
) ? CTE_INFO
: 0;
1057 event
->cte_type
= CT_PR_EV_FORK
;
1058 (void) cte_publish_all(ct
, event
, nvl
, NULL
);
1064 * contract_process_core
1066 * Called on core file generation attempts. Generates a core event, if
1067 * requested, containing the names of the process, global, and
1068 * system-global ("zone") core files. If dumping core is in the fatal
1069 * event set, calls contract_process_kill().
1072 contract_process_core(cont_process_t
*ctp
, proc_t
*p
, int sig
,
1073 const char *process
, const char *global
, const char *zone
)
1075 contract_t
*ct
= &ctp
->conp_contract
;
1077 if (EVSENDP(ctp
, CT_PR_EV_CORE
)) {
1079 nvlist_t
*nvl
, *gnvl
= NULL
;
1081 VERIFY(nvlist_alloc(&nvl
, NV_UNIQUE_NAME
, KM_SLEEP
) == 0);
1082 VERIFY(nvlist_add_uint32(nvl
, CTPE_PID
, p
->p_pid
) == 0);
1083 VERIFY(nvlist_add_uint32(nvl
, CTPE_SIGNAL
, sig
) == 0);
1085 VERIFY(nvlist_add_string(nvl
, CTPE_PCOREFILE
,
1086 (char *)process
) == 0);
1088 VERIFY(nvlist_add_string(nvl
, CTPE_GCOREFILE
,
1089 (char *)global
) == 0);
1093 * Only the global zone is informed of the
1094 * local-zone generated global-zone core.
1096 VERIFY(nvlist_alloc(&gnvl
, NV_UNIQUE_NAME
,
1098 VERIFY(nvlist_add_string(gnvl
, CTPE_ZCOREFILE
,
1099 (char *)zone
) == 0);
1102 event
= kmem_zalloc(sizeof (ct_kevent_t
), KM_SLEEP
);
1103 event
->cte_flags
= EVINFOP(ctp
, CT_PR_EV_CORE
) ? CTE_INFO
: 0;
1104 event
->cte_type
= CT_PR_EV_CORE
;
1105 (void) cte_publish_all(ct
, event
, nvl
, gnvl
);
1108 if (EVFATALP(ctp
, CT_PR_EV_CORE
)) {
1109 mutex_enter(&ct
->ct_lock
);
1110 contract_process_kill(ct
, p
, B_TRUE
);
1111 mutex_exit(&ct
->ct_lock
);
1116 * contract_process_hwerr
1118 * Called when a process is killed by an unrecoverable hardware error.
1119 * Generates an hwerr event, if requested. If hardware errors are in
1120 * the fatal event set, calls contract_process_kill().
1123 contract_process_hwerr(cont_process_t
*ctp
, proc_t
*p
)
1125 contract_t
*ct
= &ctp
->conp_contract
;
1127 if (EVSENDP(ctp
, CT_PR_EV_HWERR
)) {
1131 VERIFY(nvlist_alloc(&nvl
, NV_UNIQUE_NAME
, KM_SLEEP
) == 0);
1132 VERIFY(nvlist_add_uint32(nvl
, CTPE_PID
, p
->p_pid
) == 0);
1134 event
= kmem_zalloc(sizeof (ct_kevent_t
), KM_SLEEP
);
1135 event
->cte_flags
= EVINFOP(ctp
, CT_PR_EV_HWERR
) ? CTE_INFO
: 0;
1136 event
->cte_type
= CT_PR_EV_HWERR
;
1137 (void) cte_publish_all(ct
, event
, nvl
, NULL
);
1140 if (EVFATALP(ctp
, CT_PR_EV_HWERR
)) {
1141 mutex_enter(&ct
->ct_lock
);
1142 contract_process_kill(ct
, p
, B_FALSE
);
1143 mutex_exit(&ct
->ct_lock
);
1148 * contract_process_sig
1150 * Called when a process is killed by a signal originating from a
1151 * process outside of its process contract or its process contract's
1152 * holder. Generates an signal event, if requested, containing the
1153 * signal number, and the sender's pid and contract id (if available).
1154 * If signals are in the fatal event set, calls
1155 * contract_process_kill().
1158 contract_process_sig(cont_process_t
*ctp
, proc_t
*p
, int sig
, pid_t pid
,
1159 ctid_t ctid
, zoneid_t zoneid
)
1161 contract_t
*ct
= &ctp
->conp_contract
;
1163 if (EVSENDP(ctp
, CT_PR_EV_SIGNAL
)) {
1165 nvlist_t
*dest
, *nvl
, *gnvl
= NULL
;
1167 VERIFY(nvlist_alloc(&nvl
, NV_UNIQUE_NAME
, KM_SLEEP
) == 0);
1168 VERIFY(nvlist_add_uint32(nvl
, CTPE_PID
, p
->p_pid
) == 0);
1169 VERIFY(nvlist_add_uint32(nvl
, CTPE_SIGNAL
, sig
) == 0);
1171 if (zoneid
>= 0 && p
->p_zone
->zone_id
!= zoneid
) {
1172 VERIFY(nvlist_alloc(&gnvl
, NV_UNIQUE_NAME
,
1180 VERIFY(nvlist_add_uint32(dest
, CTPE_SENDER
, pid
) == 0);
1182 VERIFY(nvlist_add_uint32(dest
, CTPE_SENDCT
, ctid
) == 0);
1184 event
= kmem_zalloc(sizeof (ct_kevent_t
), KM_SLEEP
);
1185 event
->cte_flags
= EVINFOP(ctp
, CT_PR_EV_SIGNAL
) ? CTE_INFO
: 0;
1186 event
->cte_type
= CT_PR_EV_SIGNAL
;
1187 (void) cte_publish_all(ct
, event
, nvl
, gnvl
);
1190 if (EVFATALP(ctp
, CT_PR_EV_SIGNAL
)) {
1191 mutex_enter(&ct
->ct_lock
);
1192 contract_process_kill(ct
, p
, B_TRUE
);
1193 mutex_exit(&ct
->ct_lock
);