| blob | ec885d44f47888df87dbcf5ecb9886aa9b73465b |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2013, Joyent, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 */
28 /*
29 * rc_node.c - In-memory SCF object management
30 *
31 * This layer manages the in-memory cache (the Repository Cache) of SCF
32 * data. Read requests are usually satisfied from here, but may require
33 * load calls to the "object" layer. Modify requests always write-through
34 * to the object layer.
35 *
36 * SCF data comprises scopes, services, instances, snapshots, snaplevels,
37 * property groups, properties, and property values. All but the last are
38 * known here as "entities" and are represented by rc_node_t data
39 * structures. (Property values are kept in the rn_values member of the
40 * respective property, not as separate objects.) All entities besides
41 * the "localhost" scope have some entity as a parent, and therefore form
42 * a tree.
43 *
44 * The entity tree is rooted at rc_scope, which rc_node_init() initializes to
45 * the "localhost" scope. The tree is filled in from the database on-demand
46 * by rc_node_fill_children().
47 *
48 * rc_node_t's are also placed in the cache_hash[] hash table, for rapid
49 * lookup.
50 *
51 * Multiple threads may service client requests, so access to each
52 * rc_node_t is synchronized by its rn_lock member. Some fields are
53 * protected by bits in the rn_flags field instead, to support operations
54 * which need to drop rn_lock, for example to respect locking order. Such
55 * flags should be manipulated with the rc_node_{hold,rele}_flag()
56 * functions.
57 *
58 * We track references to nodes to tell when they can be free()d. rn_refs
59 * should be incremented with rc_node_hold() on the creation of client
60 * references (rc_node_ptr_t's and rc_iter_t's). rn_erefs ("ephemeral
61 * references") should be incremented when a pointer is read into a local
62 * variable of a thread, with rc_node_hold_ephemeral_locked(). This
63 * hasn't been fully implemented, however, so rc_node_rele() tolerates
64 * rn_erefs being 0. Some code which predates rn_erefs counts ephemeral
65 * references in rn_refs. Other references are tracked by the
66 * rn_other_refs field and the RC_NODE_DEAD, RC_NODE_IN_PARENT,
67 * RC_NODE_OLD, and RC_NODE_ON_FORMER flags.
68 *
69 * Locking rules: To dereference an rc_node_t * (usually to lock it), you must
70 * have a hold (rc_node_hold()) on it or otherwise be sure that it hasn't been
71 * rc_node_destroy()ed (hold a lock on its parent or child, hold a flag,
72 * etc.). Once you have locked an rc_node_t you must check its rn_flags for
73 * RC_NODE_DEAD before you can use it. This is usually done with the
74 * rc_node_{wait,hold}_flag() functions (often via the rc_node_check_*()
75 * functions & RC_NODE_*() macros), which fail if the object has died.
76 *
77 * When a transactional node (property group or snapshot) is updated,
78 * a new node takes the place of the old node in the global hash and the
79 * old node is hung off of the rn_former list of the new node. At the
80 * same time, all of its children have their rn_parent_ref pointer set,
81 * and any holds they have are reflected in the old node's rn_other_refs
82 * count. This is automatically kept up to date until the final reference
83 * to the subgraph is dropped, at which point the node is unrefed and
84 * destroyed, along with all of its children.
85 *
86 * Because name service lookups may take a long time and, more importantly
87 * may trigger additional accesses to the repository, perm_granted() must be
88 * called without holding any locks.
89 *
90 * An ITER_START for a non-ENTITY_VALUE induces an rc_node_fill_children()
91 * call via rc_node_setup_iter() to populate the rn_children uu_list of the
92 * rc_node_t * in question and a call to uu_list_walk_start() on that list. For
93 * ITER_READ, rc_iter_next() uses uu_list_walk_next() to find the next
94 * apropriate child.
95 *
96 * An ITER_START for an ENTITY_VALUE makes sure the node has its values
97 * filled, and sets up the iterator. An ITER_READ_VALUE just copies out
98 * the proper values and updates the offset information.
99 *
100 * To allow aliases, snapshots are implemented with a level of indirection.
101 * A snapshot rc_node_t has a snapid which refers to an rc_snapshot_t in
102 * snapshot.c which contains the authoritative snaplevel information. The
103 * snapid is "assigned" by rc_attach_snapshot().
104 *
105 * We provide the client layer with rc_node_ptr_t's to reference objects.
106 * Objects referred to by them are automatically held & released by
107 * rc_node_assign() & rc_node_clear(). The RC_NODE_PTR_*() macros are used at
108 * client.c entry points to read the pointers. They fetch the pointer to the
109 * object, return (from the function) if it is dead, and lock, hold, or hold
110 * a flag of the object.
111 */
113 /*
114 * Permission checking is authorization-based: some operations may only
115 * proceed if the user has been assigned at least one of a set of
116 * authorization strings. The set of enabling authorizations depends on the
117 * operation and the target object. The set of authorizations assigned to
118 * a user is determined by an algorithm defined in libsecdb.
119 *
120 * The fastest way to decide whether the two sets intersect is by entering the
121 * strings into a hash table and detecting collisions, which takes linear time
122 * in the total size of the sets. Except for the authorization patterns which
123 * may be assigned to users, which without advanced pattern-matching
124 * algorithms will take O(n) in the number of enabling authorizations, per
125 * pattern.
126 *
127 * We can achieve some practical speed-ups by noting that if we enter all of
128 * the authorizations from one of the sets into the hash table we can merely
129 * check the elements of the second set for existence without adding them.
130 * This reduces memory requirements and hash table clutter. The enabling set
131 * is well suited for this because it is internal to configd (for now, at
132 * least). Combine this with short-circuiting and we can even minimize the
133 * number of queries to the security databases (user_attr & prof_attr).
134 *
135 * To force this usage onto clients we provide functions for adding
136 * authorizations to the enabling set of a permission context structure
137 * (perm_add_*()) and one to decide whether the the user associated with the
138 * current door call client possesses any of them (perm_granted()).
139 *
140 * At some point, a generic version of this should move to libsecdb.
141 *
142 * While entering the enabling strings into the hash table, we keep track
143 * of which is the most specific for use in generating auditing events.
144 * See the "Collecting the Authorization String" section of the "SMF Audit
145 * Events" block comment below.
146 */
148 /*
149 * Composition is the combination of sets of properties. The sets are ordered
150 * and properties in higher sets obscure properties of the same name in lower
151 * sets. Here we present a composed view of an instance's properties as the
152 * union of its properties and its service's properties. Similarly the
153 * properties of snaplevels are combined to form a composed view of the
154 * properties of a snapshot (which should match the composed view of the
155 * properties of the instance when the snapshot was taken).
156 *
157 * In terms of the client interface, the client may request that a property
158 * group iterator for an instance or snapshot be composed. Property groups
159 * traversed by such an iterator may not have the target entity as a parent.
160 * Similarly, the properties traversed by a property iterator for those
161 * property groups may not have the property groups iterated as parents.
162 *
163 * Implementation requires that iterators for instances and snapshots be
164 * composition-savvy, and that we have a "composed property group" entity
165 * which represents the composition of a number of property groups. Iteration
166 * over "composed property groups" yields properties which may have different
167 * parents, but for all other operations a composed property group behaves
168 * like the top-most property group it represents.
169 *
170 * The implementation is based on the rn_cchain[] array of rc_node_t pointers
171 * in rc_node_t. For instances, the pointers point to the instance and its
172 * parent service. For snapshots they point to the child snaplevels, and for
173 * composed property groups they point to property groups. A composed
174 * iterator carries an index into rn_cchain[]. Thus most of the magic ends up
175 * int the rc_iter_*() code.
176 */
177 /*
178 * SMF Audit Events:
179 * ================
180 *
181 * To maintain security, SMF generates audit events whenever
182 * privileged operations are attempted. See the System Administration
183 * Guide:Security Services answerbook for a discussion of the Solaris
184 * audit system.
185 *
186 * The SMF audit event codes are defined in adt_event.h by symbols
187 * starting with ADT_smf_ and are described in audit_event.txt. The
188 * audit record structures are defined in the SMF section of adt.xml.
189 * adt.xml is used to automatically generate adt_event.h which
190 * contains the definitions that we code to in this file. For the
191 * most part the audit events map closely to actions that you would
192 * perform with svcadm or svccfg, but there are some special cases
193 * which we'll discuss later.
194 *
195 * The software associated with SMF audit events falls into three
196 * categories:
197 * - collecting information to be written to the audit
198 * records
199 * - using the adt_* functions in
200 * usr/src/lib/libbsm/common/adt.c to generate the audit
201 * records.
202 * - handling special cases
203 *
204 * Collecting Information:
205 * ----------------------
206 *
207 * Most all of the audit events require the FMRI of the affected
208 * object and the authorization string that was used. The one
209 * exception is ADT_smf_annotation which we'll talk about later.
210 *
211 * Collecting the FMRI:
212 *
213 * The rc_node structure has a member called rn_fmri which points to
214 * its FMRI. This is initialized by a call to rc_node_build_fmri()
215 * when the node's parent is established. The reason for doing it
216 * at this time is that a node's FMRI is basically the concatenation
217 * of the parent's FMRI and the node's name with the appropriate
218 * decoration. rc_node_build_fmri() does this concatenation and
219 * decorating. It is called from rc_node_link_child() and
220 * rc_node_relink_child() where a node is linked to its parent.
221 *
222 * rc_node_get_fmri_or_fragment() is called to retrieve a node's FMRI
223 * when it is needed. It returns rn_fmri if it is set. If the node
224 * is at the top level, however, rn_fmri won't be set because it was
225 * never linked to a parent. In this case,
226 * rc_node_get_fmri_or_fragment() constructs an FMRI fragment based on
227 * its node type and its name, rn_name.
228 *
229 * Collecting the Authorization String:
230 *
231 * Naturally, the authorization string is captured during the
232 * authorization checking process. Acceptable authorization strings
233 * are added to a permcheck_t hash table as noted in the section on
234 * permission checking above. Once all entries have been added to the
235 * hash table, perm_granted() is called. If the client is authorized,
236 * perm_granted() returns with pc_auth_string of the permcheck_t
237 * structure pointing to the authorization string.
238 *
239 * This works fine if the client is authorized, but what happens if
240 * the client is not authorized? We need to report the required
241 * authorization string. This is the authorization that would have
242 * been used if permission had been granted. perm_granted() will
243 * find no match, so it needs to decide which string in the hash
244 * table to use as the required authorization string. It needs to do
245 * this, because configd is still going to generate an event. A
246 * design decision was made to use the most specific authorization
247 * in the hash table. The pc_auth_type enum designates the
248 * specificity of an authorization string. For example, an
249 * authorization string that is declared in an instance PG is more
250 * specific than one that is declared in a service PG.
251 *
252 * The pc_add() function keeps track of the most specific
253 * authorization in the hash table. It does this using the
254 * pc_specific and pc_specific_type members of the permcheck
255 * structure. pc_add() updates these members whenever a more
256 * specific authorization string is added to the hash table. Thus, if
257 * an authorization match is not found, perm_granted() will return
258 * with pc_auth_string in the permcheck_t pointing to the string that
259 * is referenced by pc_specific.
260 *
261 * Generating the Audit Events:
262 * ===========================
263 *
264 * As the functions in this file process requests for clients of
265 * configd, they gather the information that is required for an audit
266 * event. Eventually, the request processing gets to the point where
267 * the authorization is rejected or to the point where the requested
268 * action was attempted. At these two points smf_audit_event() is
269 * called.
270 *
271 * smf_audit_event() takes 4 parameters:
272 * - the event ID which is one of the ADT_smf_* symbols from
273 * adt_event.h.
274 * - status to pass to adt_put_event()
275 * - return value to pass to adt_put_event()
276 * - the event data (see audit_event_data structure)
277 *
278 * All interactions with the auditing software require an audit
279 * session. We use one audit session per configd client. We keep
280 * track of the audit session in the repcache_client structure.
281 * smf_audit_event() calls get_audit_session() to get the session
282 * pointer.
283 *
284 * smf_audit_event() then calls adt_alloc_event() to allocate an
285 * adt_event_data union which is defined in adt_event.h, copies the
286 * data into the appropriate members of the union and calls
287 * adt_put_event() to generate the event.
288 *
289 * Special Cases:
290 * =============
291 *
292 * There are three major types of special cases:
293 *
294 * - gathering event information for each action in a
295 * transaction
296 * - Higher level events represented by special property
297 * group/property name combinations. Many of these are
298 * restarter actions.
299 * - ADT_smf_annotation event
300 *
301 * Processing Transaction Actions:
302 * ------------------------------
303 *
304 * A transaction can contain multiple actions to modify, create or
305 * delete one or more properties. We need to capture information so
306 * that we can generate an event for each property action. The
307 * transaction information is stored in a tx_commmit_data_t, and
308 * object.c provides accessor functions to retrieve data from this
309 * structure. rc_tx_commit() obtains a tx_commit_data_t by calling
310 * tx_commit_data_new() and passes this to object_tx_commit() to
311 * commit the transaction. Then we call generate_property_events() to
312 * generate an audit event for each property action.
313 *
314 * Special Properties:
315 * ------------------
316 *
317 * There are combinations of property group/property name that are special.
318 * They are special because they have specific meaning to startd. startd
319 * interprets them in a service-independent fashion.
320 * restarter_actions/refresh and general/enabled are two examples of these.
321 * A special event is generated for these properties in addition to the
322 * regular property event described in the previous section. The special
323 * properties are declared as an array of audit_special_prop_item
324 * structures at special_props_list in rc_node.c.
325 *
326 * In the previous section, we mentioned the
327 * generate_property_event() function that generates an event for
328 * every property action. Before generating the event,
329 * generate_property_event() calls special_property_event().
330 * special_property_event() checks to see if the action involves a
331 * special property. If it does, it generates a special audit
332 * event.
333 *
334 * ADT_smf_annotation event:
335 * ------------------------
336 *
337 * This is a special event unlike any other. It allows the svccfg
338 * program to store an annotation in the event log before a series
339 * of transactions is processed. It is used with the import and
340 * apply svccfg commands. svccfg uses the rep_protocol_annotation
341 * message to pass the operation (import or apply) and the file name
342 * to configd. The set_annotation() function in client.c stores
343 * these away in the a repcache_client structure. The address of
344 * this structure is saved in the thread_info structure.
345 *
346 * Before it generates any events, smf_audit_event() calls
347 * smf_annotation_event(). smf_annotation_event() calls
348 * client_annotation_needed() which is defined in client.c. If an
349 * annotation is needed client_annotation_needed() returns the
350 * operation and filename strings that were saved from the
351 * rep_protocol_annotation message. smf_annotation_event() then
352 * generates the ADT_smf_annotation event.
353 */
355 #include <assert.h>
356 #include <atomic.h>
357 #include <bsm/adt_event.h>
358 #include <errno.h>
359 #include <libuutil.h>
360 #include <libscf.h>
361 #include <libscf_priv.h>
362 #include <pthread.h>
363 #include <pwd.h>
364 #include <stdio.h>
365 #include <stdlib.h>
366 #include <strings.h>
367 #include <sys/types.h>
368 #include <syslog.h>
369 #include <unistd.h>
370 #include <secdb.h>
378 #define AUTH_PG_ACTIONS SCF_PG_RESTARTER_ACTIONS
379 #define AUTH_PG_ACTIONS_TYPE SCF_PG_RESTARTER_ACTIONS_TYPE
380 #define AUTH_PG_GENERAL SCF_PG_GENERAL
381 #define AUTH_PG_GENERAL_TYPE SCF_PG_GENERAL_TYPE
382 #define AUTH_PG_GENERAL_OVR SCF_PG_GENERAL_OVR
383 #define AUTH_PG_GENERAL_OVR_TYPE SCF_PG_GENERAL_OVR_TYPE
390 #define MAX_VALID_CHILDREN 3
392 /*
393 * The ADT_smf_* symbols may not be defined on the build machine. Because
394 * of this, we do not want to compile the _smf_aud_event() function when
395 * doing native builds.
396 */
397 #ifdef NATIVE_BUILD
398 #define smf_audit_event(i, s, r, d)
399 #else
400 #define smf_audit_event(i, s, r, d) _smf_audit_event(i, s, r, d)
410 #define RT_NO_NAME -1U
430 };
431 #define NUM_TYPES ((sizeof (rc_types) / sizeof (*rc_types)))
433 /* Element of a permcheck_t hash table. */
437 };
439 /*
440 * If an authorization fails, we must decide which of the elements in the
441 * permcheck hash table to use in the audit event. That is to say of all
442 * the strings in the hash table, we must choose one and use it in the audit
443 * event. It is desirable to use the most specific string in the audit
444 * event.
445 *
446 * The pc_auth_type specifies the types (sources) of authorization
447 * strings. The enum is ordered in increasing specificity.
448 */
453 PC_AUTH_INST /* strings specified in PG of an instance. */
456 /*
457 * The following enum is used to represent the results of the checks to see
458 * if the client has the appropriate permissions to perform an action.
459 */
464 PERM_FAIL /* Generic failure. e.g. resources */
467 /* An authorization set hash table. */
475 /* for audit events */
478 /*
479 * Structure for holding audit event data. Not all events use all members
480 * of the structure.
481 */
492 /*
493 * Pointer to function to do special processing to get audit event ID.
494 * Audit event IDs are defined in /usr/include/bsm/adt_event.h. Function
495 * returns 0 if ID successfully retrieved. Otherwise it returns -1.
496 */
498 au_event_t *);
500 au_event_t *);
513 /*
514 * Some combinations of property group/property name require a special
515 * audit event to be generated when there is a change.
516 * audit_special_prop_item_t is used to specify these special cases. The
517 * special_props_list array defines a list of these special properties.
518 */
526 /*
527 * Native builds are done using the build machine's standard include
528 * files. These files may not yet have the definitions for the ADT_smf_*
529 * symbols. Thus, we do not compile this table when doing native builds.
530 */
531 #ifndef NATIVE_BUILD
532 /*
533 * The following special_props_list array specifies property group/property
534 * name combinations that have specific meaning to startd. A special event
535 * is generated for these combinations in addition to the regular property
536 * event.
537 *
538 * At run time this array gets sorted. See the call to qsort(3C) in
539 * rc_node_init(). The array is sorted, so that bsearch(3C) can be used
540 * to do lookups.
541 */
544 NULL},
563 };
564 #define SPECIAL_PROP_COUNT (sizeof (special_props_list) /\
565 sizeof (audit_special_prop_item_t))
568 /*
569 * We support an arbitrary number of clients interested in events for certain
570 * types of changes. Each client is represented by an rc_notify_info_t, and
571 * all clients are chained onto the rc_notify_info_list.
572 *
573 * The rc_notify_list is the global notification list. Each entry is of
574 * type rc_notify_t, which is embedded in one of three other structures:
575 *
576 * rc_node_t property group update notification
577 * rc_notify_delete_t object deletion notification
578 * rc_notify_info_t notification clients
579 *
580 * Which type of object is determined by which pointer in the rc_notify_t is
581 * non-NULL.
582 *
583 * New notifications and clients are added to the end of the list.
584 * Notifications no-one is interested in are never added to the list.
585 *
586 * Clients use their position in the list to track which notifications they
587 * have not yet reported. As they process notifications, they move forward
588 * in the list past them. There is always a client at the beginning of the
589 * list -- as it moves past notifications, it removes them from the list and
590 * cleans them up.
591 *
592 * The rc_pg_notify_lock protects all notification state. The rc_pg_notify_cv
593 * is used for global signalling, and each client has a cv which it waits for
594 * events of interest on.
595 *
596 * rc_notify_in_use is used to protect rc_notify_list from deletions when
597 * the rc_pg_notify_lock is dropped. Specifically, rc_notify_info_wait()
598 * must drop the lock to call rc_node_assign(), and then it reacquires the
599 * lock. Deletions from rc_notify_list during this period are not
600 * allowed. Insertions do not matter, because they are always done at the
601 * end of the list.
602 */
606 #define HASH_SIZE 512
607 #define HASH_MASK (HASH_SIZE - 1)
609 #pragma align 64(cache_hash)
612 #define CACHE_BUCKET(h) (&cache_hash[(h) & HASH_MASK])
618 static uint32_t
620 {
645 /*
646 * the rest should be zeroed
647 */
652 }
654 static int
656 {
680 }
682 /*
683 * Register an ephemeral reference to np. This should be done while both
684 * the persistent reference from which the np pointer was read is locked
685 * and np itself is locked. This guarantees that another thread which
686 * thinks it has the last reference will yield without destroying the
687 * node.
688 */
689 static void
691 {
695 }
697 /*
698 * the "other" references on a node are maintained in an atomically
699 * updated refcount, rn_other_refs. This can be bumped from arbitrary
700 * context, and tracks references to a possibly out-of-date node's children.
701 *
702 * To prevent the node from disappearing between the final drop of
703 * rn_other_refs and the unref handling, rn_other_refs_held is bumped on
704 * 0->1 transitions and decremented (with the node lock held) on 1->0
705 * transitions.
706 */
707 static void
709 {
713 }
715 }
717 /*
718 * No node locks may be held
719 */
720 static void
722 {
729 /*
730 * This was the last client reference. Destroy
731 * any other references and free() the node.
732 */
736 }
737 }
738 }
740 static void
742 {
749 }
751 static void
753 {
757 }
759 static void
761 {
772 /*
773 * Composed property groups are only as good as their
774 * references.
775 */
782 }
785 /*
786 * This was the last client reference. Destroy any other
787 * references and free() the node.
788 */
791 /*
792 * rn_erefs can be 0 if we acquired the reference in
793 * a path which hasn't been updated to increment rn_erefs.
794 * When all paths which end here are updated, we should
795 * assert rn_erefs > 0 and always decrement it.
796 */
800 }
804 }
806 void
808 {
811 }
815 {
819 }
821 static void
823 {
825 }
829 {
840 }
841 }
844 }
848 {
861 }
863 static void
865 {
874 }
876 static void
878 {
892 }
894 /*
895 * verify that the 'parent' type can have a child typed 'child'
896 * Fails with
897 * _INVALID_TYPE - argument is invalid
898 * _TYPE_MISMATCH - parent type cannot have children of type child
899 */
900 static int
902 {
914 }
917 }
919 /*
920 * Fails with
921 * _INVALID_TYPE - type is invalid
922 * _BAD_REQUEST - name is an invalid name for a node of type type
923 */
924 int
926 {
934 }
936 static int
938 {
943 }
945 /*
946 * rc_node_free_fmri should be called whenever a node loses its parent.
947 * The reason is that the node's fmri string is built up by concatenating
948 * its name to the parent's fmri. Thus, when the node no longer has a
949 * parent, its fmri is no longer valid.
950 */
951 static void
953 {
957 }
958 }
960 /*
961 * Concatenate the appropriate separator and the FMRI element to the base
962 * FMRI string at fmri.
963 *
964 * Fails with
965 * _TRUNCATED Not enough room in buffer at fmri.
966 */
967 static int
974 {
982 else
988 /*
989 * No need to display scope information if we are
990 * in the local scope.
991 */
995 /*
996 * Need to display scope information, because it is
997 * not the local scope.
998 */
1000 }
1016 /*
1017 * A value does not have a separate FMRI from its property,
1018 * so there is nothing to concat.
1019 */
1023 /* Snapshots do not have FMRIs, so there is nothing to do. */
1029 }
1031 /* Concatenate separator and element to the fmri buffer. */
1039 }
1040 }
1045 }
1048 }
1050 /*
1051 * Get the FMRI for the node at np. The fmri will be placed in buf. On
1052 * success sz_out will be set to the size of the fmri in buf. If
1053 * REP_PROTOCOL_FAIL_TRUNCATED is returned, sz_out will be set to the size
1054 * of the buffer that would be required to avoid truncation.
1055 *
1056 * Fails with
1057 * _TRUNCATED not enough room in buf for the FMRI.
1058 */
1059 static int
1062 {
1071 /*
1072 * A NULL rn_fmri implies that this is a top level scope.
1073 * Child nodes will always have an rn_fmri established
1074 * because both rc_node_link_child() and
1075 * rc_node_relink_child() call rc_node_build_fmri(). In
1076 * this case, we'll just return our name preceded by the
1077 * appropriate FMRI decorations.
1078 */
1085 /* We have an fmri, so return it. */
1087 }
1095 }
1097 /*
1098 * Build an FMRI string for this node and save it in rn_fmri.
1099 *
1100 * The basic strategy here is to get the fmri of our parent and then
1101 * concatenate the appropriate separator followed by our name. If our name
1102 * is null, the resulting fmri will just be a copy of the parent fmri.
1103 * rc_node_build_fmri() should be called with the RC_NODE_USING_PARENT flag
1104 * set. Also the rn_lock for this node should be held.
1105 *
1106 * Fails with
1107 * _NO_RESOURCES Could not allocate memory.
1108 */
1109 static int
1111 {
1132 }
1137 }
1140 }
1142 /*
1143 * Get the FMRI of the node at np placing the result in fmri. Then
1144 * concatenate the additional element to fmri. The type variable indicates
1145 * the type of element, so that the appropriate separator can be
1146 * generated. size is the number of bytes in the buffer at fmri, and
1147 * sz_out receives the size of the generated string. If the result is
1148 * truncated, sz_out will receive the size of the buffer that would be
1149 * required to avoid truncation.
1150 *
1151 * Fails with
1152 * _TRUNCATED Not enough room in buffer at fmri.
1153 */
1154 static int
1157 {
1161 REP_PROTOCOL_SUCCESS) {
1163 }
1165 REP_PROTOCOL_SUCCESS) {
1167 }
1170 }
1172 static int
1174 {
1183 }
1187 }
1194 }
1198 }
1199 }
1201 }
1203 static void
1205 {
1221 found++;
1222 }
1223 }
1226 else
1230 }
1232 static void
1235 {
1239 rc_notify_pool);
1247 /*
1248 * add to notification list, notify watchers
1249 */
1256 }
1258 static void
1260 {
1272 }
1276 }
1278 }
1280 static void
1282 {
1293 }
1294 }
1296 /*
1297 * Permission checking functions. See comment atop this file.
1298 */
1299 #ifndef NATIVE_BUILD
1302 {
1313 }
1317 }
1319 static void
1321 {
1322 uint_t i;
1329 }
1330 }
1334 }
1336 static uint32_t
1338 {
1342 /*
1343 * Generic hash function from uts/common/os/modhash.c.
1344 */
1351 }
1352 }
1355 }
1357 static perm_status_t
1359 {
1370 }
1371 }
1374 }
1376 static perm_status_t
1378 {
1379 uint_t i;
1387 }
1388 }
1389 }
1392 }
1394 static int
1396 {
1403 /* Homey don't play that. */
1416 }
1417 }
1424 }
1426 static int
1428 {
1430 uint_t i;
1436 /* Grow if pc_enum / pc_bnum > 3/4. */
1438 /* Failure is not a stopper; we'll try again next time. */
1450 }
1455 }
1457 /*
1458 * For the type of a property group, return the authorization which may be
1459 * used to modify it.
1460 */
1463 {
1472 else
1474 }
1476 /*
1477 * Fails with
1478 * _NO_RESOURCES - out of memory
1479 */
1480 static int
1482 pc_auth_type_t auth_type)
1483 {
1485 REP_PROTOCOL_FAIL_NO_RESOURCES);
1486 }
1488 /*
1489 * Fails with
1490 * _NO_RESOURCES - out of memory
1491 */
1492 static int
1494 {
1496 }
1498 /* Note that perm_add_enabling_values() is defined below. */
1500 /*
1501 * perm_granted() returns PERM_GRANTED if the current door caller has one of
1502 * the enabling authorizations in pcp, PERM_DENIED if it doesn't, PERM_GONE if
1503 * the door client went away and PERM_FAIL if an error (usually lack of
1504 * memory) occurs. auth_cb() checks each and every authorizations as
1505 * enumerated by _enum_auths. When we find a result other than PERM_DENIED,
1506 * we short-cut the enumeration and return non-zero.
1507 */
1509 static int
1511 {
1517 else
1522 /*
1523 * If we failed, choose the most specific auth string for use in
1524 * the audit event.
1525 */
1530 }
1532 static perm_status_t
1534 {
1538 uid_t uid;
1542 /* Get the uid */
1545 /*
1546 * Client is no longer waiting for our response (e.g.,
1547 * it received a signal & resumed with EINTR).
1548 * Punting with door_return() would be nice but we
1549 * need to release all of the locks & references we
1550 * hold. And we must report failure to the client
1551 * layer to keep it from ignoring retries as
1552 * already-done (idempotency & all that). None of the
1553 * error codes fit very well, so we might as well
1554 * force the return of _PERMISSION_DENIED since we
1555 * couldn't determine the user.
1556 */
1558 }
1561 }
1568 }
1570 /*
1571 * Enumerate all the auths defined for the user and return the
1572 * result in ret.
1573 */
1578 }
1580 static int
1583 {
1592 else
1599 else
1608 }
1610 }
1613 /*
1614 * flags in RC_NODE_WAITING_FLAGS are broadcast when unset, and are used to
1615 * serialize certain actions, and to wait for certain operations to complete
1616 *
1617 * The waiting flags are:
1618 * RC_NODE_CHILDREN_CHANGING
1619 * The child list is being built or changed (due to creation
1620 * or deletion). All iterators pause.
1621 *
1622 * RC_NODE_USING_PARENT
1623 * Someone is actively using the parent pointer, so we can't
1624 * be removed from the parent list.
1625 *
1626 * RC_NODE_CREATING_CHILD
1627 * A child is being created -- locks out other creations, to
1628 * prevent insert-insert races.
1629 *
1630 * RC_NODE_IN_TX
1631 * This object is running a transaction.
1632 *
1633 * RC_NODE_DYING
1634 * This node might be dying. Always set as a set, using
1635 * RC_NODE_DYING_FLAGS (which is everything but
1636 * RC_NODE_USING_PARENT)
1637 */
1638 static int
1640 {
1646 }
1652 }
1654 static void
1656 {
1662 }
1664 /*
1665 * wait until a particular flag has cleared. Fails if the object dies.
1666 */
1667 static int
1669 {
1675 }
1677 /*
1678 * On entry, np's lock must be held, and this thread must be holding
1679 * RC_NODE_USING_PARENT. On return, both of them are released.
1680 *
1681 * If the return value is NULL, np either does not have a parent, or
1682 * the parent has been marked DEAD.
1683 *
1684 * If the return value is non-NULL, it is the parent of np, and both
1685 * its lock and the requested flags are held.
1686 */
1689 {
1699 }
1710 }
1712 }
1714 rc_node_t *
1716 {
1731 rc_notify_pool);
1734 }
1736 void
1738 {
1748 /* Release the holds from rc_iter_next(). */
1750 /* rn_cchain[i] may be NULL for empty snapshots. */
1753 }
1754 }
1775 rc_notify_pool);
1785 }
1787 /*
1788 * Link in a child node.
1789 *
1790 * Because of the lock ordering, cp has to already be in the hash table with
1791 * its lock dropped before we get it. To prevent anyone from noticing that
1792 * it is parentless, the creation code sets the RC_NODE_USING_PARENT. Once
1793 * we've linked it in, we release the flag.
1794 */
1795 static void
1797 {
1807 REP_PROTOCOL_SUCCESS);
1818 }
1820 /*
1821 * Sets the rn_parent_ref field of all the children of np to pp -- always
1822 * initially invoked as rc_node_setup_parent_ref(np, np), we then recurse.
1823 *
1824 * This is used when we mark a node RC_NODE_OLD, so that when the object and
1825 * its children are no longer referenced, they will all be deleted as a unit.
1826 */
1827 static void
1829 {
1846 }
1849 }
1850 }
1852 /*
1853 * Atomically replace 'np' with 'newp', with a parent of 'pp'.
1854 *
1855 * Requirements:
1856 * *no* node locks may be held.
1857 * pp must be held with RC_NODE_CHILDREN_CHANGING
1858 * newp and np must be held with RC_NODE_IN_TX
1859 * np must be marked RC_NODE_IN_PARENT, newp must not be
1860 * np must be marked RC_NODE_OLD
1861 *
1862 * Afterwards:
1863 * pp's RC_NODE_CHILDREN_CHANGING is dropped
1864 * newp and np's RC_NODE_IN_TX is dropped
1865 * newp->rn_former = np;
1866 * newp is RC_NODE_IN_PARENT, np is not.
1867 * interested notify subscribers have been notified of newp's new status.
1868 */
1869 static void
1871 {
1873 /*
1874 * First, swap np and nnp in the cache. newp's RC_NODE_IN_TX flag
1875 * keeps rc_node_update() from seeing it until we are done.
1876 */
1882 /*
1883 * replace np with newp in pp's list, and attach it to newp's rn_former
1884 * link.
1885 */
1901 /*
1902 * Note that we carefully add newp before removing np -- this
1903 * keeps iterators on the list from missing us.
1904 */
1909 /*
1910 * re-set np
1911 */
1926 }
1928 /*
1929 * makes sure a node with lookup 'nip', name 'name', and parent 'pp' exists.
1930 * 'cp' is used (and returned) if the node does not yet exist. If it does
1931 * exist, 'cp' is freed, and the existent node is returned instead.
1932 */
1933 rc_node_t *
1936 {
1947 /*
1948 * make sure it matches our expectations
1949 */
1958 }
1963 }
1965 /*
1966 * No one is there -- setup & install the new node.
1967 */
1977 #if COMPOSITION_DEPTH == 2
1980 #else
1981 #error This code must be updated.
1982 #endif
1983 }
1991 }
1993 /*
1994 * makes sure a snapshot with lookup 'nip', name 'name', and parent 'pp' exists.
1995 * 'cp' is used (and returned) if the node does not yet exist. If it does
1996 * exist, 'cp' is freed, and the existent node is returned instead.
1997 */
1998 rc_node_t *
2001 {
2012 /*
2013 * make sure it matches our expectations
2014 */
2023 }
2028 }
2030 /*
2031 * No one is there -- create a new node.
2032 */
2048 }
2050 /*
2051 * makes sure a snaplevel with lookup 'nip' and parent 'pp' exists. 'cp' is
2052 * used (and returned) if the node does not yet exist. If it does exist, 'cp'
2053 * is freed, and the existent node is returned instead.
2054 */
2055 rc_node_t *
2058 {
2069 /*
2070 * make sure it matches our expectations
2071 */
2080 }
2085 }
2087 /*
2088 * No one is there -- create a new node.
2089 */
2103 /* Add this snaplevel to the snapshot's composition chain. */
2110 }
2112 /*
2113 * Returns NULL if strdup() fails.
2114 */
2115 rc_node_t *
2118 {
2127 /*
2128 * make sure it matches our expectations (don't check
2129 * the generation number or parent, since someone could
2130 * have gotten a transaction through while we weren't
2131 * looking)
2132 */
2141 }
2146 }
2156 }
2162 }
2174 }
2176 #if COMPOSITION_DEPTH == 2
2177 /*
2178 * Initialize a "composed property group" which represents the composition of
2179 * property groups pg1 & pg2. It is ephemeral: once created & returned for an
2180 * ITER_READ request, keeping it out of cache_hash and any child lists
2181 * prevents it from being looked up. Operations besides iteration are passed
2182 * through to pg1.
2183 *
2184 * pg1 & pg2 should be held before entering this function. They will be
2185 * released in rc_node_destroy().
2186 */
2187 static int
2189 {
2202 }
2203 #else
2204 #error This code must be updated.
2205 #endif
2207 /*
2208 * Fails with _NO_RESOURCES.
2209 */
2210 int
2214 {
2222 /*
2223 * make sure it matches our expectations
2224 */
2237 }
2241 }
2243 /*
2244 * No one is there -- create a new node.
2245 */
2251 }
2259 }
2274 }
2276 /*
2277 * This function implements a decision table to determine the event ID for
2278 * changes to the enabled (SCF_PROPERTY_ENABLED) property. The event ID is
2279 * determined by the value of the first property in the command specified
2280 * by cmd_no and the name of the property group. Here is the decision
2281 * table:
2282 *
2283 * Property Group Name
2284 * Property ------------------------------------------
2285 * Value SCF_PG_GENERAL SCF_PG_GENERAL_OVR
2286 * -------- -------------- ------------------
2287 * "0" ADT_smf_disable ADT_smf_tmp_disable
2288 * "1" ADT_smf_enable ADT_smf_tmp_enable
2289 *
2290 * This function is called by special_property_event through a function
2291 * pointer in the special_props_list array.
2292 *
2293 * Since the ADT_smf_* symbols may not be defined in the build machine's
2294 * include files, this function is not compiled when doing native builds.
2295 */
2296 #ifndef NATIVE_BUILD
2297 static int
2300 {
2305 /*
2306 * First, check property value.
2307 */
2320 }
2322 /*
2323 * Now check property group name.
2324 */
2331 }
2333 }
2336 /*
2337 * This function compares two audit_special_prop_item_t structures
2338 * represented by item1 and item2. It returns an integer greater than 0 if
2339 * item1 is greater than item2. It returns 0 if they are equal and an
2340 * integer less than 0 if item1 is less than item2. api_prop_name and
2341 * api_pg_name are the key fields for sorting.
2342 *
2343 * This function is suitable for calls to bsearch(3C) and qsort(3C).
2344 */
2345 static int
2347 {
2354 /*
2355 * Primary keys are the same, so check the secondary key.
2356 */
2358 }
2360 }
2362 int
2364 {
2399 /*
2400 * Sort the special_props_list array so that it can be searched
2401 * with bsearch(3C).
2402 *
2403 * The special_props_list array is not compiled into the native
2404 * build code, so there is no need to call qsort if NATIVE_BUILD is
2405 * defined.
2406 */
2407 #ifndef NATIVE_BUILD
2427 }
2429 /*
2430 * Fails with
2431 * _INVALID_TYPE - type is invalid
2432 * _TYPE_MISMATCH - np doesn't carry children of type type
2433 * _DELETED - np has been deleted
2434 * _NO_RESOURCES
2435 */
2436 static int
2438 {
2444 REP_PROTOCOL_SUCCESS)
2453 }
2461 }
2465 }
2467 /*
2468 * Returns
2469 * _INVALID_TYPE - type is invalid
2470 * _TYPE_MISMATCH - np doesn't carry children of type type
2471 * _DELETED - np has been deleted
2472 * _NO_RESOURCES
2473 * _SUCCESS - if *cpp is not NULL, it is held
2474 */
2475 static int
2478 {
2494 }
2501 }
2505 /*
2506 * Returns
2507 * _INVALID_TYPE - type is invalid
2508 * _DELETED - np or an ancestor has been deleted
2509 * _NOT_FOUND - no ancestor of specified type exists
2510 * _SUCCESS - *app is held
2511 */
2512 static int
2514 {
2530 }
2535 }
2538 }
2540 #ifndef NATIVE_BUILD
2541 /*
2542 * If the propname property exists in pg, and it is of type string, add its
2543 * values as authorizations to pcp. pg must not be locked on entry, and it is
2544 * returned unlocked. Returns
2545 * _DELETED - pg was deleted
2546 * _NO_RESOURCES
2547 * _NOT_FOUND - pg has no property named propname
2548 * _SUCCESS
2549 */
2550 static int
2552 {
2556 uint_t count;
2576 }
2577 }
2582 /* rn_valtype is immutable, so no locking. */
2586 }
2594 PC_AUTH_SVC);
2599 }
2604 }
2606 /*
2607 * Assuming that ent is a service or instance node, if the pgname property
2608 * group has type pgtype, and it has a propname property with string type, add
2609 * its values as authorizations to pcp. If pgtype is NULL, it is not checked.
2610 * Returns
2611 * _SUCCESS
2612 * _DELETED - ent was deleted
2613 * _NO_RESOURCES - no resources
2614 * _NOT_FOUND - ent does not have pgname pg or propname property
2615 */
2616 static int
2619 {
2640 }
2659 }
2660 }
2665 }
2667 /*
2668 * If pg has a property named propname, and is string typed, add its values as
2669 * authorizations to pcp. If pg has no such property, and its parent is an
2670 * instance, walk up to the service and try doing the same with the property
2671 * of the same name from the property group of the same name. Returns
2672 * _SUCCESS
2673 * _NO_RESOURCES
2674 * _DELETED - pg (or an ancestor) was deleted
2675 */
2676 static int
2678 {
2697 /*
2698 * If pg is a child of an instance or snapshot, we want to compose the
2699 * authorization property with the service's (if it exists). The
2700 * snapshot case applies only to read_authorization. In all other
2701 * cases, the pg's parent will be the instance.
2702 */
2707 }
2718 }
2720 /*
2721 * Call perm_add_enabling_values() for the "action_authorization" property of
2722 * the "general" property group of inst. Returns
2723 * _DELETED - inst (or an ancestor) was deleted
2724 * _NO_RESOURCES
2725 * _SUCCESS
2726 */
2727 static int
2729 {
2745 }
2751 }
2754 void
2756 {
2761 }
2763 void
2765 {
2769 }
2770 }
2772 static void
2774 {
2782 /*
2783 * Register the ephemeral reference created by reading
2784 * out->rnp_node into cur. Note that the persistent
2785 * reference we're destroying is locked by the client
2786 * layer.
2787 */
2791 }
2795 }
2797 void
2799 {
2802 }
2804 void
2806 {
2808 }
2810 /*
2811 * rc_node_check()/RC_NODE_CHECK()
2812 * generic "entry" checks, run before the use of an rc_node pointer.
2813 *
2814 * Fails with
2815 * _NOT_SET
2816 * _DELETED
2817 */
2818 static int
2820 {
2829 }
2832 }
2834 /*
2835 * Fails with
2836 * _NOT_SET - ptr is reset
2837 * _DELETED - node has been deleted
2838 */
2841 {
2846 else
2849 }
2857 }
2859 }
2861 #define RC_NODE_CHECK_AND_LOCK(n) { \
2862 int rc__res; \
2863 if ((rc__res = rc_node_check_and_lock(n)) != REP_PROTOCOL_SUCCESS) \
2864 return (rc__res); \
2865 }
2867 #define RC_NODE_CHECK(n) { \
2868 RC_NODE_CHECK_AND_LOCK(n); \
2869 (void) pthread_mutex_unlock(&(n)->rn_lock); \
2870 }
2872 #define RC_NODE_CHECK_AND_HOLD(n) { \
2873 RC_NODE_CHECK_AND_LOCK(n); \
2874 rc_node_hold_locked(n); \
2875 (void) pthread_mutex_unlock(&(n)->rn_lock); \
2876 }
2878 #define RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp) { \
2879 int rc__res; \
2880 if (((np) = rc_node_ptr_check_and_lock(npp, &rc__res)) == NULL) \
2881 return (rc__res); \
2882 }
2884 #define RC_NODE_PTR_CHECK_LOCK_OR_FREE_RETURN(np, npp, mem) { \
2885 int rc__res; \
2886 if (((np) = rc_node_ptr_check_and_lock(npp, &rc__res)) == \
2887 NULL) { \
2888 if ((mem) != NULL) \
2889 free((mem)); \
2890 return (rc__res); \
2891 } \
2892 }
2894 #define RC_NODE_PTR_GET_CHECK(np, npp) { \
2895 RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp); \
2896 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2897 }
2899 #define RC_NODE_PTR_GET_CHECK_AND_HOLD(np, npp) { \
2900 RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp); \
2901 rc_node_hold_locked(np); \
2902 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2903 }
2905 #define HOLD_FLAG_OR_RETURN(np, flag) { \
2906 assert(MUTEX_HELD(&(np)->rn_lock)); \
2907 assert(!((np)->rn_flags & RC_NODE_DEAD)); \
2908 if (!rc_node_hold_flag((np), flag)) { \
2909 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2910 return (REP_PROTOCOL_FAIL_DELETED); \
2911 } \
2912 }
2914 #define HOLD_PTR_FLAG_OR_FREE_AND_RETURN(np, npp, flag, mem) { \
2915 assert(MUTEX_HELD(&(np)->rn_lock)); \
2916 if (!rc_node_hold_flag((np), flag)) { \
2917 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2918 assert((np) == (npp)->rnp_node); \
2919 rc_node_clear(npp, 1); \
2920 if ((mem) != NULL) \
2921 free((mem)); \
2922 return (REP_PROTOCOL_FAIL_DELETED); \
2923 } \
2924 }
2926 int
2928 {
2932 }
2934 /*
2935 * the main scope never gets destroyed
2936 */
2940 }
2942 /*
2943 * Fails with
2944 * _NOT_SET - npp is not set
2945 * _DELETED - the node npp pointed at has been deleted
2946 * _TYPE_MISMATCH - type is not _SCOPE
2947 * _NOT_FOUND - scope has no parent
2948 */
2949 static int
2951 {
2962 }
2966 /*
2967 * Fails with
2968 * _NOT_SET
2969 * _DELETED
2970 * _NOT_APPLICABLE
2971 * _NOT_FOUND
2972 * _BAD_REQUEST
2973 * _TRUNCATED
2974 * _NO_RESOURCES
2975 */
2976 int
2979 {
2990 }
3026 {
3042 }
3044 }
3047 }
3053 }
3055 int
3057 {
3068 }
3070 /*
3071 * Get np's parent. If np is deleted, returns _DELETED. Otherwise puts a hold
3072 * on the parent, returns a pointer to it in *out, and returns _SUCCESS.
3073 */
3074 static int
3076 {
3085 }
3095 }
3107 }
3109 /* guaranteed to succeed without dropping the lock */
3115 }
3134 deleted:
3137 }
3139 /*
3140 * Fails with
3141 * _NOT_SET
3142 * _DELETED
3143 */
3144 static int
3146 {
3152 }
3154 /*
3155 * Fails with
3156 * _NOT_SET - npp is not set
3157 * _DELETED - the node npp pointed at has been deleted
3158 * _TYPE_MISMATCH - npp's node's parent is not of type type
3159 *
3160 * If npp points to a scope, can also fail with
3161 * _NOT_FOUND - scope has no parent
3162 */
3163 int
3165 {
3176 }
3181 }
3187 }
3189 int
3191 {
3199 }
3209 }
3211 /*
3212 * Fails with
3213 * _INVALID_TYPE - type is invalid
3214 * _TYPE_MISMATCH - np doesn't carry children of type type
3215 * _DELETED - np has been deleted
3216 * _NOT_FOUND - no child with that name/type combo found
3217 * _NO_RESOURCES
3218 * _BACKEND_ACCESS
3219 */
3220 int
3223 {
3243 /*
3244 * loop only if we succeeded, but no child of
3245 * the correct name was found.
3246 */
3250 }
3252 }
3253 }
3260 else
3264 }
3266 }
3268 int
3270 {
3278 /*
3279 * If we're updating a composed property group, actually
3280 * update the top-level property group & return the
3281 * appropriate value. But leave *nnp pointing at us.
3282 */
3285 }
3300 }
3301 /*
3302 * grab the lock before dropping the cache bucket, so
3303 * that no one else can sneak in
3304 */
3313 }
3315 /*
3316 * If it is dead, we want to update it so that it will continue to
3317 * report being dead.
3318 */
3325 }
3336 }
3338 /*
3339 * does a generic modification check, for creation, deletion, and snapshot
3340 * management only. Property group transactions have different checks.
3341 *
3342 * The string returned to *match_auth must be freed.
3343 */
3344 static perm_status_t
3346 {
3352 #ifdef NATIVE_BUILD
3355 }
3357 #else
3369 /*
3370 * Copy off the authorization
3371 * string before freeing pcp.
3372 */
3377 }
3380 }
3385 }
3389 }
3391 /*
3392 * Native builds are done to create svc.configd-native. This program runs
3393 * only on the Solaris build machines to create the seed repository, and it
3394 * is compiled against the build machine's header files. The ADT_smf_*
3395 * symbols may not be defined in these header files. For this reason
3396 * smf_annotation_event(), _smf_audit_event() and special_property_event()
3397 * are not compiled for native builds.
3398 */
3399 #ifndef NATIVE_BUILD
3401 /*
3402 * This function generates an annotation audit event if one has been setup.
3403 * Annotation events should only be generated immediately before the audit
3404 * record from the first attempt to modify the repository from a client
3405 * which has requested an annotation.
3406 */
3407 static void
3409 {
3415 /* Don't audit if we're using an alternate repository. */
3422 }
3425 }
3429 }
3436 }
3444 }
3446 }
3448 /*
3449 * _smf_audit_event interacts with the security auditing system to generate
3450 * an audit event structure. It establishes an audit session and allocates
3451 * an audit event. The event is filled in from the audit data, and
3452 * adt_put_event is called to generate the event.
3453 */
3454 static void
3457 {
3464 /* Don't audit if we're using an alternate repository */
3475 }
3477 /*
3478 * Handle possibility of NULL authorization strings, FMRIs and
3479 * property values.
3480 */
3485 }
3492 }
3497 }
3499 /* Fill in the event data. */
3624 }
3629 }
3631 }
3633 /*
3634 * Determine if the combination of the property group at pg_name and the
3635 * property at prop_name are in the set of special startd properties. If
3636 * they are, a special audit event will be generated.
3637 */
3638 static void
3642 {
3643 au_event_t event_id;
3644 audit_special_prop_item_t search_key;
3647 /* Use bsearch to find the special property information. */
3654 /* Not a special property. */
3656 }
3658 /* Get the event id */
3665 }
3667 /* Generate the event. */
3669 }
3672 /*
3673 * Return a pointer to a string containing all the values of the command
3674 * specified by cmd_no with each value enclosed in quotes. It is up to the
3675 * caller to free the memory at the returned pointer.
3676 */
3679 {
3691 /*
3692 * First determine the size of the buffer that we will need. We
3693 * will represent each property value surrounded by quotes with a
3694 * space separating the values. Thus, we need to find the total
3695 * size of all the value strings and add 3 for each value.
3696 *
3697 * There is one catch, though. We need to escape any internal
3698 * quote marks in the values. So for each quote in the value we
3699 * need to add another byte to the buffer size.
3700 */
3703 REP_PROTOCOL_SUCCESS)
3707 }
3709 }
3716 /* Now build up the string of values. */
3719 REP_PROTOCOL_SUCCESS) {
3722 }
3731 }
3732 }
3736 }
3740 }
3742 /*
3743 * generate_property_events takes the transaction commit data at tx_data
3744 * and generates an audit event for each command.
3745 *
3746 * Native builds are done to create svc.configd-native. This program runs
3747 * only on the Solaris build machines to create the seed repository. Thus,
3748 * no audit events should be generated when running svc.configd-native.
3749 */
3750 static void
3757 {
3758 #ifndef NATIVE_BUILD
3760 audit_event_data_t audit_data;
3764 au_event_t event_id;
3774 /* Make sure we have something to do. */
3780 /* Copy the property group fmri */
3784 /*
3785 * Get the property group name. It is the first component after
3786 * the last occurance of SCF_FMRI_PROPERTYGRP_PREFIX in the fmri.
3787 */
3794 }
3800 /*
3801 * Property type is two characters (see
3802 * rep_protocol_value_type_t), so terminate the string.
3803 */
3807 /* Construct FMRI of the property */
3810 REP_PROTOCOL_SUCCESS) {
3812 }
3816 /*
3817 * If we can't get the FMRI, we'll abandon this
3818 * command
3819 */
3821 }
3823 /* Generate special property event if necessary. */
3827 /* Capture rest of audit data. */
3829 REP_PROTOCOL_SUCCESS) {
3831 }
3836 /* Determine the event type. */
3838 REP_PROTOCOL_SUCCESS) {
3841 }
3859 }
3861 /* Generate the event. */
3865 }
3867 }
3869 /*
3870 * Fails with
3871 * _DELETED - node has been deleted
3872 * _NOT_SET - npp is reset
3873 * _NOT_APPLICABLE - type is _PROPERTYGRP
3874 * _INVALID_TYPE - node is corrupt or type is invalid
3875 * _TYPE_MISMATCH - node cannot have children of type type
3876 * _BAD_REQUEST - name is invalid
3877 * cannot create children for this type of node
3878 * _NO_RESOURCES - out of memory, or could not allocate new id
3879 * _PERMISSION_DENIED
3880 * _BACKEND_ACCESS
3881 * _BACKEND_READONLY
3882 * _EXISTS - child already exists
3883 * _TRUNCATED - truncated FMRI for the audit record
3884 */
3885 int
3888 {
3892 perm_status_t perm_rc;
3895 audit_event_data_t audit_data;
3899 /*
3900 * rc_node_modify_permission_check() must be called before the node
3901 * is locked. This is because the library functions that check
3902 * authorizations can trigger calls back into configd.
3903 */
3907 /*
3908 * We continue in this case, so that an audit event can be
3909 * generated later in the function.
3910 */
3920 }
3926 /*
3927 * there is a separate interface for creating property groups
3928 */
3933 }
3941 }
3942 }
3945 REP_PROTOCOL_SUCCESS) {
3949 }
3954 }
3961 }
3968 }
3980 }
3989 }
3994 }
3996 int
3999 {
4004 perm_status_t granted;
4006 audit_event_data_t audit_data;
4007 au_event_t event_id;
4016 /* verify flags is valid */
4025 }
4028 REP_PROTOCOL_SUCCESS) {
4031 }
4036 }
4038 #ifdef NATIVE_BUILD
4041 }
4042 #else
4047 }
4052 }
4055 /* Must have .smf.modify or smf.modify.<type> authorization */
4066 }
4068 /*
4069 * .manage or $action_authorization can be used to
4070 * create the actions pg and the general_ovr pg.
4071 */
4083 }
4091 /* No auditing if client gone. */
4095 }
4096 }
4101 }
4105 }
4114 }
4118 }
4130 }
4139 }
4144 }
4146 static void
4148 {
4159 }
4160 }
4162 static void
4164 {
4176 }
4197 }
4204 }
4213 cleanup:
4233 }
4234 }
4236 /*
4237 * Hold RC_NODE_DYING_FLAGS on np's descendents. If andformer is true, do
4238 * the same down the rn_former chain.
4239 */
4240 static void
4242 {
4245 again:
4254 /*
4255 * already marked as dead -- can't happen, since that
4256 * would require setting RC_NODE_CHILDREN_CHANGING
4257 * in np, and we're holding that...
4258 */
4260 }
4264 }
4272 }
4274 }
4276 /*
4277 * N.B.: this function drops np->rn_lock on the way out.
4278 */
4279 static void
4281 {
4284 again:
4294 }
4302 }
4305 }
4307 static void
4309 {
4319 }
4323 }
4327 /*
4328 * If this node is not out-dated, we need to remove it from
4329 * the notify list and cache hash table.
4330 */
4345 }
4346 }
4348 /*
4349 * For each child, call rc_node_finish_delete() and recurse. If andformer
4350 * is set, also recurse down rn_former. Finally release np, which might
4351 * free it.
4352 */
4353 static void
4355 {
4358 again:
4371 }
4373 /*
4374 * When we drop cp's lock, all the children will be gone, so we
4375 * can release DYING_FLAGS.
4376 */
4382 /*
4383 * Register the ephemeral reference created by reading
4384 * np->rn_former into cp. Note that the persistent
4385 * reference (np->rn_former) is locked because we haven't
4386 * dropped np's lock since we dropped its RC_NODE_IN_TX
4387 * (via RC_NODE_DYING_FLAGS).
4388 */
4402 }
4404 }
4406 /*
4407 * The last client or child reference to np, which must be either
4408 * RC_NODE_OLD or RC_NODE_DEAD, has been destroyed. We'll destroy any
4409 * remaining references (e.g., rn_former) and call rc_node_destroy() to
4410 * free np.
4411 */
4412 static void
4414 {
4424 /*
4425 * The node is DEAD, so the deletion code should have
4426 * destroyed all rn_children or rn_former references.
4427 * Since the last client or child reference has been
4428 * destroyed, we're free to destroy np. Unless another
4429 * thread has an ephemeral reference, in which case we'll
4430 * pass the buck.
4431 */
4436 }
4441 }
4443 /* We only collect DEAD and OLD nodes, thank you. */
4446 /*
4447 * RC_NODE_UNREFED keeps multiple threads from processing OLD
4448 * nodes. But it's vulnerable to unfriendly scheduling, so full
4449 * use of rn_erefs should supersede it someday.
4450 */
4454 }
4457 /*
4458 * Now we'll remove the node from the rn_former chain and take its
4459 * DYING_FLAGS.
4460 */
4462 /*
4463 * Since this node is OLD, it should be on an rn_former chain. To
4464 * remove it, we must find the current in-hash object and grab its
4465 * RC_NODE_IN_TX flag to protect the entire rn_former chain.
4466 */
4479 /*
4480 * We are trying to unreference this node, but the
4481 * owner of the former list does not exist. It must
4482 * be the case that another thread is deleting this
4483 * entire sub-branch, but has not yet reached us.
4484 * We will in short order be deleted.
4485 */
4489 }
4492 /*
4493 * no longer unreferenced
4494 */
4497 /* held in cache_lookup() */
4500 }
4504 /*
4505 * current has been replaced since we looked it
4506 * up. Try again.
4507 */
4508 /* held in cache_lookup() */
4511 }
4514 /*
4515 * current has been deleted since we looked it up. Try
4516 * again.
4517 */
4518 /* held in cache_lookup() */
4521 }
4523 /*
4524 * rc_node_hold_flag() might have dropped current's lock, so
4525 * check OLD again.
4526 */
4528 /* Not old. Stop looping. */
4531 }
4535 }
4537 /* To take np's RC_NODE_DYING_FLAGS, we need its lock. */
4540 /*
4541 * While we didn't have the lock, a thread may have added
4542 * a reference or changed the flags.
4543 */
4551 /* held by cache_lookup() */
4554 }
4557 /*
4558 * Someone deleted the node while we were waiting for
4559 * DYING_FLAGS. Undo the modifications to current.
4560 */
4564 /* held by cache_lookup() */
4569 }
4571 /* Take RC_NODE_DYING_FLAGS on np's descendents. */
4574 /* Mark np DEAD. This requires the lock. */
4577 /* Recheck for new references. */
4586 /* held by cache_lookup() */
4589 }
4593 /*
4594 * Delete the children. This calls rc_node_rele_locked() on np at
4595 * the end, so add a reference to keep the count from going
4596 * negative. It will recurse with RC_NODE_DEAD set, so we'll call
4597 * rc_node_destroy() above, but RC_NODE_UNREFED is also set, so it
4598 * shouldn't actually free() np.
4599 */
4603 /* Remove np from current's rn_former chain. */
4607 ;
4614 /* held by cache_lookup() */
4617 /* Clear ON_FORMER and UNREFED, and destroy. */
4623 /* Still referenced. Stay execution. */
4627 }
4633 died:
4634 /*
4635 * Another thread marked np DEAD. If there still aren't any
4636 * persistent references, destroy the node.
4637 */
4649 }
4655 }
4657 static au_event_t
4659 {
4662 #ifndef NATIVE_BUILD
4677 }
4681 }
4684 }
4686 /*
4687 * Fails with
4688 * _NOT_SET
4689 * _DELETED
4690 * _BAD_REQUEST
4691 * _PERMISSION_DENIED
4692 * _NO_RESOURCES
4693 * _TRUNCATED
4694 * and whatever object_delete() fails with.
4695 */
4696 int
4698 {
4709 audit_event_data_t audit_data;
4735 }
4740 /* Scopes and snaplevels are indelible. */
4754 event_id =
4761 }
4763 }
4765 /* Snapshot property groups are indelible. */
4777 }
4783 }
4787 again:
4788 /*
4789 * The following loop is to deal with the fact that snapshots and
4790 * property groups are moving targets -- changes to them result
4791 * in a new "child" node. Since we can only delete from the top node,
4792 * we have to loop until we have a non-RC_NODE_OLD version.
4793 */
4800 }
4810 }
4813 }
4819 }
4821 /*
4822 * Mark our parent as children changing. this call drops our
4823 * lock and the RC_NODE_USING_PARENT flag, and returns with
4824 * pp's lock held
4825 */
4828 /* our parent is gone, we're going next... */
4834 }
4849 }
4850 /*
4851 * Everyone out of the pool -- we grab everything but
4852 * RC_NODE_USING_PARENT (including RC_NODE_DYING) to keep
4853 * any changes from occurring while we are attempting to
4854 * delete the node.
4855 */
4860 }
4869 }
4871 #ifdef NATIVE_BUILD
4874 }
4875 #else
4877 /* permission check */
4883 /* add .smf.modify.<type> for pgs. */
4885 REP_PROTOCOL_ENTITY_PROPERTYGRP) {
4891 }
4899 /* No need to audit if client gone. */
4902 RC_NODE_DYING_FLAGS);
4904 }
4907 }
4912 }
4917 }
4924 }
4932 }
4943 }
4945 /*
4946 * Now, delicately unlink and delete the object.
4947 *
4948 * Create the delete notification, atomically remove
4949 * from the hash table and set the NODE_DEAD flag, and
4950 * remove from the parent's children list.
4951 */
4963 /*
4964 * Remove from pp's rn_children. This requires pp's lock,
4965 * so we must drop np's lock to respect lock order.
4966 */
4978 }
4980 /*
4981 * finally, propagate death to our children (including marking
4982 * them DEAD), handle notifications, and release our hold.
4983 */
5005 fail:
5013 }
5017 }
5018 cleanout:
5024 }
5026 int
5028 {
5041 }
5048 }
5057 }
5065 }
5067 /*
5068 * mark our parent as children changing. This call drops our
5069 * lock and the RC_NODE_USING_PARENT flag, and returns with
5070 * pp's lock held
5071 */
5074 /* our parent is gone, we're going next... */
5078 }
5080 /*
5081 * find the next snaplevel
5082 */
5086 ;
5088 /* it must match the snaplevel list */
5099 }
5106 }
5108 }
5110 /*
5111 * This call takes a snapshot (np) and either:
5112 * an existing snapid (to be associated with np), or
5113 * a non-NULL parentp (from which a new snapshot is taken, and associated
5114 * with np)
5115 *
5116 * To do the association, np is duplicated, the duplicate is made to
5117 * represent the new snapid, and np is replaced with the new rc_node_t on
5118 * np's parent's child list. np is placed on the new node's rn_former list,
5119 * and replaces np in cache_hash (so rc_node_update() will find the new one).
5120 *
5121 * old_fmri and old_name point to the original snap shot's FMRI and name.
5122 * These values are used when generating audit events.
5123 *
5124 * Fails with
5125 * _BAD_REQUEST
5126 * _BACKEND_READONLY
5127 * _DELETED
5128 * _NO_RESOURCES
5129 * _TRUNCATED
5130 * _TYPE_MISMATCH
5131 */
5132 static int
5139 {
5145 perm_status_t granted;
5146 au_event_t event_id;
5147 audit_event_data_t audit_data;
5153 }
5156 /* Gather the audit data. */
5157 /*
5158 * ADT_smf_* symbols may not be defined in the /usr/include header
5159 * files on the build machine. Thus, the following if-else will
5160 * not be compiled when doing native builds.
5161 */
5162 #ifndef NATIVE_BUILD
5167 }
5176 }
5181 }
5186 /*
5187 * In the attach case, get the instance FMRIs of the
5188 * snapshots.
5189 */
5196 }
5198 /*
5199 * Capture the FMRI of the parent if we're actually going
5200 * to take the snapshot.
5201 */
5204 REP_PROTOCOL_SUCCESS) {
5209 }
5210 }
5236 }
5239 /*
5240 * get the latest node, holding RC_NODE_IN_TX to keep the rn_former
5241 * list from changing.
5242 */
5247 }
5249 RC_NODE_CHILDREN_CHANGING);
5254 }
5257 RC_NODE_CHILDREN_CHANGING);
5260 }
5264 /*
5265 * Can't happen, since we're holding our
5266 * parent's CHILDREN_CHANGING flag...
5267 */
5269 }
5271 }
5272 again:
5279 }
5282 }
5288 }
5291 /*
5292 * look for a former node with the snapid we need.
5293 */
5303 }
5310 }
5312 }
5313 }
5321 }
5332 }
5333 }
5341 else
5348 /*
5349 * fix up the former chain
5350 */
5357 }
5361 /*
5362 * replace np with nnp
5363 */
5370 cleanout:
5376 fail:
5386 else
5388 }
5394 }
5396 int
5399 {
5400 perm_status_t granted;
5405 audit_event_data_t audit_data;
5410 /*
5411 * rc_node_modify_permission_check() must be called before the node
5412 * is locked. This is because the library functions that check
5413 * authorizations can trigger calls back into configd.
5414 */
5418 /*
5419 * We continue in this case, so that we can generate an
5420 * audit event later in this function.
5421 */
5428 /* No need to produce audit event if client is gone. */
5435 }
5442 }
5449 }
5453 REP_PROTOCOL_SUCCESS) {
5457 }
5461 REP_PROTOCOL_SUCCESS) {
5465 }
5475 }
5482 }
5493 }
5502 }
5506 }
5508 int
5510 {
5516 }
5522 }
5526 }
5528 int
5530 {
5543 }
5554 }
5555 }
5561 }
5566 }
5568 /*
5569 * If the pgname property group under ent has type pgtype, and it has a
5570 * propname property with type ptype, return _SUCCESS. If pgtype is NULL,
5571 * it is not checked. If ent is not a service node, we will return _SUCCESS if
5572 * a property meeting the requirements exists in either the instance or its
5573 * parent.
5574 *
5575 * Returns
5576 * _SUCCESS - see above
5577 * _DELETED - ent or one of its ancestors was deleted
5578 * _NO_RESOURCES - no resources
5579 * _NOT_FOUND - no matching property was found
5580 */
5581 static int
5584 {
5605 }
5615 }
5637 }
5638 }
5644 }
5650 }
5657 }
5659 /*
5660 * At this point, pg is non-NULL, and is a property group node of the
5661 * correct type. spg, if non-NULL, is also a property group node of
5662 * the correct type. Check for the property in pg first, then spg
5663 * (if applicable).
5664 */
5678 }
5680 }
5693 }
5711 }
5713 }
5724 }
5727 }
5729 /*
5730 * Given a property group node, returns _SUCCESS if the property group may
5731 * be read without any special authorization.
5732 *
5733 * Fails with:
5734 * _DELETED - np or an ancestor node was deleted
5735 * _TYPE_MISMATCH - np does not refer to a property group
5736 * _NO_RESOURCES - no resources
5737 * _PERMISSION_DENIED - authorization is required
5738 */
5739 static int
5741 {
5775 }
5778 }
5780 /*
5781 * Fails with
5782 * _DELETED - np's node or parent has been deleted
5783 * _TYPE_MISMATCH - np's node is not a property
5784 * _NO_RESOURCES - out of memory
5785 * _PERMISSION_DENIED - no authorization to read this property's value(s)
5786 * _BAD_REQUEST - np's parent is not a property group
5787 */
5788 static int
5790 {
5795 audit_event_data_t audit_data;
5804 #ifdef NATIVE_BUILD
5806 #else
5815 }
5822 }
5829 }
5839 }
5841 /*
5842 * If you are permitted to modify the value, you may also
5843 * read it. This means that both the MODIFY and VALUE
5844 * authorizations are acceptable. We don't allow requests
5845 * for AUTH_PROP_MODIFY if all you have is $AUTH_PROP_VALUE,
5846 * however, to avoid leaking possibly valuable information
5847 * since such a user can't change the property anyway.
5848 */
5851 AUTH_PROP_MODIFY);
5856 AUTH_PROP_VALUE);
5860 AUTH_PROP_READ);
5870 }
5873 /* Generate a read_prop audit event. */
5877 }
5881 }
5892 }
5896 }
5906 }
5908 /*
5909 * Iteration
5910 */
5911 static int
5913 {
5917 }
5919 static int
5921 {
5925 }
5927 /*ARGSUSED*/
5928 static int
5930 {
5932 }
5934 /*
5935 * Allocate & initialize an rc_node_iter_t structure. Essentially, ensure
5936 * np->rn_children is populated and call uu_list_walk_start(np->rn_children).
5937 * If successful, leaves a hold on np & increments np->rn_other_refs
5938 *
5939 * If composed is true, then set up for iteration across the top level of np's
5940 * composition chain. If successful, leaves a hold on np and increments
5941 * rn_other_refs for the top level of np's composition chain.
5942 *
5943 * Fails with
5944 * _NO_RESOURCES
5945 * _INVALID_TYPE
5946 * _TYPE_MISMATCH - np cannot carry type children
5947 * _DELETED
5948 */
5949 static int
5952 {
5962 /* np is held by the client's rc_node_ptr_t */
5970 REP_PROTOCOL_SUCCESS) {
5974 }
5979 UU_WALK_ROBUST);
5987 }
5993 /* rn_cchain isn't valid until children are loaded. */
5996 REP_PROTOCOL_ENTITY_SNAPLEVEL);
6001 }
6003 /* Check for an empty snapshot. */
6006 }
6008 /* Start at the top of the composition chain. */
6011 /* Empty composition chain. */
6012 empty:
6015 /* It's ok, iter_next() will return _DONE. */
6017 }
6025 /* Someone deleted it, so try the next one. */
6026 }
6032 UU_WALK_ROBUST);
6039 }
6040 }
6046 }
6049 }
6051 out:
6059 }
6061 static void
6063 {
6078 }
6080 /*
6081 * Fails with
6082 * _NOT_SET - npp is reset
6083 * _DELETED - npp's node has been deleted
6084 * _NOT_APPLICABLE - npp's node is not a property
6085 * _NO_RESOURCES - out of memory
6086 */
6087 static int
6089 {
6101 }
6107 }
6122 }
6124 /*
6125 * Returns:
6126 * _NO_RESOURCES - out of memory
6127 * _NOT_SET - npp is reset
6128 * _DELETED - npp's node has been deleted
6129 * _TYPE_MISMATCH - npp's node is not a property
6130 * _NOT_FOUND - property has no values
6131 * _TRUNCATED - property has >1 values (first is written into out)
6132 * _SUCCESS - property has 1 value (which is written into out)
6133 * _PERMISSION_DENIED - no authorization to read property value(s)
6134 *
6135 * We shorten *sz_out to not include anything after the final '\0'.
6136 */
6137 int
6140 {
6159 }
6164 }
6176 REP_PROTOCOL_SUCCESS;
6179 }
6181 int
6184 {
6193 rep_protocol_responseid_t result;
6230 /*
6231 * update the offsets if we're not repeating
6232 */
6236 }
6239 }
6243 }
6245 /*
6246 * Entry point for ITER_START from client.c. Validate the arguments & call
6247 * rc_iter_create().
6248 *
6249 * Fails with
6250 * _NOT_SET
6251 * _DELETED
6252 * _TYPE_MISMATCH - np cannot carry type children
6253 * _BAD_REQUEST - flags is invalid
6254 * pattern is invalid
6255 * _NO_RESOURCES
6256 * _INVALID_TYPE
6257 * _TYPE_MISMATCH - *npp cannot have children of type
6258 * _BACKEND_ACCESS
6259 */
6260 int
6263 {
6282 }
6285 REP_PROTOCOL_SUCCESS)
6292 /* Composition only works for instances & snapshots. */
6300 REP_PROTOCOL_SUCCESS)
6305 }
6318 }
6324 }
6332 }
6334 /*
6335 * Do uu_list_walk_next(iter->rni_iter) until we find a child which matches
6336 * the filter.
6337 * For composed iterators, then check to see if there's an overlapping entity
6338 * (see embedded comments). If we reach the end of the list, start over at
6339 * the next level.
6340 *
6341 * Returns
6342 * _BAD_REQUEST - iter walks values
6343 * _TYPE_MISMATCH - iter does not walk type entities
6344 * _DELETED - parent was deleted
6345 * _NO_RESOURCES
6346 * _INVALID_TYPE - type is invalid
6347 * _DONE
6348 * _SUCCESS
6349 *
6350 * For composed property group iterators, can also return
6351 * _TYPE_MISMATCH - parent cannot have type children
6352 */
6353 int
6355 {
6366 }
6371 }
6379 }
6382 /* Composed iterator. Iterate over appropriate level. */
6385 /*
6386 * If iter->rni_parent is an instance or a snapshot, np must
6387 * be valid since iter holds iter->rni_parent & possible
6388 * levels (service, instance, snaplevel) cannot be destroyed
6389 * while rni_parent is held. If iter->rni_parent is
6390 * a composed property group then rc_node_setup_cpg() put
6391 * a hold on np.
6392 */
6400 }
6401 }
6410 #if COMPOSITION_DEPTH == 2
6412 /* release walker and lock */
6415 }
6417 /* Stop walking current level. */
6424 /* Start walking next level. */
6428 #else
6429 #error This code must be updated.
6430 #endif
6439 UU_WALK_ROBUST);
6446 }
6447 }
6453 }
6456 }
6462 /*
6463 * If we're composed and not at the top level, check to see if
6464 * there's an entity at a higher level with the same name. If
6465 * so, skip this one.
6466 */
6471 #if COMPOSITION_DEPTH == 2
6484 }
6487 /* Make sure np isn't being deleted all of a sudden. */
6492 }
6495 /* Keep going. */
6497 #else
6498 #error This code must be updated.
6499 #endif
6500 }
6502 /*
6503 * If we're composed, iterating over property groups, and not
6504 * at the bottom level, check to see if there's a pg at lower
6505 * level with the same name. If so, return a cpg.
6506 */
6510 #if COMPOSITION_DEPTH == 2
6520 /* holds pg if not NULL */
6526 }
6536 }
6544 rn_lock);
6547 }
6551 /* Keep res held for rc_node_setup_cpg(). */
6561 }
6569 /* Nevermind. */
6571 rn_lock);
6576 rn_lock);
6578 RC_NODE_DYING)) {
6582 return
6584 }
6599 }
6600 }
6601 #else
6602 #error This code must be updated.
6603 #endif
6604 }
6609 }
6616 }
6618 void
6620 {
6637 else
6641 }
6646 }
6648 int
6650 {
6654 perm_status_t granted;
6664 }
6669 }
6674 }
6676 #ifdef NATIVE_BUILD
6681 #else
6685 /* permission check */
6690 }
6699 /* solaris.smf.modify can be used */
6705 }
6707 /* solaris.smf.manage can be used. */
6714 }
6716 /* general/action_authorization values can be used. */
6723 }
6741 }
6749 /* propertygroup-type-specific authorization */
6750 /* no locking because rn_type won't change anyway */
6756 }
6759 /* propertygroup/transaction-type-specific auths */
6760 ret =
6764 ret =
6767 /* AUTH_MANAGE can manipulate general/AUTH_PROP_ACTION */
6777 }
6778 }
6789 }
6792 /*
6793 * If we get here, the authorization failed.
6794 * Unfortunately, we don't have enough information at this
6795 * point to generate the security audit events. We'll only
6796 * get that information when the client tries to commit the
6797 * event. Thus, we'll remember the failed authorization,
6798 * so that we can generate the audit events later.
6799 */
6801 }
6804 skip_checks:
6808 /* Save the authorization string. */
6813 }
6819 }
6821 /*
6822 * Return 1 if the given transaction commands only modify the values of
6823 * properties other than "modify_authorization". Return -1 if any of the
6824 * commands are invalid, and 0 otherwise.
6825 */
6826 static int
6828 {
6833 boolean_t ok;
6858 /* Check type */
6864 REP_PROTOCOL_SUCCESS) {
6868 /*
6869 * rc_node_find_named_child()
6870 * places a hold on prop which we
6871 * do not need to hang on to.
6872 */
6874 }
6875 }
6883 }
6891 }
6894 }
6896 /*
6897 * Return 1 if any of the given transaction commands affect
6898 * "action_authorization". Return -1 if any of the commands are invalid and
6899 * 0 in all other cases.
6900 */
6901 static int
6903 {
6930 }
6933 }
6935 /*
6936 * Returns 1 if the transaction commands only modify properties named
6937 * 'enabled'.
6938 */
6939 static int
6941 {
6968 }
6971 }
6973 int
6975 {
6982 perm_status_t granted;
6999 }
7002 is_main_repository) {
7003 #ifdef NATIVE_BUILD
7006 }
7007 #else
7008 /* permission check: depends on contents of transaction */
7013 /* If normal is cleared, we won't do the normal checks. */
7019 /* Touching general[framework]/action_authorization? */
7024 }
7027 /*
7028 * Yes: only AUTH_MODIFY and AUTH_MANAGE
7029 * can be used.
7030 */
7035 AUTH_MANAGE);
7040 }
7050 }
7058 }
7061 REP_PROTOCOL_ENTITY_INSTANCE);
7076 rc);
7077 }
7080 }
7081 }
7087 /* Add pgtype-specific authorization. */
7093 }
7095 /* Add pg-specific modify_authorization auths. */
7098 AUTH_PROP_MODIFY);
7100 /* If value_authorization values are ok, add them. */
7107 AUTH_PROP_VALUE);
7108 }
7109 }
7115 /*
7116 * _PERMISSION_DENIED should not cause us
7117 * to exit at this point, because we still
7118 * want to generate an audit event.
7119 */
7121 }
7122 }
7133 }
7139 }
7145 }
7149 }
7151 /*
7152 * Parse the transaction commands into a useful form.
7153 */
7155 REP_PROTOCOL_SUCCESS) {
7157 }
7160 /* Authorization failed. Generate audit events. */
7165 }
7171 }
7185 }
7189 /*
7190 * We must have all of the old properties in the cache, or the
7191 * database deletions could cause inconsistencies.
7192 */
7194 REP_PROTOCOL_SUCCESS) {
7198 }
7205 }
7213 }
7217 /* our parent is gone, we're going next... */
7224 }
7228 }
7231 /*
7232 * prepare for the transaction
7233 */
7243 }
7247 /* Sets nnp->rn_gen_id on success. */
7262 }
7264 /*
7265 * Notify waiters
7266 */
7277 /*
7278 * replace np with nnp
7279 */
7282 /*
7283 * all done -- clear the transaction.
7284 */
7291 cleanout:
7296 }
7298 void
7300 {
7304 }
7306 int
7308 {
7316 }
7318 /*
7319 * wait for any transaction in progress to complete
7320 */
7324 }
7329 }
7340 }
7342 void
7344 {
7350 }
7352 void
7354 {
7359 rc_notify_pool);
7372 }
7373 }
7375 static void
7377 {
7385 }
7387 static void
7389 {
7403 /*
7404 * clean up any notifications at the beginning of the list
7405 */
7407 /*
7408 * We can't call rc_notify_remove_locked() unless
7409 * rc_notify_in_use is 0.
7410 */
7414 }
7418 }
7425 }
7428 }
7430 static int
7433 {
7455 /*
7456 * Don't add name if it's already being tracked.
7457 */
7461 }
7462 }
7468 }
7472 out:
7478 }
7480 int
7482 {
7484 }
7486 int
7488 {
7490 }
7492 /*
7493 * Wait for and report an event of interest to rnip, a notification client
7494 */
7495 int
7498 {
7512 RC_NOTIFY_ACTIVE) {
7513 /*
7514 * If I'm first on the notify list, it is my job to
7515 * clean up any notifications I pass by. I can't do that
7516 * if someone is blocking the list from removals, so I
7517 * have to wait until they have all drained.
7518 */
7526 }
7528 /*
7529 * Search the list for a node of interest.
7530 */
7537 /*
7538 * Passing another client -- stop
7539 * cleaning up notifications
7540 */
7544 }
7545 }
7547 }
7549 /*
7550 * Nothing of interest -- wait for notification
7551 */
7558 }
7560 /*
7561 * found something to report -- move myself after the
7562 * notification and process it.
7563 */
7574 }
7579 /*
7580 * We can't bump nnp's reference count without grabbing its
7581 * lock, and rc_pg_notify_lock is a leaf lock. So we
7582 * temporarily block all removals to keep nnp from
7583 * disappearing.
7584 */
7585 rc_notify_in_use++;
7593 rc_notify_in_use--;
7596 /*
7597 * While we had the lock dropped, another thread
7598 * may have also incremented rc_notify_in_use. We
7599 * need to make sure that we're back to 0 before
7600 * removing the node.
7601 */
7605 }
7607 }
7613 }
7614 /*
7615 * If we're the last one out, let people know it's clear.
7616 */
7621 }
7623 static void
7625 {
7639 }
7643 }
7644 }
7649 }
7651 void
7653 {
7658 rc_notify_pool);
7659 }