1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2019 Joyent, Inc.
25 */
26
27#include <sys/mutex.h>
28#include <sys/debug.h>
29#include <sys/types.h>
30#include <sys/param.h>
31#include <sys/kmem.h>
32#include <sys/thread.h>
33#include <sys/id_space.h>
34#include <sys/avl.h>
35#include <sys/list.h>
36#include <sys/sysmacros.h>
37#include <sys/proc.h>
38#include <sys/contract.h>
39#include <sys/contract_impl.h>
40#include <sys/contract/process.h>
41#include <sys/contract/process_impl.h>
42#include <sys/cmn_err.h>
43#include <sys/nvpair.h>
44#include <sys/policy.h>
45#include <sys/refstr.h>
46#include <sys/sunddi.h>
47
48/*
49 * Process Contracts
50 * -----------------
51 *
52 * Generally speaking, a process contract is a contract between a
53 * process and a set of its descendent processes.  In some cases, when
54 * the child processes outlive the author of the contract, the contract
55 * may be held by (and therefore be between the child processes and) a
56 * successor process which adopts the contract after the death of the
57 * original author.
58 *
59 * The process contract adds two new concepts to the Solaris process
60 * model.  The first is that a process contract forms a rigid fault
61 * boundary around a set of processes.  Hardware, software, and even
62 * administrator errors impacting a process in a process contract
63 * generate specific events and can be requested to atomically shutdown
64 * all processes in the contract.  The second is that a process
65 * contract is a process collective whose leader is not a member of the
66 * collective.  This means that the leader can reliably react to events
67 * in the collective, and may also act upon the collective without
68 * special casing itself.
69 *
70 * A composite outcome of these two concepts is that we can now create
71 * a tree of process contracts, rooted at init(1M), which represent
72 * services and subservices that are reliably observed and can be
73 * restarted when fatal errors occur.  The service management framework
74 * (SMF) realizes this structure.
75 *
76 * For more details, see the "restart agreements" case, PSARC 2003/193.
77 *
78 * There are four sets of routines in this file: the process contract
79 * standard template operations, the process contract standard contract
80 * operations, a couple routines used only by the contract subsystem to
81 * handle process contracts' unique role as a temporary holder of
82 * abandoned contracts, and the interfaces which allow the system to
83 * create and act upon process contracts.  The first two are defined by
84 * the contracts framework and won't be discussed further.  As for the
85 * remaining two:
86 *
87 * Special framework interfaces
88 * ----------------------------
89 *
90 * contract_process_accept - determines if a process contract is a
91 *   regent, i.e. if it can inherit other contracts.
92 *
93 * contract_process_take - tells a regent process contract to inherit
94 *   an abandoned contract
95 *
96 * contract_process_adopt - tells a regent process contract that a
97 *   contract it has inherited is being adopted by a process.
98 *
99 * Process contract interfaces
100 * ---------------------------
101 *
102 * contract_process_fork - called when a process is created; adds the
103 *   new process to an existing contract or to a newly created one.
104 *
105 * contract_process_exit - called when a process exits
106 *
107 * contract_process_core - called when a process would have dumped core
108 *   (even if a core file wasn't generated)
109 *
110 * contract_process_hwerr - called when a process was killed because of
111 *   an uncorrectable hardware error
112 *
113 * contract_process_sig - called when a process was killed by a fatal
114 *   signal sent by a process in another process contract
115 *
116 */
117
118ct_type_t *process_type;
119ctmpl_process_t *sys_process_tmpl;
120refstr_t *conp_svc_aux_default;
121
122/*
123 * Macro predicates for determining when events should be sent and how.
124 */
125#define	EVSENDP(ctp, flag) \
126	((ctp->conp_contract.ct_ev_info | ctp->conp_contract.ct_ev_crit) & flag)
127
128#define	EVINFOP(ctp, flag) \
129	((ctp->conp_contract.ct_ev_crit & flag) == 0)
130
131#define	EVFATALP(ctp, flag) \
132	(ctp->conp_ev_fatal & flag)
133
134
135/*
136 * Process contract template implementation
137 */
138
139/*
140 * ctmpl_process_dup
141 *
142 * The process contract template dup entry point.  Other than the
143 * to-be-subsumed contract, which must be held, this simply copies all
144 * the fields of the original.
145 */
146static struct ct_template *
147ctmpl_process_dup(struct ct_template *template)
148{
149	ctmpl_process_t *new;
150	ctmpl_process_t *old = template->ctmpl_data;
151
152	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
153
154	ctmpl_copy(&new->ctp_ctmpl, template);
155	new->ctp_ctmpl.ctmpl_data = new;
156
157	new->ctp_subsume = old->ctp_subsume;
158	if (new->ctp_subsume)
159		contract_hold(new->ctp_subsume);
160	new->ctp_params = old->ctp_params;
161	new->ctp_ev_fatal = old->ctp_ev_fatal;
162	new->ctp_svc_fmri = old->ctp_svc_fmri;
163	if (new->ctp_svc_fmri != NULL) {
164		refstr_hold(new->ctp_svc_fmri);
165	}
166	new->ctp_svc_aux = old->ctp_svc_aux;
167	if (new->ctp_svc_aux != NULL) {
168		refstr_hold(new->ctp_svc_aux);
169	}
170
171	return (&new->ctp_ctmpl);
172}
173
174/*
175 * ctmpl_process_free
176 *
177 * The process contract template free entry point.  Just releases a
178 * to-be-subsumed contract and frees the template.
179 */
180static void
181ctmpl_process_free(struct ct_template *template)
182{
183	ctmpl_process_t *ctp = template->ctmpl_data;
184
185	if (ctp->ctp_subsume)
186		contract_rele(ctp->ctp_subsume);
187	if (ctp->ctp_svc_fmri != NULL) {
188		refstr_rele(ctp->ctp_svc_fmri);
189	}
190	if (ctp->ctp_svc_aux != NULL) {
191		refstr_rele(ctp->ctp_svc_aux);
192	}
193	kmem_free(template, sizeof (ctmpl_process_t));
194}
195
196/*
197 * SAFE_EV is the set of events which a non-privileged process is
198 * allowed to make critical but not fatal or if the PGRPONLY parameter
199 * is set.  EXCESS tells us if "value", a critical event set, requires
200 * additional privilege given the template "ctp".
201 */
202#define	SAFE_EV			(CT_PR_EV_EMPTY)
203#define	EXCESS(ctp, value)	\
204	(((value) & ~((ctp)->ctp_ev_fatal | SAFE_EV)) || \
205	(((value) & ~SAFE_EV) && (ctp->ctp_params & CT_PR_PGRPONLY)))
206
207/*
208 * ctmpl_process_set
209 *
210 * The process contract template set entry point.  None of the terms
211 * may be unconditionally set, and setting the parameters or fatal
212 * event set may result in events being implicitly removed from to the
213 * critical event set and added to the informative event set.  The
214 * (admittedly subtle) reason we implicitly change the critical event
215 * set when the parameter or fatal event set is modified but not the
216 * other way around is because a change to the critical event set only
217 * affects the contract's owner, whereas a change to the parameter set
218 * and fatal set can affect the execution of the application running in
219 * the contract (and should therefore be only made explicitly).  We
220 * allow implicit changes at all so that setting contract terms doesn't
221 * become a complex dance dependent on the template's initial state and
222 * the desired terms.
223 */
224static int
225ctmpl_process_set(struct ct_template *tmpl, ct_kparam_t *kparam,
226    const cred_t *cr)
227{
228	ctmpl_process_t *ctp = tmpl->ctmpl_data;
229	ct_param_t *param = &kparam->param;
230	contract_t *ct;
231	int error;
232	uint64_t param_value;
233	char *str_value;
234
235	if ((param->ctpm_id == CTPP_SVC_FMRI) ||
236	    (param->ctpm_id == CTPP_CREATOR_AUX)) {
237		str_value = (char *)kparam->ctpm_kbuf;
238		str_value[param->ctpm_size - 1] = '\0';
239	} else {
240		if (param->ctpm_size < sizeof (uint64_t))
241			return (EINVAL);
242		param_value = *(uint64_t *)kparam->ctpm_kbuf;
243		/*
244		 * No process contract parameters are > 32 bits.
245		 * Unless it is a string.
246		 */
247		if (param_value & ~UINT32_MAX)
248			return (EINVAL);
249	}
250
251	switch (param->ctpm_id) {
252	case CTPP_SUBSUME:
253		if (param_value != 0) {
254			/*
255			 * Ensure that the contract exists, that we
256			 * hold the contract, and that the contract is
257			 * empty.
258			 */
259			ct = contract_type_ptr(process_type, param_value,
260			    curproc->p_zone->zone_uniqid);
261			if (ct == NULL)
262				return (ESRCH);
263			if (ct->ct_owner != curproc) {
264				contract_rele(ct);
265				return (EACCES);
266			}
267			if (((cont_process_t *)ct->ct_data)->conp_nmembers) {
268				contract_rele(ct);
269				return (ENOTEMPTY);
270			}
271		} else {
272			ct = NULL;
273		}
274		if (ctp->ctp_subsume)
275			contract_rele(ctp->ctp_subsume);
276		ctp->ctp_subsume = ct;
277		break;
278	case CTPP_PARAMS:
279		if (param_value & ~CT_PR_ALLPARAM)
280			return (EINVAL);
281		ctp->ctp_params = param_value;
282		/*
283		 * If an unprivileged process requests that
284		 * CT_PR_PGRPONLY be set, remove any unsafe events from
285		 * the critical event set and add them to the
286		 * informative event set.
287		 */
288		if ((ctp->ctp_params & CT_PR_PGRPONLY) &&
289		    EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
290		    !secpolicy_contract_event_choice(cr)) {
291			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~SAFE_EV);
292			tmpl->ctmpl_ev_crit &= SAFE_EV;
293		}
294
295		break;
296	case CTPP_SVC_FMRI:
297		if (error = secpolicy_contract_identity(cr))
298			return (error);
299		if (ctp->ctp_svc_fmri != NULL)
300			refstr_rele(ctp->ctp_svc_fmri);
301		if (strcmp(CT_PR_SVC_DEFAULT, str_value) == 0)
302			ctp->ctp_svc_fmri = NULL;
303		else
304			ctp->ctp_svc_fmri =
305			    refstr_alloc(str_value);
306		break;
307	case CTPP_CREATOR_AUX:
308		if (ctp->ctp_svc_aux != NULL)
309			refstr_rele(ctp->ctp_svc_aux);
310		if (param->ctpm_size == 1) /* empty string */
311			ctp->ctp_svc_aux = NULL;
312		else
313			ctp->ctp_svc_aux =
314			    refstr_alloc(str_value);
315		break;
316	case CTP_EV_CRITICAL:
317		/*
318		 * We simply don't allow adding events to the critical
319		 * event set which aren't permitted by our policy or by
320		 * privilege.
321		 */
322		if (EXCESS(ctp, param_value) &&
323		    (error = secpolicy_contract_event(cr)) != 0)
324			return (error);
325		tmpl->ctmpl_ev_crit = param_value;
326		break;
327	case CTPP_EV_FATAL:
328		if (param_value & ~CT_PR_ALLFATAL)
329			return (EINVAL);
330		ctp->ctp_ev_fatal = param_value;
331		/*
332		 * Check to see if an unprivileged process is
333		 * requesting that events be removed from the fatal
334		 * event set which are still in the critical event set.
335		 */
336		if (EXCESS(ctp, tmpl->ctmpl_ev_crit) &&
337		    !secpolicy_contract_event_choice(cr)) {
338			int allowed =
339			    SAFE_EV | (ctp->ctp_params & CT_PR_PGRPONLY) ?
340			    0 : ctp->ctp_ev_fatal;
341			tmpl->ctmpl_ev_info |= (tmpl->ctmpl_ev_crit & ~allowed);
342			tmpl->ctmpl_ev_crit &= allowed;
343		}
344		break;
345	default:
346		return (EINVAL);
347	}
348
349	return (0);
350}
351
352/*
353 * ctmpl_process_get
354 *
355 * The process contract template get entry point.  Simply fetches and
356 * returns the requested term.
357 */
358static int
359ctmpl_process_get(struct ct_template *template, ct_kparam_t *kparam)
360{
361	ctmpl_process_t *ctp = template->ctmpl_data;
362	ct_param_t *param = &kparam->param;
363	uint64_t *param_value = kparam->ctpm_kbuf;
364
365	if (param->ctpm_id == CTPP_SUBSUME ||
366	    param->ctpm_id == CTPP_PARAMS ||
367	    param->ctpm_id == CTPP_EV_FATAL) {
368		if (param->ctpm_size < sizeof (uint64_t))
369			return (EINVAL);
370		kparam->ret_size = sizeof (uint64_t);
371	}
372
373	switch (param->ctpm_id) {
374	case CTPP_SUBSUME:
375		*param_value = ctp->ctp_subsume ?
376		    ctp->ctp_subsume->ct_id : 0;
377		break;
378	case CTPP_PARAMS:
379		*param_value = ctp->ctp_params;
380		break;
381	case CTPP_SVC_FMRI:
382		if (ctp->ctp_svc_fmri == NULL) {
383			kparam->ret_size =
384			    strlcpy((char *)kparam->ctpm_kbuf,
385			    CT_PR_SVC_DEFAULT, param->ctpm_size);
386		} else {
387			kparam->ret_size =
388			    strlcpy((char *)kparam->ctpm_kbuf,
389			    refstr_value(ctp->ctp_svc_fmri), param->ctpm_size);
390		}
391		kparam->ret_size++;
392		break;
393	case CTPP_CREATOR_AUX:
394		if (ctp->ctp_svc_aux == NULL) {
395			kparam->ret_size =
396			    strlcpy((char *)kparam->ctpm_kbuf,
397			    refstr_value(conp_svc_aux_default),
398			    param->ctpm_size);
399		} else {
400			kparam->ret_size =
401			    strlcpy((char *)kparam->ctpm_kbuf,
402			    refstr_value(ctp->ctp_svc_aux), param->ctpm_size);
403		}
404		kparam->ret_size++;
405		break;
406	case CTPP_EV_FATAL:
407		*param_value = ctp->ctp_ev_fatal;
408		break;
409	default:
410		return (EINVAL);
411	}
412
413	return (0);
414}
415
416static ctmplops_t ctmpl_process_ops = {
417	ctmpl_process_dup,		/* ctop_dup */
418	ctmpl_process_free,		/* ctop_free */
419	ctmpl_process_set,		/* ctop_set */
420	ctmpl_process_get,		/* ctop_get */
421	ctmpl_create_inval,		/* ctop_create */
422	CT_PR_ALLEVENT
423};
424
425
426/*
427 * Process contract implementation
428 */
429
430/*
431 * ctmpl_process_default
432 *
433 * The process contract default template entry point.  Creates a
434 * process contract template with no parameters set, with informative
435 * core and signal events, critical empty and hwerr events, and fatal
436 * hwerr events.
437 */
438static ct_template_t *
439contract_process_default(void)
440{
441	ctmpl_process_t *new;
442
443	new = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
444	ctmpl_init(&new->ctp_ctmpl, &ctmpl_process_ops, process_type, new);
445
446	new->ctp_subsume = NULL;
447	new->ctp_params = 0;
448	new->ctp_ctmpl.ctmpl_ev_info = CT_PR_EV_CORE | CT_PR_EV_SIGNAL;
449	new->ctp_ctmpl.ctmpl_ev_crit = CT_PR_EV_EMPTY | CT_PR_EV_HWERR;
450	new->ctp_ev_fatal = CT_PR_EV_HWERR;
451	new->ctp_svc_fmri = NULL;
452	new->ctp_svc_aux = NULL;
453
454	return (&new->ctp_ctmpl);
455}
456
457/*
458 * contract_process_free
459 *
460 * The process contract free entry point.
461 */
462static void
463contract_process_free(contract_t *ct)
464{
465	cont_process_t *ctp = ct->ct_data;
466	crfree(ctp->conp_cred);
467	list_destroy(&ctp->conp_members);
468	list_destroy(&ctp->conp_inherited);
469	if (ctp->conp_svc_fmri != NULL) {
470		refstr_rele(ctp->conp_svc_fmri);
471	}
472	if (ctp->conp_svc_aux != NULL) {
473		refstr_rele(ctp->conp_svc_aux);
474	}
475	if (ctp->conp_svc_creator != NULL) {
476		refstr_rele(ctp->conp_svc_creator);
477	}
478	kmem_free(ctp, sizeof (cont_process_t));
479}
480
481/*
482 * contract_process_cankill
483 *
484 * Determine if the contract author had or if the process generating
485 * the event, sp, has adequate privileges to kill process tp.
486 */
487static int
488contract_process_cankill(proc_t *tp, proc_t *sp, cont_process_t *ctp)
489{
490	int cankill;
491
492	mutex_enter(&tp->p_crlock);
493	cankill = hasprocperm(tp->p_cred, ctp->conp_cred);
494	mutex_exit(&tp->p_crlock);
495	if (cankill || (sp && prochasprocperm(tp, sp, CRED())))
496		return (1);
497
498	return (0);
499}
500
501/*
502 * contract_process_kill
503 *
504 * Kills all processes in a contract, or all processes in the
505 * intersection of a contract and ex's process group (if ex is non-NULL
506 * and the contract's PGRPONLY parameter is set).  If checkpriv is
507 * true, only those processes which may be signaled by the contract
508 * author or ex are killed.
509 */
510static void
511contract_process_kill(contract_t *ct, proc_t *ex, int checkpriv)
512{
513	cont_process_t *ctp = ct->ct_data;
514	proc_t *p;
515	pid_t pgrp = -1;
516
517	ASSERT(MUTEX_HELD(&ct->ct_lock));
518
519	if (ex && (ctp->conp_params & CT_PR_PGRPONLY)) {
520		pgrp = ex->p_pgrp;
521		mutex_enter(&pidlock);
522	}
523
524	for (p = list_head(&ctp->conp_members); p != NULL;
525	    p = list_next(&ctp->conp_members, p)) {
526		if ((p == ex) ||
527		    (pgrp != -1 && (p->p_stat == SIDL || p->p_pgrp != pgrp)) ||
528		    (checkpriv && !contract_process_cankill(p, ex, ctp)))
529			continue;
530
531		psignal(p, SIGKILL);
532	}
533
534	if (pgrp != -1)
535		mutex_exit(&pidlock);
536}
537
538
539/*
540 * contract_process_accept
541 *
542 * Tests if the process contract is willing to act as a regent for
543 * inherited contracts.  Though brief and only called from one place,
544 * this functionality is kept here to avoid including knowledge of
545 * process contract implementation in the generic contract code.
546 */
547int
548contract_process_accept(contract_t *parent)
549{
550	cont_process_t *ctp = parent->ct_data;
551
552	ASSERT(parent->ct_type == process_type);
553
554	return (ctp->conp_params & CT_PR_REGENT);
555}
556
557/*
558 * contract_process_take
559 *
560 * Executes the process contract side of inheriting a contract.
561 */
562void
563contract_process_take(contract_t *parent, contract_t *child)
564{
565	cont_process_t *ctp = parent->ct_data;
566
567	ASSERT(MUTEX_HELD(&parent->ct_lock));
568	ASSERT(MUTEX_HELD(&child->ct_lock));
569	ASSERT(parent->ct_type == process_type);
570	ASSERT(ctp->conp_params & CT_PR_REGENT);
571
572	list_insert_head(&ctp->conp_inherited, child);
573	ctp->conp_ninherited++;
574}
575
576/*
577 * contract_process_adopt
578 *
579 * Executes the process contract side of adopting a contract.
580 */
581void
582contract_process_adopt(contract_t *ct, proc_t *p)
583{
584	cont_process_t *parent = p->p_ct_process;
585
586	ASSERT(MUTEX_HELD(&parent->conp_contract.ct_lock));
587	ASSERT(MUTEX_HELD(&ct->ct_lock));
588
589	list_remove(&parent->conp_inherited, ct);
590	parent->conp_ninherited--;
591
592	/*
593	 * We drop the parent lock first because a) we are passing the
594	 * contract reference to the child, and b) contract_adopt
595	 * expects us to return with the contract lock held.
596	 */
597	mutex_exit(&parent->conp_contract.ct_lock);
598}
599
600/*
601 * contract_process_abandon
602 *
603 * The process contract abandon entry point.
604 */
605static void
606contract_process_abandon(contract_t *ct)
607{
608	cont_process_t *ctp = ct->ct_data;
609
610	ASSERT(MUTEX_HELD(&ct->ct_lock));
611
612	/*
613	 * Shall we stay or shall we go?
614	 */
615	if (list_head(&ctp->conp_members) == NULL) {
616		contract_destroy(ct);
617	} else {
618		/*
619		 * Strictly speaking, we actually do orphan the contract.
620		 * Assuming our credentials allow us to kill all
621		 * processes in the contract, this is only temporary.
622		 */
623		if (ctp->conp_params & CT_PR_NOORPHAN)
624			contract_process_kill(ct, NULL, B_TRUE);
625		contract_orphan(ct);
626		mutex_exit(&ct->ct_lock);
627		contract_rele(ct);
628	}
629}
630
631/*
632 * contract_process_destroy
633 *
634 * The process contract destroy entry point.
635 */
636static void
637contract_process_destroy(contract_t *ct)
638{
639	cont_process_t *ctp = ct->ct_data;
640	contract_t *cct;
641
642	ASSERT(MUTEX_HELD(&ct->ct_lock));
643
644	/*
645	 * contract_destroy all empty children, kill or orphan the rest
646	 */
647	while (cct = list_head(&ctp->conp_inherited)) {
648		mutex_enter(&cct->ct_lock);
649
650		ASSERT(cct->ct_state == CTS_INHERITED);
651
652		list_remove(&ctp->conp_inherited, cct);
653		ctp->conp_ninherited--;
654		cct->ct_regent = NULL;
655		cct->ct_type->ct_type_ops->contop_abandon(cct);
656	}
657}
658
659/*
660 * contract_process_status
661 *
662 * The process contract status entry point.
663 */
664static void
665contract_process_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
666    void *status, model_t model)
667{
668	cont_process_t *ctp = ct->ct_data;
669	uint32_t *pids, *ctids;
670	uint_t npids, nctids;
671	uint_t spids, sctids;
672	ctid_t local_svc_zone_enter;
673
674	if (detail == CTD_FIXED) {
675		mutex_enter(&ct->ct_lock);
676		contract_status_common(ct, zone, status, model);
677		local_svc_zone_enter = ctp->conp_svc_zone_enter;
678		mutex_exit(&ct->ct_lock);
679	} else {
680		contract_t *cnext;
681		proc_t *pnext;
682		uint_t loc;
683
684		ASSERT(detail == CTD_ALL);
685		mutex_enter(&ct->ct_lock);
686		for (;;) {
687			spids = ctp->conp_nmembers + 5;
688			sctids = ctp->conp_ninherited + 5;
689			mutex_exit(&ct->ct_lock);
690
691			pids = kmem_alloc(spids * sizeof (uint32_t), KM_SLEEP);
692			ctids = kmem_alloc(sctids * sizeof (uint32_t),
693			    KM_SLEEP);
694
695			mutex_enter(&ct->ct_lock);
696			npids = ctp->conp_nmembers;
697			nctids = ctp->conp_ninherited;
698			if (spids >= npids && sctids >= nctids)
699				break;
700
701			kmem_free(pids, spids * sizeof (uint32_t));
702			kmem_free(ctids, sctids * sizeof (uint32_t));
703		}
704		contract_status_common(ct, zone, status, model);
705		for (loc = 0, cnext = list_head(&ctp->conp_inherited); cnext;
706		    cnext = list_next(&ctp->conp_inherited, cnext))
707			ctids[loc++] = cnext->ct_id;
708		ASSERT(loc == nctids);
709		for (loc = 0, pnext = list_head(&ctp->conp_members); pnext;
710		    pnext = list_next(&ctp->conp_members, pnext))
711			pids[loc++] = pnext->p_pid;
712		ASSERT(loc == npids);
713		local_svc_zone_enter = ctp->conp_svc_zone_enter;
714		mutex_exit(&ct->ct_lock);
715	}
716
717	/*
718	 * Contract terms are static; there's no need to hold the
719	 * contract lock while accessing them.
720	 */
721	VERIFY(nvlist_add_uint32(nvl, CTPS_PARAMS, ctp->conp_params) == 0);
722	VERIFY(nvlist_add_uint32(nvl, CTPS_EV_FATAL, ctp->conp_ev_fatal) == 0);
723	if (detail == CTD_ALL) {
724		VERIFY(nvlist_add_uint32_array(nvl, CTPS_MEMBERS, pids,
725		    npids) == 0);
726		VERIFY(nvlist_add_uint32_array(nvl, CTPS_CONTRACTS, ctids,
727		    nctids) == 0);
728		VERIFY(nvlist_add_string(nvl, CTPS_CREATOR_AUX,
729		    refstr_value(ctp->conp_svc_aux)) == 0);
730		VERIFY(nvlist_add_string(nvl, CTPS_SVC_CREATOR,
731		    refstr_value(ctp->conp_svc_creator)) == 0);
732		kmem_free(pids, spids * sizeof (uint32_t));
733		kmem_free(ctids, sctids * sizeof (uint32_t));
734	}
735
736	/*
737	 * if we are in a local zone and svc_fmri was inherited from
738	 * the global zone, we provide fake svc_fmri and svc_ctid
739	 */
740	if (local_svc_zone_enter == 0 ||
741	    zone->zone_uniqid == GLOBAL_ZONEUNIQID) {
742		if (detail > CTD_COMMON) {
743			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
744			    ctp->conp_svc_ctid) == 0);
745			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
746			    refstr_value(ctp->conp_svc_fmri)) == 0);
747		}
748	} else {
749		if (detail > CTD_COMMON) {
750			VERIFY(nvlist_add_int32(nvl, CTPS_SVC_CTID,
751			    local_svc_zone_enter) == 0);
752			VERIFY(nvlist_add_string(nvl, CTPS_SVC_FMRI,
753			    CT_PR_SVC_FMRI_ZONE_ENTER) == 0);
754		}
755	}
756}
757
758/*ARGSUSED*/
759static int
760contract_process_newct(contract_t *ct)
761{
762	return (0);
763}
764
765/* process contracts don't negotiate */
766static contops_t contract_process_ops = {
767	contract_process_free,		/* contop_free */
768	contract_process_abandon,	/* contop_abandon */
769	contract_process_destroy,	/* contop_destroy */
770	contract_process_status,	/* contop_status */
771	contract_ack_inval,		/* contop_ack */
772	contract_ack_inval,		/* contop_nack */
773	contract_qack_inval,		/* contop_qack */
774	contract_process_newct		/* contop_newct */
775};
776
777/*
778 * contract_process_init
779 *
780 * Initializes the process contract type.  Also creates a template for
781 * use by newproc() when it creates user processes.
782 */
783void
784contract_process_init(void)
785{
786	process_type = contract_type_init(CTT_PROCESS, "process",
787	    &contract_process_ops, contract_process_default);
788
789	/*
790	 * Create a template for use with init(1M) and other
791	 * kernel-started processes.
792	 */
793	sys_process_tmpl = kmem_alloc(sizeof (ctmpl_process_t), KM_SLEEP);
794	ctmpl_init(&sys_process_tmpl->ctp_ctmpl, &ctmpl_process_ops,
795	    process_type, sys_process_tmpl);
796	sys_process_tmpl->ctp_subsume = NULL;
797	sys_process_tmpl->ctp_params = CT_PR_NOORPHAN;
798	sys_process_tmpl->ctp_ev_fatal = CT_PR_EV_HWERR;
799	sys_process_tmpl->ctp_svc_fmri =
800	    refstr_alloc("svc:/system/init:default");
801	sys_process_tmpl->ctp_svc_aux = refstr_alloc("");
802	conp_svc_aux_default = sys_process_tmpl->ctp_svc_aux;
803	refstr_hold(conp_svc_aux_default);
804}
805
806/*
807 * contract_process_create
808 *
809 * create a process contract given template "tmpl" and parent process
810 * "parent".  May fail and return NULL if project.max-contracts would
811 * have been exceeded.
812 */
813static cont_process_t *
814contract_process_create(ctmpl_process_t *tmpl, proc_t *parent, int canfail)
815{
816	cont_process_t *ctp;
817
818	ASSERT(tmpl != NULL);
819
820	(void) contract_type_pbundle(process_type, parent);
821
822	ctp = kmem_zalloc(sizeof (cont_process_t), KM_SLEEP);
823
824	list_create(&ctp->conp_members, sizeof (proc_t),
825	    offsetof(proc_t, p_ct_member));
826	list_create(&ctp->conp_inherited, sizeof (contract_t),
827	    offsetof(contract_t, ct_ctlist));
828	mutex_enter(&tmpl->ctp_ctmpl.ctmpl_lock);
829	ctp->conp_params = tmpl->ctp_params;
830	ctp->conp_ev_fatal = tmpl->ctp_ev_fatal;
831	crhold(ctp->conp_cred = CRED());
832
833	if (contract_ctor(&ctp->conp_contract, process_type, &tmpl->ctp_ctmpl,
834	    ctp, (ctp->conp_params & CT_PR_INHERIT) ? CTF_INHERIT : 0,
835	    parent, canfail)) {
836		mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
837		contract_process_free(&ctp->conp_contract);
838		return (NULL);
839	}
840
841	/*
842	 * inherit svc_fmri if not defined by consumer. In this case, inherit
843	 * also svc_ctid to keep track of the contract id where
844	 * svc_fmri was set
845	 */
846	if (tmpl->ctp_svc_fmri == NULL) {
847		ctp->conp_svc_fmri = parent->p_ct_process->conp_svc_fmri;
848		ctp->conp_svc_ctid = parent->p_ct_process->conp_svc_ctid;
849		ctp->conp_svc_zone_enter =
850		    parent->p_ct_process->conp_svc_zone_enter;
851	} else {
852		ctp->conp_svc_fmri = tmpl->ctp_svc_fmri;
853		ctp->conp_svc_ctid = ctp->conp_contract.ct_id;
854		/* make svc_zone_enter flag false when svc_fmri is set */
855		ctp->conp_svc_zone_enter = 0;
856	}
857	refstr_hold(ctp->conp_svc_fmri);
858	/* set svc_aux to default value if not defined in template */
859	if (tmpl->ctp_svc_aux == NULL) {
860		ctp->conp_svc_aux = conp_svc_aux_default;
861	} else {
862		ctp->conp_svc_aux = tmpl->ctp_svc_aux;
863	}
864	refstr_hold(ctp->conp_svc_aux);
865	/*
866	 * set svc_creator to execname
867	 * We special case pid0 because when newproc() creates
868	 * the init process, the p_user.u_comm field of sched's proc_t
869	 * has not been populated yet.
870	 */
871	if (parent->p_pidp == &pid0) /* if the kernel is the creator */
872		ctp->conp_svc_creator = refstr_alloc("sched");
873	else
874		ctp->conp_svc_creator = refstr_alloc(parent->p_user.u_comm);
875
876	/*
877	 * Transfer subcontracts only after new contract is visible.
878	 * Also, only transfer contracts if the parent matches -- we
879	 * don't want to create a cycle in the tree of contracts.
880	 */
881	if (tmpl->ctp_subsume && tmpl->ctp_subsume->ct_owner == parent) {
882		cont_process_t *sct = tmpl->ctp_subsume->ct_data;
883		contract_t *ct;
884
885		mutex_enter(&tmpl->ctp_subsume->ct_lock);
886		mutex_enter(&ctp->conp_contract.ct_lock);
887		while (ct = list_head(&sct->conp_inherited)) {
888			mutex_enter(&ct->ct_lock);
889			list_remove(&sct->conp_inherited, ct);
890			list_insert_tail(&ctp->conp_inherited, ct);
891			ct->ct_regent = &ctp->conp_contract;
892			mutex_exit(&ct->ct_lock);
893		}
894		ctp->conp_ninherited += sct->conp_ninherited;
895		sct->conp_ninherited = 0;
896		mutex_exit(&ctp->conp_contract.ct_lock);
897		mutex_exit(&tmpl->ctp_subsume->ct_lock);
898
899		/*
900		 * Automatically abandon the contract.
901		 */
902		(void) contract_abandon(tmpl->ctp_subsume, parent, 1);
903	}
904
905	mutex_exit(&tmpl->ctp_ctmpl.ctmpl_lock);
906
907	return (ctp);
908}
909
910/*
911 * contract_process_exit
912 *
913 * Called on process exit.  Removes process p from process contract
914 * ctp.  Generates an exit event, if requested.  Generates an empty
915 * event, if p is the last member of the the process contract and empty
916 * events were requested.
917 */
918void
919contract_process_exit(cont_process_t *ctp, proc_t *p, int exitstatus)
920{
921	contract_t *ct = &ctp->conp_contract;
922	ct_kevent_t *event;
923	int empty;
924
925	/*
926	 * Remove self from process contract.
927	 */
928	mutex_enter(&ct->ct_lock);
929	list_remove(&ctp->conp_members, p);
930	ctp->conp_nmembers--;
931	mutex_enter(&p->p_lock);	/* in case /proc is watching */
932	p->p_ct_process = NULL;
933	mutex_exit(&p->p_lock);
934
935	/*
936	 * We check for emptiness before dropping the contract lock to
937	 * send the exit event, otherwise we could end up with two
938	 * empty events.
939	 */
940	empty = (list_head(&ctp->conp_members) == NULL);
941	if (EVSENDP(ctp, CT_PR_EV_EXIT)) {
942		nvlist_t *nvl;
943
944		mutex_exit(&ct->ct_lock);
945		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
946		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
947		VERIFY(nvlist_add_int32(nvl, CTPE_EXITSTATUS, exitstatus) == 0);
948
949		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
950		event->cte_flags = EVINFOP(ctp, CT_PR_EV_EXIT) ? CTE_INFO : 0;
951		event->cte_type = CT_PR_EV_EXIT;
952		(void) cte_publish_all(ct, event, nvl, NULL);
953		mutex_enter(&ct->ct_lock);
954	}
955	if (empty) {
956		/*
957		 * Send EMPTY message.
958		 */
959		if (EVSENDP(ctp, CT_PR_EV_EMPTY)) {
960			nvlist_t *nvl;
961
962			mutex_exit(&ct->ct_lock);
963			VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME,
964			    KM_SLEEP) == 0);
965			VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
966
967			event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
968			event->cte_flags = EVINFOP(ctp, CT_PR_EV_EMPTY) ?
969			    CTE_INFO : 0;
970			event->cte_type = CT_PR_EV_EMPTY;
971			(void) cte_publish_all(ct, event, nvl, NULL);
972			mutex_enter(&ct->ct_lock);
973		}
974
975		/*
976		 * The last one to leave an orphaned contract turns out
977		 * the lights.
978		 */
979		if (ct->ct_state == CTS_ORPHAN) {
980			contract_destroy(ct);
981			return;
982		}
983	}
984	mutex_exit(&ct->ct_lock);
985	contract_rele(ct);
986}
987
988/*
989 * contract_process_fork
990 *
991 * Called on process fork.  If the current lwp has a active process
992 * contract template, we attempt to create a new process contract.
993 * Failure to create a process contract when required is a failure in
994 * fork so, in such an event, we return NULL.
995 *
996 * Assuming we succeeded or skipped the previous step, we add the child
997 * process to the new contract (success) or to the parent's process
998 * contract (skip).  If requested, we also send a fork event to that
999 * contract.
1000 *
1001 * Because contract_process_fork() may fail, and because we would
1002 * prefer that process contracts not be created for processes which
1003 * don't complete forking, this should be the last function called
1004 * before the "all clear" point in cfork.
1005 */
1006cont_process_t *
1007contract_process_fork(ctmpl_process_t *rtmpl, proc_t *cp, proc_t *pp,
1008    int canfail)
1009{
1010	contract_t *ct;
1011	cont_process_t *ctp;
1012	ct_kevent_t *event;
1013	ct_template_t *tmpl;
1014
1015	if (rtmpl == NULL && (tmpl = ttolwp(curthread)->lwp_ct_active[
1016	    process_type->ct_type_index]) != NULL)
1017		rtmpl = tmpl->ctmpl_data;
1018
1019	if (rtmpl == NULL)
1020		ctp = curproc->p_ct_process;
1021	else if ((ctp = contract_process_create(rtmpl, pp, canfail)) == NULL)
1022		return (NULL);
1023
1024	ct = &ctp->conp_contract;
1025	/*
1026	 * Prevent contract_process_kill() from missing forked children
1027	 * by failing forks by parents that have just been killed.
1028	 * It's not worth hoisting the ctp test since contract creation
1029	 * is by no means the common case.
1030	 */
1031	mutex_enter(&ct->ct_lock);
1032	mutex_enter(&pp->p_lock);
1033	if (ctp == curproc->p_ct_process && (pp->p_flag & SKILLED) != 0 &&
1034	    canfail) {
1035		mutex_exit(&pp->p_lock);
1036		mutex_exit(&ct->ct_lock);
1037		return (NULL);
1038	}
1039	cp->p_ct_process = ctp;
1040	mutex_exit(&pp->p_lock);
1041	contract_hold(ct);
1042	list_insert_head(&ctp->conp_members, cp);
1043	ctp->conp_nmembers++;
1044	mutex_exit(&ct->ct_lock);
1045	if (EVSENDP(ctp, CT_PR_EV_FORK)) {
1046		nvlist_t *nvl;
1047
1048		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1049		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, cp->p_pid) == 0);
1050		VERIFY(nvlist_add_uint32(nvl, CTPE_PPID, pp->p_pid) == 0);
1051
1052		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1053		event->cte_flags = EVINFOP(ctp, CT_PR_EV_FORK) ? CTE_INFO : 0;
1054		event->cte_type = CT_PR_EV_FORK;
1055		(void) cte_publish_all(ct, event, nvl, NULL);
1056	}
1057	return (ctp);
1058}
1059
1060/*
1061 * contract_process_core
1062 *
1063 * Called on core file generation attempts.  Generates a core event, if
1064 * requested, containing the names of the process, global, and
1065 * system-global ("zone") core files.  If dumping core is in the fatal
1066 * event set, calls contract_process_kill().
1067 */
1068void
1069contract_process_core(cont_process_t *ctp, proc_t *p, int sig,
1070    const char *process, const char *global, const char *zone)
1071{
1072	contract_t *ct = &ctp->conp_contract;
1073
1074	if (EVSENDP(ctp, CT_PR_EV_CORE)) {
1075		ct_kevent_t *event;
1076		nvlist_t *nvl, *gnvl = NULL;
1077
1078		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1079		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1080		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1081		if (process)
1082			VERIFY(nvlist_add_string(nvl, CTPE_PCOREFILE,
1083			    (char *)process) == 0);
1084		if (global)
1085			VERIFY(nvlist_add_string(nvl, CTPE_GCOREFILE,
1086			    (char *)global) == 0);
1087
1088		if (zone) {
1089			/*
1090			 * Only the global zone is informed of the
1091			 * local-zone generated global-zone core.
1092			 */
1093			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1094			    KM_SLEEP) == 0);
1095			VERIFY(nvlist_add_string(gnvl, CTPE_ZCOREFILE,
1096			    (char *)zone) == 0);
1097		}
1098
1099		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1100		event->cte_flags = EVINFOP(ctp, CT_PR_EV_CORE) ? CTE_INFO : 0;
1101		event->cte_type = CT_PR_EV_CORE;
1102		(void) cte_publish_all(ct, event, nvl, gnvl);
1103	}
1104
1105	if (EVFATALP(ctp, CT_PR_EV_CORE)) {
1106		mutex_enter(&ct->ct_lock);
1107		contract_process_kill(ct, p, B_TRUE);
1108		mutex_exit(&ct->ct_lock);
1109	}
1110}
1111
1112/*
1113 * contract_process_hwerr
1114 *
1115 * Called when a process is killed by an unrecoverable hardware error.
1116 * Generates an hwerr event, if requested.  If hardware errors are in
1117 * the fatal event set, calls contract_process_kill().
1118 */
1119void
1120contract_process_hwerr(cont_process_t *ctp, proc_t *p)
1121{
1122	contract_t *ct = &ctp->conp_contract;
1123
1124	if (EVSENDP(ctp, CT_PR_EV_HWERR)) {
1125		ct_kevent_t *event;
1126		nvlist_t *nvl;
1127
1128		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1129		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1130
1131		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1132		event->cte_flags = EVINFOP(ctp, CT_PR_EV_HWERR) ? CTE_INFO : 0;
1133		event->cte_type = CT_PR_EV_HWERR;
1134		(void) cte_publish_all(ct, event, nvl, NULL);
1135	}
1136
1137	if (EVFATALP(ctp, CT_PR_EV_HWERR)) {
1138		mutex_enter(&ct->ct_lock);
1139		contract_process_kill(ct, p, B_FALSE);
1140		mutex_exit(&ct->ct_lock);
1141	}
1142}
1143
1144/*
1145 * contract_process_sig
1146 *
1147 * Called when a process is killed by a signal originating from a
1148 * process outside of its process contract or its process contract's
1149 * holder.  Generates an signal event, if requested, containing the
1150 * signal number, and the sender's pid and contract id (if available).
1151 * If signals are in the fatal event set, calls
1152 * contract_process_kill().
1153 */
1154void
1155contract_process_sig(cont_process_t *ctp, proc_t *p, int sig, pid_t pid,
1156    ctid_t ctid, zoneid_t zoneid)
1157{
1158	contract_t *ct = &ctp->conp_contract;
1159
1160	if (EVSENDP(ctp, CT_PR_EV_SIGNAL)) {
1161		ct_kevent_t *event;
1162		nvlist_t *dest, *nvl, *gnvl = NULL;
1163
1164		VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1165		VERIFY(nvlist_add_uint32(nvl, CTPE_PID, p->p_pid) == 0);
1166		VERIFY(nvlist_add_uint32(nvl, CTPE_SIGNAL, sig) == 0);
1167
1168		if (zoneid >= 0 && p->p_zone->zone_id != zoneid) {
1169			VERIFY(nvlist_alloc(&gnvl, NV_UNIQUE_NAME,
1170			    KM_SLEEP) == 0);
1171			dest = gnvl;
1172		} else {
1173			dest = nvl;
1174		}
1175
1176		if (pid != -1)
1177			VERIFY(nvlist_add_uint32(dest, CTPE_SENDER, pid) == 0);
1178		if (ctid != 0)
1179			VERIFY(nvlist_add_uint32(dest, CTPE_SENDCT, ctid) == 0);
1180
1181		event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1182		event->cte_flags = EVINFOP(ctp, CT_PR_EV_SIGNAL) ? CTE_INFO : 0;
1183		event->cte_type = CT_PR_EV_SIGNAL;
1184		(void) cte_publish_all(ct, event, nvl, gnvl);
1185	}
1186
1187	if (EVFATALP(ctp, CT_PR_EV_SIGNAL)) {
1188		mutex_enter(&ct->ct_lock);
1189		contract_process_kill(ct, p, B_TRUE);
1190		mutex_exit(&ct->ct_lock);
1191	}
1192}
1193