4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011, Joyent Inc. All rights reserved.
27 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
28 /* All Rights Reserved */
30 #include <sys/param.h>
31 #include <sys/types.h>
33 #include <sys/sysmacros.h>
35 #include <sys/systm.h>
38 #include <sys/utsname.h>
39 #include <sys/errno.h>
40 #include <sys/signal.h>
41 #include <sys/siginfo.h>
42 #include <sys/fault.h>
43 #include <sys/syscall.h>
44 #include <sys/ucontext.h>
45 #include <sys/prsystm.h>
46 #include <sys/vnode.h>
49 #include <sys/pathname.h>
52 #include <sys/debug.h>
53 #include <sys/stack.h>
55 #include <sys/schedctl.h>
57 #include <sys/corectl.h>
58 #include <sys/cmn_err.h>
61 #include <sys/nbmlock.h>
64 #include <sys/contract/process_impl.h>
68 * Processes running within a zone potentially dump core in 3 locations,
69 * based on the per-process, per-zone, and the global zone's core settings.
71 * Per-zone and global zone settings are often referred to as "global"
72 * settings since they apply to the system (or zone) as a whole, as
73 * opposed to a particular process.
76 CORE_PROC
, /* Use per-process settings */
77 CORE_ZONE
, /* Use per-zone settings */
78 CORE_GLOBAL
/* Use global zone settings */
82 * Log information about "global" core dumps to syslog.
85 core_log(struct core_globals
*cg
, int error
, const char *why
, const char *path
,
90 char *fn
= PTOU(p
)->u_comm
;
92 if (!(cg
->core_options
& CC_GLOBAL_LOG
))
96 zcmn_err(zoneid
, CE_NOTE
, "core_log: %s[%d] %s", fn
, pid
, why
);
98 zcmn_err(zoneid
, CE_NOTE
, "core_log: %s[%d] %s: %s", fn
, pid
,
101 zcmn_err(zoneid
, CE_NOTE
, "core_log: %s[%d] %s, errno=%d: %s",
102 fn
, pid
, why
, error
, path
);
106 * Private version of vn_remove().
107 * Refuse to unlink a directory or an unwritable file.
108 * Also allow the process to access files normally inaccessible due to
109 * chroot(2) or Zone limitations.
112 remove_core_file(char *fp
, enum core_types core_type
)
114 vnode_t
*vp
= NULL
; /* entry vnode */
115 vnode_t
*dvp
; /* ptr to parent dir vnode */
119 pathname_t pn
; /* name of entry */
120 vnode_t
*startvp
, *rootvp
;
122 if ((error
= pn_get(fp
, UIO_SYSSPACE
, &pn
)) != 0)
125 * Determine what rootvp to use.
127 if (core_type
== CORE_PROC
) {
128 rootvp
= (PTOU(curproc
)->u_rdir
== NULL
?
129 curproc
->p_zone
->zone_rootvp
: PTOU(curproc
)->u_rdir
);
130 startvp
= (fp
[0] == '/' ? rootvp
: PTOU(curproc
)->u_cdir
);
131 } else if (core_type
== CORE_ZONE
) {
132 startvp
= curproc
->p_zone
->zone_rootvp
;
133 rootvp
= curproc
->p_zone
->zone_rootvp
;
135 ASSERT(core_type
== CORE_GLOBAL
);
140 if (rootvp
!= rootdir
)
142 if ((error
= lookuppnvp(&pn
, NULL
, NO_FOLLOW
, &dvp
, &vp
, rootvp
,
143 startvp
, CRED())) != 0) {
148 * Succeed if there is no file.
149 * Fail if the file is not a regular file.
150 * Fail if the filesystem is mounted read-only.
151 * Fail if the file is not writeable.
152 * Fail if the file has NBMAND share reservations.
156 else if (vp
->v_type
!= VREG
)
158 else if ((dvfsp
= dvp
->v_vfsp
) != NULL
&&
159 (dvfsp
->vfs_flag
& VFS_RDONLY
))
161 else if ((error
= VOP_ACCESS(vp
, VWRITE
, 0, CRED(), NULL
)) == 0) {
162 if (nbl_need_check(vp
)) {
163 nbl_start_crit(vp
, RW_READER
);
165 if (nbl_share_conflict(vp
, NBL_REMOVE
, NULL
)) {
170 error
= VOP_REMOVE(dvp
, pn
.pn_path
, CRED(), NULL
, 0);
185 * Create the core file in a location that may be normally inaccessible due
186 * to chroot(2) or Zone limitations.
189 create_core_file(char *fp
, enum core_types core_type
, vnode_t
**vpp
)
192 mode_t perms
= (S_IRUSR
| S_IWUSR
);
198 cred_t
*credp
= CRED();
200 if (core_type
== CORE_PROC
) {
202 dvp
= NULL
; /* regular lookup */
204 vnode_t
*startvp
, *rootvp
;
206 ASSERT(core_type
== CORE_ZONE
|| core_type
== CORE_GLOBAL
);
208 * This is tricky because we want to dump the core in
209 * a location which may normally be inaccessible
210 * to us (due to chroot(2) limitations, or zone
211 * membership), and hence need to overcome u_rdir
212 * restrictions. The basic idea is to separate
213 * the path from the filename, lookup the
214 * pathname separately (starting from the global
215 * zone's root directory), and then open the
216 * file starting at the directory vnode.
218 if (error
= pn_get(fp
, UIO_SYSSPACE
, &pn
))
221 if (core_type
== CORE_ZONE
) {
222 startvp
= rootvp
= curproc
->p_zone
->zone_rootvp
;
224 startvp
= rootvp
= rootdir
;
227 * rootvp and startvp will be VN_RELE()'d by lookuppnvp() if
231 if (rootvp
!= rootdir
)
234 * Do a lookup on the full path, ignoring the actual file, but
235 * finding the vnode for the directory. It's OK if the file
236 * doesn't exist -- it most likely won't since we just removed
239 error
= lookuppnvp(&pn
, NULL
, FOLLOW
, &dvp
, NULLVPP
,
240 rootvp
, startvp
, credp
);
246 * Now find the final component in the path (ie, the name of
249 if (error
= pn_get(fp
, UIO_SYSSPACE
, &pn
)) {
256 error
= vn_openat(file
, UIO_SYSSPACE
,
257 FWRITE
| FTRUNC
| FEXCL
| FCREAT
| FOFFMAX
,
258 perms
, &vp
, CRCREAT
, PTOU(curproc
)->u_cmask
, dvp
, -1);
259 if (core_type
!= CORE_PROC
) {
264 * Don't dump a core file owned by "nobody".
266 vattr
.va_mask
= AT_UID
;
268 (VOP_GETATTR(vp
, &vattr
, 0, credp
, NULL
) != 0 ||
269 vattr
.va_uid
!= crgetuid(credp
))) {
270 (void) VOP_CLOSE(vp
, FWRITE
, 1, (offset_t
)0,
273 (void) remove_core_file(fp
, core_type
);
281 * Install the specified held cred into the process, and return a pointer to
282 * the held cred which was previously the value of p->p_cred.
285 set_cred(proc_t
*p
, cred_t
*newcr
)
288 uid_t olduid
, newuid
;
291 * Place a hold on the existing cred, and then install the new
292 * cred into the proc structure.
294 mutex_enter(&p
->p_crlock
);
298 mutex_exit(&p
->p_crlock
);
300 ASSERT(crgetzoneid(oldcr
) == crgetzoneid(newcr
));
303 * If the real uid is changing, keep the per-user process
306 olduid
= crgetruid(oldcr
);
307 newuid
= crgetruid(newcr
);
308 if (olduid
!= newuid
) {
309 zoneid_t zoneid
= crgetzoneid(newcr
);
311 mutex_enter(&pidlock
);
312 upcount_dec(olduid
, zoneid
);
313 upcount_inc(newuid
, zoneid
);
314 mutex_exit(&pidlock
);
318 * Broadcast the new cred to all the other threads. The old
319 * cred can be safely returned because we have a hold on it.
326 do_core(char *fp
, int sig
, enum core_types core_type
, struct core_globals
*cg
)
329 cred_t
*credp
= CRED();
334 cred_t
*ocredp
= NULL
;
336 core_content_t content
;
340 if (core_type
== CORE_GLOBAL
|| core_type
== CORE_ZONE
) {
341 mutex_enter(&cg
->core_lock
);
342 content
= cg
->core_content
;
343 mutex_exit(&cg
->core_lock
);
344 rlimit
= cg
->core_rlimit
;
346 mutex_enter(&p
->p_lock
);
347 rlimit
= rctl_enforced_value(rctlproc_legacy
[RLIMIT_CORE
],
349 content
= corectl_content_value(p
->p_content
);
350 mutex_exit(&p
->p_lock
);
357 * If SNOCD is set, or if the effective, real, and saved ids do
358 * not match up, no one but a privileged user is allowed to view
359 * this core file. Set the credentials and the owner to root.
361 if ((p
->p_flag
& SNOCD
) ||
362 (uid
= crgetuid(credp
)) != crgetruid(credp
) ||
363 uid
!= crgetsuid(credp
) ||
364 (gid
= crgetgid(credp
)) != crgetrgid(credp
) ||
365 gid
!= crgetsgid(credp
)) {
367 * Because this is insecure against certain forms of file
368 * system attack, do it only if set-id core files have been
369 * enabled via corectl(CC_GLOBAL_SETID | CC_PROCESS_SETID).
371 if (((core_type
== CORE_GLOBAL
|| core_type
== CORE_ZONE
) &&
372 !(cg
->core_options
& CC_GLOBAL_SETID
)) ||
373 (core_type
== CORE_PROC
&&
374 !(cg
->core_options
& CC_PROCESS_SETID
)))
381 * If we are doing a "global" core dump or a set-id core dump,
382 * use kcred to do the dumping.
384 if (core_type
== CORE_GLOBAL
|| core_type
== CORE_ZONE
|| is_setid
) {
386 * Use the zone's "kcred" to prevent privilege
389 credp
= zone_get_kcred(getzoneid());
390 ASSERT(credp
!= NULL
);
391 ocredp
= set_cred(p
, credp
);
395 * First remove any existing core file, then
396 * open the new core file with (O_EXCL|O_CREAT).
398 * The reasons for doing this are manifold:
400 * For security reasons, we don't want root processes
401 * to dump core through a symlink because that would
402 * allow a malicious user to clobber any file on
403 * the system if s/he could convince a root process,
404 * perhaps a set-uid root process that s/he started,
405 * to dump core in a directory writable by that user.
406 * Similar security reasons apply to hard links.
407 * For symmetry we do this unconditionally, not
408 * just for root processes.
410 * If the process has the core file mmap()d into the
411 * address space, we would be modifying the address
412 * space that we are trying to dump if we did not first
413 * remove the core file. (The command "file core"
414 * is the canonical example of this possibility.)
416 * Opening the core file with O_EXCL|O_CREAT ensures than
417 * two concurrent core dumps don't clobber each other.
418 * One is bound to lose; we don't want to make both lose.
420 if ((error
= remove_core_file(fp
, core_type
)) == 0) {
421 error
= create_core_file(fp
, core_type
, &vp
);
425 * Now that vn_open is complete, reset the process's credentials if
426 * we changed them, and make 'credp' point to kcred used
427 * above. We use 'credp' to do i/o on the core file below, but leave
428 * p->p_cred set to the original credential to allow the core file
429 * to record this information.
432 credp
= set_cred(p
, ocredp
);
437 (void) flush_user_windows_to_stack(NULL
);
439 if ((eswp
= PTOU(curproc
)->u_execsw
) == NULL
||
440 (eswp
= findexec_by_magic(eswp
->exec_magic
)) == NULL
) {
443 error
= eswp
->exec_core(vp
, p
, credp
, rlimit
, sig
,
445 rw_exit(eswp
->exec_lock
);
448 closerr
= VOP_CLOSE(vp
, FWRITE
, 1, (offset_t
)0, credp
, NULL
);
461 * Convert a core name pattern to a pathname.
464 expand_string(const char *pat
, char *fp
, int size
, cred_t
*cr
)
472 while ((c
= *pat
++) != '\0') {
474 return (ENAMETOOLONG
);
480 if ((c
= *pat
++) == '\0') {
487 (void) sprintf((s
= buf
), "%d", p
->p_pid
);
489 case 'u': /* effective uid */
490 (void) sprintf((s
= buf
), "%u", crgetuid(p
->p_cred
));
492 case 'g': /* effective gid */
493 (void) sprintf((s
= buf
), "%u", crgetgid(p
->p_cred
));
495 case 'f': /* exec'd filename */
498 case 'd': /* exec'd dirname */
500 * Even if pathname caching is disabled, we should
501 * be able to lookup the pathname for a directory.
503 if (p
->p_execdir
!= NULL
&& vnodetopath(NULL
,
504 p
->p_execdir
, fp
, size
, cr
) == 0) {
505 len
= (int)strlen(fp
);
508 ASSERT(fp
[0] == '/');
511 * Strip off the leading slash.
513 for (i
= 0; i
< len
; i
++) {
526 case 'n': /* system nodename */
529 case 'm': /* machine (sun4u, etc) */
532 case 't': /* decimal value of time(2) */
533 (void) sprintf((s
= buf
), "%ld", gethrestime_sec());
536 s
= p
->p_zone
->zone_name
;
539 /* This is zonepath + "/root/", except for GZ */
540 s
= p
->p_zone
->zone_rootpath
;
543 (void) strcpy((s
= buf
), "%");
552 len
= (int)strlen(s
);
553 if ((size
-= len
) <= 0)
554 return (ENAMETOOLONG
);
555 (void) strcpy(fp
, s
);
556 /* strip trailing "/root/" from non-GZ zonepath string */
557 if (c
== 'Z' && len
> 6) {
559 ASSERT(strncmp(fp
+ len
, "/root/", 6) == 0);
569 dump_one_core(int sig
, rlim64_t rlimit
, enum core_types core_type
,
570 struct core_globals
*cg
, char **name
)
579 ASSERT(core_type
== CORE_ZONE
|| core_type
== CORE_GLOBAL
);
580 zoneid
= (core_type
== CORE_ZONE
? getzoneid() : GLOBAL_ZONEID
);
582 mutex_enter(&cg
->core_lock
);
583 if ((rp
= cg
->core_file
) != NULL
)
585 mutex_exit(&cg
->core_lock
);
587 core_log(cg
, 0, "no global core file pattern exists", NULL
,
589 return (1); /* core file not generated */
591 fp
= kmem_alloc(MAXPATHLEN
, KM_SLEEP
);
592 cr
= zone_get_kcred(getzoneid());
593 error
= expand_string(refstr_value(rp
), fp
, MAXPATHLEN
, cr
);
596 core_log(cg
, 0, "global core file pattern too long",
597 refstr_value(rp
), zoneid
);
598 } else if ((error
= do_core(fp
, sig
, core_type
, cg
)) == 0) {
599 core_log(cg
, 0, "core dumped", fp
, zoneid
);
600 } else if (error
== ENOTSUP
) {
601 core_log(cg
, 0, "setid process, core not dumped", fp
, zoneid
);
602 } else if (error
== ENOSPC
) {
603 core_log(cg
, 0, "no space left on device, core truncated",
605 } else if (error
== EFBIG
) {
607 core_log(cg
, 0, "core rlimit is zero, core not dumped",
610 core_log(cg
, 0, "core rlimit exceeded, core truncated",
613 * In addition to the core result logging, we
614 * may also have explicit actions defined on
615 * core file size violations via the resource
618 mutex_enter(&p
->p_lock
);
619 (void) rctl_action(rctlproc_legacy
[RLIMIT_CORE
],
620 p
->p_rctls
, p
, RCA_SAFE
);
621 mutex_exit(&p
->p_lock
);
623 core_log(cg
, error
, "core dump failed", fp
, zoneid
);
629 kmem_free(fp
, MAXPATHLEN
);
634 core(int sig
, int ext
)
637 klwp_t
*lwp
= ttolwp(curthread
);
639 char *fp_process
= NULL
, *fp_global
= NULL
, *fp_zone
= NULL
;
646 struct core_globals
*my_cg
, *global_cg
;
648 global_cg
= zone_getspecific(core_zone_key
, global_zone
);
649 ASSERT(global_cg
!= NULL
);
651 my_cg
= zone_getspecific(core_zone_key
, curproc
->p_zone
);
652 ASSERT(my_cg
!= NULL
);
654 /* core files suppressed? */
655 if (!(my_cg
->core_options
& (CC_PROCESS_PATH
|CC_GLOBAL_PATH
)) &&
656 !(global_cg
->core_options
& CC_GLOBAL_PATH
)) {
657 if (!ext
&& p
->p_ct_process
!= NULL
)
658 contract_process_core(p
->p_ct_process
, p
, sig
,
664 * Block all signals except SIGHUP, SIGINT, SIGKILL, and SIGTERM; no
665 * other signal may interrupt a core dump. For each signal, we
666 * explicitly unblock it and set it in p_siginfo to allow for some
667 * minimal error reporting. Additionally, we get the current limit on
668 * core file size for handling later error reporting.
670 mutex_enter(&p
->p_lock
);
672 p
->p_flag
|= SDOCORE
;
673 schedctl_finish_sigblock(curthread
);
674 sigmask
= curthread
->t_hold
; /* remember for later */
675 sigfillset(&sighold
);
676 if (!sigismember(&sigmask
, SIGHUP
))
677 sigdelset(&sighold
, SIGHUP
);
678 if (!sigismember(&sigmask
, SIGINT
))
679 sigdelset(&sighold
, SIGINT
);
680 if (!sigismember(&sigmask
, SIGKILL
))
681 sigdelset(&sighold
, SIGKILL
);
682 if (!sigismember(&sigmask
, SIGTERM
))
683 sigdelset(&sighold
, SIGTERM
);
685 sigaddset(&p
->p_siginfo
, SIGHUP
);
686 sigaddset(&p
->p_siginfo
, SIGINT
);
687 sigaddset(&p
->p_siginfo
, SIGKILL
);
688 sigaddset(&p
->p_siginfo
, SIGTERM
);
690 curthread
->t_hold
= sighold
;
692 rlimit
= rctl_enforced_value(rctlproc_legacy
[RLIMIT_CORE
], p
->p_rctls
,
695 mutex_exit(&p
->p_lock
);
698 * Undo any watchpoints.
700 pr_free_watched_pages(p
);
703 * The presence of a current signal prevents file i/o
704 * from succeeding over a network. We copy the current
705 * signal information to the side and cancel the current
706 * signal so that the core dump will succeed.
708 ASSERT(lwp
->lwp_cursig
== sig
);
711 if (lwp
->lwp_curinfo
== NULL
) {
712 bzero(&lwp
->lwp_siginfo
, sizeof (k_siginfo_t
));
713 lwp
->lwp_siginfo
.si_signo
= sig
;
714 lwp
->lwp_siginfo
.si_code
= SI_NOINFO
;
716 bcopy(&lwp
->lwp_curinfo
->sq_info
,
717 &lwp
->lwp_siginfo
, sizeof (k_siginfo_t
));
718 siginfofree(lwp
->lwp_curinfo
);
719 lwp
->lwp_curinfo
= NULL
;
723 * Convert the core file name patterns into path names
724 * and call do_core() to write the core files.
727 if (my_cg
->core_options
& CC_PROCESS_PATH
) {
728 mutex_enter(&p
->p_lock
);
729 if (p
->p_corefile
!= NULL
)
730 rp
= corectl_path_value(p
->p_corefile
);
733 mutex_exit(&p
->p_lock
);
735 fp_process
= kmem_alloc(MAXPATHLEN
, KM_SLEEP
);
736 error1
= expand_string(refstr_value(rp
),
737 fp_process
, MAXPATHLEN
, p
->p_cred
);
739 error1
= do_core(fp_process
, sig
, CORE_PROC
,
745 if (my_cg
->core_options
& CC_GLOBAL_PATH
)
746 error2
= dump_one_core(sig
, rlimit
, CORE_ZONE
, my_cg
,
748 if (global_cg
!= my_cg
&& (global_cg
->core_options
& CC_GLOBAL_PATH
))
749 error3
= dump_one_core(sig
, rlimit
, CORE_GLOBAL
, global_cg
,
753 * Restore the signal hold mask.
755 mutex_enter(&p
->p_lock
);
756 curthread
->t_hold
= sigmask
;
757 mutex_exit(&p
->p_lock
);
759 if (!ext
&& p
->p_ct_process
!= NULL
)
760 contract_process_core(p
->p_ct_process
, p
, sig
,
761 error1
== 0 ? fp_process
: NULL
,
762 error2
== 0 ? fp_global
: NULL
,
763 error3
== 0 ? fp_zone
: NULL
);
765 if (fp_process
!= NULL
)
766 kmem_free(fp_process
, MAXPATHLEN
);
767 if (fp_global
!= NULL
)
768 kmem_free(fp_global
, MAXPATHLEN
);
770 kmem_free(fp_zone
, MAXPATHLEN
);
773 * Return non-zero if no core file was created.
775 return (error1
!= 0 && error2
!= 0 && error3
!= 0);
779 * Maximum chunk size for dumping core files,
780 * size in pages, patchable in /etc/system
782 uint_t core_chunk
= 32;
785 * The delay between core_write() calls, in microseconds. The default
786 * matches one "normal" clock tick, or 10 milliseconds.
788 clock_t core_delay_usec
= 10000;
791 * Common code to core dump process memory. The core_seg routine does i/o
792 * using core_write() below, and so it has the same failure semantics.
795 core_seg(proc_t
*p
, vnode_t
*vp
, offset_t offset
, caddr_t addr
, size_t size
,
796 rlim64_t rlimit
, cred_t
*credp
)
804 for (base
= addr
; base
< eaddr
; base
+= len
) {
806 if (as_memory(p
->p_as
, &base
, &len
) != 0)
810 * Reduce len to a reasonable value so that we don't
811 * overwhelm the VM system with a monstrously large
812 * single write and cause pageout to stop running.
814 if (len
> (size_t)core_chunk
* PAGESIZE
)
815 len
= (size_t)core_chunk
* PAGESIZE
;
817 err
= core_write(vp
, UIO_USERSPACE
,
818 offset
+ (size_t)(base
- addr
), base
, len
, rlimit
, credp
);
824 * If we have taken a signal, return EINTR to allow the dump
827 if (issig(JUSTLOOKING
) && issig(FORREAL
))
835 * Wrapper around vn_rdwr to perform writes to a core file. For core files,
836 * we always want to write as much as we possibly can, and then make sure to
837 * return either 0 to the caller (for success), or the actual errno value.
838 * By using this function, the caller can omit additional code for handling
839 * retries and errors for partial writes returned by vn_rdwr. If vn_rdwr
840 * unexpectedly returns zero but no progress has been made, we return ENOSPC.
843 core_write(vnode_t
*vp
, enum uio_seg segflg
, offset_t offset
,
844 const void *buf
, size_t len
, rlim64_t rlimit
, cred_t
*credp
)
850 error
= vn_rdwr(UIO_WRITE
, vp
, (caddr_t
)buf
, len
, offset
,
851 segflg
, 0, rlimit
, credp
, &resid
);
859 buf
= (const char *)buf
+ len
- resid
;
860 offset
+= len
- resid
;