| blob | 909a6c286078fd2815b0191fe29bb9c3d0f8e219 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25 /*
26 * Copyright (c) 2017 by Delphix. All rights reserved.
27 */
29 /*
30 * Contracts
31 * ---------
32 *
33 * Contracts are a primitive which enrich the relationships between
34 * processes and system resources. The primary purpose of contracts is
35 * to provide a means for the system to negotiate the departure from a
36 * binding relationship (e.g. pages locked in memory or a thread bound
37 * to processor), but they can also be used as a purely asynchronous
38 * error reporting mechanism as they are with process contracts.
39 *
40 * More information on how one interfaces with contracts and what
41 * contracts can do for you can be found in:
42 * PSARC 2003/193 Solaris Contracts
43 * PSARC 2004/460 Contracts addendum
44 *
45 * This file contains the core contracts framework. By itself it is
46 * useless: it depends the contracts filesystem (ctfs) to provide an
47 * interface to user processes and individual contract types to
48 * implement the process/resource relationships.
49 *
50 * Data structure overview
51 * -----------------------
52 *
53 * A contract is represented by a contract_t, which itself points to an
54 * encapsulating contract-type specific contract object. A contract_t
55 * contains the contract's static identity (including its terms), its
56 * linkage to various bookkeeping structures, the contract-specific
57 * event queue, and a reference count.
58 *
59 * A contract template is represented by a ct_template_t, which, like a
60 * contract, points to an encapsulating contract-type specific template
61 * object. A ct_template_t contains the template's terms.
62 *
63 * An event queue is represented by a ct_equeue_t, and consists of a
64 * list of events, a list of listeners, and a list of listeners who are
65 * waiting for new events (affectionately referred to as "tail
66 * listeners"). There are three queue types, defined by ct_listnum_t
67 * (an enum). An event may be on one of each type of queue
68 * simultaneously; the list linkage used by a queue is determined by
69 * its type.
70 *
71 * An event is represented by a ct_kevent_t, which contains mostly
72 * static event data (e.g. id, payload). It also has an array of
73 * ct_member_t structures, each of which contains a list_node_t and
74 * represent the event's linkage in a specific event queue.
75 *
76 * Each open of an event endpoint results in the creation of a new
77 * listener, represented by a ct_listener_t. In addition to linkage
78 * into the aforementioned lists in the event_queue, a ct_listener_t
79 * contains a pointer to the ct_kevent_t it is currently positioned at
80 * as well as a set of status flags and other administrative data.
81 *
82 * Each process has a list of contracts it owns, p_ct_held; a pointer
83 * to the process contract it is a member of, p_ct_process; the linkage
84 * for that membership, p_ct_member; and an array of event queue
85 * structures representing the process bundle queues.
86 *
87 * Each LWP has an array of its active templates, lwp_ct_active; and
88 * the most recently created contracts, lwp_ct_latest.
89 *
90 * A process contract has a list of member processes and a list of
91 * inherited contracts.
92 *
93 * There is a system-wide list of all contracts, as well as per-type
94 * lists of contracts.
95 *
96 * Lock ordering overview
97 * ----------------------
98 *
99 * Locks at the top are taken first:
100 *
101 * ct_evtlock
102 * regent ct_lock
103 * member ct_lock
104 * pidlock
105 * p_lock
106 * contract ctq_lock contract_lock
107 * pbundle ctq_lock
108 * cte_lock
109 * ct_reflock
110 *
111 * contract_lock and ctq_lock/cte_lock are not currently taken at the
112 * same time.
113 *
114 * Reference counting and locking
115 * ------------------------------
116 *
117 * A contract has a reference count, protected by ct_reflock.
118 * (ct_reflock is also used in a couple other places where atomic
119 * access to a variable is needed in an innermost context). A process
120 * maintains a hold on each contract it owns. A process contract has a
121 * hold on each contract is has inherited. Each event has a hold on
122 * the contract which generated it. Process contract templates have
123 * holds on the contracts referred to by their transfer terms. CTFS
124 * contract directory nodes have holds on contracts. Lastly, various
125 * code paths may temporarily take holds on contracts to prevent them
126 * from disappearing while other processing is going on. It is
127 * important to note that the global contract lists do not hold
128 * references on contracts; a contract is removed from these structures
129 * atomically with the release of its last reference.
130 *
131 * At a given point in time, a contract can either be owned by a
132 * process, inherited by a regent process contract, or orphaned. A
133 * contract_t's owner and regent pointers, ct_owner and ct_regent, are
134 * protected by its ct_lock. The linkage in the holder's (holder =
135 * owner or regent) list of contracts, ct_ctlist, is protected by
136 * whatever lock protects the holder's data structure. In order for
137 * these two directions to remain consistent, changing the holder of a
138 * contract requires that both locks be held.
139 *
140 * Events also have reference counts. There is one hold on an event
141 * per queue it is present on, in addition to those needed for the
142 * usual sundry reasons. Individual listeners are associated with
143 * specific queues, and increase a queue-specific reference count
144 * stored in the ct_member_t structure.
145 *
146 * The dynamic contents of an event (reference count and flags) are
147 * protected by its cte_lock, while the contents of the embedded
148 * ct_member_t structures are protected by the locks of the queues they
149 * are linked into. A ct_listener_t's contents are also protected by
150 * its event queue's ctq_lock.
151 *
152 * Resource controls
153 * -----------------
154 *
155 * Control: project.max-contracts (rc_project_contract)
156 * Description: Maximum number of contracts allowed a project.
157 *
158 * When a contract is created, the project's allocation is tested and
159 * (assuming success) increased. When the last reference to a
160 * contract is released, the creating project's allocation is
161 * decreased.
162 */
164 #include <sys/mutex.h>
165 #include <sys/debug.h>
166 #include <sys/types.h>
167 #include <sys/param.h>
168 #include <sys/kmem.h>
169 #include <sys/thread.h>
170 #include <sys/id_space.h>
171 #include <sys/avl.h>
172 #include <sys/list.h>
173 #include <sys/sysmacros.h>
174 #include <sys/proc.h>
175 #include <sys/ctfs.h>
176 #include <sys/contract_impl.h>
177 #include <sys/contract/process_impl.h>
178 #include <sys/dditypes.h>
179 #include <sys/contract/device_impl.h>
180 #include <sys/systm.h>
181 #include <sys/atomic.h>
182 #include <sys/cmn_err.h>
183 #include <sys/model.h>
184 #include <sys/policy.h>
185 #include <sys/zone.h>
186 #include <sys/task.h>
187 #include <sys/ddi.h>
188 #include <sys/sunddi.h>
207 /*
208 * contract_compar
209 *
210 * A contract comparator which sorts on contract ID.
211 */
212 int
214 {
223 }
225 /*
226 * contract_init
227 *
228 * Initializes the contract subsystem, the specific contract types, and
229 * process 0.
230 */
231 void
233 {
234 /*
235 * Initialize contract subsystem.
236 */
242 /*
243 * Initialize contract types.
244 */
248 /*
249 * Initialize p0/lwp0 contract state.
250 */
253 }
255 /*
256 * contract_dtor
257 *
258 * Performs basic destruction of the common portions of a contract.
259 * Called from the failure path of contract_ctor and from
260 * contract_rele.
261 */
262 static void
264 {
270 }
272 /*
273 * contract_ctor
274 *
275 * Called by a contract type to initialize a contract. Fails if the
276 * max-contract resource control would have been exceeded. After a
277 * successful call to contract_ctor, the contract is unlocked and
278 * visible in all namespaces; any type-specific initialization should
279 * be completed before calling contract_ctor. Returns 0 on success.
280 *
281 * Because not all callers can tolerate failure, a 0 value for canfail
282 * instructs contract_ctor to ignore the project.max-contracts resource
283 * control. Obviously, this "out" should only be employed by callers
284 * who are sufficiently constrained in other ways (e.g. newproc).
285 */
286 int
289 {
290 avl_index_t where;
304 /*
305 * Instance data
306 */
324 /*
325 * Test project.max-contracts.
326 */
338 }
344 /*
345 * Insert into holder's avl of contracts.
346 * We use an avl not because order is important, but because
347 * readdir of /proc/contracts requires we be able to use a
348 * scalar as an index into the process's list of contracts
349 */
356 /*
357 * Insert into global contract AVL
358 */
364 /*
365 * Insert into type AVL
366 */
378 }
380 /*
381 * contract_rele
382 *
383 * Releases a reference to a contract. If the caller had the last
384 * reference, the contract is removed from all namespaces, its
385 * allocation against the max-contracts resource control is released,
386 * and the contract type's free entry point is invoked for any
387 * type-specific deconstruction and to (presumably) free the object.
388 */
389 void
391 {
399 /*
400 * ct_owner is cleared when it drops its reference.
401 */
405 /*
406 * Remove from global contract AVL
407 */
412 /*
413 * Remove from type AVL
414 */
419 /*
420 * Release the contract's ID
421 */
424 /*
425 * Release project hold
426 */
432 /*
433 * Free the contract
434 */
437 }
438 }
440 /*
441 * contract_hold
442 *
443 * Adds a reference to a contract
444 */
445 void
447 {
452 }
454 /*
455 * contract_getzuniqid
456 *
457 * Get a contract's zone unique ID. Needed because 64-bit reads and
458 * writes aren't atomic on x86. Since there are contexts where we are
459 * unable to take ct_lock, we instead use ct_reflock; in actuality any
460 * lock would do.
461 */
462 uint64_t
464 {
472 }
474 /*
475 * contract_setzuniqid
476 *
477 * Sets a contract's zone unique ID. See contract_getzuniqid.
478 */
479 void
481 {
485 }
487 /*
488 * contract_abandon
489 *
490 * Abandons the specified contract. If "explicit" is clear, the
491 * contract was implicitly abandoned (by process exit) and should be
492 * inherited if its terms allow it and its owner was a member of a
493 * regent contract. Otherwise, the contract type's abandon entry point
494 * is invoked to either destroy or orphan the contract.
495 */
496 int
498 {
507 /*
508 * Multiple contract locks are taken contract -> subcontract.
509 * Check if the contract will be inherited so we can acquire
510 * all the necessary locks before making sensitive changes.
511 */
518 }
525 }
533 /*
534 * Since we can't call cte_trim with the contract lock held,
535 * we grab the queue pointer here.
536 */
540 /*
541 * contop_abandon may destroy the contract so we rely on it to
542 * drop ct_lock. We retain a reference on the contract so that
543 * the cte_trim which follows functions properly. Even though
544 * cte_trim doesn't dereference the contract pointer, it is
545 * still necessary to retain a reference to the contract so
546 * that we don't trim events which are sent by a subsequently
547 * allocated contract infortuitously located at the same address.
548 */
556 /*
557 * We are handing off the process's reference to the
558 * parent contract. For this reason, the order in
559 * which we drop the contract locks is also important.
560 */
566 }
568 /*
569 * ct_lock has been dropped; we can safely trim the event
570 * queue now.
571 */
576 }
581 }
583 int
585 {
587 }
589 /*
590 * contract_adopt
591 *
592 * Adopts a contract. After a successful call to this routine, the
593 * previously inherited contract will belong to the calling process,
594 * and its events will have been appended to its new owner's process
595 * bundle queue.
596 */
597 int
599 {
600 avl_index_t where;
606 /*
607 * Ensure the process has an event queue. Checked by ASSERTs
608 * below.
609 */
619 }
621 /*
622 * Multiple contract locks are taken contract -> subcontract.
623 */
628 /*
629 * It is possible that the contract was adopted by someone else
630 * while its lock was dropped. It isn't possible for the
631 * contract to have been inherited by a different regent
632 * contract.
633 */
638 }
658 }
660 /*
661 * contract_ack
662 *
663 * Acknowledges receipt of a critical event.
664 */
665 int
667 {
672 uint_t evtype;
678 /*
679 * We are probably ACKing something near the head of the queue.
680 */
692 }
694 }
695 }
699 /*
700 * Not all critical events are negotiation events, however
701 * every negotiation event is a critical event. NEGEND events
702 * are critical events but are not negotiation events
703 */
709 else
713 }
715 /*ARGSUSED*/
716 int
718 {
722 }
724 /*ARGSUSED*/
725 int
727 {
731 }
733 /*ARGSUSED*/
734 int
736 {
738 }
740 /*
741 * contract_qack
742 *
743 * Asks that negotiations be extended by another time quantum
744 */
745 int
747 {
751 uint_t evtype;
761 }
763 }
764 }
768 /*
769 * Only a negotiated event (which is by definition also a critical
770 * event) which has not yet been acknowledged can provide
771 * time quanta to a negotiating owner process.
772 */
777 }
779 /*
780 * contract_orphan
781 *
782 * Icky-poo. This is a process-contract special, used to ACK all
783 * critical messages when a contract is orphaned.
784 */
785 void
787 {
800 }
801 }
805 }
807 /*
808 * contract_destroy
809 *
810 * Explicit contract destruction. Called when contract is empty.
811 * The contract will actually stick around until all of its events are
812 * removed from the bundle and and process bundle queues, and all fds
813 * which refer to it are closed. See contract_dtor if you are looking
814 * for what destroys the contract structure.
815 */
816 void
818 {
833 }
835 /*
836 * contract_vnode_get
837 *
838 * Obtains the contract directory vnode for this contract, if there is
839 * one. The caller must VN_RELE the vnode when they are through using
840 * it.
841 */
842 vnode_t *
844 {
855 }
858 }
860 /*
861 * contract_vnode_set
862 *
863 * Sets the contract directory vnode for this contract. We don't hold
864 * a reference on the vnode because we don't want to prevent it from
865 * being freed. The vnode's inactive entry point will take care of
866 * notifying us when it should be removed.
867 */
868 void
870 {
875 }
877 /*
878 * contract_vnode_clear
879 *
880 * Removes this vnode as the contract directory vnode for this
881 * contract. Called from a contract directory's inactive entry point,
882 * this may return 0 indicating that the vnode gained another reference
883 * because of a simultaneous call to contract_vnode_get.
884 */
885 int
887 {
899 }
904 }
906 /*
907 * contract_exit
908 *
909 * Abandons all contracts held by process p, and drains process p's
910 * bundle queues. Called on process exit.
911 */
912 void
914 {
921 /*
922 * Abandon held contracts. contract_abandon knows enough not
923 * to remove the contract from the list a second time. We are
924 * exiting, so no locks are needed here. But because
925 * contract_abandon will take p_lock, we need to make sure we
926 * aren't holding it.
927 */
932 /*
933 * Drain pbundles. Because a process bundle queue could have
934 * been passed to another process, they may not be freed right
935 * away.
936 */
942 }
943 }
945 static int
947 {
957 }
959 /*
960 * contract_status_common
961 *
962 * Populates a ct_status structure. Used by contract types in their
963 * status entry points and ctfs when only common information is
964 * requested.
965 */
966 void
968 model_t model)
969 {
979 /*
980 * Contracts don't have holds on the zones they were
981 * created by. If the contract's zone no longer
982 * exists, we say its zoneid is -1.
983 */
991 }
999 /*
1000 * We are looking at a contract which was created by a
1001 * process outside of our zone. We provide fake zone,
1002 * holder, and state information.
1003 */
1006 /*
1007 * Since "zone" can't disappear until the calling ctfs
1008 * is unmounted, zone_zsched must be valid.
1009 */
1014 }
1025 }
1027 /*
1028 * contract_checkcred
1029 *
1030 * Determines if the specified contract is owned by a process with the
1031 * same effective uid as the specified credential. The caller must
1032 * ensure that the uid spaces are the same. Returns 1 on success.
1033 */
1034 static int
1036 {
1045 }
1049 }
1051 /*
1052 * contract_owned
1053 *
1054 * Determines if the specified credential can view an event generated
1055 * by the specified contract. If locked is set, the contract's ct_lock
1056 * is held and the caller will need to do additional work to determine
1057 * if they truly can see the event. Returns 1 on success.
1058 */
1059 int
1061 {
1064 uid_t euid;
1072 /*
1073 * owner: we own the contract
1074 * cmatch: we are in the creator's (and holder's) zone and our
1075 * uid matches the creator's or holder's
1076 * zmatch: we are in the effective zone of a contract created
1077 * in the global zone, and our uid matches that of the
1078 * virtualized holder's (zsched/kcred)
1079 */
1087 }
1090 /*
1091 * contract_type_init
1092 *
1093 * Called by contract types to register themselves with the contracts
1094 * framework.
1095 */
1096 ct_type_t *
1099 {
1120 }
1122 /*
1123 * contract_type_count
1124 *
1125 * Obtains the number of contracts of a particular type.
1126 */
1127 int
1129 {
1130 ulong_t count;
1137 }
1139 /*
1140 * contract_type_max
1141 *
1142 * Obtains the maximum contract id of of a particular type.
1143 */
1144 ctid_t
1146 {
1148 ctid_t res;
1156 }
1158 /*
1159 * contract_max
1160 *
1161 * Obtains the maximum contract id.
1162 */
1163 ctid_t
1165 {
1167 ctid_t res;
1175 }
1177 /*
1178 * contract_lookup_common
1179 *
1180 * Common code for contract_lookup and contract_type_lookup. Takes a
1181 * pointer to an AVL tree to search in. Should be called with the
1182 * appropriate tree-protecting lock held (unfortunately unassertable).
1183 */
1184 static ctid_t
1186 {
1188 avl_index_t where;
1189 ctid_t res;
1201 }
1203 /*
1204 * contract_type_lookup
1205 *
1206 * Returns the next type contract after the specified id, visible from
1207 * the specified zone.
1208 */
1209 ctid_t
1211 {
1212 ctid_t res;
1219 }
1221 /*
1222 * contract_lookup
1223 *
1224 * Returns the next contract after the specified id, visible from the
1225 * specified zone.
1226 */
1227 ctid_t
1229 {
1230 ctid_t res;
1237 }
1239 /*
1240 * contract_plookup
1241 *
1242 * Returns the next contract held by process p after the specified id,
1243 * visible from the specified zone. Made complicated by the fact that
1244 * contracts visible in a zone but held by processes outside of the
1245 * zone need to appear as being held by zsched to zone members.
1246 */
1247 ctid_t
1249 {
1251 avl_index_t where;
1252 ctid_t res;
1257 /* This is inelegant. */
1275 }
1278 }
1280 /*
1281 * contract_ptr_common
1282 *
1283 * Common code for contract_ptr and contract_type_ptr. Takes a pointer
1284 * to an AVL tree to search in. Should be called with the appropriate
1285 * tree-protecting lock held (unfortunately unassertable).
1286 */
1289 {
1297 }
1299 /*
1300 * Check to see if a thread is in the window in contract_rele
1301 * between dropping the reference count and removing the
1302 * contract from the type AVL.
1303 */
1311 }
1314 }
1316 /*
1317 * contract_type_ptr
1318 *
1319 * Returns a pointer to the contract with the specified id. The
1320 * contract is held, so the caller needs to release the reference when
1321 * it is through with the contract.
1322 */
1323 contract_t *
1325 {
1333 }
1335 /*
1336 * contract_ptr
1337 *
1338 * Returns a pointer to the contract with the specified id. The
1339 * contract is held, so the caller needs to release the reference when
1340 * it is through with the contract.
1341 */
1342 contract_t *
1344 {
1352 }
1354 /*
1355 * contract_type_time
1356 *
1357 * Obtains the last time a contract of a particular type was created.
1358 */
1359 void
1361 {
1365 }
1367 /*
1368 * contract_type_bundle
1369 *
1370 * Obtains a type's bundle queue.
1371 */
1372 ct_equeue_t *
1374 {
1376 }
1378 /*
1379 * contract_type_pbundle
1380 *
1381 * Obtain's a process's bundle queue. If one doesn't exist, one is
1382 * created. Often used simply to ensure that a bundle queue is
1383 * allocated.
1384 */
1385 ct_equeue_t *
1387 {
1388 /*
1389 * If there isn't an array of bundle queues, allocate one.
1390 */
1398 else
1401 }
1403 /*
1404 * If there isn't a bundle queue of the required type, allocate
1405 * one.
1406 */
1414 else
1417 }
1420 }
1422 /*
1423 * ctparam_copyin
1424 *
1425 * copyin a ct_param_t for CT_TSET or CT_TGET commands.
1426 * If ctparam_copyout() is not called after ctparam_copyin(), then
1427 * the caller must kmem_free() the buffer pointed by kparam->ctpm_kbuf.
1428 *
1429 * The copyin/out of ct_param_t is not done in ctmpl_set() and ctmpl_get()
1430 * because prctioctl() calls ctmpl_set() and ctmpl_get() while holding a
1431 * process lock.
1432 */
1433 int
1435 {
1455 }
1456 }
1463 }
1465 /*
1466 * ctparam_copyout
1467 *
1468 * copyout a ct_kparam_t and frees the buffer pointed by the member
1469 * ctpm_kbuf of ct_kparam_t
1470 */
1471 int
1473 {
1486 }
1490 }
1492 error:
1496 }
1498 /*
1499 * ctmpl_free
1500 *
1501 * Frees a template.
1502 */
1503 void
1505 {
1508 }
1510 /*
1511 * ctmpl_dup
1512 *
1513 * Creates a copy of a template.
1514 */
1515 ct_template_t *
1517 {
1524 /*
1525 * ctmpl_lock was taken by ctop_dup's call to ctmpl_copy and
1526 * should have remain held until now.
1527 */
1531 }
1533 /*
1534 * ctmpl_set
1535 *
1536 * Sets the requested terms of a template.
1537 */
1538 int
1540 {
1552 }
1553 }
1563 else
1571 /*
1572 * Assume that a pure reduction of the critical
1573 * set is allowed by the contract type.
1574 */
1577 }
1578 /*
1579 * There may be restrictions on what we can make
1580 * critical, so we defer to the judgement of the
1581 * contract type.
1582 */
1583 /* FALLTHROUGH */
1586 }
1590 }
1592 /*
1593 * ctmpl_get
1594 *
1595 * Obtains the requested terms from a template.
1596 *
1597 * If the term requested is a variable-sized term and the buffer
1598 * provided is too small for the data, we truncate the data and return
1599 * the buffer size necessary to fit the term in kparam->ret_size. If the
1600 * term requested is fix-sized (uint64_t) and the buffer provided is too
1601 * small, we return EINVAL. This should never happen if you're using
1602 * libcontract(3LIB), only if you call ioctl with a hand constructed
1603 * ct_param_t argument.
1604 *
1605 * Currently, only contract specific parameters have variable-sized
1606 * parameters.
1607 */
1608 int
1610 {
1623 }
1624 }
1639 }
1643 }
1645 /*
1646 * ctmpl_makecurrent
1647 *
1648 * Used by ctmpl_activate and ctmpl_clear to set the current thread's
1649 * active template. Frees the old active template, if there was one.
1650 */
1651 static void
1653 {
1665 }
1667 /*
1668 * ctmpl_activate
1669 *
1670 * Copy the specified template as the current thread's activate
1671 * template of that type.
1672 */
1673 void
1675 {
1677 }
1679 /*
1680 * ctmpl_clear
1681 *
1682 * Clears the current thread's activate template of the same type as
1683 * the specified template.
1684 */
1685 void
1687 {
1689 }
1691 /*
1692 * ctmpl_create
1693 *
1694 * Creates a new contract using the specified template.
1695 */
1696 int
1698 {
1700 }
1702 /*
1703 * ctmpl_init
1704 *
1705 * Initializes the common portion of a new contract template.
1706 */
1707 void
1709 {
1716 }
1718 /*
1719 * ctmpl_copy
1720 *
1721 * Copies the common portions of a contract template. Intended for use
1722 * by a contract type's ctop_dup template op. Returns with the old
1723 * template's lock held, which will should remain held until the
1724 * template op returns (it is dropped by ctmpl_dup).
1725 */
1726 void
1728 {
1736 }
1738 /*
1739 * ctmpl_create_inval
1740 *
1741 * Returns EINVAL. Provided for the convenience of those contract
1742 * types which don't support ct_tmpl_create(3contract) and would
1743 * otherwise need to create their own stub for the ctop_create template
1744 * op.
1745 */
1746 /*ARGSUSED*/
1747 int
1749 {
1751 }
1754 /*
1755 * cte_queue_create
1756 *
1757 * Initializes a queue of a particular type. If dynamic is set, the
1758 * queue is to be freed when its last listener is removed after being
1759 * drained.
1760 */
1761 static void
1763 {
1778 /*
1779 * Bundle queues and contract queues are embedded in other
1780 * structures and are implicitly referenced counted by virtue
1781 * of their vnodes' indirect hold on their contracts. Process
1782 * bundle queues are dynamically allocated and may persist
1783 * after the death of the process, so they must be explicitly
1784 * reference counted.
1785 */
1787 }
1789 /*
1790 * cte_queue_destroy
1791 *
1792 * Destroys the specified queue. The queue is freed if referenced
1793 * counted.
1794 */
1795 static void
1797 {
1807 }
1809 /*
1810 * cte_hold
1811 *
1812 * Takes a hold on the specified event.
1813 */
1814 static void
1816 {
1821 }
1823 /*
1824 * cte_rele
1825 *
1826 * Releases a hold on the specified event. If the caller had the last
1827 * reference, frees the event and releases its hold on the contract
1828 * that generated it.
1829 */
1830 static void
1832 {
1838 }
1846 }
1848 /*
1849 * cte_qrele
1850 *
1851 * Remove this listener's hold on the specified event, removing and
1852 * releasing the queue's hold on the event if appropriate.
1853 */
1854 static void
1856 {
1867 }
1868 }
1870 /*
1871 * cte_qmove
1872 *
1873 * Move this listener to the specified event in the queue.
1874 */
1877 {
1895 }
1902 }
1904 /*
1905 * cte_checkcred
1906 *
1907 * Determines if the specified event's contract is owned by a process
1908 * with the same effective uid as the specified credential. Called
1909 * after a failed call to contract_owned with locked set. Because it
1910 * drops the queue lock, its caller (cte_qreadable) needs to make sure
1911 * we're still in the same place after we return. Returns 1 on
1912 * success.
1913 */
1914 static int
1916 {
1928 }
1930 /*
1931 * cte_qreadable
1932 *
1933 * Ensures that the listener is pointing to a valid event that the
1934 * caller has the credentials to read. Returns 0 if we can read the
1935 * event we're pointing to.
1936 */
1937 static int
1940 {
1953 /*
1954 * Check obvious things first. If we are looking for a
1955 * critical message, is this one? If we aren't in the
1956 * global zone, is this message meant for us?
1957 */
1964 /*
1965 * Next, see if our effective uid equals that of owner
1966 * or author of the contract. Since we are holding the
1967 * queue lock, contract_owned can't always check if we
1968 * have the same effective uid as the contract's
1969 * owner. If it comes to that, it fails and we take
1970 * the slow(er) path.
1971 */
1974 /*
1975 * At this point we either don't have any claim
1976 * to this contract or we match the effective
1977 * uid of the owner but couldn't tell. We
1978 * first test for a NULL holder so that events
1979 * from orphans and inherited contracts avoid
1980 * the penalty phase.
1981 */
1986 /*
1987 * cte_checkcred will juggle locks to see if we
1988 * have the same uid as the event's contract's
1989 * current owner. If it succeeds, we have to
1990 * make sure we are in the same point in the
1991 * queue.
1992 */
1997 /*
1998 * cte_checkcred failed; see if we're in the
1999 * same place.
2000 */
2004 else
2007 /*
2008 * cte_checkcred failed, and our position was
2009 * changed. Start from there.
2010 */
2011 else
2015 }
2016 }
2018 /*
2019 * We check for CTLF_COPYOUT again in case we dropped the queue
2020 * lock in cte_checkcred.
2021 */
2023 }
2025 /*
2026 * cte_qwakeup
2027 *
2028 * Wakes up any waiting listeners and points them at the specified event.
2029 */
2030 static void
2032 {
2045 }
2046 }
2048 /*
2049 * cte_copy
2050 *
2051 * Copies events from the specified contract event queue to the
2052 * end of the specified process bundle queue. Only called from
2053 * contract_adopt.
2054 *
2055 * We copy to the end of the target queue instead of mixing the events
2056 * in their proper order because otherwise the act of adopting a
2057 * contract would require a process to reset all process bundle
2058 * listeners it needed to see the new events. This would, in turn,
2059 * require the process to keep track of which preexisting events had
2060 * already been processed.
2061 */
2062 static void
2064 {
2073 /*
2074 * For now, only copy critical events.
2075 */
2081 /*
2082 * It is possible for adoption to race with an owner's
2083 * cte_publish_all(); we must only enqueue events that
2084 * have not already been enqueued.
2085 */
2090 }
2091 }
2092 }
2100 }
2102 /*
2103 * cte_trim
2104 *
2105 * Trims unneeded events from an event queue. Algorithm works as
2106 * follows:
2107 *
2108 * Removes all informative and acknowledged critical events until the
2109 * first referenced event is found.
2110 *
2111 * If a contract is specified, removes all events (regardless of
2112 * acknowledgement) generated by that contract until the first event
2113 * referenced by a reliable listener is found. Reference events are
2114 * removed by marking them "trimmed". Such events will be removed
2115 * when the last reference is dropped and will be skipped by future
2116 * listeners.
2117 *
2118 * This is pretty basic. Ideally this should remove from the middle of
2119 * the list (i.e. beyond the first referenced event), and even
2120 * referenced events.
2121 */
2122 static void
2124 {
2139 /*
2140 * Toss informative and ACKed critical messages.
2141 */
2144 }
2151 /*
2152 * Don't free messages past the first reader.
2153 */
2155 }
2156 }
2157 }
2159 /*
2160 * cte_queue_drain
2161 *
2162 * Drain all events from the specified queue, and mark it dead. If
2163 * "ack" is set, acknowledge any critical events we find along the
2164 * way.
2165 */
2166 static void
2168 {
2177 /*
2178 * Make sure critical messages are eventually
2179 * removed from the bundle queues.
2180 */
2186 }
2192 }
2194 /*
2195 * This is necessary only because of CTEL_PBUNDLE listeners;
2196 * the events they point to can move from one pbundle to
2197 * another. Fortunately, this only happens if the contract is
2198 * inherited, which (in turn) only happens if the process
2199 * exits, which means it's an all-or-nothing deal. If this
2200 * wasn't the case, we would instead need to keep track of
2201 * listeners on a per-event basis, not just a per-queue basis.
2202 * This would have the side benefit of letting us clean up
2203 * trimmed events sooner (i.e. immediately), but would
2204 * unfortunately make events even bigger than they already
2205 * are.
2206 */
2213 }
2215 }
2217 /*
2218 * Disallow events.
2219 */
2222 /*
2223 * If we represent the last reference to a reference counted
2224 * process bundle queue, free it.
2225 */
2228 else
2230 }
2232 /*
2233 * cte_publish
2234 *
2235 * Publishes an event to a specific queue. Only called by
2236 * cte_publish_all.
2237 */
2238 static void
2240 {
2245 /*
2246 * If this event may already exist on this queue, check to see if it
2247 * is already there and return if so.
2248 */
2254 }
2256 /*
2257 * Don't publish if the event is informative and there aren't
2258 * any listeners, or if the queue has been shut down.
2259 */
2265 }
2267 /*
2268 * Enqueue event
2269 */
2274 /*
2275 * Check for waiting listeners
2276 */
2279 /*
2280 * Trim unnecessary events from the queue.
2281 */
2284 }
2286 /*
2287 * cte_publish_all
2288 *
2289 * Publish an event to all necessary event queues. The event, e, must
2290 * be zallocated by the caller, and the event's flags and type must be
2291 * set. The rest of the event's fields are initialized here.
2292 */
2293 uint64_t
2295 {
2297 timespec_t ts;
2309 /*
2310 * For a negotiation event we set the ct->ct_nevent field of the
2311 * contract for the duration of the negotiation
2312 */
2319 }
2323 /*
2324 * ct_evtlock simply (and only) ensures that two events sent
2325 * from the same contract are delivered to all queues in the
2326 * same order.
2327 */
2330 /*
2331 * CTEL_CONTRACT - First deliver to the contract queue, acking
2332 * the event if the contract has been orphaned.
2333 */
2339 else
2341 }
2345 /*
2346 * CTEL_BUNDLE - Next deliver to the contract type's bundle
2347 * queue.
2348 */
2352 /*
2353 * CTEL_PBUNDLE - Finally, if the contract has an owner,
2354 * deliver to the owner's process bundle queue.
2355 */
2358 /*
2359 * proc_exit doesn't free event queues until it has
2360 * abandoned all contracts.
2361 */
2368 /*
2369 * It is possible for this code to race with adoption; we
2370 * publish the event indicating that the event may already
2371 * be enqueued because adoption beat us to it (in which case
2372 * cte_pubish() does nothing).
2373 */
2378 }
2386 }
2391 }
2393 /*
2394 * cte_add_listener
2395 *
2396 * Add a new listener to an event queue.
2397 */
2398 void
2400 {
2411 }
2413 /*
2414 * cte_remove_listener
2415 *
2416 * Remove a listener from an event queue. No other queue activities
2417 * (e.g. cte_get event) may be in progress at this endpoint when this
2418 * is called.
2419 */
2420 void
2422 {
2432 else
2442 /*
2443 * If we are a the last listener of a dead reference counted
2444 * queue (i.e. a process bundle) we free it. Otherwise we just
2445 * trim any events which may have been kept around for our
2446 * benefit.
2447 */
2454 }
2455 }
2457 /*
2458 * cte_reset_listener
2459 *
2460 * Moves a listener's queue pointer to the beginning of the queue.
2461 */
2462 void
2464 {
2469 /*
2470 * We allow an asynchronous reset because it doesn't make a
2471 * whole lot of sense to make reset block or fail. We already
2472 * have most of the mechanism needed thanks to queue trimming,
2473 * so implementing it isn't a big deal.
2474 */
2480 /*
2481 * Inform blocked readers.
2482 */
2486 }
2488 /*
2489 * cte_next_event
2490 *
2491 * Moves the event pointer for the specified listener to the next event
2492 * on the queue. To avoid races, this movement only occurs if the
2493 * specified event id matches that of the current event. This is used
2494 * primarily to skip events that have been read but whose extended data
2495 * haven't been copied out.
2496 */
2497 int
2499 {
2514 }
2516 /*
2517 * cte_get_event
2518 *
2519 * Reads an event from an event endpoint. If "nonblock" is clear, we
2520 * block until a suitable event is ready. If "crit" is set, we only
2521 * read critical events. Note that while "cr" is the caller's cred,
2522 * "zuniqid" is the unique id of the zone the calling contract
2523 * filesystem was mounted in.
2524 */
2525 int
2528 {
2538 /*
2539 * cte_qreadable checks for CTLF_COPYOUT as well as ensures
2540 * that there exists, and we are pointing to, an appropriate
2541 * event. It may temporarily drop ctq_lock, but that doesn't
2542 * really matter to us.
2543 */
2549 }
2553 }
2558 }
2559 }
2565 /*
2566 * We now have an event. Copy in the user event structure to
2567 * see how much space we have to work with.
2568 */
2573 /*
2574 * Determine what data we have and what the user should be
2575 * allowed to see.
2576 */
2582 }
2587 }
2589 /*
2590 * If we have enough space, copy out the extended event data.
2591 */
2605 }
2607 /* This shouldn't have changed */
2610 len);
2616 }
2617 }
2619 /*
2620 * Copy out the common event data.
2621 */
2633 copyerr:
2634 /*
2635 * Only move our location in the queue if all copyouts were
2636 * successful, the caller provided enough space for the entire
2637 * event, and our endpoint wasn't reset or otherwise moved by
2638 * another thread.
2639 */
2647 /*
2648 * Signal any readers blocked on our CTLF_COPYOUT.
2649 */
2653 error:
2656 }
2658 /*
2659 * cte_set_reliable
2660 *
2661 * Requests that events be reliably delivered to an event endpoint.
2662 * Unread informative and acknowledged critical events will not be
2663 * removed from the queue until this listener reads or skips them.
2664 * Because a listener could maliciously request reliable delivery and
2665 * then do nothing, this requires that PRIV_CONTRACT_EVENT be in the
2666 * caller's effective set.
2667 */
2668 int
2670 {
2683 ctm_nreliable++;
2684 }
2688 }