| blob | a5b968c53cb542aface0ca0b78897ec0cb76958d |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2013, Joyent, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 */
28 /*
29 * rc_node.c - In-memory SCF object management
30 *
31 * This layer manages the in-memory cache (the Repository Cache) of SCF
32 * data. Read requests are usually satisfied from here, but may require
33 * load calls to the "object" layer. Modify requests always write-through
34 * to the object layer.
35 *
36 * SCF data comprises scopes, services, instances, snapshots, snaplevels,
37 * property groups, properties, and property values. All but the last are
38 * known here as "entities" and are represented by rc_node_t data
39 * structures. (Property values are kept in the rn_values member of the
40 * respective property, not as separate objects.) All entities besides
41 * the "localhost" scope have some entity as a parent, and therefore form
42 * a tree.
43 *
44 * The entity tree is rooted at rc_scope, which rc_node_init() initializes to
45 * the "localhost" scope. The tree is filled in from the database on-demand
46 * by rc_node_fill_children().
47 *
48 * rc_node_t's are also placed in the cache_hash[] hash table, for rapid
49 * lookup.
50 *
51 * Multiple threads may service client requests, so access to each
52 * rc_node_t is synchronized by its rn_lock member. Some fields are
53 * protected by bits in the rn_flags field instead, to support operations
54 * which need to drop rn_lock, for example to respect locking order. Such
55 * flags should be manipulated with the rc_node_{hold,rele}_flag()
56 * functions.
57 *
58 * We track references to nodes to tell when they can be free()d. rn_refs
59 * should be incremented with rc_node_hold() on the creation of client
60 * references (rc_node_ptr_t's and rc_iter_t's). rn_erefs ("ephemeral
61 * references") should be incremented when a pointer is read into a local
62 * variable of a thread, with rc_node_hold_ephemeral_locked(). This
63 * hasn't been fully implemented, however, so rc_node_rele() tolerates
64 * rn_erefs being 0. Some code which predates rn_erefs counts ephemeral
65 * references in rn_refs. Other references are tracked by the
66 * rn_other_refs field and the RC_NODE_DEAD, RC_NODE_IN_PARENT,
67 * RC_NODE_OLD, and RC_NODE_ON_FORMER flags.
68 *
69 * Locking rules: To dereference an rc_node_t * (usually to lock it), you must
70 * have a hold (rc_node_hold()) on it or otherwise be sure that it hasn't been
71 * rc_node_destroy()ed (hold a lock on its parent or child, hold a flag,
72 * etc.). Once you have locked an rc_node_t you must check its rn_flags for
73 * RC_NODE_DEAD before you can use it. This is usually done with the
74 * rc_node_{wait,hold}_flag() functions (often via the rc_node_check_*()
75 * functions & RC_NODE_*() macros), which fail if the object has died.
76 *
77 * When a transactional node (property group or snapshot) is updated,
78 * a new node takes the place of the old node in the global hash and the
79 * old node is hung off of the rn_former list of the new node. At the
80 * same time, all of its children have their rn_parent_ref pointer set,
81 * and any holds they have are reflected in the old node's rn_other_refs
82 * count. This is automatically kept up to date until the final reference
83 * to the subgraph is dropped, at which point the node is unrefed and
84 * destroyed, along with all of its children.
85 *
86 * Because name service lookups may take a long time and, more importantly
87 * may trigger additional accesses to the repository, perm_granted() must be
88 * called without holding any locks.
89 *
90 * An ITER_START for a non-ENTITY_VALUE induces an rc_node_fill_children()
91 * call via rc_node_setup_iter() to populate the rn_children uu_list of the
92 * rc_node_t * in question and a call to uu_list_walk_start() on that list. For
93 * ITER_READ, rc_iter_next() uses uu_list_walk_next() to find the next
94 * apropriate child.
95 *
96 * An ITER_START for an ENTITY_VALUE makes sure the node has its values
97 * filled, and sets up the iterator. An ITER_READ_VALUE just copies out
98 * the proper values and updates the offset information.
99 *
100 * To allow aliases, snapshots are implemented with a level of indirection.
101 * A snapshot rc_node_t has a snapid which refers to an rc_snapshot_t in
102 * snapshot.c which contains the authoritative snaplevel information. The
103 * snapid is "assigned" by rc_attach_snapshot().
104 *
105 * We provide the client layer with rc_node_ptr_t's to reference objects.
106 * Objects referred to by them are automatically held & released by
107 * rc_node_assign() & rc_node_clear(). The RC_NODE_PTR_*() macros are used at
108 * client.c entry points to read the pointers. They fetch the pointer to the
109 * object, return (from the function) if it is dead, and lock, hold, or hold
110 * a flag of the object.
111 */
113 /*
114 * Permission checking is authorization-based: some operations may only
115 * proceed if the user has been assigned at least one of a set of
116 * authorization strings. The set of enabling authorizations depends on the
117 * operation and the target object. The set of authorizations assigned to
118 * a user is determined by an algorithm defined in libsecdb.
119 *
120 * The fastest way to decide whether the two sets intersect is by entering the
121 * strings into a hash table and detecting collisions, which takes linear time
122 * in the total size of the sets. Except for the authorization patterns which
123 * may be assigned to users, which without advanced pattern-matching
124 * algorithms will take O(n) in the number of enabling authorizations, per
125 * pattern.
126 *
127 * We can achieve some practical speed-ups by noting that if we enter all of
128 * the authorizations from one of the sets into the hash table we can merely
129 * check the elements of the second set for existence without adding them.
130 * This reduces memory requirements and hash table clutter. The enabling set
131 * is well suited for this because it is internal to configd (for now, at
132 * least). Combine this with short-circuiting and we can even minimize the
133 * number of queries to the security databases (user_attr & prof_attr).
134 *
135 * To force this usage onto clients we provide functions for adding
136 * authorizations to the enabling set of a permission context structure
137 * (perm_add_*()) and one to decide whether the the user associated with the
138 * current door call client possesses any of them (perm_granted()).
139 *
140 * At some point, a generic version of this should move to libsecdb.
141 *
142 * While entering the enabling strings into the hash table, we keep track
143 * of which is the most specific for use in generating auditing events.
144 * See the "Collecting the Authorization String" section of the "SMF Audit
145 * Events" block comment below.
146 */
148 /*
149 * Composition is the combination of sets of properties. The sets are ordered
150 * and properties in higher sets obscure properties of the same name in lower
151 * sets. Here we present a composed view of an instance's properties as the
152 * union of its properties and its service's properties. Similarly the
153 * properties of snaplevels are combined to form a composed view of the
154 * properties of a snapshot (which should match the composed view of the
155 * properties of the instance when the snapshot was taken).
156 *
157 * In terms of the client interface, the client may request that a property
158 * group iterator for an instance or snapshot be composed. Property groups
159 * traversed by such an iterator may not have the target entity as a parent.
160 * Similarly, the properties traversed by a property iterator for those
161 * property groups may not have the property groups iterated as parents.
162 *
163 * Implementation requires that iterators for instances and snapshots be
164 * composition-savvy, and that we have a "composed property group" entity
165 * which represents the composition of a number of property groups. Iteration
166 * over "composed property groups" yields properties which may have different
167 * parents, but for all other operations a composed property group behaves
168 * like the top-most property group it represents.
169 *
170 * The implementation is based on the rn_cchain[] array of rc_node_t pointers
171 * in rc_node_t. For instances, the pointers point to the instance and its
172 * parent service. For snapshots they point to the child snaplevels, and for
173 * composed property groups they point to property groups. A composed
174 * iterator carries an index into rn_cchain[]. Thus most of the magic ends up
175 * int the rc_iter_*() code.
176 */
177 /*
178 * SMF Audit Events:
179 * ================
180 *
181 * To maintain security, SMF generates audit events whenever
182 * privileged operations are attempted. See the System Administration
183 * Guide:Security Services answerbook for a discussion of the Solaris
184 * audit system.
185 *
186 * The SMF audit event codes are defined in adt_event.h by symbols
187 * starting with ADT_smf_ and are described in audit_event.txt. The
188 * audit record structures are defined in the SMF section of adt.xml.
189 * adt.xml is used to automatically generate adt_event.h which
190 * contains the definitions that we code to in this file. For the
191 * most part the audit events map closely to actions that you would
192 * perform with svcadm or svccfg, but there are some special cases
193 * which we'll discuss later.
194 *
195 * The software associated with SMF audit events falls into three
196 * categories:
197 * - collecting information to be written to the audit
198 * records
199 * - using the adt_* functions in
200 * usr/src/lib/libbsm/common/adt.c to generate the audit
201 * records.
202 * - handling special cases
203 *
204 * Collecting Information:
205 * ----------------------
206 *
207 * Most all of the audit events require the FMRI of the affected
208 * object and the authorization string that was used. The one
209 * exception is ADT_smf_annotation which we'll talk about later.
210 *
211 * Collecting the FMRI:
212 *
213 * The rc_node structure has a member called rn_fmri which points to
214 * its FMRI. This is initialized by a call to rc_node_build_fmri()
215 * when the node's parent is established. The reason for doing it
216 * at this time is that a node's FMRI is basically the concatenation
217 * of the parent's FMRI and the node's name with the appropriate
218 * decoration. rc_node_build_fmri() does this concatenation and
219 * decorating. It is called from rc_node_link_child() and
220 * rc_node_relink_child() where a node is linked to its parent.
221 *
222 * rc_node_get_fmri_or_fragment() is called to retrieve a node's FMRI
223 * when it is needed. It returns rn_fmri if it is set. If the node
224 * is at the top level, however, rn_fmri won't be set because it was
225 * never linked to a parent. In this case,
226 * rc_node_get_fmri_or_fragment() constructs an FMRI fragment based on
227 * its node type and its name, rn_name.
228 *
229 * Collecting the Authorization String:
230 *
231 * Naturally, the authorization string is captured during the
232 * authorization checking process. Acceptable authorization strings
233 * are added to a permcheck_t hash table as noted in the section on
234 * permission checking above. Once all entries have been added to the
235 * hash table, perm_granted() is called. If the client is authorized,
236 * perm_granted() returns with pc_auth_string of the permcheck_t
237 * structure pointing to the authorization string.
238 *
239 * This works fine if the client is authorized, but what happens if
240 * the client is not authorized? We need to report the required
241 * authorization string. This is the authorization that would have
242 * been used if permission had been granted. perm_granted() will
243 * find no match, so it needs to decide which string in the hash
244 * table to use as the required authorization string. It needs to do
245 * this, because configd is still going to generate an event. A
246 * design decision was made to use the most specific authorization
247 * in the hash table. The pc_auth_type enum designates the
248 * specificity of an authorization string. For example, an
249 * authorization string that is declared in an instance PG is more
250 * specific than one that is declared in a service PG.
251 *
252 * The pc_add() function keeps track of the most specific
253 * authorization in the hash table. It does this using the
254 * pc_specific and pc_specific_type members of the permcheck
255 * structure. pc_add() updates these members whenever a more
256 * specific authorization string is added to the hash table. Thus, if
257 * an authorization match is not found, perm_granted() will return
258 * with pc_auth_string in the permcheck_t pointing to the string that
259 * is referenced by pc_specific.
260 *
261 * Generating the Audit Events:
262 * ===========================
263 *
264 * As the functions in this file process requests for clients of
265 * configd, they gather the information that is required for an audit
266 * event. Eventually, the request processing gets to the point where
267 * the authorization is rejected or to the point where the requested
268 * action was attempted. At these two points smf_audit_event() is
269 * called.
270 *
271 * smf_audit_event() takes 4 parameters:
272 * - the event ID which is one of the ADT_smf_* symbols from
273 * adt_event.h.
274 * - status to pass to adt_put_event()
275 * - return value to pass to adt_put_event()
276 * - the event data (see audit_event_data structure)
277 *
278 * All interactions with the auditing software require an audit
279 * session. We use one audit session per configd client. We keep
280 * track of the audit session in the repcache_client structure.
281 * smf_audit_event() calls get_audit_session() to get the session
282 * pointer.
283 *
284 * smf_audit_event() then calls adt_alloc_event() to allocate an
285 * adt_event_data union which is defined in adt_event.h, copies the
286 * data into the appropriate members of the union and calls
287 * adt_put_event() to generate the event.
288 *
289 * Special Cases:
290 * =============
291 *
292 * There are three major types of special cases:
293 *
294 * - gathering event information for each action in a
295 * transaction
296 * - Higher level events represented by special property
297 * group/property name combinations. Many of these are
298 * restarter actions.
299 * - ADT_smf_annotation event
300 *
301 * Processing Transaction Actions:
302 * ------------------------------
303 *
304 * A transaction can contain multiple actions to modify, create or
305 * delete one or more properties. We need to capture information so
306 * that we can generate an event for each property action. The
307 * transaction information is stored in a tx_commmit_data_t, and
308 * object.c provides accessor functions to retrieve data from this
309 * structure. rc_tx_commit() obtains a tx_commit_data_t by calling
310 * tx_commit_data_new() and passes this to object_tx_commit() to
311 * commit the transaction. Then we call generate_property_events() to
312 * generate an audit event for each property action.
313 *
314 * Special Properties:
315 * ------------------
316 *
317 * There are combinations of property group/property name that are special.
318 * They are special because they have specific meaning to startd. startd
319 * interprets them in a service-independent fashion.
320 * restarter_actions/refresh and general/enabled are two examples of these.
321 * A special event is generated for these properties in addition to the
322 * regular property event described in the previous section. The special
323 * properties are declared as an array of audit_special_prop_item
324 * structures at special_props_list in rc_node.c.
325 *
326 * In the previous section, we mentioned the
327 * generate_property_event() function that generates an event for
328 * every property action. Before generating the event,
329 * generate_property_event() calls special_property_event().
330 * special_property_event() checks to see if the action involves a
331 * special property. If it does, it generates a special audit
332 * event.
333 *
334 * ADT_smf_annotation event:
335 * ------------------------
336 *
337 * This is a special event unlike any other. It allows the svccfg
338 * program to store an annotation in the event log before a series
339 * of transactions is processed. It is used with the import and
340 * apply svccfg commands. svccfg uses the rep_protocol_annotation
341 * message to pass the operation (import or apply) and the file name
342 * to configd. The set_annotation() function in client.c stores
343 * these away in the a repcache_client structure. The address of
344 * this structure is saved in the thread_info structure.
345 *
346 * Before it generates any events, smf_audit_event() calls
347 * smf_annotation_event(). smf_annotation_event() calls
348 * client_annotation_needed() which is defined in client.c. If an
349 * annotation is needed client_annotation_needed() returns the
350 * operation and filename strings that were saved from the
351 * rep_protocol_annotation message. smf_annotation_event() then
352 * generates the ADT_smf_annotation event.
353 */
355 #include <assert.h>
356 #include <atomic.h>
357 #include <bsm/adt_event.h>
358 #include <errno.h>
359 #include <libuutil.h>
360 #include <libscf.h>
361 #include <libscf_priv.h>
362 #include <pthread.h>
363 #include <pwd.h>
364 #include <stdio.h>
365 #include <stdlib.h>
366 #include <strings.h>
367 #include <sys/types.h>
368 #include <syslog.h>
369 #include <unistd.h>
370 #include <secdb.h>
378 #define AUTH_PG_ACTIONS SCF_PG_RESTARTER_ACTIONS
379 #define AUTH_PG_ACTIONS_TYPE SCF_PG_RESTARTER_ACTIONS_TYPE
380 #define AUTH_PG_GENERAL SCF_PG_GENERAL
381 #define AUTH_PG_GENERAL_TYPE SCF_PG_GENERAL_TYPE
382 #define AUTH_PG_GENERAL_OVR SCF_PG_GENERAL_OVR
383 #define AUTH_PG_GENERAL_OVR_TYPE SCF_PG_GENERAL_OVR_TYPE
390 #define MAX_VALID_CHILDREN 3
399 #define RT_NO_NAME -1U
419 };
420 #define NUM_TYPES ((sizeof (rc_types) / sizeof (*rc_types)))
422 /* Element of a permcheck_t hash table. */
426 };
428 /*
429 * If an authorization fails, we must decide which of the elements in the
430 * permcheck hash table to use in the audit event. That is to say of all
431 * the strings in the hash table, we must choose one and use it in the audit
432 * event. It is desirable to use the most specific string in the audit
433 * event.
434 *
435 * The pc_auth_type specifies the types (sources) of authorization
436 * strings. The enum is ordered in increasing specificity.
437 */
442 PC_AUTH_INST /* strings specified in PG of an instance. */
445 /*
446 * The following enum is used to represent the results of the checks to see
447 * if the client has the appropriate permissions to perform an action.
448 */
453 PERM_FAIL /* Generic failure. e.g. resources */
456 /* An authorization set hash table. */
464 /* for audit events */
467 /*
468 * Structure for holding audit event data. Not all events use all members
469 * of the structure.
470 */
481 /*
482 * Pointer to function to do special processing to get audit event ID.
483 * Audit event IDs are defined in /usr/include/bsm/adt_event.h. Function
484 * returns 0 if ID successfully retrieved. Otherwise it returns -1.
485 */
487 au_event_t *);
489 au_event_t *);
502 /*
503 * Some combinations of property group/property name require a special
504 * audit event to be generated when there is a change.
505 * audit_special_prop_item_t is used to specify these special cases. The
506 * special_props_list array defines a list of these special properties.
507 */
515 /*
516 * Native builds are done using the build machine's standard include
517 * files. These files may not yet have the definitions for the ADT_smf_*
518 * symbols. Thus, we do not compile this table when doing native builds.
519 */
520 #ifndef NATIVE_BUILD
521 /*
522 * The following special_props_list array specifies property group/property
523 * name combinations that have specific meaning to startd. A special event
524 * is generated for these combinations in addition to the regular property
525 * event.
526 *
527 * At run time this array gets sorted. See the call to qsort(3C) in
528 * rc_node_init(). The array is sorted, so that bsearch(3C) can be used
529 * to do lookups.
530 */
533 NULL},
552 };
553 #define SPECIAL_PROP_COUNT (sizeof (special_props_list) /\
554 sizeof (audit_special_prop_item_t))
557 /*
558 * We support an arbitrary number of clients interested in events for certain
559 * types of changes. Each client is represented by an rc_notify_info_t, and
560 * all clients are chained onto the rc_notify_info_list.
561 *
562 * The rc_notify_list is the global notification list. Each entry is of
563 * type rc_notify_t, which is embedded in one of three other structures:
564 *
565 * rc_node_t property group update notification
566 * rc_notify_delete_t object deletion notification
567 * rc_notify_info_t notification clients
568 *
569 * Which type of object is determined by which pointer in the rc_notify_t is
570 * non-NULL.
571 *
572 * New notifications and clients are added to the end of the list.
573 * Notifications no-one is interested in are never added to the list.
574 *
575 * Clients use their position in the list to track which notifications they
576 * have not yet reported. As they process notifications, they move forward
577 * in the list past them. There is always a client at the beginning of the
578 * list -- as it moves past notifications, it removes them from the list and
579 * cleans them up.
580 *
581 * The rc_pg_notify_lock protects all notification state. The rc_pg_notify_cv
582 * is used for global signalling, and each client has a cv which it waits for
583 * events of interest on.
584 *
585 * rc_notify_in_use is used to protect rc_notify_list from deletions when
586 * the rc_pg_notify_lock is dropped. Specifically, rc_notify_info_wait()
587 * must drop the lock to call rc_node_assign(), and then it reacquires the
588 * lock. Deletions from rc_notify_list during this period are not
589 * allowed. Insertions do not matter, because they are always done at the
590 * end of the list.
591 */
595 #define HASH_SIZE 512
596 #define HASH_MASK (HASH_SIZE - 1)
598 #pragma align 64(cache_hash)
601 #define CACHE_BUCKET(h) (&cache_hash[(h) & HASH_MASK])
607 static uint32_t
609 {
634 /*
635 * the rest should be zeroed
636 */
641 }
643 static int
645 {
669 }
671 /*
672 * Register an ephemeral reference to np. This should be done while both
673 * the persistent reference from which the np pointer was read is locked
674 * and np itself is locked. This guarantees that another thread which
675 * thinks it has the last reference will yield without destroying the
676 * node.
677 */
678 static void
680 {
684 }
686 /*
687 * the "other" references on a node are maintained in an atomically
688 * updated refcount, rn_other_refs. This can be bumped from arbitrary
689 * context, and tracks references to a possibly out-of-date node's children.
690 *
691 * To prevent the node from disappearing between the final drop of
692 * rn_other_refs and the unref handling, rn_other_refs_held is bumped on
693 * 0->1 transitions and decremented (with the node lock held) on 1->0
694 * transitions.
695 */
696 static void
698 {
702 }
704 }
706 /*
707 * No node locks may be held
708 */
709 static void
711 {
718 /*
719 * This was the last client reference. Destroy
720 * any other references and free() the node.
721 */
725 }
726 }
727 }
729 static void
731 {
738 }
740 static void
742 {
746 }
748 static void
750 {
761 /*
762 * Composed property groups are only as good as their
763 * references.
764 */
771 }
774 /*
775 * This was the last client reference. Destroy any other
776 * references and free() the node.
777 */
780 /*
781 * rn_erefs can be 0 if we acquired the reference in
782 * a path which hasn't been updated to increment rn_erefs.
783 * When all paths which end here are updated, we should
784 * assert rn_erefs > 0 and always decrement it.
785 */
789 }
793 }
795 void
797 {
800 }
804 {
808 }
810 static void
812 {
814 }
818 {
829 }
830 }
833 }
837 {
850 }
852 static void
854 {
863 }
865 static void
867 {
881 }
883 /*
884 * verify that the 'parent' type can have a child typed 'child'
885 * Fails with
886 * _INVALID_TYPE - argument is invalid
887 * _TYPE_MISMATCH - parent type cannot have children of type child
888 */
889 static int
891 {
903 }
906 }
908 /*
909 * Fails with
910 * _INVALID_TYPE - type is invalid
911 * _BAD_REQUEST - name is an invalid name for a node of type type
912 */
913 int
915 {
923 }
925 static int
927 {
932 }
934 /*
935 * rc_node_free_fmri should be called whenever a node loses its parent.
936 * The reason is that the node's fmri string is built up by concatenating
937 * its name to the parent's fmri. Thus, when the node no longer has a
938 * parent, its fmri is no longer valid.
939 */
940 static void
942 {
946 }
947 }
949 /*
950 * Concatenate the appropriate separator and the FMRI element to the base
951 * FMRI string at fmri.
952 *
953 * Fails with
954 * _TRUNCATED Not enough room in buffer at fmri.
955 */
956 static int
963 {
971 else
977 /*
978 * No need to display scope information if we are
979 * in the local scope.
980 */
984 /*
985 * Need to display scope information, because it is
986 * not the local scope.
987 */
989 }
1005 /*
1006 * A value does not have a separate FMRI from its property,
1007 * so there is nothing to concat.
1008 */
1012 /* Snapshots do not have FMRIs, so there is nothing to do. */
1018 }
1020 /* Concatenate separator and element to the fmri buffer. */
1028 }
1029 }
1034 }
1037 }
1039 /*
1040 * Get the FMRI for the node at np. The fmri will be placed in buf. On
1041 * success sz_out will be set to the size of the fmri in buf. If
1042 * REP_PROTOCOL_FAIL_TRUNCATED is returned, sz_out will be set to the size
1043 * of the buffer that would be required to avoid truncation.
1044 *
1045 * Fails with
1046 * _TRUNCATED not enough room in buf for the FMRI.
1047 */
1048 static int
1051 {
1060 /*
1061 * A NULL rn_fmri implies that this is a top level scope.
1062 * Child nodes will always have an rn_fmri established
1063 * because both rc_node_link_child() and
1064 * rc_node_relink_child() call rc_node_build_fmri(). In
1065 * this case, we'll just return our name preceded by the
1066 * appropriate FMRI decorations.
1067 */
1074 /* We have an fmri, so return it. */
1076 }
1084 }
1086 /*
1087 * Build an FMRI string for this node and save it in rn_fmri.
1088 *
1089 * The basic strategy here is to get the fmri of our parent and then
1090 * concatenate the appropriate separator followed by our name. If our name
1091 * is null, the resulting fmri will just be a copy of the parent fmri.
1092 * rc_node_build_fmri() should be called with the RC_NODE_USING_PARENT flag
1093 * set. Also the rn_lock for this node should be held.
1094 *
1095 * Fails with
1096 * _NO_RESOURCES Could not allocate memory.
1097 */
1098 static int
1100 {
1121 }
1126 }
1129 }
1131 /*
1132 * Get the FMRI of the node at np placing the result in fmri. Then
1133 * concatenate the additional element to fmri. The type variable indicates
1134 * the type of element, so that the appropriate separator can be
1135 * generated. size is the number of bytes in the buffer at fmri, and
1136 * sz_out receives the size of the generated string. If the result is
1137 * truncated, sz_out will receive the size of the buffer that would be
1138 * required to avoid truncation.
1139 *
1140 * Fails with
1141 * _TRUNCATED Not enough room in buffer at fmri.
1142 */
1143 static int
1146 {
1150 REP_PROTOCOL_SUCCESS) {
1152 }
1154 REP_PROTOCOL_SUCCESS) {
1156 }
1159 }
1161 static int
1163 {
1172 }
1176 }
1183 }
1187 }
1188 }
1190 }
1192 static void
1194 {
1210 found++;
1211 }
1212 }
1215 else
1219 }
1221 static void
1224 {
1228 rc_notify_pool);
1236 /*
1237 * add to notification list, notify watchers
1238 */
1245 }
1247 static void
1249 {
1261 }
1265 }
1267 }
1269 static void
1271 {
1282 }
1283 }
1285 /*
1286 * Permission checking functions. See comment atop this file.
1287 */
1288 #ifndef NATIVE_BUILD
1291 {
1302 }
1306 }
1308 static void
1310 {
1311 uint_t i;
1318 }
1319 }
1323 }
1325 static uint32_t
1327 {
1331 /*
1332 * Generic hash function from uts/common/os/modhash.c.
1333 */
1340 }
1341 }
1344 }
1346 static perm_status_t
1348 {
1359 }
1360 }
1363 }
1365 static perm_status_t
1367 {
1368 uint_t i;
1376 }
1377 }
1378 }
1381 }
1383 static int
1385 {
1392 /* Homey don't play that. */
1405 }
1406 }
1413 }
1415 static int
1417 {
1419 uint_t i;
1425 /* Grow if pc_enum / pc_bnum > 3/4. */
1427 /* Failure is not a stopper; we'll try again next time. */
1439 }
1444 }
1446 /*
1447 * For the type of a property group, return the authorization which may be
1448 * used to modify it.
1449 */
1452 {
1461 else
1463 }
1465 /*
1466 * Fails with
1467 * _NO_RESOURCES - out of memory
1468 */
1469 static int
1471 pc_auth_type_t auth_type)
1472 {
1474 REP_PROTOCOL_FAIL_NO_RESOURCES);
1475 }
1477 /*
1478 * Fails with
1479 * _NO_RESOURCES - out of memory
1480 */
1481 static int
1483 {
1485 }
1487 /* Note that perm_add_enabling_values() is defined below. */
1489 /*
1490 * perm_granted() returns PERM_GRANTED if the current door caller has one of
1491 * the enabling authorizations in pcp, PERM_DENIED if it doesn't, PERM_GONE if
1492 * the door client went away and PERM_FAIL if an error (usually lack of
1493 * memory) occurs. auth_cb() checks each and every authorizations as
1494 * enumerated by _enum_auths. When we find a result other than PERM_DENIED,
1495 * we short-cut the enumeration and return non-zero.
1496 */
1498 static int
1500 {
1506 else
1511 /*
1512 * If we failed, choose the most specific auth string for use in
1513 * the audit event.
1514 */
1519 }
1521 static perm_status_t
1523 {
1527 uid_t uid;
1531 /* Get the uid */
1534 /*
1535 * Client is no longer waiting for our response (e.g.,
1536 * it received a signal & resumed with EINTR).
1537 * Punting with door_return() would be nice but we
1538 * need to release all of the locks & references we
1539 * hold. And we must report failure to the client
1540 * layer to keep it from ignoring retries as
1541 * already-done (idempotency & all that). None of the
1542 * error codes fit very well, so we might as well
1543 * force the return of _PERMISSION_DENIED since we
1544 * couldn't determine the user.
1545 */
1547 }
1550 }
1557 }
1559 /*
1560 * Enumerate all the auths defined for the user and return the
1561 * result in ret.
1562 */
1567 }
1569 static int
1572 {
1581 else
1588 else
1597 }
1599 }
1602 /*
1603 * flags in RC_NODE_WAITING_FLAGS are broadcast when unset, and are used to
1604 * serialize certain actions, and to wait for certain operations to complete
1605 *
1606 * The waiting flags are:
1607 * RC_NODE_CHILDREN_CHANGING
1608 * The child list is being built or changed (due to creation
1609 * or deletion). All iterators pause.
1610 *
1611 * RC_NODE_USING_PARENT
1612 * Someone is actively using the parent pointer, so we can't
1613 * be removed from the parent list.
1614 *
1615 * RC_NODE_CREATING_CHILD
1616 * A child is being created -- locks out other creations, to
1617 * prevent insert-insert races.
1618 *
1619 * RC_NODE_IN_TX
1620 * This object is running a transaction.
1621 *
1622 * RC_NODE_DYING
1623 * This node might be dying. Always set as a set, using
1624 * RC_NODE_DYING_FLAGS (which is everything but
1625 * RC_NODE_USING_PARENT)
1626 */
1627 static int
1629 {
1635 }
1641 }
1643 static void
1645 {
1651 }
1653 /*
1654 * wait until a particular flag has cleared. Fails if the object dies.
1655 */
1656 static int
1658 {
1664 }
1666 /*
1667 * On entry, np's lock must be held, and this thread must be holding
1668 * RC_NODE_USING_PARENT. On return, both of them are released.
1669 *
1670 * If the return value is NULL, np either does not have a parent, or
1671 * the parent has been marked DEAD.
1672 *
1673 * If the return value is non-NULL, it is the parent of np, and both
1674 * its lock and the requested flags are held.
1675 */
1678 {
1688 }
1699 }
1701 }
1703 rc_node_t *
1705 {
1720 rc_notify_pool);
1723 }
1725 void
1727 {
1737 /* Release the holds from rc_iter_next(). */
1739 /* rn_cchain[i] may be NULL for empty snapshots. */
1742 }
1743 }
1764 rc_notify_pool);
1774 }
1776 /*
1777 * Link in a child node.
1778 *
1779 * Because of the lock ordering, cp has to already be in the hash table with
1780 * its lock dropped before we get it. To prevent anyone from noticing that
1781 * it is parentless, the creation code sets the RC_NODE_USING_PARENT. Once
1782 * we've linked it in, we release the flag.
1783 */
1784 static void
1786 {
1796 REP_PROTOCOL_SUCCESS);
1807 }
1809 /*
1810 * Sets the rn_parent_ref field of all the children of np to pp -- always
1811 * initially invoked as rc_node_setup_parent_ref(np, np), we then recurse.
1812 *
1813 * This is used when we mark a node RC_NODE_OLD, so that when the object and
1814 * its children are no longer referenced, they will all be deleted as a unit.
1815 */
1816 static void
1818 {
1835 }
1838 }
1839 }
1841 /*
1842 * Atomically replace 'np' with 'newp', with a parent of 'pp'.
1843 *
1844 * Requirements:
1845 * *no* node locks may be held.
1846 * pp must be held with RC_NODE_CHILDREN_CHANGING
1847 * newp and np must be held with RC_NODE_IN_TX
1848 * np must be marked RC_NODE_IN_PARENT, newp must not be
1849 * np must be marked RC_NODE_OLD
1850 *
1851 * Afterwards:
1852 * pp's RC_NODE_CHILDREN_CHANGING is dropped
1853 * newp and np's RC_NODE_IN_TX is dropped
1854 * newp->rn_former = np;
1855 * newp is RC_NODE_IN_PARENT, np is not.
1856 * interested notify subscribers have been notified of newp's new status.
1857 */
1858 static void
1860 {
1862 /*
1863 * First, swap np and nnp in the cache. newp's RC_NODE_IN_TX flag
1864 * keeps rc_node_update() from seeing it until we are done.
1865 */
1871 /*
1872 * replace np with newp in pp's list, and attach it to newp's rn_former
1873 * link.
1874 */
1890 /*
1891 * Note that we carefully add newp before removing np -- this
1892 * keeps iterators on the list from missing us.
1893 */
1898 /*
1899 * re-set np
1900 */
1915 }
1917 /*
1918 * makes sure a node with lookup 'nip', name 'name', and parent 'pp' exists.
1919 * 'cp' is used (and returned) if the node does not yet exist. If it does
1920 * exist, 'cp' is freed, and the existent node is returned instead.
1921 */
1922 rc_node_t *
1925 {
1936 /*
1937 * make sure it matches our expectations
1938 */
1947 }
1952 }
1954 /*
1955 * No one is there -- setup & install the new node.
1956 */
1966 #if COMPOSITION_DEPTH == 2
1969 #else
1970 #error This code must be updated.
1971 #endif
1972 }
1980 }
1982 /*
1983 * makes sure a snapshot with lookup 'nip', name 'name', and parent 'pp' exists.
1984 * 'cp' is used (and returned) if the node does not yet exist. If it does
1985 * exist, 'cp' is freed, and the existent node is returned instead.
1986 */
1987 rc_node_t *
1990 {
2001 /*
2002 * make sure it matches our expectations
2003 */
2012 }
2017 }
2019 /*
2020 * No one is there -- create a new node.
2021 */
2037 }
2039 /*
2040 * makes sure a snaplevel with lookup 'nip' and parent 'pp' exists. 'cp' is
2041 * used (and returned) if the node does not yet exist. If it does exist, 'cp'
2042 * is freed, and the existent node is returned instead.
2043 */
2044 rc_node_t *
2047 {
2058 /*
2059 * make sure it matches our expectations
2060 */
2069 }
2074 }
2076 /*
2077 * No one is there -- create a new node.
2078 */
2092 /* Add this snaplevel to the snapshot's composition chain. */
2099 }
2101 /*
2102 * Returns NULL if strdup() fails.
2103 */
2104 rc_node_t *
2107 {
2116 /*
2117 * make sure it matches our expectations (don't check
2118 * the generation number or parent, since someone could
2119 * have gotten a transaction through while we weren't
2120 * looking)
2121 */
2130 }
2135 }
2145 }
2151 }
2163 }
2165 #if COMPOSITION_DEPTH == 2
2166 /*
2167 * Initialize a "composed property group" which represents the composition of
2168 * property groups pg1 & pg2. It is ephemeral: once created & returned for an
2169 * ITER_READ request, keeping it out of cache_hash and any child lists
2170 * prevents it from being looked up. Operations besides iteration are passed
2171 * through to pg1.
2172 *
2173 * pg1 & pg2 should be held before entering this function. They will be
2174 * released in rc_node_destroy().
2175 */
2176 static int
2178 {
2191 }
2192 #else
2193 #error This code must be updated.
2194 #endif
2196 /*
2197 * Fails with _NO_RESOURCES.
2198 */
2199 int
2203 {
2211 /*
2212 * make sure it matches our expectations
2213 */
2226 }
2230 }
2232 /*
2233 * No one is there -- create a new node.
2234 */
2240 }
2248 }
2263 }
2265 /*
2266 * This function implements a decision table to determine the event ID for
2267 * changes to the enabled (SCF_PROPERTY_ENABLED) property. The event ID is
2268 * determined by the value of the first property in the command specified
2269 * by cmd_no and the name of the property group. Here is the decision
2270 * table:
2271 *
2272 * Property Group Name
2273 * Property ------------------------------------------
2274 * Value SCF_PG_GENERAL SCF_PG_GENERAL_OVR
2275 * -------- -------------- ------------------
2276 * "0" ADT_smf_disable ADT_smf_tmp_disable
2277 * "1" ADT_smf_enable ADT_smf_tmp_enable
2278 *
2279 * This function is called by special_property_event through a function
2280 * pointer in the special_props_list array.
2281 *
2282 * Since the ADT_smf_* symbols may not be defined in the build machine's
2283 * include files, this function is not compiled when doing native builds.
2284 */
2285 #ifndef NATIVE_BUILD
2286 static int
2289 {
2294 /*
2295 * First, check property value.
2296 */
2309 }
2311 /*
2312 * Now check property group name.
2313 */
2320 }
2322 }
2325 /*
2326 * This function compares two audit_special_prop_item_t structures
2327 * represented by item1 and item2. It returns an integer greater than 0 if
2328 * item1 is greater than item2. It returns 0 if they are equal and an
2329 * integer less than 0 if item1 is less than item2. api_prop_name and
2330 * api_pg_name are the key fields for sorting.
2331 *
2332 * This function is suitable for calls to bsearch(3C) and qsort(3C).
2333 */
2334 static int
2336 {
2343 /*
2344 * Primary keys are the same, so check the secondary key.
2345 */
2347 }
2349 }
2351 int
2353 {
2388 /*
2389 * Sort the special_props_list array so that it can be searched
2390 * with bsearch(3C).
2391 *
2392 * The special_props_list array is not compiled into the native
2393 * build code, so there is no need to call qsort if NATIVE_BUILD is
2394 * defined.
2395 */
2396 #ifndef NATIVE_BUILD
2416 }
2418 /*
2419 * Fails with
2420 * _INVALID_TYPE - type is invalid
2421 * _TYPE_MISMATCH - np doesn't carry children of type type
2422 * _DELETED - np has been deleted
2423 * _NO_RESOURCES
2424 */
2425 static int
2427 {
2433 REP_PROTOCOL_SUCCESS)
2442 }
2450 }
2454 }
2456 /*
2457 * Returns
2458 * _INVALID_TYPE - type is invalid
2459 * _TYPE_MISMATCH - np doesn't carry children of type type
2460 * _DELETED - np has been deleted
2461 * _NO_RESOURCES
2462 * _SUCCESS - if *cpp is not NULL, it is held
2463 */
2464 static int
2467 {
2483 }
2490 }
2494 /*
2495 * Returns
2496 * _INVALID_TYPE - type is invalid
2497 * _DELETED - np or an ancestor has been deleted
2498 * _NOT_FOUND - no ancestor of specified type exists
2499 * _SUCCESS - *app is held
2500 */
2501 static int
2503 {
2519 }
2524 }
2527 }
2529 #ifndef NATIVE_BUILD
2530 /*
2531 * If the propname property exists in pg, and it is of type string, add its
2532 * values as authorizations to pcp. pg must not be locked on entry, and it is
2533 * returned unlocked. Returns
2534 * _DELETED - pg was deleted
2535 * _NO_RESOURCES
2536 * _NOT_FOUND - pg has no property named propname
2537 * _SUCCESS
2538 */
2539 static int
2541 {
2545 uint_t count;
2565 }
2566 }
2571 /* rn_valtype is immutable, so no locking. */
2575 }
2583 PC_AUTH_SVC);
2588 }
2593 }
2595 /*
2596 * Assuming that ent is a service or instance node, if the pgname property
2597 * group has type pgtype, and it has a propname property with string type, add
2598 * its values as authorizations to pcp. If pgtype is NULL, it is not checked.
2599 * Returns
2600 * _SUCCESS
2601 * _DELETED - ent was deleted
2602 * _NO_RESOURCES - no resources
2603 * _NOT_FOUND - ent does not have pgname pg or propname property
2604 */
2605 static int
2608 {
2629 }
2648 }
2649 }
2654 }
2656 /*
2657 * If pg has a property named propname, and is string typed, add its values as
2658 * authorizations to pcp. If pg has no such property, and its parent is an
2659 * instance, walk up to the service and try doing the same with the property
2660 * of the same name from the property group of the same name. Returns
2661 * _SUCCESS
2662 * _NO_RESOURCES
2663 * _DELETED - pg (or an ancestor) was deleted
2664 */
2665 static int
2667 {
2686 /*
2687 * If pg is a child of an instance or snapshot, we want to compose the
2688 * authorization property with the service's (if it exists). The
2689 * snapshot case applies only to read_authorization. In all other
2690 * cases, the pg's parent will be the instance.
2691 */
2696 }
2707 }
2709 /*
2710 * Call perm_add_enabling_values() for the "action_authorization" property of
2711 * the "general" property group of inst. Returns
2712 * _DELETED - inst (or an ancestor) was deleted
2713 * _NO_RESOURCES
2714 * _SUCCESS
2715 */
2716 static int
2718 {
2734 }
2740 }
2743 void
2745 {
2750 }
2752 void
2754 {
2758 }
2759 }
2761 static void
2763 {
2771 /*
2772 * Register the ephemeral reference created by reading
2773 * out->rnp_node into cur. Note that the persistent
2774 * reference we're destroying is locked by the client
2775 * layer.
2776 */
2780 }
2784 }
2786 void
2788 {
2791 }
2793 void
2795 {
2797 }
2799 /*
2800 * rc_node_check()/RC_NODE_CHECK()
2801 * generic "entry" checks, run before the use of an rc_node pointer.
2802 *
2803 * Fails with
2804 * _NOT_SET
2805 * _DELETED
2806 */
2807 static int
2809 {
2818 }
2821 }
2823 /*
2824 * Fails with
2825 * _NOT_SET - ptr is reset
2826 * _DELETED - node has been deleted
2827 */
2830 {
2835 else
2838 }
2846 }
2848 }
2850 #define RC_NODE_CHECK_AND_LOCK(n) { \
2851 int rc__res; \
2852 if ((rc__res = rc_node_check_and_lock(n)) != REP_PROTOCOL_SUCCESS) \
2853 return (rc__res); \
2854 }
2856 #define RC_NODE_CHECK(n) { \
2857 RC_NODE_CHECK_AND_LOCK(n); \
2858 (void) pthread_mutex_unlock(&(n)->rn_lock); \
2859 }
2861 #define RC_NODE_CHECK_AND_HOLD(n) { \
2862 RC_NODE_CHECK_AND_LOCK(n); \
2863 rc_node_hold_locked(n); \
2864 (void) pthread_mutex_unlock(&(n)->rn_lock); \
2865 }
2867 #define RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp) { \
2868 int rc__res; \
2869 if (((np) = rc_node_ptr_check_and_lock(npp, &rc__res)) == NULL) \
2870 return (rc__res); \
2871 }
2873 #define RC_NODE_PTR_CHECK_LOCK_OR_FREE_RETURN(np, npp, mem) { \
2874 int rc__res; \
2875 if (((np) = rc_node_ptr_check_and_lock(npp, &rc__res)) == \
2876 NULL) { \
2877 if ((mem) != NULL) \
2878 free((mem)); \
2879 return (rc__res); \
2880 } \
2881 }
2883 #define RC_NODE_PTR_GET_CHECK(np, npp) { \
2884 RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp); \
2885 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2886 }
2888 #define RC_NODE_PTR_GET_CHECK_AND_HOLD(np, npp) { \
2889 RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp); \
2890 rc_node_hold_locked(np); \
2891 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2892 }
2894 #define HOLD_FLAG_OR_RETURN(np, flag) { \
2895 assert(MUTEX_HELD(&(np)->rn_lock)); \
2896 assert(!((np)->rn_flags & RC_NODE_DEAD)); \
2897 if (!rc_node_hold_flag((np), flag)) { \
2898 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2899 return (REP_PROTOCOL_FAIL_DELETED); \
2900 } \
2901 }
2903 #define HOLD_PTR_FLAG_OR_FREE_AND_RETURN(np, npp, flag, mem) { \
2904 assert(MUTEX_HELD(&(np)->rn_lock)); \
2905 if (!rc_node_hold_flag((np), flag)) { \
2906 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2907 assert((np) == (npp)->rnp_node); \
2908 rc_node_clear(npp, 1); \
2909 if ((mem) != NULL) \
2910 free((mem)); \
2911 return (REP_PROTOCOL_FAIL_DELETED); \
2912 } \
2913 }
2915 int
2917 {
2921 }
2923 /*
2924 * the main scope never gets destroyed
2925 */
2929 }
2931 /*
2932 * Fails with
2933 * _NOT_SET - npp is not set
2934 * _DELETED - the node npp pointed at has been deleted
2935 * _TYPE_MISMATCH - type is not _SCOPE
2936 * _NOT_FOUND - scope has no parent
2937 */
2938 static int
2940 {
2951 }
2955 /*
2956 * Fails with
2957 * _NOT_SET
2958 * _DELETED
2959 * _NOT_APPLICABLE
2960 * _NOT_FOUND
2961 * _BAD_REQUEST
2962 * _TRUNCATED
2963 * _NO_RESOURCES
2964 */
2965 int
2968 {
2979 }
3015 {
3031 }
3033 }
3036 }
3042 }
3044 int
3046 {
3057 }
3059 /*
3060 * Get np's parent. If np is deleted, returns _DELETED. Otherwise puts a hold
3061 * on the parent, returns a pointer to it in *out, and returns _SUCCESS.
3062 */
3063 static int
3065 {
3074 }
3084 }
3096 }
3098 /* guaranteed to succeed without dropping the lock */
3104 }
3123 deleted:
3126 }
3128 /*
3129 * Fails with
3130 * _NOT_SET
3131 * _DELETED
3132 */
3133 static int
3135 {
3141 }
3143 /*
3144 * Fails with
3145 * _NOT_SET - npp is not set
3146 * _DELETED - the node npp pointed at has been deleted
3147 * _TYPE_MISMATCH - npp's node's parent is not of type type
3148 *
3149 * If npp points to a scope, can also fail with
3150 * _NOT_FOUND - scope has no parent
3151 */
3152 int
3154 {
3165 }
3170 }
3176 }
3178 int
3180 {
3188 }
3198 }
3200 /*
3201 * Fails with
3202 * _INVALID_TYPE - type is invalid
3203 * _TYPE_MISMATCH - np doesn't carry children of type type
3204 * _DELETED - np has been deleted
3205 * _NOT_FOUND - no child with that name/type combo found
3206 * _NO_RESOURCES
3207 * _BACKEND_ACCESS
3208 */
3209 int
3212 {
3232 /*
3233 * loop only if we succeeded, but no child of
3234 * the correct name was found.
3235 */
3239 }
3241 }
3242 }
3249 else
3253 }
3255 }
3257 int
3259 {
3267 /*
3268 * If we're updating a composed property group, actually
3269 * update the top-level property group & return the
3270 * appropriate value. But leave *nnp pointing at us.
3271 */
3274 }
3289 }
3290 /*
3291 * grab the lock before dropping the cache bucket, so
3292 * that no one else can sneak in
3293 */
3302 }
3304 /*
3305 * If it is dead, we want to update it so that it will continue to
3306 * report being dead.
3307 */
3314 }
3325 }
3327 /*
3328 * does a generic modification check, for creation, deletion, and snapshot
3329 * management only. Property group transactions have different checks.
3330 *
3331 * The string returned to *match_auth must be freed.
3332 */
3333 static perm_status_t
3335 {
3341 #ifdef NATIVE_BUILD
3344 }
3346 #else
3358 /*
3359 * Copy off the authorization
3360 * string before freeing pcp.
3361 */
3366 }
3369 }
3374 }
3378 }
3380 /*
3381 * Native builds are done to create svc.configd-native. This program runs
3382 * only on the Solaris build machines to create the seed repository, and it
3383 * is compiled against the build machine's header files. The ADT_smf_*
3384 * symbols may not be defined in these header files. For this reason
3385 * smf_annotation_event(), smf_audit_event() and special_property_event()
3386 * are not compiled for native builds.
3387 */
3388 #ifndef NATIVE_BUILD
3390 /*
3391 * This function generates an annotation audit event if one has been setup.
3392 * Annotation events should only be generated immediately before the audit
3393 * record from the first attempt to modify the repository from a client
3394 * which has requested an annotation.
3395 */
3396 static void
3398 {
3404 /* Don't audit if we're using an alternate repository. */
3411 }
3414 }
3418 }
3425 }
3433 }
3435 }
3436 #endif
3438 /*
3439 * smf_audit_event interacts with the security auditing system to generate
3440 * an audit event structure. It establishes an audit session and allocates
3441 * an audit event. The event is filled in from the audit data, and
3442 * adt_put_event is called to generate the event.
3443 */
3444 static void
3447 {
3448 #ifndef NATIVE_BUILD
3455 /* Don't audit if we're using an alternate repository */
3466 }
3468 /*
3469 * Handle possibility of NULL authorization strings, FMRIs and
3470 * property values.
3471 */
3476 }
3483 }
3488 }
3490 /* Fill in the event data. */
3615 }
3620 }
3622 #endif
3623 }
3625 #ifndef NATIVE_BUILD
3626 /*
3627 * Determine if the combination of the property group at pg_name and the
3628 * property at prop_name are in the set of special startd properties. If
3629 * they are, a special audit event will be generated.
3630 */
3631 static void
3635 {
3636 au_event_t event_id;
3637 audit_special_prop_item_t search_key;
3640 /* Use bsearch to find the special property information. */
3647 /* Not a special property. */
3649 }
3651 /* Get the event id */
3658 }
3660 /* Generate the event. */
3662 }
3665 /*
3666 * Return a pointer to a string containing all the values of the command
3667 * specified by cmd_no with each value enclosed in quotes. It is up to the
3668 * caller to free the memory at the returned pointer.
3669 */
3672 {
3684 /*
3685 * First determine the size of the buffer that we will need. We
3686 * will represent each property value surrounded by quotes with a
3687 * space separating the values. Thus, we need to find the total
3688 * size of all the value strings and add 3 for each value.
3689 *
3690 * There is one catch, though. We need to escape any internal
3691 * quote marks in the values. So for each quote in the value we
3692 * need to add another byte to the buffer size.
3693 */
3696 REP_PROTOCOL_SUCCESS)
3700 }
3702 }
3709 /* Now build up the string of values. */
3712 REP_PROTOCOL_SUCCESS) {
3715 }
3724 }
3725 }
3729 }
3733 }
3735 /*
3736 * generate_property_events takes the transaction commit data at tx_data
3737 * and generates an audit event for each command.
3738 *
3739 * Native builds are done to create svc.configd-native. This program runs
3740 * only on the Solaris build machines to create the seed repository. Thus,
3741 * no audit events should be generated when running svc.configd-native.
3742 */
3743 static void
3750 {
3751 #ifndef NATIVE_BUILD
3753 audit_event_data_t audit_data;
3757 au_event_t event_id;
3767 /* Make sure we have something to do. */
3773 /* Copy the property group fmri */
3777 /*
3778 * Get the property group name. It is the first component after
3779 * the last occurance of SCF_FMRI_PROPERTYGRP_PREFIX in the fmri.
3780 */
3787 }
3793 /*
3794 * Property type is two characters (see
3795 * rep_protocol_value_type_t), so terminate the string.
3796 */
3800 /* Construct FMRI of the property */
3803 REP_PROTOCOL_SUCCESS) {
3805 }
3809 /*
3810 * If we can't get the FMRI, we'll abandon this
3811 * command
3812 */
3814 }
3816 /* Generate special property event if necessary. */
3820 /* Capture rest of audit data. */
3822 REP_PROTOCOL_SUCCESS) {
3824 }
3829 /* Determine the event type. */
3831 REP_PROTOCOL_SUCCESS) {
3834 }
3852 }
3854 /* Generate the event. */
3858 }
3860 }
3862 /*
3863 * Fails with
3864 * _DELETED - node has been deleted
3865 * _NOT_SET - npp is reset
3866 * _NOT_APPLICABLE - type is _PROPERTYGRP
3867 * _INVALID_TYPE - node is corrupt or type is invalid
3868 * _TYPE_MISMATCH - node cannot have children of type type
3869 * _BAD_REQUEST - name is invalid
3870 * cannot create children for this type of node
3871 * _NO_RESOURCES - out of memory, or could not allocate new id
3872 * _PERMISSION_DENIED
3873 * _BACKEND_ACCESS
3874 * _BACKEND_READONLY
3875 * _EXISTS - child already exists
3876 * _TRUNCATED - truncated FMRI for the audit record
3877 */
3878 int
3881 {
3885 perm_status_t perm_rc;
3888 audit_event_data_t audit_data;
3892 /*
3893 * rc_node_modify_permission_check() must be called before the node
3894 * is locked. This is because the library functions that check
3895 * authorizations can trigger calls back into configd.
3896 */
3900 /*
3901 * We continue in this case, so that an audit event can be
3902 * generated later in the function.
3903 */
3913 }
3919 /*
3920 * there is a separate interface for creating property groups
3921 */
3926 }
3934 }
3935 }
3938 REP_PROTOCOL_SUCCESS) {
3942 }
3947 }
3954 }
3961 }
3973 }
3982 }
3987 }
3989 int
3992 {
3997 perm_status_t granted;
3999 audit_event_data_t audit_data;
4000 au_event_t event_id;
4009 /* verify flags is valid */
4018 }
4021 REP_PROTOCOL_SUCCESS) {
4024 }
4029 }
4031 #ifdef NATIVE_BUILD
4034 }
4035 #else
4040 }
4045 }
4048 /* Must have .smf.modify or smf.modify.<type> authorization */
4059 }
4061 /*
4062 * .manage or $action_authorization can be used to
4063 * create the actions pg and the general_ovr pg.
4064 */
4076 }
4084 /* No auditing if client gone. */
4088 }
4089 }
4094 }
4098 }
4107 }
4111 }
4123 }
4132 }
4137 }
4139 static void
4141 {
4152 }
4153 }
4155 static void
4157 {
4169 }
4190 }
4197 }
4206 cleanup:
4226 }
4227 }
4229 /*
4230 * Hold RC_NODE_DYING_FLAGS on np's descendents. If andformer is true, do
4231 * the same down the rn_former chain.
4232 */
4233 static void
4235 {
4238 again:
4247 /*
4248 * already marked as dead -- can't happen, since that
4249 * would require setting RC_NODE_CHILDREN_CHANGING
4250 * in np, and we're holding that...
4251 */
4253 }
4257 }
4265 }
4267 }
4269 /*
4270 * N.B.: this function drops np->rn_lock on the way out.
4271 */
4272 static void
4274 {
4277 again:
4287 }
4295 }
4298 }
4300 static void
4302 {
4312 }
4316 }
4320 /*
4321 * If this node is not out-dated, we need to remove it from
4322 * the notify list and cache hash table.
4323 */
4338 }
4339 }
4341 /*
4342 * For each child, call rc_node_finish_delete() and recurse. If andformer
4343 * is set, also recurse down rn_former. Finally release np, which might
4344 * free it.
4345 */
4346 static void
4348 {
4351 again:
4364 }
4366 /*
4367 * When we drop cp's lock, all the children will be gone, so we
4368 * can release DYING_FLAGS.
4369 */
4375 /*
4376 * Register the ephemeral reference created by reading
4377 * np->rn_former into cp. Note that the persistent
4378 * reference (np->rn_former) is locked because we haven't
4379 * dropped np's lock since we dropped its RC_NODE_IN_TX
4380 * (via RC_NODE_DYING_FLAGS).
4381 */
4395 }
4397 }
4399 /*
4400 * The last client or child reference to np, which must be either
4401 * RC_NODE_OLD or RC_NODE_DEAD, has been destroyed. We'll destroy any
4402 * remaining references (e.g., rn_former) and call rc_node_destroy() to
4403 * free np.
4404 */
4405 static void
4407 {
4417 /*
4418 * The node is DEAD, so the deletion code should have
4419 * destroyed all rn_children or rn_former references.
4420 * Since the last client or child reference has been
4421 * destroyed, we're free to destroy np. Unless another
4422 * thread has an ephemeral reference, in which case we'll
4423 * pass the buck.
4424 */
4429 }
4434 }
4436 /* We only collect DEAD and OLD nodes, thank you. */
4439 /*
4440 * RC_NODE_UNREFED keeps multiple threads from processing OLD
4441 * nodes. But it's vulnerable to unfriendly scheduling, so full
4442 * use of rn_erefs should supersede it someday.
4443 */
4447 }
4450 /*
4451 * Now we'll remove the node from the rn_former chain and take its
4452 * DYING_FLAGS.
4453 */
4455 /*
4456 * Since this node is OLD, it should be on an rn_former chain. To
4457 * remove it, we must find the current in-hash object and grab its
4458 * RC_NODE_IN_TX flag to protect the entire rn_former chain.
4459 */
4472 /*
4473 * We are trying to unreference this node, but the
4474 * owner of the former list does not exist. It must
4475 * be the case that another thread is deleting this
4476 * entire sub-branch, but has not yet reached us.
4477 * We will in short order be deleted.
4478 */
4482 }
4485 /*
4486 * no longer unreferenced
4487 */
4490 /* held in cache_lookup() */
4493 }
4497 /*
4498 * current has been replaced since we looked it
4499 * up. Try again.
4500 */
4501 /* held in cache_lookup() */
4504 }
4507 /*
4508 * current has been deleted since we looked it up. Try
4509 * again.
4510 */
4511 /* held in cache_lookup() */
4514 }
4516 /*
4517 * rc_node_hold_flag() might have dropped current's lock, so
4518 * check OLD again.
4519 */
4521 /* Not old. Stop looping. */
4524 }
4528 }
4530 /* To take np's RC_NODE_DYING_FLAGS, we need its lock. */
4533 /*
4534 * While we didn't have the lock, a thread may have added
4535 * a reference or changed the flags.
4536 */
4544 /* held by cache_lookup() */
4547 }
4550 /*
4551 * Someone deleted the node while we were waiting for
4552 * DYING_FLAGS. Undo the modifications to current.
4553 */
4557 /* held by cache_lookup() */
4562 }
4564 /* Take RC_NODE_DYING_FLAGS on np's descendents. */
4567 /* Mark np DEAD. This requires the lock. */
4570 /* Recheck for new references. */
4579 /* held by cache_lookup() */
4582 }
4586 /*
4587 * Delete the children. This calls rc_node_rele_locked() on np at
4588 * the end, so add a reference to keep the count from going
4589 * negative. It will recurse with RC_NODE_DEAD set, so we'll call
4590 * rc_node_destroy() above, but RC_NODE_UNREFED is also set, so it
4591 * shouldn't actually free() np.
4592 */
4596 /* Remove np from current's rn_former chain. */
4600 ;
4607 /* held by cache_lookup() */
4610 /* Clear ON_FORMER and UNREFED, and destroy. */
4616 /* Still referenced. Stay execution. */
4620 }
4626 died:
4627 /*
4628 * Another thread marked np DEAD. If there still aren't any
4629 * persistent references, destroy the node.
4630 */
4642 }
4648 }
4650 static au_event_t
4652 {
4655 #ifndef NATIVE_BUILD
4670 }
4674 }
4677 }
4679 /*
4680 * Fails with
4681 * _NOT_SET
4682 * _DELETED
4683 * _BAD_REQUEST
4684 * _PERMISSION_DENIED
4685 * _NO_RESOURCES
4686 * _TRUNCATED
4687 * and whatever object_delete() fails with.
4688 */
4689 int
4691 {
4702 audit_event_data_t audit_data;
4728 }
4733 /* Scopes and snaplevels are indelible. */
4747 event_id =
4754 }
4756 }
4758 /* Snapshot property groups are indelible. */
4770 }
4776 }
4780 again:
4781 /*
4782 * The following loop is to deal with the fact that snapshots and
4783 * property groups are moving targets -- changes to them result
4784 * in a new "child" node. Since we can only delete from the top node,
4785 * we have to loop until we have a non-RC_NODE_OLD version.
4786 */
4793 }
4803 }
4806 }
4812 }
4814 /*
4815 * Mark our parent as children changing. this call drops our
4816 * lock and the RC_NODE_USING_PARENT flag, and returns with
4817 * pp's lock held
4818 */
4821 /* our parent is gone, we're going next... */
4827 }
4842 }
4843 /*
4844 * Everyone out of the pool -- we grab everything but
4845 * RC_NODE_USING_PARENT (including RC_NODE_DYING) to keep
4846 * any changes from occurring while we are attempting to
4847 * delete the node.
4848 */
4853 }
4862 }
4864 #ifdef NATIVE_BUILD
4867 }
4868 #else
4870 /* permission check */
4876 /* add .smf.modify.<type> for pgs. */
4878 REP_PROTOCOL_ENTITY_PROPERTYGRP) {
4884 }
4892 /* No need to audit if client gone. */
4895 RC_NODE_DYING_FLAGS);
4897 }
4900 }
4905 }
4910 }
4917 }
4925 }
4936 }
4938 /*
4939 * Now, delicately unlink and delete the object.
4940 *
4941 * Create the delete notification, atomically remove
4942 * from the hash table and set the NODE_DEAD flag, and
4943 * remove from the parent's children list.
4944 */
4956 /*
4957 * Remove from pp's rn_children. This requires pp's lock,
4958 * so we must drop np's lock to respect lock order.
4959 */
4971 }
4973 /*
4974 * finally, propagate death to our children (including marking
4975 * them DEAD), handle notifications, and release our hold.
4976 */
4998 fail:
5006 }
5010 }
5011 cleanout:
5017 }
5019 int
5021 {
5034 }
5041 }
5050 }
5058 }
5060 /*
5061 * mark our parent as children changing. This call drops our
5062 * lock and the RC_NODE_USING_PARENT flag, and returns with
5063 * pp's lock held
5064 */
5067 /* our parent is gone, we're going next... */
5071 }
5073 /*
5074 * find the next snaplevel
5075 */
5079 ;
5081 /* it must match the snaplevel list */
5092 }
5099 }
5101 }
5103 /*
5104 * This call takes a snapshot (np) and either:
5105 * an existing snapid (to be associated with np), or
5106 * a non-NULL parentp (from which a new snapshot is taken, and associated
5107 * with np)
5108 *
5109 * To do the association, np is duplicated, the duplicate is made to
5110 * represent the new snapid, and np is replaced with the new rc_node_t on
5111 * np's parent's child list. np is placed on the new node's rn_former list,
5112 * and replaces np in cache_hash (so rc_node_update() will find the new one).
5113 *
5114 * old_fmri and old_name point to the original snap shot's FMRI and name.
5115 * These values are used when generating audit events.
5116 *
5117 * Fails with
5118 * _BAD_REQUEST
5119 * _BACKEND_READONLY
5120 * _DELETED
5121 * _NO_RESOURCES
5122 * _TRUNCATED
5123 * _TYPE_MISMATCH
5124 */
5125 static int
5132 {
5138 perm_status_t granted;
5139 au_event_t event_id;
5140 audit_event_data_t audit_data;
5146 }
5149 /* Gather the audit data. */
5150 /*
5151 * ADT_smf_* symbols may not be defined in the /usr/include header
5152 * files on the build machine. Thus, the following if-else will
5153 * not be compiled when doing native builds.
5154 */
5155 #ifndef NATIVE_BUILD
5160 }
5169 }
5174 }
5179 /*
5180 * In the attach case, get the instance FMRIs of the
5181 * snapshots.
5182 */
5189 }
5191 /*
5192 * Capture the FMRI of the parent if we're actually going
5193 * to take the snapshot.
5194 */
5197 REP_PROTOCOL_SUCCESS) {
5202 }
5203 }
5229 }
5232 /*
5233 * get the latest node, holding RC_NODE_IN_TX to keep the rn_former
5234 * list from changing.
5235 */
5240 }
5242 RC_NODE_CHILDREN_CHANGING);
5247 }
5250 RC_NODE_CHILDREN_CHANGING);
5253 }
5257 /*
5258 * Can't happen, since we're holding our
5259 * parent's CHILDREN_CHANGING flag...
5260 */
5262 }
5264 }
5265 again:
5272 }
5275 }
5281 }
5284 /*
5285 * look for a former node with the snapid we need.
5286 */
5296 }
5303 }
5305 }
5306 }
5314 }
5325 }
5326 }
5334 else
5341 /*
5342 * fix up the former chain
5343 */
5350 }
5354 /*
5355 * replace np with nnp
5356 */
5363 cleanout:
5369 fail:
5379 else
5381 }
5387 }
5389 int
5392 {
5393 perm_status_t granted;
5398 audit_event_data_t audit_data;
5403 /*
5404 * rc_node_modify_permission_check() must be called before the node
5405 * is locked. This is because the library functions that check
5406 * authorizations can trigger calls back into configd.
5407 */
5411 /*
5412 * We continue in this case, so that we can generate an
5413 * audit event later in this function.
5414 */
5421 /* No need to produce audit event if client is gone. */
5428 }
5435 }
5442 }
5446 REP_PROTOCOL_SUCCESS) {
5450 }
5454 REP_PROTOCOL_SUCCESS) {
5458 }
5468 }
5475 }
5486 }
5495 }
5499 }
5501 int
5503 {
5509 }
5515 }
5519 }
5521 int
5523 {
5536 }
5547 }
5548 }
5554 }
5559 }
5561 /*
5562 * If the pgname property group under ent has type pgtype, and it has a
5563 * propname property with type ptype, return _SUCCESS. If pgtype is NULL,
5564 * it is not checked. If ent is not a service node, we will return _SUCCESS if
5565 * a property meeting the requirements exists in either the instance or its
5566 * parent.
5567 *
5568 * Returns
5569 * _SUCCESS - see above
5570 * _DELETED - ent or one of its ancestors was deleted
5571 * _NO_RESOURCES - no resources
5572 * _NOT_FOUND - no matching property was found
5573 */
5574 static int
5577 {
5598 }
5608 }
5630 }
5631 }
5637 }
5643 }
5650 }
5652 /*
5653 * At this point, pg is non-NULL, and is a property group node of the
5654 * correct type. spg, if non-NULL, is also a property group node of
5655 * the correct type. Check for the property in pg first, then spg
5656 * (if applicable).
5657 */
5671 }
5673 }
5686 }
5704 }
5706 }
5717 }
5720 }
5722 /*
5723 * Given a property group node, returns _SUCCESS if the property group may
5724 * be read without any special authorization.
5725 *
5726 * Fails with:
5727 * _DELETED - np or an ancestor node was deleted
5728 * _TYPE_MISMATCH - np does not refer to a property group
5729 * _NO_RESOURCES - no resources
5730 * _PERMISSION_DENIED - authorization is required
5731 */
5732 static int
5734 {
5768 }
5771 }
5773 /*
5774 * Fails with
5775 * _DELETED - np's node or parent has been deleted
5776 * _TYPE_MISMATCH - np's node is not a property
5777 * _NO_RESOURCES - out of memory
5778 * _PERMISSION_DENIED - no authorization to read this property's value(s)
5779 * _BAD_REQUEST - np's parent is not a property group
5780 */
5781 static int
5783 {
5788 audit_event_data_t audit_data;
5797 #ifdef NATIVE_BUILD
5799 #else
5808 }
5815 }
5822 }
5832 }
5834 /*
5835 * If you are permitted to modify the value, you may also
5836 * read it. This means that both the MODIFY and VALUE
5837 * authorizations are acceptable. We don't allow requests
5838 * for AUTH_PROP_MODIFY if all you have is $AUTH_PROP_VALUE,
5839 * however, to avoid leaking possibly valuable information
5840 * since such a user can't change the property anyway.
5841 */
5844 AUTH_PROP_MODIFY);
5849 AUTH_PROP_VALUE);
5853 AUTH_PROP_READ);
5863 }
5866 /* Generate a read_prop audit event. */
5870 }
5874 }
5885 }
5889 }
5899 }
5901 /*
5902 * Iteration
5903 */
5904 static int
5906 {
5910 }
5912 static int
5914 {
5918 }
5920 /*ARGSUSED*/
5921 static int
5923 {
5925 }
5927 /*
5928 * Allocate & initialize an rc_node_iter_t structure. Essentially, ensure
5929 * np->rn_children is populated and call uu_list_walk_start(np->rn_children).
5930 * If successful, leaves a hold on np & increments np->rn_other_refs
5931 *
5932 * If composed is true, then set up for iteration across the top level of np's
5933 * composition chain. If successful, leaves a hold on np and increments
5934 * rn_other_refs for the top level of np's composition chain.
5935 *
5936 * Fails with
5937 * _NO_RESOURCES
5938 * _INVALID_TYPE
5939 * _TYPE_MISMATCH - np cannot carry type children
5940 * _DELETED
5941 */
5942 static int
5945 {
5955 /* np is held by the client's rc_node_ptr_t */
5963 REP_PROTOCOL_SUCCESS) {
5967 }
5972 UU_WALK_ROBUST);
5980 }
5986 /* rn_cchain isn't valid until children are loaded. */
5989 REP_PROTOCOL_ENTITY_SNAPLEVEL);
5994 }
5996 /* Check for an empty snapshot. */
5999 }
6001 /* Start at the top of the composition chain. */
6004 /* Empty composition chain. */
6005 empty:
6008 /* It's ok, iter_next() will return _DONE. */
6010 }
6018 /* Someone deleted it, so try the next one. */
6019 }
6025 UU_WALK_ROBUST);
6032 }
6033 }
6039 }
6042 }
6044 out:
6052 }
6054 static void
6056 {
6071 }
6073 /*
6074 * Fails with
6075 * _NOT_SET - npp is reset
6076 * _DELETED - npp's node has been deleted
6077 * _NOT_APPLICABLE - npp's node is not a property
6078 * _NO_RESOURCES - out of memory
6079 */
6080 static int
6082 {
6094 }
6100 }
6115 }
6117 /*
6118 * Returns:
6119 * _NO_RESOURCES - out of memory
6120 * _NOT_SET - npp is reset
6121 * _DELETED - npp's node has been deleted
6122 * _TYPE_MISMATCH - npp's node is not a property
6123 * _NOT_FOUND - property has no values
6124 * _TRUNCATED - property has >1 values (first is written into out)
6125 * _SUCCESS - property has 1 value (which is written into out)
6126 * _PERMISSION_DENIED - no authorization to read property value(s)
6127 *
6128 * We shorten *sz_out to not include anything after the final '\0'.
6129 */
6130 int
6133 {
6152 }
6157 }
6169 REP_PROTOCOL_SUCCESS;
6172 }
6174 int
6177 {
6186 rep_protocol_responseid_t result;
6223 /*
6224 * update the offsets if we're not repeating
6225 */
6229 }
6232 }
6236 }
6238 /*
6239 * Entry point for ITER_START from client.c. Validate the arguments & call
6240 * rc_iter_create().
6241 *
6242 * Fails with
6243 * _NOT_SET
6244 * _DELETED
6245 * _TYPE_MISMATCH - np cannot carry type children
6246 * _BAD_REQUEST - flags is invalid
6247 * pattern is invalid
6248 * _NO_RESOURCES
6249 * _INVALID_TYPE
6250 * _TYPE_MISMATCH - *npp cannot have children of type
6251 * _BACKEND_ACCESS
6252 */
6253 int
6256 {
6275 }
6278 REP_PROTOCOL_SUCCESS)
6285 /* Composition only works for instances & snapshots. */
6293 REP_PROTOCOL_SUCCESS)
6298 }
6311 }
6317 }
6325 }
6327 /*
6328 * Do uu_list_walk_next(iter->rni_iter) until we find a child which matches
6329 * the filter.
6330 * For composed iterators, then check to see if there's an overlapping entity
6331 * (see embedded comments). If we reach the end of the list, start over at
6332 * the next level.
6333 *
6334 * Returns
6335 * _BAD_REQUEST - iter walks values
6336 * _TYPE_MISMATCH - iter does not walk type entities
6337 * _DELETED - parent was deleted
6338 * _NO_RESOURCES
6339 * _INVALID_TYPE - type is invalid
6340 * _DONE
6341 * _SUCCESS
6342 *
6343 * For composed property group iterators, can also return
6344 * _TYPE_MISMATCH - parent cannot have type children
6345 */
6346 int
6348 {
6359 }
6364 }
6372 }
6375 /* Composed iterator. Iterate over appropriate level. */
6378 /*
6379 * If iter->rni_parent is an instance or a snapshot, np must
6380 * be valid since iter holds iter->rni_parent & possible
6381 * levels (service, instance, snaplevel) cannot be destroyed
6382 * while rni_parent is held. If iter->rni_parent is
6383 * a composed property group then rc_node_setup_cpg() put
6384 * a hold on np.
6385 */
6393 }
6394 }
6403 #if COMPOSITION_DEPTH == 2
6405 /* release walker and lock */
6408 }
6410 /* Stop walking current level. */
6417 /* Start walking next level. */
6421 #else
6422 #error This code must be updated.
6423 #endif
6432 UU_WALK_ROBUST);
6439 }
6440 }
6446 }
6449 }
6455 /*
6456 * If we're composed and not at the top level, check to see if
6457 * there's an entity at a higher level with the same name. If
6458 * so, skip this one.
6459 */
6464 #if COMPOSITION_DEPTH == 2
6477 }
6480 /* Make sure np isn't being deleted all of a sudden. */
6485 }
6488 /* Keep going. */
6490 #else
6491 #error This code must be updated.
6492 #endif
6493 }
6495 /*
6496 * If we're composed, iterating over property groups, and not
6497 * at the bottom level, check to see if there's a pg at lower
6498 * level with the same name. If so, return a cpg.
6499 */
6503 #if COMPOSITION_DEPTH == 2
6513 /* holds pg if not NULL */
6519 }
6529 }
6537 rn_lock);
6540 }
6544 /* Keep res held for rc_node_setup_cpg(). */
6554 }
6562 /* Nevermind. */
6564 rn_lock);
6569 rn_lock);
6571 RC_NODE_DYING)) {
6575 return
6577 }
6592 }
6593 }
6594 #else
6595 #error This code must be updated.
6596 #endif
6597 }
6602 }
6609 }
6611 void
6613 {
6630 else
6634 }
6639 }
6641 int
6643 {
6647 perm_status_t granted;
6657 }
6662 }
6667 }
6669 #ifdef NATIVE_BUILD
6674 #else
6678 /* permission check */
6683 }
6692 /* solaris.smf.modify can be used */
6698 }
6700 /* solaris.smf.manage can be used. */
6707 }
6709 /* general/action_authorization values can be used. */
6716 }
6734 }
6742 /* propertygroup-type-specific authorization */
6743 /* no locking because rn_type won't change anyway */
6749 }
6752 /* propertygroup/transaction-type-specific auths */
6753 ret =
6757 ret =
6760 /* AUTH_MANAGE can manipulate general/AUTH_PROP_ACTION */
6770 }
6771 }
6782 }
6785 /*
6786 * If we get here, the authorization failed.
6787 * Unfortunately, we don't have enough information at this
6788 * point to generate the security audit events. We'll only
6789 * get that information when the client tries to commit the
6790 * event. Thus, we'll remember the failed authorization,
6791 * so that we can generate the audit events later.
6792 */
6794 }
6797 skip_checks:
6801 /* Save the authorization string. */
6806 }
6812 }
6814 /*
6815 * Return 1 if the given transaction commands only modify the values of
6816 * properties other than "modify_authorization". Return -1 if any of the
6817 * commands are invalid, and 0 otherwise.
6818 */
6819 static int
6821 {
6826 boolean_t ok;
6851 /* Check type */
6857 REP_PROTOCOL_SUCCESS) {
6861 /*
6862 * rc_node_find_named_child()
6863 * places a hold on prop which we
6864 * do not need to hang on to.
6865 */
6867 }
6868 }
6876 }
6884 }
6887 }
6889 /*
6890 * Return 1 if any of the given transaction commands affect
6891 * "action_authorization". Return -1 if any of the commands are invalid and
6892 * 0 in all other cases.
6893 */
6894 static int
6896 {
6923 }
6926 }
6928 /*
6929 * Returns 1 if the transaction commands only modify properties named
6930 * 'enabled'.
6931 */
6932 static int
6934 {
6961 }
6964 }
6966 int
6968 {
6975 perm_status_t granted;
6992 }
6995 is_main_repository) {
6996 #ifdef NATIVE_BUILD
6999 }
7000 #else
7001 /* permission check: depends on contents of transaction */
7006 /* If normal is cleared, we won't do the normal checks. */
7012 /* Touching general[framework]/action_authorization? */
7017 }
7020 /*
7021 * Yes: only AUTH_MODIFY and AUTH_MANAGE
7022 * can be used.
7023 */
7028 AUTH_MANAGE);
7033 }
7043 }
7051 }
7054 REP_PROTOCOL_ENTITY_INSTANCE);
7069 rc);
7070 }
7073 }
7074 }
7080 /* Add pgtype-specific authorization. */
7086 }
7088 /* Add pg-specific modify_authorization auths. */
7091 AUTH_PROP_MODIFY);
7093 /* If value_authorization values are ok, add them. */
7100 AUTH_PROP_VALUE);
7101 }
7102 }
7108 /*
7109 * _PERMISSION_DENIED should not cause us
7110 * to exit at this point, because we still
7111 * want to generate an audit event.
7112 */
7114 }
7115 }
7126 }
7132 }
7138 }
7142 }
7144 /*
7145 * Parse the transaction commands into a useful form.
7146 */
7148 REP_PROTOCOL_SUCCESS) {
7150 }
7153 /* Authorization failed. Generate audit events. */
7158 }
7164 }
7178 }
7182 /*
7183 * We must have all of the old properties in the cache, or the
7184 * database deletions could cause inconsistencies.
7185 */
7187 REP_PROTOCOL_SUCCESS) {
7191 }
7198 }
7206 }
7210 /* our parent is gone, we're going next... */
7217 }
7221 }
7224 /*
7225 * prepare for the transaction
7226 */
7236 }
7240 /* Sets nnp->rn_gen_id on success. */
7255 }
7257 /*
7258 * Notify waiters
7259 */
7270 /*
7271 * replace np with nnp
7272 */
7275 /*
7276 * all done -- clear the transaction.
7277 */
7284 cleanout:
7289 }
7291 void
7293 {
7297 }
7299 int
7301 {
7309 }
7311 /*
7312 * wait for any transaction in progress to complete
7313 */
7317 }
7322 }
7333 }
7335 void
7337 {
7343 }
7345 void
7347 {
7352 rc_notify_pool);
7365 }
7366 }
7368 static void
7370 {
7378 }
7380 static void
7382 {
7396 /*
7397 * clean up any notifications at the beginning of the list
7398 */
7400 /*
7401 * We can't call rc_notify_remove_locked() unless
7402 * rc_notify_in_use is 0.
7403 */
7407 }
7411 }
7418 }
7421 }
7423 static int
7426 {
7448 /*
7449 * Don't add name if it's already being tracked.
7450 */
7454 }
7455 }
7461 }
7465 out:
7471 }
7473 int
7475 {
7477 }
7479 int
7481 {
7483 }
7485 /*
7486 * Wait for and report an event of interest to rnip, a notification client
7487 */
7488 int
7491 {
7505 RC_NOTIFY_ACTIVE) {
7506 /*
7507 * If I'm first on the notify list, it is my job to
7508 * clean up any notifications I pass by. I can't do that
7509 * if someone is blocking the list from removals, so I
7510 * have to wait until they have all drained.
7511 */
7519 }
7521 /*
7522 * Search the list for a node of interest.
7523 */
7530 /*
7531 * Passing another client -- stop
7532 * cleaning up notifications
7533 */
7537 }
7538 }
7540 }
7542 /*
7543 * Nothing of interest -- wait for notification
7544 */
7551 }
7553 /*
7554 * found something to report -- move myself after the
7555 * notification and process it.
7556 */
7567 }
7572 /*
7573 * We can't bump nnp's reference count without grabbing its
7574 * lock, and rc_pg_notify_lock is a leaf lock. So we
7575 * temporarily block all removals to keep nnp from
7576 * disappearing.
7577 */
7578 rc_notify_in_use++;
7586 rc_notify_in_use--;
7589 /*
7590 * While we had the lock dropped, another thread
7591 * may have also incremented rc_notify_in_use. We
7592 * need to make sure that we're back to 0 before
7593 * removing the node.
7594 */
7598 }
7600 }
7606 }
7607 /*
7608 * If we're the last one out, let people know it's clear.
7609 */
7614 }
7616 static void
7618 {
7632 }
7636 }
7637 }
7642 }
7644 void
7646 {
7651 rc_notify_pool);
7652 }