| blob | bd6febc0ea5b235e22da2e37b10a96708d9c3e35 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2013, Joyent, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 */
28 /*
29 * rc_node.c - In-memory SCF object management
30 *
31 * This layer manages the in-memory cache (the Repository Cache) of SCF
32 * data. Read requests are usually satisfied from here, but may require
33 * load calls to the "object" layer. Modify requests always write-through
34 * to the object layer.
35 *
36 * SCF data comprises scopes, services, instances, snapshots, snaplevels,
37 * property groups, properties, and property values. All but the last are
38 * known here as "entities" and are represented by rc_node_t data
39 * structures. (Property values are kept in the rn_values member of the
40 * respective property, not as separate objects.) All entities besides
41 * the "localhost" scope have some entity as a parent, and therefore form
42 * a tree.
43 *
44 * The entity tree is rooted at rc_scope, which rc_node_init() initializes to
45 * the "localhost" scope. The tree is filled in from the database on-demand
46 * by rc_node_fill_children().
47 *
48 * rc_node_t's are also placed in the cache_hash[] hash table, for rapid
49 * lookup.
50 *
51 * Multiple threads may service client requests, so access to each
52 * rc_node_t is synchronized by its rn_lock member. Some fields are
53 * protected by bits in the rn_flags field instead, to support operations
54 * which need to drop rn_lock, for example to respect locking order. Such
55 * flags should be manipulated with the rc_node_{hold,rele}_flag()
56 * functions.
57 *
58 * We track references to nodes to tell when they can be free()d. rn_refs
59 * should be incremented with rc_node_hold() on the creation of client
60 * references (rc_node_ptr_t's and rc_iter_t's). rn_erefs ("ephemeral
61 * references") should be incremented when a pointer is read into a local
62 * variable of a thread, with rc_node_hold_ephemeral_locked(). This
63 * hasn't been fully implemented, however, so rc_node_rele() tolerates
64 * rn_erefs being 0. Some code which predates rn_erefs counts ephemeral
65 * references in rn_refs. Other references are tracked by the
66 * rn_other_refs field and the RC_NODE_DEAD, RC_NODE_IN_PARENT,
67 * RC_NODE_OLD, and RC_NODE_ON_FORMER flags.
68 *
69 * Locking rules: To dereference an rc_node_t * (usually to lock it), you must
70 * have a hold (rc_node_hold()) on it or otherwise be sure that it hasn't been
71 * rc_node_destroy()ed (hold a lock on its parent or child, hold a flag,
72 * etc.). Once you have locked an rc_node_t you must check its rn_flags for
73 * RC_NODE_DEAD before you can use it. This is usually done with the
74 * rc_node_{wait,hold}_flag() functions (often via the rc_node_check_*()
75 * functions & RC_NODE_*() macros), which fail if the object has died.
76 *
77 * When a transactional node (property group or snapshot) is updated,
78 * a new node takes the place of the old node in the global hash and the
79 * old node is hung off of the rn_former list of the new node. At the
80 * same time, all of its children have their rn_parent_ref pointer set,
81 * and any holds they have are reflected in the old node's rn_other_refs
82 * count. This is automatically kept up to date until the final reference
83 * to the subgraph is dropped, at which point the node is unrefed and
84 * destroyed, along with all of its children.
85 *
86 * Because name service lookups may take a long time and, more importantly
87 * may trigger additional accesses to the repository, perm_granted() must be
88 * called without holding any locks.
89 *
90 * An ITER_START for a non-ENTITY_VALUE induces an rc_node_fill_children()
91 * call via rc_node_setup_iter() to populate the rn_children uu_list of the
92 * rc_node_t * in question and a call to uu_list_walk_start() on that list. For
93 * ITER_READ, rc_iter_next() uses uu_list_walk_next() to find the next
94 * apropriate child.
95 *
96 * An ITER_START for an ENTITY_VALUE makes sure the node has its values
97 * filled, and sets up the iterator. An ITER_READ_VALUE just copies out
98 * the proper values and updates the offset information.
99 *
100 * To allow aliases, snapshots are implemented with a level of indirection.
101 * A snapshot rc_node_t has a snapid which refers to an rc_snapshot_t in
102 * snapshot.c which contains the authoritative snaplevel information. The
103 * snapid is "assigned" by rc_attach_snapshot().
104 *
105 * We provide the client layer with rc_node_ptr_t's to reference objects.
106 * Objects referred to by them are automatically held & released by
107 * rc_node_assign() & rc_node_clear(). The RC_NODE_PTR_*() macros are used at
108 * client.c entry points to read the pointers. They fetch the pointer to the
109 * object, return (from the function) if it is dead, and lock, hold, or hold
110 * a flag of the object.
111 */
113 /*
114 * Permission checking is authorization-based: some operations may only
115 * proceed if the user has been assigned at least one of a set of
116 * authorization strings. The set of enabling authorizations depends on the
117 * operation and the target object. The set of authorizations assigned to
118 * a user is determined by an algorithm defined in libsecdb.
119 *
120 * The fastest way to decide whether the two sets intersect is by entering the
121 * strings into a hash table and detecting collisions, which takes linear time
122 * in the total size of the sets. Except for the authorization patterns which
123 * may be assigned to users, which without advanced pattern-matching
124 * algorithms will take O(n) in the number of enabling authorizations, per
125 * pattern.
126 *
127 * We can achieve some practical speed-ups by noting that if we enter all of
128 * the authorizations from one of the sets into the hash table we can merely
129 * check the elements of the second set for existence without adding them.
130 * This reduces memory requirements and hash table clutter. The enabling set
131 * is well suited for this because it is internal to configd (for now, at
132 * least). Combine this with short-circuiting and we can even minimize the
133 * number of queries to the security databases (user_attr & prof_attr).
134 *
135 * To force this usage onto clients we provide functions for adding
136 * authorizations to the enabling set of a permission context structure
137 * (perm_add_*()) and one to decide whether the the user associated with the
138 * current door call client possesses any of them (perm_granted()).
139 *
140 * At some point, a generic version of this should move to libsecdb.
141 */
143 /*
144 * Composition is the combination of sets of properties. The sets are ordered
145 * and properties in higher sets obscure properties of the same name in lower
146 * sets. Here we present a composed view of an instance's properties as the
147 * union of its properties and its service's properties. Similarly the
148 * properties of snaplevels are combined to form a composed view of the
149 * properties of a snapshot (which should match the composed view of the
150 * properties of the instance when the snapshot was taken).
151 *
152 * In terms of the client interface, the client may request that a property
153 * group iterator for an instance or snapshot be composed. Property groups
154 * traversed by such an iterator may not have the target entity as a parent.
155 * Similarly, the properties traversed by a property iterator for those
156 * property groups may not have the property groups iterated as parents.
157 *
158 * Implementation requires that iterators for instances and snapshots be
159 * composition-savvy, and that we have a "composed property group" entity
160 * which represents the composition of a number of property groups. Iteration
161 * over "composed property groups" yields properties which may have different
162 * parents, but for all other operations a composed property group behaves
163 * like the top-most property group it represents.
164 *
165 * The implementation is based on the rn_cchain[] array of rc_node_t pointers
166 * in rc_node_t. For instances, the pointers point to the instance and its
167 * parent service. For snapshots they point to the child snaplevels, and for
168 * composed property groups they point to property groups. A composed
169 * iterator carries an index into rn_cchain[]. Thus most of the magic ends up
170 * int the rc_iter_*() code.
171 */
173 #include <assert.h>
174 #include <atomic.h>
175 #include <errno.h>
176 #include <libuutil.h>
177 #include <libscf.h>
178 #include <libscf_priv.h>
179 #include <pthread.h>
180 #include <pwd.h>
181 #include <stdio.h>
182 #include <stdlib.h>
183 #include <strings.h>
184 #include <sys/types.h>
185 #include <syslog.h>
186 #include <unistd.h>
187 #include <secdb.h>
195 #define AUTH_PG_ACTIONS SCF_PG_RESTARTER_ACTIONS
196 #define AUTH_PG_ACTIONS_TYPE SCF_PG_RESTARTER_ACTIONS_TYPE
197 #define AUTH_PG_GENERAL SCF_PG_GENERAL
198 #define AUTH_PG_GENERAL_TYPE SCF_PG_GENERAL_TYPE
199 #define AUTH_PG_GENERAL_OVR SCF_PG_GENERAL_OVR
200 #define AUTH_PG_GENERAL_OVR_TYPE SCF_PG_GENERAL_OVR_TYPE
207 #define MAX_VALID_CHILDREN 3
216 #define RT_NO_NAME -1U
236 };
237 #define NUM_TYPES ((sizeof (rc_types) / sizeof (*rc_types)))
239 /* Element of a permcheck_t hash table. */
243 };
245 /*
246 * The pc_auth_type specifies the types (sources) of authorization
247 * strings. The enum is ordered in increasing specificity.
248 */
253 PC_AUTH_INST /* strings specified in PG of an instance. */
256 /*
257 * The following enum is used to represent the results of the checks to see
258 * if the client has the appropriate permissions to perform an action.
259 */
264 PERM_FAIL /* Generic failure. e.g. resources */
267 /* An authorization set hash table. */
287 /*
288 * We support an arbitrary number of clients interested in events for certain
289 * types of changes. Each client is represented by an rc_notify_info_t, and
290 * all clients are chained onto the rc_notify_info_list.
291 *
292 * The rc_notify_list is the global notification list. Each entry is of
293 * type rc_notify_t, which is embedded in one of three other structures:
294 *
295 * rc_node_t property group update notification
296 * rc_notify_delete_t object deletion notification
297 * rc_notify_info_t notification clients
298 *
299 * Which type of object is determined by which pointer in the rc_notify_t is
300 * non-NULL.
301 *
302 * New notifications and clients are added to the end of the list.
303 * Notifications no-one is interested in are never added to the list.
304 *
305 * Clients use their position in the list to track which notifications they
306 * have not yet reported. As they process notifications, they move forward
307 * in the list past them. There is always a client at the beginning of the
308 * list -- as it moves past notifications, it removes them from the list and
309 * cleans them up.
310 *
311 * The rc_pg_notify_lock protects all notification state. The rc_pg_notify_cv
312 * is used for global signalling, and each client has a cv which it waits for
313 * events of interest on.
314 *
315 * rc_notify_in_use is used to protect rc_notify_list from deletions when
316 * the rc_pg_notify_lock is dropped. Specifically, rc_notify_info_wait()
317 * must drop the lock to call rc_node_assign(), and then it reacquires the
318 * lock. Deletions from rc_notify_list during this period are not
319 * allowed. Insertions do not matter, because they are always done at the
320 * end of the list.
321 */
325 #define HASH_SIZE 512
326 #define HASH_MASK (HASH_SIZE - 1)
328 #pragma align 64(cache_hash)
331 #define CACHE_BUCKET(h) (&cache_hash[(h) & HASH_MASK])
337 static uint32_t
339 {
364 /*
365 * the rest should be zeroed
366 */
371 }
373 static int
375 {
399 }
401 /*
402 * Register an ephemeral reference to np. This should be done while both
403 * the persistent reference from which the np pointer was read is locked
404 * and np itself is locked. This guarantees that another thread which
405 * thinks it has the last reference will yield without destroying the
406 * node.
407 */
408 static void
410 {
414 }
416 /*
417 * the "other" references on a node are maintained in an atomically
418 * updated refcount, rn_other_refs. This can be bumped from arbitrary
419 * context, and tracks references to a possibly out-of-date node's children.
420 *
421 * To prevent the node from disappearing between the final drop of
422 * rn_other_refs and the unref handling, rn_other_refs_held is bumped on
423 * 0->1 transitions and decremented (with the node lock held) on 1->0
424 * transitions.
425 */
426 static void
428 {
432 }
434 }
436 /*
437 * No node locks may be held
438 */
439 static void
441 {
448 /*
449 * This was the last client reference. Destroy
450 * any other references and free() the node.
451 */
455 }
456 }
457 }
459 static void
461 {
468 }
470 static void
472 {
476 }
478 static void
480 {
491 /*
492 * Composed property groups are only as good as their
493 * references.
494 */
501 }
504 /*
505 * This was the last client reference. Destroy any other
506 * references and free() the node.
507 */
510 /*
511 * rn_erefs can be 0 if we acquired the reference in
512 * a path which hasn't been updated to increment rn_erefs.
513 * When all paths which end here are updated, we should
514 * assert rn_erefs > 0 and always decrement it.
515 */
519 }
523 }
525 void
527 {
530 }
534 {
538 }
540 static void
542 {
544 }
548 {
559 }
560 }
563 }
567 {
580 }
582 static void
584 {
593 }
595 static void
597 {
611 }
613 /*
614 * verify that the 'parent' type can have a child typed 'child'
615 * Fails with
616 * _INVALID_TYPE - argument is invalid
617 * _TYPE_MISMATCH - parent type cannot have children of type child
618 */
619 static int
621 {
633 }
636 }
638 /*
639 * Fails with
640 * _INVALID_TYPE - type is invalid
641 * _BAD_REQUEST - name is an invalid name for a node of type type
642 */
643 int
645 {
653 }
655 static int
657 {
662 }
664 /*
665 * rc_node_free_fmri should be called whenever a node loses its parent.
666 * The reason is that the node's fmri string is built up by concatenating
667 * its name to the parent's fmri. Thus, when the node no longer has a
668 * parent, its fmri is no longer valid.
669 */
670 static void
672 {
676 }
677 }
679 /*
680 * Concatenate the appropriate separator and the FMRI element to the base
681 * FMRI string at fmri.
682 *
683 * Fails with
684 * _TRUNCATED Not enough room in buffer at fmri.
685 */
686 static int
693 {
701 else
707 /*
708 * No need to display scope information if we are
709 * in the local scope.
710 */
714 /*
715 * Need to display scope information, because it is
716 * not the local scope.
717 */
719 }
735 /*
736 * A value does not have a separate FMRI from its property,
737 * so there is nothing to concat.
738 */
742 /* Snapshots do not have FMRIs, so there is nothing to do. */
748 }
750 /* Concatenate separator and element to the fmri buffer. */
758 }
759 }
764 }
767 }
769 /*
770 * Get the FMRI for the node at np. The fmri will be placed in buf. On
771 * success sz_out will be set to the size of the fmri in buf. If
772 * REP_PROTOCOL_FAIL_TRUNCATED is returned, sz_out will be set to the size
773 * of the buffer that would be required to avoid truncation.
774 *
775 * Fails with
776 * _TRUNCATED not enough room in buf for the FMRI.
777 */
778 static int
781 {
790 /*
791 * A NULL rn_fmri implies that this is a top level scope.
792 * Child nodes will always have an rn_fmri established
793 * because both rc_node_link_child() and
794 * rc_node_relink_child() call rc_node_build_fmri(). In
795 * this case, we'll just return our name preceded by the
796 * appropriate FMRI decorations.
797 */
804 /* We have an fmri, so return it. */
806 }
814 }
816 /*
817 * Build an FMRI string for this node and save it in rn_fmri.
818 *
819 * The basic strategy here is to get the fmri of our parent and then
820 * concatenate the appropriate separator followed by our name. If our name
821 * is null, the resulting fmri will just be a copy of the parent fmri.
822 * rc_node_build_fmri() should be called with the RC_NODE_USING_PARENT flag
823 * set. Also the rn_lock for this node should be held.
824 *
825 * Fails with
826 * _NO_RESOURCES Could not allocate memory.
827 */
828 static int
830 {
851 }
856 }
859 }
861 /*
862 * Get the FMRI of the node at np placing the result in fmri. Then
863 * concatenate the additional element to fmri. The type variable indicates
864 * the type of element, so that the appropriate separator can be
865 * generated. size is the number of bytes in the buffer at fmri, and
866 * sz_out receives the size of the generated string. If the result is
867 * truncated, sz_out will receive the size of the buffer that would be
868 * required to avoid truncation.
869 *
870 * Fails with
871 * _TRUNCATED Not enough room in buffer at fmri.
872 */
873 static int
876 {
880 REP_PROTOCOL_SUCCESS) {
882 }
884 REP_PROTOCOL_SUCCESS) {
886 }
889 }
891 static int
893 {
902 }
906 }
913 }
917 }
918 }
920 }
922 static void
924 {
940 found++;
941 }
942 }
945 else
949 }
951 static void
954 {
958 rc_notify_pool);
966 /*
967 * add to notification list, notify watchers
968 */
975 }
977 static void
979 {
991 }
995 }
997 }
999 static void
1001 {
1012 }
1013 }
1015 /*
1016 * Permission checking functions. See comment atop this file.
1017 */
1018 #ifndef NATIVE_BUILD
1021 {
1032 }
1036 }
1038 static void
1040 {
1041 uint_t i;
1048 }
1049 }
1053 }
1055 static uint32_t
1057 {
1061 /*
1062 * Generic hash function from kernel/os/modhash.c.
1063 */
1070 }
1071 }
1074 }
1076 static perm_status_t
1078 {
1088 }
1089 }
1092 }
1094 static perm_status_t
1096 {
1097 uint_t i;
1104 }
1105 }
1106 }
1109 }
1111 static int
1113 {
1120 /* Homey don't play that. */
1133 }
1134 }
1141 }
1143 static int
1145 {
1147 uint_t i;
1153 /* Grow if pc_enum / pc_bnum > 3/4. */
1155 /* Failure is not a stopper; we'll try again next time. */
1167 }
1172 }
1174 /*
1175 * For the type of a property group, return the authorization which may be
1176 * used to modify it.
1177 */
1180 {
1189 else
1191 }
1193 /*
1194 * Fails with
1195 * _NO_RESOURCES - out of memory
1196 */
1197 static int
1199 pc_auth_type_t auth_type)
1200 {
1202 REP_PROTOCOL_FAIL_NO_RESOURCES);
1203 }
1205 /*
1206 * Fails with
1207 * _NO_RESOURCES - out of memory
1208 */
1209 static int
1211 {
1213 }
1215 /* Note that perm_add_enabling_values() is defined below. */
1217 /*
1218 * perm_granted() returns PERM_GRANTED if the current door caller has one of
1219 * the enabling authorizations in pcp, PERM_DENIED if it doesn't, PERM_GONE if
1220 * the door client went away and PERM_FAIL if an error (usually lack of
1221 * memory) occurs. auth_cb() checks each and every authorizations as
1222 * enumerated by _enum_auths. When we find a result other than PERM_DENIED,
1223 * we short-cut the enumeration and return non-zero.
1224 */
1226 static int
1228 {
1234 else
1241 }
1243 static perm_status_t
1245 {
1249 uid_t uid;
1254 /* Get the uid */
1257 /*
1258 * Client is no longer waiting for our response (e.g.,
1259 * it received a signal & resumed with EINTR).
1260 * Punting with door_return() would be nice but we
1261 * need to release all of the locks & references we
1262 * hold. And we must report failure to the client
1263 * layer to keep it from ignoring retries as
1264 * already-done (idempotency & all that). None of the
1265 * error codes fit very well, so we might as well
1266 * force the return of _PERMISSION_DENIED since we
1267 * couldn't determine the user.
1268 */
1270 }
1273 }
1281 }
1283 /*
1284 * Enumerate all the auths defined for the user and return the
1285 * result in ret.
1286 */
1291 }
1293 static int
1295 {
1314 }
1316 }
1319 /*
1320 * flags in RC_NODE_WAITING_FLAGS are broadcast when unset, and are used to
1321 * serialize certain actions, and to wait for certain operations to complete
1322 *
1323 * The waiting flags are:
1324 * RC_NODE_CHILDREN_CHANGING
1325 * The child list is being built or changed (due to creation
1326 * or deletion). All iterators pause.
1327 *
1328 * RC_NODE_USING_PARENT
1329 * Someone is actively using the parent pointer, so we can't
1330 * be removed from the parent list.
1331 *
1332 * RC_NODE_CREATING_CHILD
1333 * A child is being created -- locks out other creations, to
1334 * prevent insert-insert races.
1335 *
1336 * RC_NODE_IN_TX
1337 * This object is running a transaction.
1338 *
1339 * RC_NODE_DYING
1340 * This node might be dying. Always set as a set, using
1341 * RC_NODE_DYING_FLAGS (which is everything but
1342 * RC_NODE_USING_PARENT)
1343 */
1344 static int
1346 {
1352 }
1358 }
1360 static void
1362 {
1368 }
1370 /*
1371 * wait until a particular flag has cleared. Fails if the object dies.
1372 */
1373 static int
1375 {
1381 }
1383 /*
1384 * On entry, np's lock must be held, and this thread must be holding
1385 * RC_NODE_USING_PARENT. On return, both of them are released.
1386 *
1387 * If the return value is NULL, np either does not have a parent, or
1388 * the parent has been marked DEAD.
1389 *
1390 * If the return value is non-NULL, it is the parent of np, and both
1391 * its lock and the requested flags are held.
1392 */
1395 {
1405 }
1416 }
1418 }
1420 rc_node_t *
1422 {
1437 rc_notify_pool);
1440 }
1442 void
1444 {
1454 /* Release the holds from rc_iter_next(). */
1456 /* rn_cchain[i] may be NULL for empty snapshots. */
1459 }
1460 }
1481 rc_notify_pool);
1491 }
1493 /*
1494 * Link in a child node.
1495 *
1496 * Because of the lock ordering, cp has to already be in the hash table with
1497 * its lock dropped before we get it. To prevent anyone from noticing that
1498 * it is parentless, the creation code sets the RC_NODE_USING_PARENT. Once
1499 * we've linked it in, we release the flag.
1500 */
1501 static void
1503 {
1513 REP_PROTOCOL_SUCCESS);
1524 }
1526 /*
1527 * Sets the rn_parent_ref field of all the children of np to pp -- always
1528 * initially invoked as rc_node_setup_parent_ref(np, np), we then recurse.
1529 *
1530 * This is used when we mark a node RC_NODE_OLD, so that when the object and
1531 * its children are no longer referenced, they will all be deleted as a unit.
1532 */
1533 static void
1535 {
1552 }
1555 }
1556 }
1558 /*
1559 * Atomically replace 'np' with 'newp', with a parent of 'pp'.
1560 *
1561 * Requirements:
1562 * *no* node locks may be held.
1563 * pp must be held with RC_NODE_CHILDREN_CHANGING
1564 * newp and np must be held with RC_NODE_IN_TX
1565 * np must be marked RC_NODE_IN_PARENT, newp must not be
1566 * np must be marked RC_NODE_OLD
1567 *
1568 * Afterwards:
1569 * pp's RC_NODE_CHILDREN_CHANGING is dropped
1570 * newp and np's RC_NODE_IN_TX is dropped
1571 * newp->rn_former = np;
1572 * newp is RC_NODE_IN_PARENT, np is not.
1573 * interested notify subscribers have been notified of newp's new status.
1574 */
1575 static void
1577 {
1579 /*
1580 * First, swap np and nnp in the cache. newp's RC_NODE_IN_TX flag
1581 * keeps rc_node_update() from seeing it until we are done.
1582 */
1588 /*
1589 * replace np with newp in pp's list, and attach it to newp's rn_former
1590 * link.
1591 */
1607 /*
1608 * Note that we carefully add newp before removing np -- this
1609 * keeps iterators on the list from missing us.
1610 */
1615 /*
1616 * re-set np
1617 */
1632 }
1634 /*
1635 * makes sure a node with lookup 'nip', name 'name', and parent 'pp' exists.
1636 * 'cp' is used (and returned) if the node does not yet exist. If it does
1637 * exist, 'cp' is freed, and the existent node is returned instead.
1638 */
1639 rc_node_t *
1642 {
1653 /*
1654 * make sure it matches our expectations
1655 */
1664 }
1669 }
1671 /*
1672 * No one is there -- setup & install the new node.
1673 */
1683 #if COMPOSITION_DEPTH == 2
1686 #else
1687 #error This code must be updated.
1688 #endif
1689 }
1697 }
1699 /*
1700 * makes sure a snapshot with lookup 'nip', name 'name', and parent 'pp' exists.
1701 * 'cp' is used (and returned) if the node does not yet exist. If it does
1702 * exist, 'cp' is freed, and the existent node is returned instead.
1703 */
1704 rc_node_t *
1707 {
1718 /*
1719 * make sure it matches our expectations
1720 */
1729 }
1734 }
1736 /*
1737 * No one is there -- create a new node.
1738 */
1754 }
1756 /*
1757 * makes sure a snaplevel with lookup 'nip' and parent 'pp' exists. 'cp' is
1758 * used (and returned) if the node does not yet exist. If it does exist, 'cp'
1759 * is freed, and the existent node is returned instead.
1760 */
1761 rc_node_t *
1764 {
1775 /*
1776 * make sure it matches our expectations
1777 */
1786 }
1791 }
1793 /*
1794 * No one is there -- create a new node.
1795 */
1809 /* Add this snaplevel to the snapshot's composition chain. */
1816 }
1818 /*
1819 * Returns NULL if strdup() fails.
1820 */
1821 rc_node_t *
1824 {
1833 /*
1834 * make sure it matches our expectations (don't check
1835 * the generation number or parent, since someone could
1836 * have gotten a transaction through while we weren't
1837 * looking)
1838 */
1847 }
1852 }
1862 }
1868 }
1880 }
1882 #if COMPOSITION_DEPTH == 2
1883 /*
1884 * Initialize a "composed property group" which represents the composition of
1885 * property groups pg1 & pg2. It is ephemeral: once created & returned for an
1886 * ITER_READ request, keeping it out of cache_hash and any child lists
1887 * prevents it from being looked up. Operations besides iteration are passed
1888 * through to pg1.
1889 *
1890 * pg1 & pg2 should be held before entering this function. They will be
1891 * released in rc_node_destroy().
1892 */
1893 static int
1895 {
1908 }
1909 #else
1910 #error This code must be updated.
1911 #endif
1913 /*
1914 * Fails with _NO_RESOURCES.
1915 */
1916 int
1920 {
1928 /*
1929 * make sure it matches our expectations
1930 */
1943 }
1947 }
1949 /*
1950 * No one is there -- create a new node.
1951 */
1957 }
1965 }
1980 }
1982 int
1984 {
2034 }
2036 /*
2037 * Fails with
2038 * _INVALID_TYPE - type is invalid
2039 * _TYPE_MISMATCH - np doesn't carry children of type type
2040 * _DELETED - np has been deleted
2041 * _NO_RESOURCES
2042 */
2043 static int
2045 {
2051 REP_PROTOCOL_SUCCESS)
2060 }
2068 }
2072 }
2074 /*
2075 * Returns
2076 * _INVALID_TYPE - type is invalid
2077 * _TYPE_MISMATCH - np doesn't carry children of type type
2078 * _DELETED - np has been deleted
2079 * _NO_RESOURCES
2080 * _SUCCESS - if *cpp is not NULL, it is held
2081 */
2082 static int
2085 {
2101 }
2108 }
2112 /*
2113 * Returns
2114 * _INVALID_TYPE - type is invalid
2115 * _DELETED - np or an ancestor has been deleted
2116 * _NOT_FOUND - no ancestor of specified type exists
2117 * _SUCCESS - *app is held
2118 */
2119 static int
2121 {
2137 }
2142 }
2145 }
2147 #ifndef NATIVE_BUILD
2148 /*
2149 * If the propname property exists in pg, and it is of type string, add its
2150 * values as authorizations to pcp. pg must not be locked on entry, and it is
2151 * returned unlocked. Returns
2152 * _DELETED - pg was deleted
2153 * _NO_RESOURCES
2154 * _NOT_FOUND - pg has no property named propname
2155 * _SUCCESS
2156 */
2157 static int
2159 {
2163 uint_t count;
2183 }
2184 }
2189 /* rn_valtype is immutable, so no locking. */
2193 }
2201 PC_AUTH_SVC);
2206 }
2211 }
2213 /*
2214 * Assuming that ent is a service or instance node, if the pgname property
2215 * group has type pgtype, and it has a propname property with string type, add
2216 * its values as authorizations to pcp. If pgtype is NULL, it is not checked.
2217 * Returns
2218 * _SUCCESS
2219 * _DELETED - ent was deleted
2220 * _NO_RESOURCES - no resources
2221 * _NOT_FOUND - ent does not have pgname pg or propname property
2222 */
2223 static int
2226 {
2247 }
2266 }
2267 }
2272 }
2274 /*
2275 * If pg has a property named propname, and is string typed, add its values as
2276 * authorizations to pcp. If pg has no such property, and its parent is an
2277 * instance, walk up to the service and try doing the same with the property
2278 * of the same name from the property group of the same name. Returns
2279 * _SUCCESS
2280 * _NO_RESOURCES
2281 * _DELETED - pg (or an ancestor) was deleted
2282 */
2283 static int
2285 {
2304 /*
2305 * If pg is a child of an instance or snapshot, we want to compose the
2306 * authorization property with the service's (if it exists). The
2307 * snapshot case applies only to read_authorization. In all other
2308 * cases, the pg's parent will be the instance.
2309 */
2314 }
2325 }
2327 /*
2328 * Call perm_add_enabling_values() for the "action_authorization" property of
2329 * the "general" property group of inst. Returns
2330 * _DELETED - inst (or an ancestor) was deleted
2331 * _NO_RESOURCES
2332 * _SUCCESS
2333 */
2334 static int
2336 {
2352 }
2358 }
2361 void
2363 {
2368 }
2370 void
2372 {
2376 }
2377 }
2379 static void
2381 {
2389 /*
2390 * Register the ephemeral reference created by reading
2391 * out->rnp_node into cur. Note that the persistent
2392 * reference we're destroying is locked by the client
2393 * layer.
2394 */
2398 }
2402 }
2404 void
2406 {
2409 }
2411 void
2413 {
2415 }
2417 /*
2418 * rc_node_check()/RC_NODE_CHECK()
2419 * generic "entry" checks, run before the use of an rc_node pointer.
2420 *
2421 * Fails with
2422 * _NOT_SET
2423 * _DELETED
2424 */
2425 static int
2427 {
2436 }
2439 }
2441 /*
2442 * Fails with
2443 * _NOT_SET - ptr is reset
2444 * _DELETED - node has been deleted
2445 */
2448 {
2453 else
2456 }
2464 }
2466 }
2468 #define RC_NODE_CHECK_AND_LOCK(n) { \
2469 int rc__res; \
2470 if ((rc__res = rc_node_check_and_lock(n)) != REP_PROTOCOL_SUCCESS) \
2471 return (rc__res); \
2472 }
2474 #define RC_NODE_CHECK(n) { \
2475 RC_NODE_CHECK_AND_LOCK(n); \
2476 (void) pthread_mutex_unlock(&(n)->rn_lock); \
2477 }
2479 #define RC_NODE_CHECK_AND_HOLD(n) { \
2480 RC_NODE_CHECK_AND_LOCK(n); \
2481 rc_node_hold_locked(n); \
2482 (void) pthread_mutex_unlock(&(n)->rn_lock); \
2483 }
2485 #define RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp) { \
2486 int rc__res; \
2487 if (((np) = rc_node_ptr_check_and_lock(npp, &rc__res)) == NULL) \
2488 return (rc__res); \
2489 }
2491 #define RC_NODE_PTR_CHECK_LOCK_OR_FREE_RETURN(np, npp, mem) { \
2492 int rc__res; \
2493 if (((np) = rc_node_ptr_check_and_lock(npp, &rc__res)) == \
2494 NULL) { \
2495 free((mem)); \
2496 return (rc__res); \
2497 } \
2498 }
2500 #define RC_NODE_PTR_GET_CHECK(np, npp) { \
2501 RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp); \
2502 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2503 }
2505 #define RC_NODE_PTR_GET_CHECK_AND_HOLD(np, npp) { \
2506 RC_NODE_PTR_GET_CHECK_AND_LOCK(np, npp); \
2507 rc_node_hold_locked(np); \
2508 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2509 }
2511 #define HOLD_FLAG_OR_RETURN(np, flag) { \
2512 assert(MUTEX_HELD(&(np)->rn_lock)); \
2513 assert(!((np)->rn_flags & RC_NODE_DEAD)); \
2514 if (!rc_node_hold_flag((np), flag)) { \
2515 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2516 return (REP_PROTOCOL_FAIL_DELETED); \
2517 } \
2518 }
2520 #define HOLD_PTR_FLAG_OR_FREE_AND_RETURN(np, npp, flag, mem) { \
2521 assert(MUTEX_HELD(&(np)->rn_lock)); \
2522 if (!rc_node_hold_flag((np), flag)) { \
2523 (void) pthread_mutex_unlock(&(np)->rn_lock); \
2524 assert((np) == (npp)->rnp_node); \
2525 rc_node_clear(npp, 1); \
2526 free((mem)); \
2527 return (REP_PROTOCOL_FAIL_DELETED); \
2528 } \
2529 }
2531 int
2533 {
2537 }
2539 /*
2540 * the main scope never gets destroyed
2541 */
2545 }
2547 /*
2548 * Fails with
2549 * _NOT_SET - npp is not set
2550 * _DELETED - the node npp pointed at has been deleted
2551 * _TYPE_MISMATCH - type is not _SCOPE
2552 * _NOT_FOUND - scope has no parent
2553 */
2554 static int
2556 {
2567 }
2571 /*
2572 * Fails with
2573 * _NOT_SET
2574 * _DELETED
2575 * _NOT_APPLICABLE
2576 * _NOT_FOUND
2577 * _BAD_REQUEST
2578 * _TRUNCATED
2579 * _NO_RESOURCES
2580 */
2581 int
2584 {
2595 }
2631 {
2647 }
2649 }
2652 }
2658 }
2660 int
2662 {
2673 }
2675 /*
2676 * Get np's parent. If np is deleted, returns _DELETED. Otherwise puts a hold
2677 * on the parent, returns a pointer to it in *out, and returns _SUCCESS.
2678 */
2679 static int
2681 {
2690 }
2700 }
2712 }
2714 /* guaranteed to succeed without dropping the lock */
2720 }
2739 deleted:
2742 }
2744 /*
2745 * Fails with
2746 * _NOT_SET
2747 * _DELETED
2748 */
2749 static int
2751 {
2757 }
2759 /*
2760 * Fails with
2761 * _NOT_SET - npp is not set
2762 * _DELETED - the node npp pointed at has been deleted
2763 * _TYPE_MISMATCH - npp's node's parent is not of type type
2764 *
2765 * If npp points to a scope, can also fail with
2766 * _NOT_FOUND - scope has no parent
2767 */
2768 int
2770 {
2781 }
2786 }
2792 }
2794 int
2796 {
2804 }
2814 }
2816 /*
2817 * Fails with
2818 * _INVALID_TYPE - type is invalid
2819 * _TYPE_MISMATCH - np doesn't carry children of type type
2820 * _DELETED - np has been deleted
2821 * _NOT_FOUND - no child with that name/type combo found
2822 * _NO_RESOURCES
2823 * _BACKEND_ACCESS
2824 */
2825 int
2828 {
2848 /*
2849 * loop only if we succeeded, but no child of
2850 * the correct name was found.
2851 */
2855 }
2857 }
2858 }
2865 else
2869 }
2871 }
2873 int
2875 {
2883 /*
2884 * If we're updating a composed property group, actually
2885 * update the top-level property group & return the
2886 * appropriate value. But leave *nnp pointing at us.
2887 */
2890 }
2905 }
2906 /*
2907 * grab the lock before dropping the cache bucket, so
2908 * that no one else can sneak in
2909 */
2918 }
2920 /*
2921 * If it is dead, we want to update it so that it will continue to
2922 * report being dead.
2923 */
2930 }
2941 }
2943 /*
2944 * does a generic modification check, for creation, deletion, and snapshot
2945 * management only. Property group transactions have different checks.
2946 */
2947 static perm_status_t
2949 {
2954 #ifdef NATIVE_BUILD
2957 }
2959 #else
2970 }
2975 }
2979 }
2981 /*
2982 * Return a pointer to a string containing all the values of the command
2983 * specified by cmd_no with each value enclosed in quotes. It is up to the
2984 * caller to free the memory at the returned pointer.
2985 */
2988 {
3000 /*
3001 * First determine the size of the buffer that we will need. We
3002 * will represent each property value surrounded by quotes with a
3003 * space separating the values. Thus, we need to find the total
3004 * size of all the value strings and add 3 for each value.
3005 *
3006 * There is one catch, though. We need to escape any internal
3007 * quote marks in the values. So for each quote in the value we
3008 * need to add another byte to the buffer size.
3009 */
3012 REP_PROTOCOL_SUCCESS)
3016 }
3018 }
3025 /* Now build up the string of values. */
3028 REP_PROTOCOL_SUCCESS) {
3031 }
3040 }
3041 }
3045 }
3049 }
3051 /*
3052 * Fails with
3053 * _DELETED - node has been deleted
3054 * _NOT_SET - npp is reset
3055 * _NOT_APPLICABLE - type is _PROPERTYGRP
3056 * _INVALID_TYPE - node is corrupt or type is invalid
3057 * _TYPE_MISMATCH - node cannot have children of type type
3058 * _BAD_REQUEST - name is invalid
3059 * cannot create children for this type of node
3060 * _NO_RESOURCES - out of memory, or could not allocate new id
3061 * _PERMISSION_DENIED
3062 * _BACKEND_ACCESS
3063 * _BACKEND_READONLY
3064 * _EXISTS - child already exists
3065 */
3066 int
3069 {
3073 perm_status_t perm_rc;
3079 /*
3080 * rc_node_modify_permission_check() must be called before the node
3081 * is locked. This is because the library functions that check
3082 * authorizations can trigger calls back into configd.
3083 */
3095 }
3099 /*
3100 * there is a separate interface for creating property groups
3101 */
3105 }
3112 }
3113 }
3116 REP_PROTOCOL_SUCCESS) {
3119 }
3123 }
3129 }
3132 NULL);
3141 }
3148 }
3150 int
3153 {
3158 perm_status_t granted;
3164 /* verify flags is valid */
3173 }
3176 REP_PROTOCOL_SUCCESS) {
3179 }
3184 }
3186 #ifdef NATIVE_BUILD
3189 }
3190 #else
3195 }
3198 /* Must have .smf.modify or smf.modify.<type> authorization */
3209 }
3211 /*
3212 * .manage or $action_authorization can be used to
3213 * create the actions pg and the general_ovr pg.
3214 */
3226 }
3236 }
3237 }
3242 }
3246 }
3253 }
3257 NULL);
3265 }
3272 }
3274 static void
3276 {
3287 }
3288 }
3290 static void
3292 {
3304 }
3325 }
3332 }
3341 cleanup:
3361 }
3362 }
3364 /*
3365 * Hold RC_NODE_DYING_FLAGS on np's descendents. If andformer is true, do
3366 * the same down the rn_former chain.
3367 */
3368 static void
3370 {
3373 again:
3382 /*
3383 * already marked as dead -- can't happen, since that
3384 * would require setting RC_NODE_CHILDREN_CHANGING
3385 * in np, and we're holding that...
3386 */
3388 }
3392 }
3400 }
3402 }
3404 /*
3405 * N.B.: this function drops np->rn_lock on the way out.
3406 */
3407 static void
3409 {
3412 again:
3422 }
3430 }
3433 }
3435 static void
3437 {
3447 }
3451 }
3455 /*
3456 * If this node is not out-dated, we need to remove it from
3457 * the notify list and cache hash table.
3458 */
3473 }
3474 }
3476 /*
3477 * For each child, call rc_node_finish_delete() and recurse. If andformer
3478 * is set, also recurse down rn_former. Finally release np, which might
3479 * free it.
3480 */
3481 static void
3483 {
3486 again:
3499 }
3501 /*
3502 * When we drop cp's lock, all the children will be gone, so we
3503 * can release DYING_FLAGS.
3504 */
3510 /*
3511 * Register the ephemeral reference created by reading
3512 * np->rn_former into cp. Note that the persistent
3513 * reference (np->rn_former) is locked because we haven't
3514 * dropped np's lock since we dropped its RC_NODE_IN_TX
3515 * (via RC_NODE_DYING_FLAGS).
3516 */
3530 }
3532 }
3534 /*
3535 * The last client or child reference to np, which must be either
3536 * RC_NODE_OLD or RC_NODE_DEAD, has been destroyed. We'll destroy any
3537 * remaining references (e.g., rn_former) and call rc_node_destroy() to
3538 * free np.
3539 */
3540 static void
3542 {
3552 /*
3553 * The node is DEAD, so the deletion code should have
3554 * destroyed all rn_children or rn_former references.
3555 * Since the last client or child reference has been
3556 * destroyed, we're free to destroy np. Unless another
3557 * thread has an ephemeral reference, in which case we'll
3558 * pass the buck.
3559 */
3564 }
3569 }
3571 /* We only collect DEAD and OLD nodes, thank you. */
3574 /*
3575 * RC_NODE_UNREFED keeps multiple threads from processing OLD
3576 * nodes. But it's vulnerable to unfriendly scheduling, so full
3577 * use of rn_erefs should supersede it someday.
3578 */
3582 }
3585 /*
3586 * Now we'll remove the node from the rn_former chain and take its
3587 * DYING_FLAGS.
3588 */
3590 /*
3591 * Since this node is OLD, it should be on an rn_former chain. To
3592 * remove it, we must find the current in-hash object and grab its
3593 * RC_NODE_IN_TX flag to protect the entire rn_former chain.
3594 */
3607 /*
3608 * We are trying to unreference this node, but the
3609 * owner of the former list does not exist. It must
3610 * be the case that another thread is deleting this
3611 * entire sub-branch, but has not yet reached us.
3612 * We will in short order be deleted.
3613 */
3617 }
3620 /*
3621 * no longer unreferenced
3622 */
3625 /* held in cache_lookup() */
3628 }
3632 /*
3633 * current has been replaced since we looked it
3634 * up. Try again.
3635 */
3636 /* held in cache_lookup() */
3639 }
3642 /*
3643 * current has been deleted since we looked it up. Try
3644 * again.
3645 */
3646 /* held in cache_lookup() */
3649 }
3651 /*
3652 * rc_node_hold_flag() might have dropped current's lock, so
3653 * check OLD again.
3654 */
3656 /* Not old. Stop looping. */
3659 }
3663 }
3665 /* To take np's RC_NODE_DYING_FLAGS, we need its lock. */
3668 /*
3669 * While we didn't have the lock, a thread may have added
3670 * a reference or changed the flags.
3671 */
3679 /* held by cache_lookup() */
3682 }
3685 /*
3686 * Someone deleted the node while we were waiting for
3687 * DYING_FLAGS. Undo the modifications to current.
3688 */
3692 /* held by cache_lookup() */
3697 }
3699 /* Take RC_NODE_DYING_FLAGS on np's descendents. */
3702 /* Mark np DEAD. This requires the lock. */
3705 /* Recheck for new references. */
3714 /* held by cache_lookup() */
3717 }
3721 /*
3722 * Delete the children. This calls rc_node_rele_locked() on np at
3723 * the end, so add a reference to keep the count from going
3724 * negative. It will recurse with RC_NODE_DEAD set, so we'll call
3725 * rc_node_destroy() above, but RC_NODE_UNREFED is also set, so it
3726 * shouldn't actually free() np.
3727 */
3731 /* Remove np from current's rn_former chain. */
3735 ;
3742 /* held by cache_lookup() */
3745 /* Clear ON_FORMER and UNREFED, and destroy. */
3751 /* Still referenced. Stay execution. */
3755 }
3761 died:
3762 /*
3763 * Another thread marked np DEAD. If there still aren't any
3764 * persistent references, destroy the node.
3765 */
3777 }
3783 }
3784 /*
3785 * Fails with
3786 * _NOT_SET
3787 * _DELETED
3788 * _BAD_REQUEST
3789 * _PERMISSION_DENIED
3790 * _NO_RESOURCES
3791 * _TRUNCATED
3792 * and whatever object_delete() fails with.
3793 */
3794 int
3796 {
3819 /* Scopes and snaplevels are indelible. */
3832 }
3834 /* Snapshot property groups are indelible. */
3846 }
3851 again:
3852 /*
3853 * The following loop is to deal with the fact that snapshots and
3854 * property groups are moving targets -- changes to them result
3855 * in a new "child" node. Since we can only delete from the top node,
3856 * we have to loop until we have a non-RC_NODE_OLD version.
3857 */
3864 }
3874 }
3877 }
3883 }
3885 /*
3886 * Mark our parent as children changing. this call drops our
3887 * lock and the RC_NODE_USING_PARENT flag, and returns with
3888 * pp's lock held
3889 */
3892 /* our parent is gone, we're going next... */
3898 }
3913 }
3914 /*
3915 * Everyone out of the pool -- we grab everything but
3916 * RC_NODE_USING_PARENT (including RC_NODE_DYING) to keep
3917 * any changes from occurring while we are attempting to
3918 * delete the node.
3919 */
3924 }
3928 #ifdef NATIVE_BUILD
3931 else
3933 #else
3935 /* permission check */
3941 /* add .smf.modify.<type> for pgs. */
3943 REP_PROTOCOL_ENTITY_PROPERTYGRP) {
3949 }
3958 RC_NODE_DYING_FLAGS);
3960 }
3961 }
3966 }
3971 }
3978 }
3986 }
3997 }
3999 /*
4000 * Now, delicately unlink and delete the object.
4001 *
4002 * Create the delete notification, atomically remove
4003 * from the hash table and set the NODE_DEAD flag, and
4004 * remove from the parent's children list.
4005 */
4017 /*
4018 * Remove from pp's rn_children. This requires pp's lock,
4019 * so we must drop np's lock to respect lock order.
4020 */
4032 }
4034 /*
4035 * finally, propagate death to our children (including marking
4036 * them DEAD), handle notifications, and release our hold.
4037 */
4053 fail:
4061 }
4062 cleanout:
4064 }
4066 int
4068 {
4081 }
4088 }
4097 }
4105 }
4107 /*
4108 * mark our parent as children changing. This call drops our
4109 * lock and the RC_NODE_USING_PARENT flag, and returns with
4110 * pp's lock held
4111 */
4114 /* our parent is gone, we're going next... */
4118 }
4120 /*
4121 * find the next snaplevel
4122 */
4126 ;
4128 /* it must match the snaplevel list */
4139 }
4146 }
4148 }
4150 /*
4151 * This call takes a snapshot (np) and either:
4152 * an existing snapid (to be associated with np), or
4153 * a non-NULL parentp (from which a new snapshot is taken, and associated
4154 * with np)
4155 *
4156 * To do the association, np is duplicated, the duplicate is made to
4157 * represent the new snapid, and np is replaced with the new rc_node_t on
4158 * np's parent's child list. np is placed on the new node's rn_former list,
4159 * and replaces np in cache_hash (so rc_node_update() will find the new one).
4160 *
4161 * old_fmri and old_name point to the original snap shot's FMRI and name.
4162 *
4163 * Fails with
4164 * _BAD_REQUEST
4165 * _BACKEND_READONLY
4166 * _DELETED
4167 * _NO_RESOURCES
4168 * _TRUNCATED
4169 * _TYPE_MISMATCH
4170 */
4171 static int
4178 {
4184 perm_status_t granted;
4190 }
4215 }
4218 /*
4219 * get the latest node, holding RC_NODE_IN_TX to keep the rn_former
4220 * list from changing.
4221 */
4226 }
4228 RC_NODE_CHILDREN_CHANGING);
4233 }
4236 RC_NODE_CHILDREN_CHANGING);
4239 }
4243 /*
4244 * Can't happen, since we're holding our
4245 * parent's CHILDREN_CHANGING flag...
4246 */
4248 }
4250 }
4251 again:
4258 }
4261 }
4269 }
4271 /*
4272 * look for a former node with the snapid we need.
4273 */
4283 }
4290 }
4292 }
4293 }
4301 }
4312 }
4313 }
4321 else
4328 /*
4329 * fix up the former chain
4330 */
4337 }
4341 /*
4342 * replace np with nnp
4343 */
4349 cleanout:
4352 fail:
4362 else
4364 }
4367 }
4369 int
4372 {
4373 perm_status_t granted;
4382 /*
4383 * rc_node_modify_permission_check() must be called before the node
4384 * is locked. This is because the library functions that check
4385 * authorizations can trigger calls back into configd.
4386 */
4400 }
4406 }
4412 }
4416 REP_PROTOCOL_SUCCESS) {
4419 }
4423 REP_PROTOCOL_SUCCESS) {
4426 }
4432 }
4436 }
4439 NULL);
4447 }
4454 }
4456 int
4458 {
4464 }
4470 }
4474 }
4476 int
4478 {
4491 }
4502 }
4503 }
4509 }
4514 }
4516 /*
4517 * If the pgname property group under ent has type pgtype, and it has a
4518 * propname property with type ptype, return _SUCCESS. If pgtype is NULL,
4519 * it is not checked. If ent is not a service node, we will return _SUCCESS if
4520 * a property meeting the requirements exists in either the instance or its
4521 * parent.
4522 *
4523 * Returns
4524 * _SUCCESS - see above
4525 * _DELETED - ent or one of its ancestors was deleted
4526 * _NO_RESOURCES - no resources
4527 * _NOT_FOUND - no matching property was found
4528 */
4529 static int
4532 {
4553 }
4563 }
4585 }
4586 }
4592 }
4598 }
4605 }
4607 /*
4608 * At this point, pg is non-NULL, and is a property group node of the
4609 * correct type. spg, if non-NULL, is also a property group node of
4610 * the correct type. Check for the property in pg first, then spg
4611 * (if applicable).
4612 */
4626 }
4628 }
4641 }
4659 }
4661 }
4672 }
4675 }
4677 /*
4678 * Given a property group node, returns _SUCCESS if the property group may
4679 * be read without any special authorization.
4680 *
4681 * Fails with:
4682 * _DELETED - np or an ancestor node was deleted
4683 * _TYPE_MISMATCH - np does not refer to a property group
4684 * _NO_RESOURCES - no resources
4685 * _PERMISSION_DENIED - authorization is required
4686 */
4687 static int
4689 {
4723 }
4726 }
4728 /*
4729 * Fails with
4730 * _DELETED - np's node or parent has been deleted
4731 * _TYPE_MISMATCH - np's node is not a property
4732 * _NO_RESOURCES - out of memory
4733 * _PERMISSION_DENIED - no authorization to read this property's value(s)
4734 * _BAD_REQUEST - np's parent is not a property group
4735 */
4736 static int
4738 {
4751 #ifdef NATIVE_BUILD
4753 #else
4762 }
4769 }
4776 }
4786 }
4788 /*
4789 * If you are permitted to modify the value, you may also
4790 * read it. This means that both the MODIFY and VALUE
4791 * authorizations are acceptable. We don't allow requests
4792 * for AUTH_PROP_MODIFY if all you have is $AUTH_PROP_VALUE,
4793 * however, to avoid leaking possibly valuable information
4794 * since such a user can't change the property anyway.
4795 */
4798 AUTH_PROP_MODIFY);
4803 AUTH_PROP_VALUE);
4807 AUTH_PROP_READ);
4817 }
4826 }
4828 /*
4829 * Iteration
4830 */
4831 static int
4833 {
4837 }
4839 static int
4841 {
4845 }
4847 /*ARGSUSED*/
4848 static int
4850 {
4852 }
4854 /*
4855 * Allocate & initialize an rc_node_iter_t structure. Essentially, ensure
4856 * np->rn_children is populated and call uu_list_walk_start(np->rn_children).
4857 * If successful, leaves a hold on np & increments np->rn_other_refs
4858 *
4859 * If composed is true, then set up for iteration across the top level of np's
4860 * composition chain. If successful, leaves a hold on np and increments
4861 * rn_other_refs for the top level of np's composition chain.
4862 *
4863 * Fails with
4864 * _NO_RESOURCES
4865 * _INVALID_TYPE
4866 * _TYPE_MISMATCH - np cannot carry type children
4867 * _DELETED
4868 */
4869 static int
4872 {
4882 /* np is held by the client's rc_node_ptr_t */
4890 REP_PROTOCOL_SUCCESS) {
4894 }
4899 UU_WALK_ROBUST);
4907 }
4913 /* rn_cchain isn't valid until children are loaded. */
4916 REP_PROTOCOL_ENTITY_SNAPLEVEL);
4921 }
4923 /* Check for an empty snapshot. */
4926 }
4928 /* Start at the top of the composition chain. */
4931 /* Empty composition chain. */
4932 empty:
4935 /* It's ok, iter_next() will return _DONE. */
4937 }
4945 /* Someone deleted it, so try the next one. */
4946 }
4952 UU_WALK_ROBUST);
4959 }
4960 }
4966 }
4969 }
4971 out:
4979 }
4981 static void
4983 {
4998 }
5000 /*
5001 * Fails with
5002 * _NOT_SET - npp is reset
5003 * _DELETED - npp's node has been deleted
5004 * _NOT_APPLICABLE - npp's node is not a property
5005 * _NO_RESOURCES - out of memory
5006 */
5007 static int
5009 {
5021 }
5027 }
5042 }
5044 /*
5045 * Returns:
5046 * _NO_RESOURCES - out of memory
5047 * _NOT_SET - npp is reset
5048 * _DELETED - npp's node has been deleted
5049 * _TYPE_MISMATCH - npp's node is not a property
5050 * _NOT_FOUND - property has no values
5051 * _TRUNCATED - property has >1 values (first is written into out)
5052 * _SUCCESS - property has 1 value (which is written into out)
5053 * _PERMISSION_DENIED - no authorization to read property value(s)
5054 *
5055 * We shorten *sz_out to not include anything after the final '\0'.
5056 */
5057 int
5060 {
5079 }
5084 }
5096 REP_PROTOCOL_SUCCESS;
5099 }
5101 int
5104 {
5113 rep_protocol_responseid_t result;
5150 /*
5151 * update the offsets if we're not repeating
5152 */
5156 }
5159 }
5163 }
5165 /*
5166 * Entry point for ITER_START from client.c. Validate the arguments & call
5167 * rc_iter_create().
5168 *
5169 * Fails with
5170 * _NOT_SET
5171 * _DELETED
5172 * _TYPE_MISMATCH - np cannot carry type children
5173 * _BAD_REQUEST - flags is invalid
5174 * pattern is invalid
5175 * _NO_RESOURCES
5176 * _INVALID_TYPE
5177 * _TYPE_MISMATCH - *npp cannot have children of type
5178 * _BACKEND_ACCESS
5179 */
5180 int
5183 {
5202 }
5205 REP_PROTOCOL_SUCCESS)
5212 /* Composition only works for instances & snapshots. */
5220 REP_PROTOCOL_SUCCESS)
5225 }
5238 }
5244 }
5252 }
5254 /*
5255 * Do uu_list_walk_next(iter->rni_iter) until we find a child which matches
5256 * the filter.
5257 * For composed iterators, then check to see if there's an overlapping entity
5258 * (see embedded comments). If we reach the end of the list, start over at
5259 * the next level.
5260 *
5261 * Returns
5262 * _BAD_REQUEST - iter walks values
5263 * _TYPE_MISMATCH - iter does not walk type entities
5264 * _DELETED - parent was deleted
5265 * _NO_RESOURCES
5266 * _INVALID_TYPE - type is invalid
5267 * _DONE
5268 * _SUCCESS
5269 *
5270 * For composed property group iterators, can also return
5271 * _TYPE_MISMATCH - parent cannot have type children
5272 */
5273 int
5275 {
5286 }
5291 }
5299 }
5302 /* Composed iterator. Iterate over appropriate level. */
5305 /*
5306 * If iter->rni_parent is an instance or a snapshot, np must
5307 * be valid since iter holds iter->rni_parent & possible
5308 * levels (service, instance, snaplevel) cannot be destroyed
5309 * while rni_parent is held. If iter->rni_parent is
5310 * a composed property group then rc_node_setup_cpg() put
5311 * a hold on np.
5312 */
5320 }
5321 }
5330 #if COMPOSITION_DEPTH == 2
5332 /* release walker and lock */
5335 }
5337 /* Stop walking current level. */
5344 /* Start walking next level. */
5348 #else
5349 #error This code must be updated.
5350 #endif
5359 UU_WALK_ROBUST);
5366 }
5367 }
5373 }
5376 }
5382 /*
5383 * If we're composed and not at the top level, check to see if
5384 * there's an entity at a higher level with the same name. If
5385 * so, skip this one.
5386 */
5391 #if COMPOSITION_DEPTH == 2
5404 }
5407 /* Make sure np isn't being deleted all of a sudden. */
5412 }
5415 /* Keep going. */
5417 #else
5418 #error This code must be updated.
5419 #endif
5420 }
5422 /*
5423 * If we're composed, iterating over property groups, and not
5424 * at the bottom level, check to see if there's a pg at lower
5425 * level with the same name. If so, return a cpg.
5426 */
5430 #if COMPOSITION_DEPTH == 2
5440 /* holds pg if not NULL */
5446 }
5456 }
5464 rn_lock);
5467 }
5471 /* Keep res held for rc_node_setup_cpg(). */
5481 }
5489 /* Nevermind. */
5491 rn_lock);
5496 rn_lock);
5498 RC_NODE_DYING)) {
5502 return
5504 }
5519 }
5520 }
5521 #else
5522 #error This code must be updated.
5523 #endif
5524 }
5529 }
5536 }
5538 void
5540 {
5556 else
5560 }
5565 }
5567 int
5569 {
5573 perm_status_t granted;
5583 }
5588 }
5593 }
5595 #ifdef NATIVE_BUILD
5600 #else
5604 /* permission check */
5609 }
5618 /* solaris.smf.modify can be used */
5624 }
5626 /* solaris.smf.manage can be used. */
5633 }
5635 /* general/action_authorization values can be used. */
5642 }
5660 }
5668 /* propertygroup-type-specific authorization */
5669 /* no locking because rn_type won't change anyway */
5675 }
5678 /* propertygroup/transaction-type-specific auths */
5679 ret =
5683 ret =
5686 /* AUTH_MANAGE can manipulate general/AUTH_PROP_ACTION */
5696 }
5697 }
5708 }
5712 }
5715 skip_checks:
5719 /* Save the authorization string. */
5724 }
5729 }
5731 /*
5732 * Return 1 if the given transaction commands only modify the values of
5733 * properties other than "modify_authorization". Return -1 if any of the
5734 * commands are invalid, and 0 otherwise.
5735 */
5736 static int
5738 {
5743 boolean_t ok;
5768 /* Check type */
5774 REP_PROTOCOL_SUCCESS) {
5778 /*
5779 * rc_node_find_named_child()
5780 * places a hold on prop which we
5781 * do not need to hang on to.
5782 */
5784 }
5785 }
5793 }
5801 }
5804 }
5806 /*
5807 * Return 1 if any of the given transaction commands affect
5808 * "action_authorization". Return -1 if any of the commands are invalid and
5809 * 0 in all other cases.
5810 */
5811 static int
5813 {
5840 }
5843 }
5845 /*
5846 * Returns 1 if the transaction commands only modify properties named
5847 * 'enabled'.
5848 */
5849 static int
5851 {
5878 }
5881 }
5883 int
5885 {
5892 perm_status_t granted;
5907 }
5910 is_main_repository) {
5911 #ifdef NATIVE_BUILD
5914 }
5915 #else
5916 /* permission check: depends on contents of transaction */
5921 /* If normal is cleared, we won't do the normal checks. */
5927 /* Touching general[framework]/action_authorization? */
5932 }
5935 /*
5936 * Yes: only AUTH_MODIFY and AUTH_MANAGE
5937 * can be used.
5938 */
5943 AUTH_MANAGE);
5948 }
5958 }
5966 }
5969 REP_PROTOCOL_ENTITY_INSTANCE);
5984 rc);
5985 }
5988 }
5989 }
5995 /* Add pgtype-specific authorization. */
6001 }
6003 /* Add pg-specific modify_authorization auths. */
6006 AUTH_PROP_MODIFY);
6008 /* If value_authorization values are ok, add them. */
6015 AUTH_PROP_VALUE);
6016 }
6017 }
6022 }
6031 }
6035 }
6041 }
6045 }
6047 /*
6048 * Parse the transaction commands into a useful form.
6049 */
6051 REP_PROTOCOL_SUCCESS) {
6053 }
6058 }
6064 }
6078 }
6082 /*
6083 * We must have all of the old properties in the cache, or the
6084 * database deletions could cause inconsistencies.
6085 */
6087 REP_PROTOCOL_SUCCESS) {
6091 }
6098 }
6106 }
6110 /* our parent is gone, we're going next... */
6117 }
6121 }
6124 /*
6125 * prepare for the transaction
6126 */
6136 }
6140 /* Sets nnp->rn_gen_id on success. */
6155 }
6157 /*
6158 * Notify waiters
6159 */
6170 /*
6171 * replace np with nnp
6172 */
6175 /*
6176 * all done -- clear the transaction.
6177 */
6182 cleanout:
6186 }
6188 void
6190 {
6194 }
6196 int
6198 {
6206 }
6208 /*
6209 * wait for any transaction in progress to complete
6210 */
6214 }
6219 }
6230 }
6232 void
6234 {
6240 }
6242 void
6244 {
6249 rc_notify_pool);
6262 }
6263 }
6265 static void
6267 {
6275 }
6277 static void
6279 {
6293 /*
6294 * clean up any notifications at the beginning of the list
6295 */
6297 /*
6298 * We can't call rc_notify_remove_locked() unless
6299 * rc_notify_in_use is 0.
6300 */
6304 }
6308 }
6315 }
6318 }
6320 static int
6323 {
6345 /*
6346 * Don't add name if it's already being tracked.
6347 */
6351 }
6352 }
6358 }
6362 out:
6368 }
6370 int
6372 {
6374 }
6376 int
6378 {
6380 }
6382 /*
6383 * Wait for and report an event of interest to rnip, a notification client
6384 */
6385 int
6388 {
6402 RC_NOTIFY_ACTIVE) {
6403 /*
6404 * If I'm first on the notify list, it is my job to
6405 * clean up any notifications I pass by. I can't do that
6406 * if someone is blocking the list from removals, so I
6407 * have to wait until they have all drained.
6408 */
6416 }
6418 /*
6419 * Search the list for a node of interest.
6420 */
6427 /*
6428 * Passing another client -- stop
6429 * cleaning up notifications
6430 */
6434 }
6435 }
6437 }
6439 /*
6440 * Nothing of interest -- wait for notification
6441 */
6448 }
6450 /*
6451 * found something to report -- move myself after the
6452 * notification and process it.
6453 */
6464 }
6469 /*
6470 * We can't bump nnp's reference count without grabbing its
6471 * lock, and rc_pg_notify_lock is a leaf lock. So we
6472 * temporarily block all removals to keep nnp from
6473 * disappearing.
6474 */
6475 rc_notify_in_use++;
6483 rc_notify_in_use--;
6486 /*
6487 * While we had the lock dropped, another thread
6488 * may have also incremented rc_notify_in_use. We
6489 * need to make sure that we're back to 0 before
6490 * removing the node.
6491 */
6495 }
6497 }
6503 }
6504 /*
6505 * If we're the last one out, let people know it's clear.
6506 */
6511 }
6513 static void
6515 {
6529 }
6533 }
6534 }
6539 }
6541 void
6543 {
6548 rc_notify_pool);
6549 }