From 9a5d73e03cd3312ddb571a748c40a63c58bd66e5 Mon Sep 17 00:00:00 2001 From: Ric Aleshire Date: Wed, 25 Feb 2009 20:53:30 -0800 Subject: PSARC/2009/065 labeled brand zone 6717648 Labeled zones should have their own brand 6713821 lx branded zone warnings printed to console when booting tx --- usr/src/Targetdirs | 1 + usr/src/cmd/tsol/zones/SUNWtsoldef.xml | 6 +- usr/src/cmd/zoneadmd/vplat.c | 8 ++ usr/src/cmd/zoneadmd/zoneadmd.c | 5 +- usr/src/cmd/zoneadmd/zoneadmd.h | 1 + usr/src/lib/brand/Makefile | 6 +- usr/src/lib/brand/labeled/Makefile | 43 ++++++ usr/src/lib/brand/labeled/config.xml | 97 +++++++++++++ usr/src/lib/brand/labeled/pkgcreatezone.sh | 223 +++++++++++++++++++++++++++++ usr/src/lib/brand/labeled/platform.xml | 136 ++++++++++++++++++ usr/src/pkgdefs/SUNWtsu/prototype_com | 12 +- usr/src/uts/common/os/brand.c | 10 +- usr/src/uts/common/os/zone.c | 7 - usr/src/uts/common/sys/brand.h | 7 +- 14 files changed, 531 insertions(+), 31 deletions(-) create mode 100644 usr/src/lib/brand/labeled/Makefile create mode 100644 usr/src/lib/brand/labeled/config.xml create mode 100644 usr/src/lib/brand/labeled/pkgcreatezone.sh create mode 100644 usr/src/lib/brand/labeled/platform.xml diff --git a/usr/src/Targetdirs b/usr/src/Targetdirs index 5177c5b8a2..80e999ca7f 100644 --- a/usr/src/Targetdirs +++ b/usr/src/Targetdirs @@ -264,6 +264,7 @@ ROOT.BIN= \ /usr/lib \ /usr/lib/abi \ /usr/lib/brand \ + /usr/lib/brand/labeled \ /usr/lib/brand/native \ /usr/lib/brand/shared \ /usr/lib/brand/sn1 \ diff --git a/usr/src/cmd/tsol/zones/SUNWtsoldef.xml b/usr/src/cmd/tsol/zones/SUNWtsoldef.xml index 30b777b4c9..4083f1c3d5 100644 --- a/usr/src/cmd/tsol/zones/SUNWtsoldef.xml +++ b/usr/src/cmd/tsol/zones/SUNWtsoldef.xml @@ -19,16 +19,14 @@ CDDL HEADER END - Copyright 2007 Sun Microsystems, Inc. All rights reserved. + Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. - ident "%Z%%M% %I% %E% SMI" - DO NOT EDIT THIS FILE. Use zonecfg(1M) instead. --> - + diff --git a/usr/src/cmd/zoneadmd/vplat.c b/usr/src/cmd/zoneadmd/vplat.c index b8ec982fb5..3ffb7611b8 100644 --- a/usr/src/cmd/zoneadmd/vplat.c +++ b/usr/src/cmd/zoneadmd/vplat.c @@ -4240,6 +4240,14 @@ vplat_create(zlog_t *zlogp, zone_mnt_t mount_cmd) goto error; } + if (!is_system_labeled() && + (strcmp(attr.ba_brandname, LABELED_BRAND_NAME) == 0)) { + brand_close(bh); + zerror(zlogp, B_FALSE, + "cannot boot labeled zone on unlabeled system"); + goto error; + } + /* * If this brand requires any kernel support, now is the time to * get it loaded and initialized. diff --git a/usr/src/cmd/zoneadmd/zoneadmd.c b/usr/src/cmd/zoneadmd/zoneadmd.c index 240985f427..961726f7f4 100644 --- a/usr/src/cmd/zoneadmd/zoneadmd.c +++ b/usr/src/cmd/zoneadmd/zoneadmd.c @@ -106,6 +106,7 @@ char *zone_name; /* zone which we are managing */ char brand_name[MAXNAMELEN]; boolean_t zone_isnative; boolean_t zone_iscluster; +boolean_t zone_islabeled; static zoneid_t zone_id; dladm_handle_t dld_handle = NULL; @@ -1175,7 +1176,8 @@ server(void *cookie, char *args, size_t alen, door_desc_t *dp, case Z_FORCEMOUNT: if (kernelcall) /* Invalid; can't happen */ abort(); - if (!zone_isnative && !zone_iscluster) { + if (!zone_isnative && !zone_iscluster && + !zone_islabeled) { /* * -U mounts the zone without lofs mounting * zone file systems back into the scratch @@ -1711,6 +1713,7 @@ main(int argc, char *argv[]) } zone_isnative = brand_is_native(bh); zone_iscluster = (strcmp(brand_name, CLUSTER_BRAND_NAME) == 0); + zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0); /* Get state change brand hooks. */ if (brand_callback_init(bh, zone_name) == -1) { diff --git a/usr/src/cmd/zoneadmd/zoneadmd.h b/usr/src/cmd/zoneadmd/zoneadmd.h index 181f3c3c1b..c244852968 100644 --- a/usr/src/cmd/zoneadmd/zoneadmd.h +++ b/usr/src/cmd/zoneadmd/zoneadmd.h @@ -57,6 +57,7 @@ extern "C" { #define EXEC_LEN (strlen(EXEC_PREFIX)) #define CLUSTER_BRAND_NAME "cluster" +#define LABELED_BRAND_NAME "labeled" /* 0755 is the default directory mode. */ #define DEFAULT_DIR_MODE \ diff --git a/usr/src/lib/brand/Makefile b/usr/src/lib/brand/Makefile index 6c265d50fb..67b7597cd7 100644 --- a/usr/src/lib/brand/Makefile +++ b/usr/src/lib/brand/Makefile @@ -19,11 +19,9 @@ # CDDL HEADER END # # -# Copyright 2006 Sun Microsystems, Inc. All rights reserved. +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # -# ident "%Z%%M% %I% %E% SMI" -# # lib/brand/Makefile # # include global definitions @@ -36,7 +34,7 @@ include ../../Makefile.master i386_SUBDIRS= lx i386_MSGSUBDIRS= lx -SUBDIRS= sn1 native $($(MACH)_SUBDIRS) +SUBDIRS= sn1 labeled native $($(MACH)_SUBDIRS) MSGSUBDIRS= $($(MACH)_MSGSUBDIRS) all := TARGET= all diff --git a/usr/src/lib/brand/labeled/Makefile b/usr/src/lib/brand/labeled/Makefile new file mode 100644 index 0000000000..228b0bb2ae --- /dev/null +++ b/usr/src/lib/brand/labeled/Makefile @@ -0,0 +1,43 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# + +BRAND= labeled +PROGS= pkgcreatezone +XMLDOCS= config.xml platform.xml + +all: $(PROGS) + +include ../Makefile.brand + +lint: + +clean: + -$(RM) $(PROGS) + +install: $(PROGS) $(ROOTPROGS) $(ROOTXMLDOCS) + +clobber: clean + -$(RM) $(ROOTPROGS) $(ROOTXMLDOCS) diff --git a/usr/src/lib/brand/labeled/config.xml b/usr/src/lib/brand/labeled/config.xml new file mode 100644 index 0000000000..c660b9b244 --- /dev/null +++ b/usr/src/lib/brand/labeled/config.xml @@ -0,0 +1,97 @@ + + + + + + + + + + /sbin/init + /usr/bin/login -z %Z -f %u + /usr/bin/getent passwd %u + + + /usr/lib/brand/labeled/pkgcreatezone -z %z -R %R %* + a:h + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/usr/src/lib/brand/labeled/pkgcreatezone.sh b/usr/src/lib/brand/labeled/pkgcreatezone.sh new file mode 100644 index 0000000000..845224859f --- /dev/null +++ b/usr/src/lib/brand/labeled/pkgcreatezone.sh @@ -0,0 +1,223 @@ +#!/bin/ksh -p +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# + +ZONE_SUBPROC_OK=0 +ZONE_SUBPROC_USAGE=253 +ZONE_SUBPROC_NOTCOMPLETE=254 +ZONE_SUBPROC_FATAL=255 + +f_img=$(gettext "failed to create image") +f_pkg=$(gettext "failed to install package") +f_interrupted=$(gettext "Installation cancelled due to interrupt.") + +m_image=$(gettext " Image: Preparing at %s ...") +m_catalog=$(gettext " Catalog: Retrieving from %s ...") +m_core=$(gettext " Installing: (output follows)\n") +m_smf=$(gettext "Postinstall: Copying SMF seed repository ...") +m_brokenness=$(gettext "Postinstall: Working around http://defect.opensolaris.org/bz/show_bug.cgi?id=681") +m_mannote=$(gettext " Note: Man pages can be obtained by installing SUNWman") +m_complete=$(gettext " Done: Installation completed in %s seconds.") +m_postnote=$(gettext " Next Steps: Boot the zone, then log into the zone console") + +m_done=$(gettext " done.") + + +fail_incomplete() { + print -u2 "$1" + exit $ZONE_SUBPROC_NOTCOMPLETE +} + +fail_fatal() { + print -u2 "$1" + exit $ZONE_SUBPROC_FATAL +} + + +fail_usage() { + print "Usage: $0 [-h] [-a ]" + exit $ZONE_SUBPROC_USAGE +} + +trap_cleanup() { + print "$f_interrupted" + exit $int_code +} + +int_code=$ZONE_SUBPROC_NOTCOMPLETE + +trap trap_cleanup INT + +zonename="" +zonepath="" + +# +# If there's a preferred authority set for the system, set that as our +# default. Otherwise use opensolaris.org. +# +authority="opensolaris.org=http://pkg.opensolaris.org" +if [[ -x /usr/bin/pkg ]]; then + sysauth=`LC_ALL=C /usr/bin/pkg authority | grep preferred | awk '{printf "%s=%s", $1, $3}'` + if [[ $? -eq 0 && -n "$sysauth" ]]; then + authority=$sysauth + fi +fi + +# Setup i18n output +TEXTDOMAIN="SUNW_OST_OSCMD" +export TEXTDOMAIN + + +while getopts "a:z:R:h" opt; do + case $opt in + h) fail_usage ;; + R) zonepath="$OPTARG" ;; + z) zonename="$OPTARG" ;; + a) authority="$OPTARG" ;; + *) fail_usage ;; + esac +done +shift $((OPTIND-1)) + +if [[ -z $zonepath || -z $zonename ]]; then + print -u2 "Brand error: No zone path or name" + exit $ZONE_SUBPROC_USAGE +fi + +# +# Temporary pre-Opensolaris hack: +# If we don't appear to be on Opensolaris, fallback to old way of +# zone install. +# +if [[ ! -x /usr/bin/pkg ]]; then + /usr/lib/brand/native/sw_support install $zonename $zonepath + exit $? +fi + +zoneroot=$zonepath/root + +printf "\n$m_image" $zoneroot +pkg image-create -z -F -a "$authority" $zoneroot || fail_fatal $f_img +printf "$m_done\n" + +PKG_IMAGE="$zoneroot" +export PKG_IMAGE + +printf "$m_catalog" `echo $authority | cut -d= -f 2` +pkg refresh > /dev/null 2>&1 || fail_fatal "$f_refresh" +if [[ $? -ne 0 ]]; then + print "Failed to retrieve catalog" + exit 1 +fi +printf "$m_done\n" + +printf "$m_core\n" +pkg install -q SUNWcsd || fail_incomplete "$f_pkg" + +pkglist="" +pkglist="$pkglist SUNWcnetr SUNWesu SUNWadmr SUNWadmap SUNWbzip SUNWgzip" + +# +# Workaround: in our test repo, SUNWipkg has no dependencies +# so we must supply it python. +# +pkglist="$pkglist SUNWPython SUNWipkg" + +# +# Get some diagnostic tools, truss, dtrace, etc. +# +pkglist="$pkglist SUNWtoo SUNWdtrc SUNWrcmdc SUNWbip" + +# +# Get at least one sensible shell, and vi +# +pkglist="$pkglist SUNWbash SUNWvim" + +# +# Get ssh and sshd. +# +pkglist="$pkglist SUNWsshcu SUNWssh SUNWsshd" + +# +# Get some name services. +# +pkglist="$pkglist SUNWnis SUNWlldap" + +# +# Get nfs client and autofs; it's a pain not to have them. +# +pkglist="$pkglist SUNWnfsc SUNWatfs" + +# +# Get opengl initialization +# +pkglist="$pkglist SUNWxwplr" +# +# Get D-Bus +# +pkglist="$pkglist SUNWdbus" + + +# +# Get man(1) but not the man pages +# +pkglist="$pkglist SUNWdoc" + +# Do the install +pkg install $pkglist || fail_incomplete "$f_pkg" + + +# This was formerly done in SUNWcsr/postinstall +printf "$m_smf" +ln -s ns_files.xml $zoneroot/var/svc/profile/name_service.xml +ln -s generic_limited_net.xml $zoneroot/var/svc/profile/generic.xml +ln -s inetd_generic.xml $zoneroot/var/svc/profile/inetd_services.xml +ln -s platform_none.xml $zoneroot/var/svc/profile/platform.xml + +# This was formerly done in i.manifest +cp $zoneroot/lib/svc/seed/nonglobal.db $zoneroot/etc/svc/repository.db +printf "$m_done\n" + + +printf "$m_brokenness\n" +# +# Remove "jack" user. +# +sed '/^jack:.*Default\ User.*$/D' $zoneroot/etc/passwd \ + > $zoneroot/etc/passwd.new && \ + mv -f $zoneroot/etc/passwd.new $zoneroot/etc/passwd + + +# +# Set root from a role back to... not a role. Grr. +# +sed 's/^root::::type=role;/root::::/' $zoneroot/etc/user_attr \ + > $zoneroot/etc/user_attr.new && \ + mv -f $zoneroot/etc/user_attr.new $zoneroot/etc/user_attr + +printf "$m_complete\n\n" ${SECONDS} +printf "$m_postnote\n" + +exit $ZONE_SUBPROC_OK diff --git a/usr/src/lib/brand/labeled/platform.xml b/usr/src/lib/brand/labeled/platform.xml new file mode 100644 index 0000000000..9d94f33def --- /dev/null +++ b/usr/src/lib/brand/labeled/platform.xml @@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/usr/src/pkgdefs/SUNWtsu/prototype_com b/usr/src/pkgdefs/SUNWtsu/prototype_com index 7bde144efa..55842d62c9 100644 --- a/usr/src/pkgdefs/SUNWtsu/prototype_com +++ b/usr/src/pkgdefs/SUNWtsu/prototype_com @@ -19,11 +19,9 @@ # CDDL HEADER END # # -# Copyright 2007 Sun Microsystems, Inc. All rights reserved. +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # -# ident "%Z%%M% %I% %E% SMI" -# # This required package information file contains a list of package contents. # The 'pkgmk' command uses this file to identify the contents of a package # and their location on the development machine when building the package. @@ -90,6 +88,14 @@ f none usr/demo/tsol/runinzone.ksh 555 root bin f none usr/demo/tsol/runwlabel.ksh 555 root bin f none usr/demo/tsol/waitforzone.ksh 555 root bin # +# Labeled Brand files +# +d none usr/lib/brand 755 root bin +d none usr/lib/brand/labeled 755 root sys +f none usr/lib/brand/labeled/config.xml 444 root bin +f none usr/lib/brand/labeled/platform.xml 444 root bin +f none usr/lib/brand/labeled/pkgcreatezone 755 root bin +# # Share and unshare scripts for zone exports # d none usr/lib/zones 755 root bin diff --git a/usr/src/uts/common/os/brand.c b/usr/src/uts/common/os/brand.c index 414e8e8558..b2bc8cc7d0 100644 --- a/usr/src/uts/common/os/brand.c +++ b/usr/src/uts/common/os/brand.c @@ -19,12 +19,10 @@ * CDDL HEADER END */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include #include #include @@ -90,12 +88,6 @@ brand_register(brand_t *brand) if (brand == NULL) return (EINVAL); - if (is_system_labeled()) { - cmn_err(CE_WARN, - "Branded zones are not allowed on labeled systems."); - return (EINVAL); - } - if (brand->b_version != SUPPORTED_BRAND_VERSION) { if (brand->b_version < SUPPORTED_BRAND_VERSION) { cmn_err(CE_WARN, diff --git a/usr/src/uts/common/os/zone.c b/usr/src/uts/common/os/zone.c index af2cd869e0..6b4ba04b7b 100644 --- a/usr/src/uts/common/os/zone.c +++ b/usr/src/uts/common/os/zone.c @@ -2132,13 +2132,6 @@ zone_set_brand(zone_t *zone, const char *brand) return (EINVAL); } - if (is_system_labeled() && - strncmp(attrp->ba_brandname, NATIVE_BRAND_NAME, MAXNAMELEN) != 0) { - mutex_exit(&zone_status_lock); - brand_unregister_zone(bp); - return (EPERM); - } - /* set up the brand specific data */ zone->zone_brand = bp; ZBROP(zone)->b_init_brand_data(zone); diff --git a/usr/src/uts/common/sys/brand.h b/usr/src/uts/common/sys/brand.h index 4553cf7725..d9f2b63ba5 100644 --- a/usr/src/uts/common/sys/brand.h +++ b/usr/src/uts/common/sys/brand.h @@ -19,15 +19,13 @@ * CDDL HEADER END */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #ifndef _SYS_BRAND_H #define _SYS_BRAND_H -#pragma ident "%Z%%M% %I% %E% SMI" - #ifdef __cplusplus extern "C" { #endif @@ -63,6 +61,9 @@ struct brand_attr { /* What we call the native brand. */ #define NATIVE_BRAND_NAME "native" +/* What we call the labeled brand. */ +#define LABELED_BRAND_NAME "labeled" + #ifdef _KERNEL /* Root for branded zone's native binaries */ -- cgit v1.2.3