authorTruong Nguyen <Truong.Q.Nguyen@Sun.COM>2009-02-14 00:35:26 -0800
committerTruong Nguyen <Truong.Q.Nguyen@Sun.COM>2009-02-14 00:35:26 -0800
commiteb1a34638eba7c5add1421327f3eb225a8ea7518 (patch)
tree8248473bb88d0ad643e80e3c976123d722e5f944 /usr/src
parentf5c9e9f9ca94d949afcf832822366734d6daf6ea (diff)
6761070 PSARC 2008/580 Solaris host-based firewall
6236609 svc.startd resets auxiliary state on svcadm mark maintenance 6762307 SMF - expressing a service's maintenance state by request of another service
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/cmd-inet/usr.lib/in.dhcpd/dhcp-server.xml21
-rw-r--r--usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.c85
-rw-r--r--usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.xml11
-rw-r--r--usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml15
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/comsat.xml17
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/finger.xml17
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/Makefile7
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/ftp.xml17
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/svc-ftp62
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/rdisc.xml9
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/svc-rdisc20
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml18
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route38
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml17
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/login.xml33
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/rexec.xml17
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/shell.xml63
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/telnet.xml17
-rw-r--r--usr/src/cmd/fs.d/nfs/svc/cbd.xml16
-rw-r--r--usr/src/cmd/fs.d/nfs/svc/nfs-server156
-rw-r--r--usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml11
-rw-r--r--usr/src/cmd/fs.d/nfs/svc/rquota.xml17
-rw-r--r--usr/src/cmd/fs.d/nfs/svc/server.xml42
-rw-r--r--usr/src/cmd/fs.d/nfs/svc/status.xml16
-rw-r--r--usr/src/cmd/ipf/svc/Makefile23
-rw-r--r--usr/src/cmd/ipf/svc/ipfd.c672
-rw-r--r--usr/src/cmd/ipf/svc/ipfilter175
-rw-r--r--usr/src/cmd/ipf/svc/ipfilter.xml239
-rw-r--r--usr/src/cmd/lp/cmd/lpsched/print-svc48
-rw-r--r--usr/src/cmd/lp/cmd/lpsched/server.xml17
-rw-r--r--usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml10
-rw-r--r--usr/src/cmd/lvm/rpc.metad/meta.xml12
-rw-r--r--usr/src/cmd/lvm/rpc.metamedd/metamed.xml12
-rw-r--r--usr/src/cmd/lvm/rpc.metamhd/metamh.xml12
-rw-r--r--usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml9
-rw-r--r--usr/src/cmd/rexd/rex.xml17
-rw-r--r--usr/src/cmd/rpcbind/bind.xml24
-rw-r--r--usr/src/cmd/rpcsvc/nisplus.xml22
-rw-r--r--usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml22
-rw-r--r--usr/src/cmd/rpcsvc/rstat.xml17
-rw-r--r--usr/src/cmd/rpcsvc/rusers.xml17
-rw-r--r--usr/src/cmd/rpcsvc/spray.xml17
-rw-r--r--usr/src/cmd/rpcsvc/wall.xml17
-rw-r--r--usr/src/cmd/sendmail/lib/smtp-sendmail.xml16
-rw-r--r--usr/src/cmd/smbsrv/smbd/Makefile7
-rw-r--r--usr/src/cmd/smbsrv/smbd/server.xml13
-rw-r--r--usr/src/cmd/smbsrv/smbd/svc-smbd56
-rw-r--r--usr/src/cmd/ssh/etc/ssh.xml30
-rw-r--r--usr/src/cmd/ssh/etc/sshd28
-rw-r--r--usr/src/cmd/svc/Makefile10
-rw-r--r--usr/src/cmd/svc/milestone/global.xml143
-rw-r--r--usr/src/cmd/svc/milestone/restarter.xml11
-rw-r--r--usr/src/cmd/svc/servinfo/Makefile53
-rw-r--r--usr/src/cmd/svc/servinfo/servinfo.c285
-rw-r--r--usr/src/cmd/svc/shell/Makefile4
-rw-r--r--usr/src/cmd/svc/shell/ipf_include.sh981
-rw-r--r--usr/src/cmd/svc/shell/routing_include.sh18
-rw-r--r--usr/src/cmd/svc/startd/graph.c6
-rw-r--r--usr/src/cmd/svc/startd/libscf.c160
-rw-r--r--usr/src/cmd/svc/startd/restarter.c63
-rw-r--r--usr/src/cmd/svc/startd/startd.h3
-rw-r--r--usr/src/cmd/svc/svcadm/Makefile10
-rw-r--r--usr/src/cmd/svc/svcadm/svcadm.c351
-rw-r--r--usr/src/cmd/svc/svcs/explain.c72
-rw-r--r--usr/src/cmd/syslogd/system-log.xml14
-rw-r--r--usr/src/cmd/xntpd/xntpd/ntp.xml18
-rw-r--r--usr/src/cmd/xntpd/xntpd/xntp48
-rw-r--r--usr/src/cmd/ypcmd/client.xml16
-rw-r--r--usr/src/cmd/ypcmd/yp.sh85
-rw-r--r--usr/src/lib/librestart/common/librestart.c266
-rw-r--r--usr/src/lib/librestart/common/librestart.h38
-rw-r--r--usr/src/lib/librestart/common/mapfile-vers5
-rw-r--r--usr/src/lib/libscf/common/mapfile-vers1
-rw-r--r--usr/src/lib/libscf/common/midlevel.c117
-rw-r--r--usr/src/lib/libscf/inc/libscf.h4
-rw-r--r--usr/src/lib/libscf/inc/libscf_priv.h9
-rw-r--r--usr/src/lib/libsecdb/auth_attr.txt3
-rw-r--r--usr/src/lib/libsecdb/help/auths/SmfValueFirewall.html36
-rw-r--r--usr/src/lib/print/mod_ipp/ipp-listener.xml9
-rw-r--r--usr/src/pkgdefs/SUNWcsr/prototype_com2
-rw-r--r--usr/src/pkgdefs/SUNWftpr/prototype_com8
-rw-r--r--usr/src/pkgdefs/SUNWipfr/prototype_com7
-rw-r--r--usr/src/pkgdefs/SUNWsmbsr/prototype_com8
-rw-r--r--usr/src/tools/scripts/bfu.sh8
84 files changed, 4415 insertions, 731 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.lib/in.dhcpd/dhcp-server.xml b/usr/src/cmd/cmd-inet/usr.lib/in.dhcpd/dhcp-server.xml
index eec66690c1..743decccc5 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/in.dhcpd/dhcp-server.xml
+++ b/usr/src/cmd/cmd-inet/usr.lib/in.dhcpd/dhcp-server.xml
@@ -1,15 +1,14 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -100,6 +97,18 @@
exec=':kill -HUP'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='bootps' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.c b/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.c
index a18fceb2d2..72ebd39d0f 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.c
+++ b/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -285,6 +285,51 @@ instance_stopped(const instance_t *inst)
}
/*
+ * Given the instance fmri, obtain the corresonding scf_instance.
+ * Caller is responsible for freeing the returned scf_instance and
+ * its scf_handle.
+ */
+static int
+fmri_to_instance(char *fmri, scf_instance_t **scf_instp)
+{
+ int retries, ret = 1;
+ scf_handle_t *h;
+ scf_instance_t *scf_inst;
+
+ if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
+ error_msg(gettext("Failed to get instance for %s"), fmri);
+ return (1);
+ }
+
+ if ((scf_inst = scf_instance_create(h)) == NULL)
+ goto out;
+
+ for (retries = 0; retries <= REP_OP_RETRIES; retries++) {
+ if (make_handle_bound(h) == -1)
+ break;
+
+ if (scf_handle_decode_fmri(h, fmri, NULL, NULL, scf_inst,
+ NULL, NULL, SCF_DECODE_FMRI_EXACT) == 0) {
+ ret = 0;
+ *scf_instp = scf_inst;
+ break;
+ }
+
+ if (scf_error() != SCF_ERROR_CONNECTION_BROKEN)
+ break;
+ }
+
+out:
+ if (ret != 0) {
+ error_msg(gettext("Failed to get instance for %s"), fmri);
+ scf_instance_destroy(scf_inst);
+ scf_handle_destroy(h);
+ }
+
+ return (ret);
+}
+
+/*
* Updates the current and next repository states of instance 'inst'. If
* any errors occur an error message is output.
*/
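Review bot: `fmri` is only handed to scf_handle_decode_fmri() and error_msg(), so the parameter can be declared `const char *fmri` rather than `char *fmri`. The header comment has a typo, `corresonding` → `corresponding`, and would be more useful if it also stated that on a non-zero return nothing is stored in `*scf_instp` and the caller owns nothing. On the `scf_instance_create()` failure path `scf_inst` is NULL when `scf_instance_destroy(scf_inst)` is reached at `out:`; libscf destroy routines are NULL-tolerant as far as I recall, but that is worth confirming rather than relying on.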
@@ -294,8 +339,10 @@ update_instance_states(instance_t *inst, internal_inst_state_t new_cur_state,
{
internal_inst_state_t old_cur = inst->cur_istate;
internal_inst_state_t old_next = inst->next_istate;
+ scf_instance_t *scf_inst = NULL;
scf_error_t sret;
int ret;
+ char *aux = "none";
/* update the repository/cached internal state */
inst->cur_istate = new_cur_state;
@@ -312,14 +359,46 @@ update_instance_states(instance_t *inst, internal_inst_state_t new_cur_state,
error_msg(gettext("Failed to update state of instance %s in "
"repository: %s"), inst->fmri, scf_strerror(sret));
+ if (fmri_to_instance(inst->fmri, &scf_inst) == 0) {
+ /*
+ * If transitioning to maintenance, check auxiliary_tty set
+ * by svcadm and assign appropriate value to auxiliary_state.
+ * If the maintenance event comes from a service request,
+ * validate auxiliary_fmri and copy it to
+ * restarter/auxiliary_fmri.
+ */
+ if (new_cur_state == IIS_MAINTENANCE) {
+ if (restarter_inst_ractions_from_tty(scf_inst) == 0)
+ aux = "service_request";
+ else
+ aux = "administrative_request";
+ }
+
+ if (strcmp(aux, "service_request") == 0) {
+ if (restarter_inst_validate_ractions_aux_fmri(
+ scf_inst) == 0) {
+ if (restarter_inst_set_aux_fmri(scf_inst))
+ error_msg(gettext("Could not set "
+ "auxiliary_fmri property for %s"),
+ inst->fmri);
+ } else {
+ if (restarter_inst_reset_aux_fmri(scf_inst))
+ error_msg(gettext("Could not reset "
+ "auxiliary_fmri property for %s"),
+ inst->fmri);
+ }
+ }
+ scf_handle_destroy(scf_instance_handle(scf_inst));
+ scf_instance_destroy(scf_inst);
+ }
+
/* update the repository SMF state */
if ((ret = restarter_set_states(rst_event_handle, inst->fmri,
states[old_cur].smf_state, states[new_cur_state].smf_state,
states[old_next].smf_state, states[new_next_state].smf_state,
- err, 0)) != 0)
+ err, aux)) != 0)
error_msg(gettext("Failed to update state of instance %s in "
"repository: %s"), inst->fmri, strerror(ret));
-
}
void
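Review bot: The repository handle built by `fmri_to_instance()` is created, bound and torn down on every state update, although `aux` only changes and the auxiliary_fmri properties are only touched when `new_cur_state == IIS_MAINTENANCE`; gating the lookup on that condition, `if (new_cur_state == IIS_MAINTENANCE && fmri_to_instance(inst->fmri, &scf_inst) == 0) {`, avoids an extra repository round-trip on ordinary transitions. The cleanup also destroys the handle before the instance created from it (`scf_handle_destroy(scf_instance_handle(scf_inst));` followed by `scf_instance_destroy(scf_inst);`); confirm that libscf tolerates that order, otherwise destroy the instance first and the handle second. update_instance_states starts before this hunk.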
diff --git a/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.xml b/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.xml
index f5bb357bec..4f5927e974 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.xml
+++ b/usr/src/cmd/cmd-inet/usr.lib/inetd/inetd.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -1035,6 +1035,15 @@ Additional information about why a service is in the current state. Unused by i
<visibility value='hidden' />
<cardinality min='1' max='1' />
</prop_pattern>
+ <prop_pattern name='auxiliary_fmri' type='astring'
+ required='false'>
+ <description>
+ <loctext xml:lang='C'>
+Auxiliary fmri information for service state diagnosis.
+ </loctext>
+ </description>
+ <visibility value='hidden' />
+ </prop_pattern>
<prop_pattern name='state_timestamp' type='time'
required='false'>
<description>
diff --git a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml
index 4ef679eaaa..3a37e51ab2 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml
+++ b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -28,7 +28,6 @@
operating system upgrade. Make customizations in a different
file.
-#ident "%Z%%M% %I% %E% SMI"
-->
<service_bundle type='manifest' name='SUNWdsdr:multicast'>
@@ -121,6 +120,18 @@
<propval name='value_authorization' type='astring'
value='solaris.smf.value.mdns' />
</property_group>
+
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='mdns' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
</instance>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml
index 30d030b7c8..dcfab5f69a 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -80,6 +77,14 @@
<propval name='isrpc' type='boolean' value='false' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml
index 910be817e3..3fd6e5321c 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -73,6 +70,14 @@
<propval name='isrpc' type='boolean' value='false' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/Makefile b/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/Makefile
index 7998c3fe87..6a6a563497 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/Makefile
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/Makefile
@@ -1,13 +1,12 @@
#
-# ident "%Z%%M% %I% %E% SMI"
-#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
PROG= in.ftpd ftpcount ftpshut ftprestart privatepw
SCRIPTS= ftpaddhost ftpconfig
MANIFEST= ftp.xml
+SVCMETHOD= svc-ftp
include ../../../Makefile.cmd
@@ -106,7 +105,7 @@ $(ROOTFTPWHO): $(ROOTFTPCOUNT)
$(LN) $(ROOTFTPCOUNT) $@
install: all $(ROOTUSRSBINPROG) $(ROOTFTPWHO) $(ROOTUSRSBINSCRIPTS) \
- $(ETCFTPDFILES) $(ROOTMANIFEST)
+ $(ETCFTPDFILES) $(ROOTMANIFEST) $(ROOTSVCMETHOD)
check: $(CHKMANIFEST)
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/ftp.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/ftp.xml
index 6fe406e81d..dd6e492036 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/ftp.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/ftp.xml
@@ -2,11 +2,9 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -54,6 +52,19 @@
<propval name='isrpc' type='boolean' value='false' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/svc-ftp ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/svc-ftp b/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/svc-ftp
new file mode 100644
index 0000000000..c0efb1dca4
--- /dev/null
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.ftpd/svc-ftp
@@ -0,0 +1,62 @@
+#!/sbin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+. /lib/svc/share/ipf_include.sh
+
+create_ipf_rules()
+{
+ FMRI=$1
+ ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
+ nat_file=`fmri_to_file ${FMRI} $NAT_SUFFIX`
+ policy=`get_policy ${FMRI}`
+
+ #
+ # Ftp uses two ports, ftp and ftp-data, see /etc/services which
+ # is why it's necessary to have this custom method.
+ #
+ conn_port=`$SERVINFO -p -t -s ftp 2>/dev/null`
+ data_port=`$SERVINFO -p -t -s ftp-data 2>/dev/null`
+
+ echo "# $FMRI" >$ipf_file
+ generate_rules $FMRI $policy "tcp" "any" $conn_port $ipf_file
+ generate_rules $FMRI $policy "tcp" "any" $data_port $ipf_file
+
+ # Generate a custom NAT rule here to use the ftp-proxy
+ #
+ echo "# $FMRI" >$nat_file
+ echo "rdr * any -> 0/32 proxy port ftp ftp/tcp" >>$nat_file
+}
+
+case "$1" in
+'ipfilter')
+ create_ipf_rules $2
+ ;;
+
+*)
+ echo "Usage: $0 ipfilter"
+ ;;
+esac
+exit 0
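Review bot: `generate_rules` is invoked with `$conn_port` and `$data_port` unquoted and unchecked; when `$SERVINFO` fails (its stderr is discarded) the empty word drops out of the argument list and `$ipf_file` slides into the port position, so the rule is silently miswritten rather than skipped. svc-route in this same commit guards the equivalent calls with `if [ -n "$uport" ]; then … fi`; the same guard belongs around both calls here. The usage branch also falls through to `exit 0`, so an invalid invocation is reported as success to the caller. The whole script body is within this hunk.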
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/rdisc.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/rdisc.xml
index 005b49158e..eb223ee0e4 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/rdisc.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/rdisc.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -117,6 +115,11 @@ privileges='basic,proc_owner,proc_fork,proc_exec,proc_info,proc_session,file_cho
value='solaris.smf.value.routing' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/svc-rdisc ipfilter' />
+ </property_group>
+
<template>
<common_name>
<loctext xml:lang='C'>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/svc-rdisc b/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/svc-rdisc
index 1bdb4dc11b..c945bee19c 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/svc-rdisc
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.rdisc/svc-rdisc
@@ -20,16 +20,32 @@
# CDDL HEADER END
#
#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
. /lib/svc/share/smf_include.sh
. /lib/svc/share/routing_include.sh
+. /lib/svc/share/ipf_include.sh
smf_configure_ip || exit $SMF_EXIT_OK
+create_ipf_rules()
+{
+ FMRI=$1
+ file=`fmri_to_file $FMRI $IPF_SUFFIX`
+
+ #
+ # Allow incoming icmp from routers for successful discovery.
+ echo "# $FMRI" >$file
+ gen_IRDP_rules $file
+}
+
+if [ -n "$1" -a "$1" = "ipfilter" ]; then
+ create_ipf_rules $2
+ exit "$SMF_EXIT_OK"
+fi
+
daemon_args=`get_daemon_args $SMF_FMRI`
options="afsp:T:r"
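Review bot: The dispatch test `[ -n "$1" -a "$1" = "ipfilter" ]` is redundant, because the equality test alone is already false for an empty `$1`, so `if [ "$1" = "ipfilter" ]; then` is the cleaner form; the same pattern appears in the svc-route hunk of this commit. `create_ipf_rules $2` passes the FMRI unquoted and unchecked, so with a missing argument `fmri_to_file` receives an empty string and the `>$file` redirect presumably fails on an empty name — confirm what ipf_include.sh returns in that case. The ipfilter branch also only runs after `smf_configure_ip || exit $SMF_EXIT_OK`, which looks deliberate but deserves a one-line comment saying so.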
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml
index 09df0b3567..22d0f1b4eb 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -138,6 +136,20 @@ privileges='basic,proc_owner,proc_fork,proc_exec,proc_info,proc_session,file_cho
value='solaris.smf.value.routing' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='route' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/svc-route ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<template>
<common_name>
<loctext xml:lang='C'>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route
index 99262a3f1f..87da8c7386 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route
@@ -20,16 +20,50 @@
# CDDL HEADER END
#
#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
. /lib/svc/share/smf_include.sh
. /lib/svc/share/routing_include.sh
+. /lib/svc/share/ipf_include.sh
smf_configure_ip || exit $SMF_EXIT_OK
+create_ipf_rules()
+{
+ FMRI=$1
+ file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
+
+ #
+ # route:default is enabled iff route discovery is required. Allow
+ # incoming icmp from routers for successful discovery.
+ echo "# $FMRI" >$file
+ gen_IRDP_rules $file
+
+ #
+ # A potential router so apply policy to RIP, 520 udp
+ #
+ policy=`get_policy $FMRI`
+ iana_name=`svcprop -p $FW_CONTEXT_PG/name ${FMRI} 2>/dev/null`
+
+ tport=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
+ uport=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
+
+ if [ -n "$tport" ]; then
+ generate_rules $FMRI $policy "tcp" "any" $tport $file
+ fi
+
+ if [ -n "$uport" ]; then
+ generate_rules $FMRI $policy "udp" "any" $uport $file
+ fi
+}
+
+if [ -n "$1" -a "$1" = "ipfilter" ]; then
+ create_ipf_rules $2
+ exit "$SMF_EXIT_OK"
+fi
+
daemon_args=`get_daemon_args $SMF_FMRI`
options="AdghmnqsStvVzT:F:P:"
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml
index bddc7cbea1..a867c40d66 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -80,6 +77,14 @@
<propval name='isrpc' type='boolean' value='false' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/login.xml b/usr/src/cmd/cmd-inet/usr.sbin/login.xml
index 05cd788095..25072149b8 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/login.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/login.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -74,6 +71,14 @@
timeout_seconds='0'>
</exec_method>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<property_group name='inetd' type='framework'>
<propval name='name' type='astring' value='login' />
<propval name='proto' type='astring' value='tcp6' />
@@ -101,6 +106,14 @@
timeout_seconds='0'>
</exec_method>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='exception_list' type='astring' value='' />
+ <propval name='override_list' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<!-- Only works over IPv4 at the moment -->
<property_group name='inetd' type='framework'>
<propval name='name' type='astring' value='klogin' />
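Review bot: The firewall_config group added for the klogin instance uses `exception_list` and `override_list`, whereas the rlogin instance above and every other manifest in this commit use `apply_to` and `exceptions`; the eklogin hunk that follows has the same mismatch. If the ipfilter method reads apply_to/exceptions, the klogin and eklogin configuration would be silently ignored, so unless a different schema is intended for these instances the two propvals should read `<propval name='apply_to' type='astring' value='' />` and `<propval name='exceptions' type='astring' value='' />`.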
@@ -130,6 +143,14 @@
timeout_seconds='0'>
</exec_method>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='exception_list' type='astring' value='' />
+ <propval name='override_list' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<!-- Only works over IPv4 at the moment -->
<property_group name='inetd' type='framework'>
<propval name='name' type='astring' value='eklogin' />
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml
index 8eb11f4da7..924ced88c4 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -84,6 +81,14 @@
</property>
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml
index 58e64d2d7b..826da18487 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -42,8 +39,6 @@
type='service'
version='1'>
- <create_default_instance enabled='false' />
-
<restarter>
<service_fmri value='svc:/network/inetd:default' />
</restarter>
@@ -64,23 +59,6 @@
<service_fmri value='svc:/milestone/network' />
</dependency>
- <exec_method
- type='method'
- name='inetd_start'
- exec='/usr/sbin/in.rshd'
- timeout_seconds='0'>
- <method_context>
- <method_credential user='root' group='root' />
- </method_context>
- </exec_method>
-
- <exec_method
- type='method'
- name='inetd_disable'
- exec=':kill'
- timeout_seconds='0'>
- </exec_method>
-
<!--
The proto setting here of both tcp and tcp6only is required in order
to prevent breaking applications which assume that the socket they
@@ -100,6 +78,33 @@
</property>
</property_group>
+ <instance name='default' enabled='false' >
+ <exec_method
+ type='method'
+ name='inetd_start'
+ exec='/usr/sbin/in.rshd'
+ timeout_seconds='0'>
+ <method_context>
+ <method_credential user='root' group='root' />
+ </method_context>
+ </exec_method>
+
+ <exec_method
+ type='method'
+ name='inetd_disable'
+ exec=':kill'
+ timeout_seconds='0'>
+ </exec_method>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+ </instance>
+
<!--
RSH - with kerberos authentication (only works over IPv4)
-->
@@ -125,6 +130,14 @@
<propval name='name' type='astring' value='kshell' />
<propval name='proto' type='astring' value='tcp' />
</property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='default' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
</instance>
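Review bot: The kshell instance's firewall_config sets `policy='default'`, whereas every other firewall_config in this change uses `use_global`, and the nfs-server method added in the same change only tests for the values `use_global` and `custom`. If `default` is not a value the policy code recognises, kshell would get no rules or an error from the rule generator instead of inheriting the global policy; unless it is deliberate, the line should read `<propval name='policy' type='astring' value='use_global' />`. If it is deliberate, a short XML comment above the group saying what `default` means here would spare the next reader the same question.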
<stability value='Unstable' />
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml
index 5ad1201d43..6b0ac5dfa5 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml
+++ b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -73,6 +70,14 @@
<propval name='isrpc' type='boolean' value='false' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/fs.d/nfs/svc/cbd.xml b/usr/src/cmd/fs.d/nfs/svc/cbd.xml
index 2e2ddbc95d..fed8bd027d 100644
--- a/usr/src/cmd/fs.d/nfs/svc/cbd.xml
+++ b/usr/src/cmd/fs.d/nfs/svc/cbd.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -87,6 +84,13 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='isrpc' type='boolean' value='true' />
+ <propval name='name' type='astring' value='1073741824' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/nfs-server ipfilter' />
+ </property_group>
+
<property_group name='application' type='framework'>
<stability value='Evolving' />
<propval name='auto_enable' type='boolean' value='true' />
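Review bot: The firewall_context for nfs/cbd sets `name='1073741824'`, a bare number, where the sibling manifests (nlockmgr, status, nfsd) use a service name that the nfs-server ipfilter method hands to `servinfo -R -s`. The value looks like 0x40000000, the start of the transient RPC program-number range, but nothing in the manifest says so, and if servinfo resolves `-s` through the RPC name table a numeric argument may yield no ports and therefore no pass rule for cbd at all. Add a comment above the group such as `<!-- NFSv4 callback program: transient RPC number 0x40000000, has no rpc name entry -->` (adjusted to whatever is actually true) and confirm that servinfo accepts a numeric program here.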
diff --git a/usr/src/cmd/fs.d/nfs/svc/nfs-server b/usr/src/cmd/fs.d/nfs/svc/nfs-server
index 5aca9ecc66..35f78b4fa1 100644
--- a/usr/src/cmd/fs.d/nfs/svc/nfs-server
+++ b/usr/src/cmd/fs.d/nfs/svc/nfs-server
@@ -20,16 +20,47 @@
# CDDL HEADER END
#
#
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-#pragma ident "%Z%%M% %I% %E% SMI"
# Start/stop processes required for server NFS
. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
zone=`smf_zonename`
+#
+# Handling a corner case here. If we were in offline state due to an
+# unsatisfied dependency, the ipf_method process wouldn't have generated
+# the ipfilter configuration. When we transition to online because the
+# dependency is satisfied, the start method will have to generate the
+# ipfilter configuration. To avoid all possible deadlock scenarios,
+# we restart ipfilter which will regenerate the ipfilter configuration
+# for the entire system.
+#
+# The ipf_method process signals that it didn't generate ipf rules by
+# removing the service's ipf file. Thus we only restart network/ipfilter
+# when the file is missing.
+#
+configure_ipfilter()
+{
+ ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX`
+ [ -f "$ipfile" ] && return 0
+
+ #
+ # Nothing to do if:
+ # - ipfilter isn't online
+ # - global policy is 'custom'
+ # - service's policy is 'use_global'
+ #
+ service_check_state $IPF_FMRI $SMF_ONLINE || return 0
+ [ "`get_global_def_policy`" = "custom" ] && return 0
+ [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0
+
+ svcadm restart $IPF_FMRI
+}
+
case "$1" in
'start')
# The NFS server is not supported in a local zone
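Review bot: configure_ipfilter ends with `svcadm restart $IPF_FMRI`, and as far as I can tell svcadm restart returns once the restart is queued rather than when it completes, so the nfs/server start method reports success while network/ipfilter is still regenerating the system rules; until that finishes, nfsd and mountd are reachable under whatever the previous ruleset allowed rather than the service's own policy. That window may be acceptable, but the comment block above the function should state it, e.g. `# Note: the restart is asynchronous; this service's rules are not in place until network/ipfilter has finished restarting.` The function also returns svcadm's exit status, which the start method (in the next hunk) does not check, and `$ipfile`, `$SMF_FMRI` and `$IPF_FMRI` are used unquoted on the command lines.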
@@ -81,6 +112,8 @@ case "$1" in
sleep 5 &
exit $SMF_EXIT_ERR_FATAL
fi
+
+ configure_ipfilter
else
/usr/sbin/svcadm disable -t svc:/network/nfs/server
echo "No NFS filesystems are shared"
@@ -125,6 +158,125 @@ case "$1" in
[ $? -ne 0 ] && exit 1
;;
+'ipfilter')
+ #
+ # NFS related services are RPC. nfs/server has nfsd which has
+ # well-defined port number but mountd is an RPC daemon.
+ #
+ # Essentially, we generate rules for the following "services"
+ # - nfs/server which has nfsd and mountd
+ # - nfs/rquota
+ #
+ # The following services are enabled for both nfs client and
+ # server so we'll treat them as client services and simply
+ # allow incoming traffic.
+ # - nfs/status
+ # - nfs/nlockmgr
+ # - nfs/cbd
+ #
+ NFS_FMRI="svc:/network/nfs/server:default"
+ RQUOTA_FMRI="svc:/network/nfs/rquota:default"
+ FMRI=$2
+
+ file=`fmri_to_file $FMRI $IPF_SUFFIX`
+ echo "# $FMRI" >$file
+ policy=`get_policy $NFS_FMRI`
+ ip="any"
+
+ #
+ # nfs/server configuration is processed in the start method.
+ #
+ if [ "$FMRI" = "$NFS_FMRI" ]; then
+ service_check_state $FMRI $SMF_ONLINE
+ if [ $? -ne 0 ]; then
+ rm $file
+ exit $SMF_EXIT_OK
+ fi
+
+ nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null`
+ tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
+ if [ -n "$tport" ]; then
+ generate_rules $FMRI $policy "tcp" $ip $tport $file
+ fi
+
+ uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
+ if [ -n "$uport" ]; then
+ generate_rules $FMRI $policy "udp" $ip $uport $file
+ fi
+
+ tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
+ if [ -n "$tports" ]; then
+ for tport in $tports; do
+ generate_rules $FMRI $policy "tcp" $ip \
+ $tport $file
+ done
+ fi
+
+ uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
+ if [ -n "$uports" ]; then
+ for uport in $uports; do
+ generate_rules $FMRI $policy "udp" $ip \
+ $uport $file
+ done
+ fi
+
+ elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
+ iana_name=`svcprop -p inetd/name $FMRI`
+
+ tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
+ if [ -n "$tports" ]; then
+ for tport in $tports; do
+ generate_rules $NFS_FMRI $policy "tcp" \
+ $ip $tport $file
+ done
+ fi
+
+ uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
+ if [ -n "$uports" ]; then
+ for uport in $uports; do
+ generate_rules $NFS_FMRI $policy "udp" \
+ $ip $uport $file
+ done
+ fi
+ else
+ #
+ # Handle the client services here
+ #
+ restarter=`svcprop -p general/restarter $FMRI 2>/dev/null`
+ if [ "$restarter" = "$INETDFMRI" ]; then
+ iana_name=`svcprop -p inetd/name $FMRI`
+ isrpc=`svcprop -p inetd/isrpc $FMRI`
+ else
+ iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
+ isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI`
+ fi
+
+ if [ "$isrpc" = "true" ]; then
+ tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
+ uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
+ else
+ tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
+ uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
+ fi
+
+ if [ -n "$tports" ]; then
+ for tport in $tports; do
+ echo "pass in log quick proto tcp from any" \
+ "to any port = ${tport} flags S " \
+ "keep state" >>${file}
+ done
+ fi
+
+ if [ -n "$uports" ]; then
+ for uport in $uports; do
+ echo "pass in log quick proto udp from any" \
+ "to any port = ${uport}" >>${file}
+ done
+ fi
+ fi
+
+ ;;
+
*)
echo "Usage: $0 { start | stop | refresh }"
exit 1
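Review bot: The client-service branch (the final `else`, covering nfs/status, nlockmgr and cbd) writes `pass in log quick proto tcp from any to any port = ...` unconditionally, so those RPC listeners are opened to every source regardless of the global firewall policy, and the `$policy` computed from nfs/server at the top of the case is never used there. The comment at the top of the case says this is deliberate, but an administrator who sets a deny-by-default global policy will not expect three NFS daemons to be exempt; at minimum the comment should say so explicitly, and if client-side behaviour permits, a tighter option is to route these ports through `generate_rules $NFS_FMRI $policy "tcp" $ip $tport $file` as the rquota branch does. Two smaller items: `$iana_name`, `$file` and `$FMRI` are unquoted throughout, and the `Usage` line below still lists only `start | stop | refresh` without the new `ipfilter` subcommand.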
diff --git a/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml b/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml
index 42ec7152a2..3f7309f31a 100644
--- a/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml
+++ b/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -86,6 +84,13 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='isrpc' type='boolean' value='true' />
+ <propval name='name' type='astring' value='nlockmgr' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/nfs-server ipfilter' />
+ </property_group>
+
<property_group name='application' type='framework'>
<stability value='Evolving' />
<propval name='auto_enable' type='boolean' value='true' />
diff --git a/usr/src/cmd/fs.d/nfs/svc/rquota.xml b/usr/src/cmd/fs.d/nfs/svc/rquota.xml
index 74ae40b6c9..08fad0b16f 100644
--- a/usr/src/cmd/fs.d/nfs/svc/rquota.xml
+++ b/usr/src/cmd/fs.d/nfs/svc/rquota.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -93,6 +90,14 @@
<propval name='wait' type='boolean' value='true' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Stable' />
<template>
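Review bot: rquota's new firewall_config advertises a per-service `policy`, `apply_to` and `exceptions` guarded by `solaris.smf.value.firewall.config`, but the nfs-server ipfilter method in this same change derives rquota's policy from nfs/server (`policy=\`get_policy $NFS_FMRI\`` followed by `generate_rules $NFS_FMRI $policy ...` in the rquota branch), so values set on this instance are never consulted. Either the method should call `get_policy $FMRI` for the rquota case, or this manifest should carry a comment such as `<!-- Firewall policy for rquota is inherited from svc:/network/nfs/server:default; edits here have no effect -->` so administrators are not misled.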
diff --git a/usr/src/cmd/fs.d/nfs/svc/server.xml b/usr/src/cmd/fs.d/nfs/svc/server.xml
index e1621ff08a..e709cc8b36 100644
--- a/usr/src/cmd/fs.d/nfs/svc/server.xml
+++ b/usr/src/cmd/fs.d/nfs/svc/server.xml
@@ -4,28 +4,26 @@
CDDL HEADER START
- The contents of this file are subject to the terms of the
- Common Development and Distribution License (the "License").
- You may not use this file except in compliance with the License.
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -144,6 +142,20 @@
<propval name='auto_enable' type='boolean' value='true' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='nfsd' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/nfs-server ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Stable' />
<template>
diff --git a/usr/src/cmd/fs.d/nfs/svc/status.xml b/usr/src/cmd/fs.d/nfs/svc/status.xml
index 043aab0485..8412fd8bac 100644
--- a/usr/src/cmd/fs.d/nfs/svc/status.xml
+++ b/usr/src/cmd/fs.d/nfs/svc/status.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -80,6 +77,13 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='isrpc' type='boolean' value='true' />
+ <propval name='name' type='astring' value='status' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/nfs-server ipfilter' />
+ </property_group>
+
<property_group name='application' type='framework'>
<stability value='Evolving' />
<propval name='auto_enable' type='boolean' value='true' />
diff --git a/usr/src/cmd/ipf/svc/Makefile b/usr/src/cmd/ipf/svc/Makefile
index c1caf8d2d1..c2e75b1faa 100644
--- a/usr/src/cmd/ipf/svc/Makefile
+++ b/usr/src/cmd/ipf/svc/Makefile
@@ -19,22 +19,35 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
+
+PROG= svc.ipfd
+SRCS = ipfd.c
MANIFEST= ipfilter.xml
SVCMETHOD= ipfilter
include $(SRC)/cmd/Makefile.cmd
+LDLIBS += -lscf -lumem
+
ROOTMANIFESTDIR= $(ROOTSVCNETWORK)
+ROOTCMDDIR= $(ROOT)/lib/svc/bin
+
+all: $(PROG)
+
+$(PROG): $(SRCS)
+ $(LINK.c) -o $@ $(LDLIBS) $(SRCS) $(CTFMERGE_HOOK)
+ $(POST_PROCESS)
+
+clean:
+ $(RM) $(PROG)
-all clean lint:
+lint: lint_SRCS
-install: $(ROOTMANIFEST) $(ROOTSVCMETHOD)
+install: all $(ROOTCMD) $(ROOTMANIFEST) $(ROOTSVCMETHOD)
check: $(CHKMANIFEST)
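Review bot: In the new `$(PROG)` rule the link line places `$(LDLIBS)` before the sources (`$(LINK.c) -o $@ $(LDLIBS) $(SRCS) $(CTFMERGE_HOOK)`), whereas the usual Makefile.cmd form is `$(LINK.c) -o $@ $(SRCS) $(LDLIBS)`. Libraries named before the objects that reference them can be discarded by a linker run with `-z ignore` or similar unreferenced-dependency pruning, and the ordering reads as a slip either way; swapping the two expansions costs nothing. A one-line comment noting that svc.ipfd is a single-file program built without a separate object rule would also explain why there is no `$(OBJS)` here.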
diff --git a/usr/src/cmd/ipf/svc/ipfd.c b/usr/src/cmd/ipf/svc/ipfd.c
new file mode 100644
index 0000000000..4d3ba294a0
--- /dev/null
+++ b/usr/src/cmd/ipf/svc/ipfd.c
@@ -0,0 +1,672 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * This file delivers svc.ipfd, the daemon that monitors changes to
+ * firewall capable services and requests IPfilter configuration update
+ * on behalf of the service. Essentially, the daemon listens for
+ * service changes and forks the program that update a service's
+ * IPfilter configuration.
+ *
+ * - A firewall capable SMF service can restrict network access to its
+ * service by providing a firewall policy that can be translated into
+ * a set of IPfilter rules. The mentioned firewall policy is stored in
+ * firewall_config and firewall_context property groups. If one of these
+ * two property groups exist, the service is considered to be firewall
+ * capable.
+ *
+ * - A request to update service's IPfilter configuration is made for
+ * actions that affect service's configuration or running state. The
+ * actions are:
+ * - enable/disable
+ * - refresh/restart
+ * - maintenance/clear maintenance
+ *
+ * Lacking a generic SMF mechanism to observe service state changes, the
+ * daemon observe change events by listening to changes to 'general',
+ * 'general_ovr', and 'restarter_actions' property groups. This is not a
+ * stable interface and should be replaced when a SMF supported mechanism
+ * becomes available.
+ *
+ * - The program responsible for updating service's IPfilter configuration
+ * is /lib/svc/method/ipfilter. This program is called as:
+ *
+ * /lib/svc/method/ipfilter fw_update fmri
+ *
+ * where fmri the instance fmri of the service to be updated.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <umem.h>
+#include <libscf.h>
+#include <libscf_priv.h>
+#include <signal.h>
+#include <string.h>
+#include <syslog.h>
+
+#define IPFILTER_FMRI "svc:/network/ipfilter:default"
+#define RPCBIND_FMRI "svc:/network/rpc/bind:default"
+#define IPF_UPDATE_CMD "/lib/svc/method/ipfilter"
+
+#define SCF_SNAPSHOT_RUNNING "running"
+#define SCF_PG_FW_CONTEXT "firewall_context"
+#define SCF_PG_FW_CONFIG "firewall_config"
+#define SCF_PG_REFRESH "refresh"
+#define SCF_PG_INETD "inetd"
+
+#define SCF_PROPERTY_ISRPC "isrpc"
+
+#define MAX_RETRY 7
+#define DEV_NULL "/dev/null"
+
+static scf_handle_t *h;
+static ssize_t max_scf_fmri_size;
+static ssize_t max_scf_name_size;
+
+static scf_instance_t *inst;
+static scf_snapshot_t *snap;
+static scf_propertygroup_t *scratch_pg;
+static scf_property_t *scratch_prop;
+static scf_value_t *scratch_v;
+
+static char *scratch_fmri;
+static char *scratch_name;
+
+static const char *all_props[] = {
+ SCF_PROPERTY_REFRESH, SCF_PROPERTY_RESTART, SCF_PROPERTY_MAINT_ON,
+ SCF_PROPERTY_MAINT_ON_IMMEDIATE, SCF_PROPERTY_MAINT_ON_IMMTEMP,
+ SCF_PROPERTY_MAINT_ON_TEMPORARY, SCF_PROPERTY_MAINT_OFF
+};
+#define ALL_PROPS_CNT 7
+
+static const char *maint_props[] = {
+ SCF_PROPERTY_REFRESH, SCF_PROPERTY_RESTART, SCF_PROPERTY_MAINT_OFF };
+#define MAINT_PROPS_CNT 3
+
+static int ipfilter_update(const char *);
+
+static int
+daemonize_self(void)
+{
+ pid_t pid;
+ int fd;
+
+ (void) close(STDIN_FILENO);
+
+ if ((fd = open(DEV_NULL, O_RDONLY)) == -1) {
+ (void) printf("Could not open /dev/null: %s\n",
+ strerror(errno));
+ } else if (fd != STDIN_FILENO) {
+ (void) dup2(fd, STDIN_FILENO);
+ (void) close(fd);
+ }
+ (void) dup2(STDERR_FILENO, STDOUT_FILENO);
+ closefrom(3);
+
+ if ((pid = fork1()) < 0) {
+ (void) printf("fork() failed: %s\n", strerror(errno));
+ return (1);
+ }
+
+ if (pid != 0)
+ exit(0);
+
+ (void) setsid();
+ (void) chdir("/");
+
+ return (0);
+}
+
+static void
+repository_rebind(scf_handle_t *hndl)
+{
+ int c = 0;
+
+ (void) scf_handle_unbind(hndl);
+ while ((scf_handle_bind(hndl)) != 0) {
+ if (c > MAX_RETRY) {
+ syslog(LOG_ERR | LOG_DAEMON, "Repository access "
+ "unavailable. Couldn't bind handle: %s\n",
+ scf_strerror(scf_error()));
+ syslog(LOG_ERR | LOG_DAEMON, "Service specific"
+ "IPfilter configuration may not be updated "
+ "properly\n");
+
+ exit(1);
+ } else {
+ c++;
+ }
+
+ (void) sleep(1);
+ }
+}
+
+static void
+repository_notify_setup(scf_handle_t *h)
+{
+ for (;;) {
+ if (_scf_notify_add_pgtype(h, SCF_GROUP_FRAMEWORK) ==
+ SCF_SUCCESS)
+ break;
+
+ switch (scf_error()) {
+ case SCF_ERROR_CONNECTION_BROKEN:
+ repository_rebind(h);
+ break;
+
+ case SCF_ERROR_NO_RESOURCES:
+ (void) sleep(1);
+ break;
+
+ default:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "Abort: Couldn't set up repository notification "
+ "for pg type %s: %s\n", SCF_GROUP_FRAMEWORK,
+ scf_strerror(scf_error()));
+ abort();
+ }
+ }
+}
+
+/*
+ * If the repository connection is lost, rebind and re-setup repository
+ * notification. During the repository connection outage, services that
+ * changed states wouldn't get the corresponding firewall update. To make
+ * we're not out of sync, update the entire system firewall configuration,
+ * invoke ipfilter_update(IPFILTER_FMRI).
+ */
+static void
+repository_setup()
+{
+ repository_rebind(h);
+ repository_notify_setup(h);
+ if (ipfilter_update(IPFILTER_FMRI) == -1) {
+ syslog(LOG_ERR | LOG_DAEMON,
+ "Failed to reconfigure system firewall.\n");
+ }
+}
+
+static int
+pg_get_prop_value(const scf_propertygroup_t *pg, const char *pname,
+ scf_value_t *v)
+{
+ if (pg == NULL || pname == NULL || v == NULL)
+ return (-1);
+
+ if (scf_pg_get_property(pg, pname, scratch_prop) == -1 ||
+ scf_property_get_value(scratch_prop, v) == -1) {
+ switch (scf_error()) {
+ case SCF_ERROR_NOT_FOUND:
+ case SCF_ERROR_DELETED:
+ break;
+
+ default:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "scf_pg_get_property failed for %s: %s\n",
+ pname, scf_strerror(scf_error()));
+ }
+ return (-1);
+ }
+ return (0);
+}
+
+static int
+is_correct_event(const char *fmri, const scf_propertygroup_t *pg,
+ const boolean_t isrpc)
+{
+ char *state = NULL;
+ const char **proplist = all_props;
+ int prop_cnt = ALL_PROPS_CNT;
+
+ int i, ret = 0;
+
+ if (scf_pg_get_name(pg, scratch_name, max_scf_name_size) < 0) {
+ syslog(LOG_ERR | LOG_DAEMON, "scf_pg_get_name failed: %s\n",
+ scf_strerror(scf_error()));
+ return (-1);
+ }
+
+ /*
+ * We care about enable, disable, and refresh since that's
+ * when we activate, deactivate, or change firewall policy.
+ *
+ * - enable/disable -> change in "general" or "general_ovr"
+ * - refresh/restart -> change in "restarter_actions"
+ */
+ if (strcmp(scratch_name, SCF_PG_GENERAL) == 0 ||
+ strcmp(scratch_name, SCF_PG_GENERAL_OVR) == 0) {
+ syslog(LOG_DEBUG | LOG_DAEMON, "Action: %s", scratch_name);
+ return (1);
+ }
+
+ if ((state = smf_get_state(fmri)) == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "smf_get_state failed for %s: "
+ "%s\n", fmri, scf_strerror(scf_error()));
+ return (-1);
+ }
+
+ syslog(LOG_DEBUG | LOG_DAEMON, "%s STATE: %s \n", fmri, state);
+ if (strcmp(state, SCF_STATE_STRING_MAINT) == 0) {
+ proplist = maint_props;
+ prop_cnt = MAINT_PROPS_CNT;
+ }
+
+ /*
+ * Only concerned with refresh, restart, and maint on|off actions.
+ * RPC services are restarted whenever rpc/bind restarts so it's
+ * an automatic valid event for RPC services.
+ */
+ if (isrpc) {
+ ret = 1;
+ goto out;
+ } else if (strcmp(scratch_name, SCF_PG_RESTARTER_ACTIONS) == 0) {
+ for (i = 0; i < prop_cnt; i++) {
+ if (pg_get_prop_value(pg, proplist[i],
+ scratch_v) == 0) {
+ syslog(LOG_DEBUG | LOG_DAEMON, "Action: %s/%s",
+ scratch_name, proplist[i]);
+
+ ret = 1;
+ goto out;
+ }
+ }
+ }
+
+out:
+ if (state)
+ free(state);
+
+ return (ret);
+}
+
+static int
+ipfilter_update(const char *fmri)
+{
+ pid_t pid;
+ int status, ret = 0;
+
+ syslog(LOG_DEBUG | LOG_DAEMON, "ipfilter_update: %s\n", fmri);
+
+ /*
+ * Start refresh in another process
+ */
+ if ((pid = fork1()) < 0) {
+ syslog(LOG_ERR | LOG_DAEMON, "Couldn't fork to refresh "
+ "ipfilter for %s: %s", fmri, strerror(errno));
+ ret = 1;
+ goto out;
+ }
+
+ if (pid == 0) {
+ if (execl(IPF_UPDATE_CMD, IPF_UPDATE_CMD, "fw_update", fmri,
+ NULL) == -1)
+ syslog(LOG_ERR | LOG_DAEMON, "execl() failed for "
+ "%s: %s", fmri, strerror(errno));
+
+ exit(1);
+ }
+
+ /*
+ * Parent - only one update at a time.
+ */
+ (void) wait(&status);
+ if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+ ret = 1;
+
+out:
+ if (ret == 1)
+ syslog(LOG_ERR | LOG_DAEMON, "Firewall update failed "
+ "for: %s\n", fmri);
+
+ return (ret);
+}
+
+/*
+ * Determine whether a given instance is a RPC service. Repository and
+ * libscf errors are treated as if the service isn't an RPC service,
+ * returning B_FALSE to indicate validation failure.
+ */
+static boolean_t
+service_is_rpc(const scf_instance_t *inst)
+{
+ scf_snapshot_t *lsnap = NULL;
+ uint8_t isrpc;
+
+ if (scf_instance_get_snapshot(inst, SCF_SNAPSHOT_RUNNING, snap) != 0) {
+ syslog(LOG_DEBUG | LOG_DAEMON,
+ "Could not get running snapshot, using editing value\n");
+ } else {
+ lsnap = snap;
+ }
+
+ if (scf_instance_get_pg_composed(inst, lsnap, SCF_PG_INETD,
+ scratch_pg) == -1) {
+ switch (scf_error()) {
+ case SCF_ERROR_NOT_FOUND:
+ case SCF_ERROR_DELETED:
+ break;
+
+ default:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "scf_instance_get_pg_composed failed: %s\n",
+ scf_strerror(scf_error()));
+ return (B_FALSE);
+ }
+
+ if (scf_instance_get_pg_composed(inst, lsnap,
+ SCF_PG_FW_CONTEXT, scratch_pg) == -1) {
+ switch (scf_error()) {
+ case SCF_ERROR_NOT_FOUND:
+ case SCF_ERROR_DELETED:
+ break;
+
+ default:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "scf_instance_get_pg_composed failed: %s\n",
+ scf_strerror(scf_error()));
+ }
+ return (B_FALSE);
+ }
+ }
+
+ if (pg_get_prop_value(scratch_pg, SCF_PROPERTY_ISRPC, scratch_v) == -1)
+ return (B_FALSE);
+
+ if (scf_value_get_boolean(scratch_v, &isrpc) == -1) {
+ syslog(LOG_ERR | LOG_DAEMON, "scf_value_get_boolean failed: "
+ "%s\n", scf_strerror(scf_error()));
+ return (B_FALSE);
+ }
+
+ if (isrpc)
+ return (B_TRUE);
+ else
+ return (B_FALSE);
+}
+
+static int
+instance_has_firewall(scf_instance_t *inst)
+{
+ scf_snapshot_t *lsnap = NULL;
+
+ if (scf_instance_get_snapshot(inst, SCF_SNAPSHOT_RUNNING, snap) == -1) {
+ switch (scf_error()) {
+ case SCF_ERROR_CONNECTION_BROKEN:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "scf_instance_get_snapshot failed: %s\n",
+ scf_strerror(scf_error()));
+ repository_setup();
+ return (-1);
+
+ case SCF_ERROR_DELETED:
+ default:
+ /*
+ * If running snapshot is not available for
+ * other reasons, fall back to current values.
+ */
+ syslog(LOG_DEBUG | LOG_DAEMON, "Could not get "
+ "running snapshot, using current value\n");
+ }
+ } else {
+ lsnap = snap;
+ }
+
+ /*
+ * Update service's IPfilter configuration if either
+ * SCF_PG_FW_CONTEXT or SCF_PG_FW_CONFIG exists.
+ */
+ if (scf_instance_get_pg_composed(inst, lsnap, SCF_PG_FW_CONTEXT,
+ scratch_pg) == 0) {
+ return (1);
+ } else {
+ switch (scf_error()) {
+ case SCF_ERROR_NOT_FOUND:
+ case SCF_ERROR_DELETED:
+ break;
+
+ case SCF_ERROR_CONNECTION_BROKEN:
+ repository_setup();
+ /* FALLTHROUGH */
+ default:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "scf_instance_get_pg_composed failed: %s\n",
+ scf_strerror(scf_error()));
+ return (-1);
+ }
+ }
+
+ if (scf_instance_get_pg_composed(inst, lsnap, SCF_PG_FW_CONFIG,
+ scratch_pg) == -1) {
+ /*
+ * It's either a non-firewall service or a failure to
+ * read firewall pg, just continue and listen for
+ * future events.
+ */
+ switch (scf_error()) {
+ case SCF_ERROR_NOT_FOUND:
+ case SCF_ERROR_DELETED:
+ return (0);
+
+ case SCF_ERROR_CONNECTION_BROKEN:
+ repository_setup();
+ /* FALLTHROUGH */
+ default:
+ syslog(LOG_ERR | LOG_DAEMON,
+ "scf_instance_get_pg_composed failed: %s\n",
+ scf_strerror(scf_error()));
+ return (-1);
+ }
+ }
+ return (1);
+}
+
+static int
+repository_event_process(scf_propertygroup_t *pg)
+{
+ boolean_t isrpc = B_FALSE;
+ int res;
+
+ /*
+ * Figure out it's a firewall capable instance and call ipfilter_update
+ * if it is.
+ */
+ if (scf_pg_get_parent_instance(pg, inst) == -1) {
+ /* Not an error if pg doesn't belong to a valid instance */
+ if (scf_error() == SCF_ERROR_CONSTRAINT_VIOLATED) {
+ return (0);
+ }
+
+ syslog(LOG_ERR | LOG_DAEMON, "scf_pg_get_parent_instance "
+ "failed: %s\n", scf_strerror(scf_error()));
+
+ if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
+ repository_setup();
+
+ return (1);
+ }
+
+ if (scf_instance_to_fmri(inst, scratch_fmri, max_scf_fmri_size) == -1) {
+ syslog(LOG_ERR | LOG_DAEMON, "scf_instance_to_fmri "
+ "failed: %s\n", scf_strerror(scf_error()));
+
+ if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
+ repository_setup();
+
+ return (1);
+ }
+
+ if (strcmp(scratch_fmri, IPFILTER_FMRI) == 0) {
+ return (0);
+ }
+
+ isrpc = service_is_rpc(inst);
+
+ /*
+ * If it's not an event we're interested in, returns success.
+ */
+ res = is_correct_event(scratch_fmri, pg, isrpc);
+ if (res == -1) {
+ syslog(LOG_ERR | LOG_DAEMON,
+ "is_correct_event failed for %s.\n", scratch_fmri);
+ return (1);
+ } else if (res == 0) {
+ return (0);
+ }
+
+ /*
+ * Proceed only if instance has firewall policy.
+ */
+ res = instance_has_firewall(inst);
+ if (res == -1) {
+ syslog(LOG_ERR | LOG_DAEMON,
+ "instance_has_firewall failed for %s.\n", scratch_fmri);
+ return (1);
+ } else if (res == 0) {
+ return (0);
+ }
+
+ if (ipfilter_update(scratch_fmri) == -1) {
+ return (1);
+ }
+
+ return (0);
+}
+
+static int
+repository_event_wait()
+{
+ scf_propertygroup_t *pg;
+ char *fmri, *scratch;
+ const char *inst_name, *pg_name;
+ ssize_t res;
+
+ if ((fmri = umem_alloc(max_scf_fmri_size, UMEM_DEFAULT)) == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "Out of memory");
+ return (1);
+ }
+
+ if ((scratch = umem_alloc(max_scf_fmri_size, UMEM_DEFAULT)) == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "Out of memory");
+ return (1);
+ }
+
+ if ((pg = scf_pg_create(h)) == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "scf_pg_create failed: %s\n",
+ scf_strerror(scf_error()));
+ return (1);
+ }
+
+ repository_notify_setup(h);
+
+ for (;;) {
+ /*
+ * Calling _scf_notify_wait which will block this thread
+ * until it's notified of a framework event.
+ *
+ * Note: fmri is only set on delete events.
+ */
+ res = _scf_notify_wait(pg, fmri, max_scf_fmri_size);
+ if (res < 0) {
+ syslog(LOG_ERR | LOG_DAEMON, "_scf_notify_wait "
+ "failed: %s\n", scf_strerror(scf_error()));
+ repository_setup();
+ } else if (res == 0) {
+ if (repository_event_process(pg))
+ syslog(LOG_ERR | LOG_DAEMON, "Service may have "
+ "incorrect IPfilter configuration\n");
+ } else {
+ /*
+ * The received event is a deletion of a service,
+ * instance or pg. If it's a deletion of an instance,
+ * update the instance's IPfilter configuration.
+ */
+ syslog(LOG_DEBUG | LOG_DAEMON, "Deleted: %s", fmri);
+
+ (void) strlcpy(scratch, fmri, max_scf_fmri_size);
+ if (scf_parse_svc_fmri(scratch, NULL, NULL, &inst_name,
+ &pg_name, NULL) != SCF_SUCCESS)
+ continue;
+
+ if (inst_name != NULL && pg_name == NULL) {
+ (void) ipfilter_update(fmri);
+ }
+ }
+ }
+
+ /*NOTREACHED*/
+}
+
+int
+main()
+{
+ if (daemonize_self() == 1)
+ return (1);
+
+ max_scf_fmri_size = scf_limit(SCF_LIMIT_MAX_FMRI_LENGTH) + 1;
+ max_scf_name_size = scf_limit(SCF_LIMIT_MAX_NAME_LENGTH) + 1;
+
+ assert(max_scf_fmri_size > 0);
+ assert(max_scf_name_size > 0);
+
+ if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "scf_handle_create failed: %s\n",
+ scf_strerror(scf_error()));
+ return (1);
+ }
+
+ repository_rebind(h);
+
+ scratch_fmri = umem_alloc(max_scf_fmri_size, UMEM_DEFAULT);
+ scratch_name = umem_alloc(max_scf_name_size, UMEM_DEFAULT);
+
+ if (scratch_fmri == NULL || scratch_name == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "Out of memory");
+ return (1);
+ }
+
+ inst = scf_instance_create(h);
+ snap = scf_snapshot_create(h);
+ scratch_pg = scf_pg_create(h);
+ scratch_prop = scf_property_create(h);
+ scratch_v = scf_value_create(h);
+
+ if (inst == NULL || snap == NULL || scratch_pg == NULL ||
+ scratch_prop == NULL || scratch_v == NULL) {
+ syslog(LOG_ERR | LOG_DAEMON, "Initialization failed: %s\n",
+ scf_strerror(scf_error()));
+ return (1);
+ }
+
+ return (repository_event_wait());
+}
diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter
index cd57a51f22..6be1eeb7cc 100644
--- a/usr/src/cmd/ipf/svc/ipfilter
+++ b/usr/src/cmd/ipf/svc/ipfilter
@@ -25,13 +25,10 @@
#
. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
PATH=${PATH}:/usr/sbin:/usr/lib/ipf
PIDFILE=/var/run/ipmon.pid
-IPFILCONF=/etc/ipf/ipf.conf
-IP6FILCONF=/etc/ipf/ipf6.conf
-IPNATCONF=/etc/ipf/ipnat.conf
-IPPOOLCONF=/etc/ipf/ippool.conf
PFILCHECKED=no
zone=`smf_zonename`
@@ -50,13 +47,19 @@ logmsg()
load_ipf() {
bad=0
- if [ -r ${IPFILCONF} ]; then
- ipf -IFa -f ${IPFILCONF}
- if [ $? != 0 ]; then
- echo "$0: load of ${IPFILCONF} into alternate set failed"
- bad=1
+ ipf -IFa
+
+ for file in $IPFILOVRCONF $CONF_FILES $IPFILCONF; do
+ if [ -r ${file} ]; then
+ ipf -I -f ${file}
+ if [ $? != 0 ]; then
+ echo "$0: load of ${file} into alternate" \
+ "set failed"
+ bad=1
+ fi
fi
- fi
+ done
+
if [ -r ${IP6FILCONF} ]; then
ipf -6IFa -f ${IP6FILCONF}
if [ $? != 0 ]; then
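Review bot: The order of `$IPFILOVRCONF $CONF_FILES $IPFILCONF` in the new `for` loop is semantically significant to ipf (rules are evaluated in order and the last match wins unless a rule is `quick`), but nothing in the hunk records which of the override, per-service and default files is meant to take precedence. A comment above the loop would protect that ordering from a later reorder, e.g. `# Load order is significant: ipf is last-match-wins unless rules are 'quick'; override rules load first, then per-service rules, then the default file.` The unconditional `ipf -IFa` flush is also unchecked, so a failed flush leaves the alternate set in its previous state while the loop still reports success. load_ipf's body continues past the hunk.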
@@ -75,18 +78,18 @@ load_ipf() {
load_ipnat() {
- if [ -r ${IPNATCONF} ]; then
- ipnat -CF -f ${IPNATCONF}
- if [ $? != 0 ]; then
- echo "$0: load of ${IPNATCONF} failed"
- return 1
- else
- ipf -y
- return 0
- fi
- else
- return 0
- fi
+ ipnat -CF
+ for nfile in $NAT_FILES $IPNATCONF; do
+ if [ -r ${nfile} ]; then
+ ipnat -f ${nfile}
+ if [ $? != 0 ]; then
+ echo "$0: load of ${nfile} failed"
+ return 1
+ else
+ ipf -y
+ fi
+ fi
+ done
}
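Review bot: `ipf -y` now runs inside the loop after every successfully loaded NAT file, and the function no longer ends with the explicit `return 0` the old code had, so when no file is readable its status is whatever the loop last produced rather than a stated success. Hoisting the sync out of the loop and restoring the explicit return keeps the old contract: drop the `else` branch and end the function with `done`, `ipf -y`, `return 0`. The `ipnat -CF` flush is likewise unchecked, so a failed flush followed by no readable file reports success with the previous NAT rules still loaded.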
@@ -105,21 +108,105 @@ load_ippool() {
fi
}
+#
+# Get current configuration version, fails if property doesn't exist.
+#
+config_get_version()
+{
+ ver=`svcprop -p $FW_CONFIG_DEF_PG/version $SMF_FMRI 2>/dev/null`
+ [ $? -ne 0 -o -z "$ver" ] && return 1
+
+ echo "$ver"
+}
+
+#
+# Version 1 configuration migration - if there's an existing ipf.conf file, set
+# the default system-wide policy to "custom" and set the custom file value to
+# "/etc/ipf/ipf.conf". Do this migration once and set the 'version' property
+# to the current version value.
+#
+upgrade_config()
+{
+ old_ipfconf="/etc/ipf/ipf.conf"
+
+ if [ -f ${old_ipfconf} ]; then
+ grep '^[ \t]*[^# \t]' ${old_ipfconf} >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ svccfg -s $SMF_FMRI setprop \
+ $FW_CONFIG_DEF_PG/$POLICY_PROP = astring: \
+ "custom" >/dev/null 2>&1
+ svccfg -s $SMF_FMRI setprop \
+ $FW_CONFIG_DEF_PG/$CUSTOM_FILE_PROP = astring: \
+ "$old_ipfconf" >/dev/null 2>&1
+ fi
+ fi
+
+ svccfg -s $SMF_FMRI setprop $FW_CONFIG_DEF_PG/version = count: \
+ "$CURRENT_VERSION" >/dev/null 2>&1
+ svcadm refresh $SMF_FMRI >/dev/null 2>&1
+}
+
+configure_firewall()
+{
+ create_global_rules || exit $SMF_EXIT_ERR_CONFIG
+ create_global_ovr_rules || exit $SMF_EXIT_ERR_CONFIG
+ create_services_rules || exit $SMF_EXIT_ERR_CONFIG
+
+ [ ! -f ${IPFILCONF} -a ! -f ${IPNATCONF} ] && exit 0
+ ipf -E
+ load_ippool || exit $SMF_EXIT_ERR_CONFIG
+ load_ipf || exit $SMF_EXIT_ERR_CONFIG
+ load_ipnat || exit $SMF_EXIT_ERR_CONFIG
+}
+#
+# We handle configuration migration as well as a model change (transient to
+# contract based service) in the start, stop, and refresh methods.
+#
+# Configuration migration is straightforward, the start method will do the
+# upgrade if the repository version value is not the same as the version
+# defined in ipf_include.sh However, there are two problems. First, ipfilter
+# can start in parallel with manifest-import, thus the new configuration
+# properties and service definition may not be available to the start method
+# on the first reboot after an upgrade. Second, a transient to contract based
+# model change isn't well supported for an online service.
+#
+# - If the start method finds the property missing (manifest-import hasn't
+# completed), it will allow the still transient network/ipfilter to stay
+# 'online' and wait for manifest-import. Once manifest-import completes, the
+# refresh method will run svcadm restart if the version value is not
+# up-to-date and the subsequent start method will perform the upgrade.
+#
+# - Since the start method allows the service to stay online as a transient
+# service (no contract), the svcadm restart invoked by refresh (described
+# above) will result in a call to the stop method with no existing contract
+# property. The ipfilter manifest cannot include contract/restarter token in
+# its stop method definition since startd will fail to expand that token and
+# place the service in maintenance. Thus, the stop method has to explicitly
+# get the contract id before calling smf_kill_contract.
+#
case "$1" in
start)
- [ ! -f ${IPFILCONF} -a ! -f ${IPNATCONF} ] && exit 0
- ipf -E
- [ -n "$pid" ] && kill -TERM $pid
- if load_ippool && load_ipf && load_ipnat ; then
- /usr/sbin/ipmon -Ds
- else
- exit $SMF_EXIT_ERR_CONFIG
+ ver=`config_get_version`
+ if [ $? -eq 1 ]; then
+ echo "Warning: firewall properties are not available"
+ exit $SMF_EXIT_OK
fi
+
+ [ "$ver" -ne "$CURRENT_VERSION" ] && upgrade_config
+
+ configure_firewall
+
+ /lib/svc/bin/svc.ipfd
+ /usr/sbin/ipmon -Ds
;;
stop)
- [ -n "$pid" ] && kill -TERM $pid
+ ctid=`svcprop -p restarter/contract $SMF_FMRI`
+ if [ -n "$ctid" ]; then
+ smf_kill_contract $ctid TERM 1
+ fi
+
ipf -D
[ -n "$ipfid" ] && modunload -i $ipfid
;;
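Review bot: `upgrade_config` stamps `version` to `$CURRENT_VERSION` even when the two `svccfg setprop` calls that migrate an existing ipf.conf into `policy=custom`/`custom_policy_file` fail, and their output is discarded, so a failed migration is never reported or retried and the pre-upgrade rules may silently stop being applied — a fail-open outcome for a firewall. Make the migration fail loudly: append `|| return 1` to both migrating `svccfg` calls so the version is only stamped on success, and in `start` use `[ "$ver" -ne "$CURRENT_VERSION" ] && { upgrade_config || exit $SMF_EXIT_ERR_CONFIG; }`. In the same `start` branch the exit status of `/lib/svc/bin/svc.ipfd` is ignored, so the service can go online without the daemon that applies later per-service firewall updates; `/lib/svc/bin/svc.ipfd || exit $SMF_EXIT_ERR_FATAL` would surface that. Whether `$IPFILCONF` from ipf_include.sh still names /etc/ipf/ipf.conf is not visible here, so how much a lost migration actually drops depends on that.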
@@ -149,9 +236,18 @@ case "$1" in
;;
reload)
- load_ippool
- load_ipf
- load_ipnat
+ ver=`config_get_version`
+ if [ $? -eq 1 ]; then
+ echo "Warning: firewall properties are not available"
+ exit $SMF_EXIT_ERR_CONFIG
+ fi
+
+ if [ "$ver" -ne "$CURRENT_VERSION" ]; then
+ svcadm restart $SMF_FMRI
+ exit $SMF_EXIT_OK
+ fi
+
+ configure_firewall
;;
reipf)
@@ -162,6 +258,19 @@ case "$1" in
load_ipnat
;;
+ fw_update)
+ #
+ # The second argument is the fmri of the service to be updated.
+ # If it's the network/ipfilter, we want to repopulate firewall
+ # configuration for the entire system.
+ #
+ if [ "$2" = "$SMF_FMRI" ]; then
+ configure_firewall
+ else
+ service_update $2 || exit 1
+ fi
+ ;;
+
*)
echo "Usage: $0 \c" >&2
echo "(start|stop|reload|reipf|reipnat|pause|resume)" >&2
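Review bot: The usage message on the `*)` branch still prints `(start|stop|reload|reipf|reipnat|pause|resume)` and omits the new `fw_update` verb. The new branch also hands `$2` to `service_update` without checking it is set, so an invocation with no FMRI calls `service_update` with no argument; a guard such as `[ -z "$2" ] && { echo "$0: fw_update requires a service FMRI" >&2; exit 1; }` at the top of the branch, plus quoting as `service_update "$2"`, would close that. The plain `exit 1` rather than an SMF exit code is presumably intended, since `fw_update` looks to be invoked by svc.ipfd rather than by the restarter.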
diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml
index 81958feb90..397112ba69 100644
--- a/usr/src/cmd/ipf/svc/ipfilter.xml
+++ b/usr/src/cmd/ipf/svc/ipfilter.xml
@@ -38,18 +38,8 @@
type='service'
version='1'>
- <create_default_instance enabled='false' />
-
<single_instance />
- <dependency
- name='config'
- grouping='require_all'
- restart_on='restart'
- type='path'>
- <service_fmri value='file://localhost/etc/ipf/ipf.conf' />
- </dependency>
-
<dependency
name='filesystem'
grouping='require_all'
@@ -74,6 +64,14 @@
<service_fmri value='svc:/system/identity:node' />
</dependency>
+ <dependency
+ name='domain'
+ grouping='require_all'
+ restart_on='restart'
+ type='service'>
+ <service_fmri value='svc:/system/identity:domain' />
+ </dependency>
+
<dependent
name='network'
grouping='optional_all'
@@ -84,14 +82,14 @@
<exec_method
type='method'
name='stop'
- exec='/lib/svc/method/ipfilter stop'
+ exec='/lib/svc/method/ipfilter %m'
timeout_seconds='60' >
</exec_method>
<exec_method
type='method'
name='start'
- exec='/lib/svc/method/ipfilter start'
+ exec='/lib/svc/method/ipfilter %m'
timeout_seconds='30' >
</exec_method>
@@ -102,11 +100,27 @@
timeout_seconds='30' >
</exec_method>
- <property_group
- name='startd'
- type='framework'>
- <propval name='duration' type='astring' value='transient' />
- </property_group>
+ <instance name='default' enabled='false'>
+ <property_group name='firewall_config_default'
+ type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='none' />
+ <propval name='custom_policy_file' type='astring' value='' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='open_ports' type='astring' value='' />
+ <propval name='version' type='count' value='0' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
+ <property_group name='firewall_config_override'
+ type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='none' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+ </instance>
<stability value='Unstable' />
@@ -123,6 +137,197 @@
<manpage title='ipfilter' section='5'
manpath='/usr/share/man' />
</documentation>
+
+ <pg_pattern name='firewall_config_default'
+ type='com.sun,fw_configuration' target='this'
+ required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+Global Default firewall
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+The default system-wide firewall policy.
+ </loctext>
+ </description>
+ <prop_pattern name='policy' type='astring'
+ required='true'>
+ <common_name>
+ <loctext xml:lang='C'>
+Global Default policy
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+Firewall policy.
+ </loctext>
+ </description>
+ <visibility value='readwrite'/>
+ <cardinality min='1' max='1'/>
+ <values>
+ <value name='none'>
+ <description>
+ <loctext xml:lang='C'>
+No firewall (allow all), this is the default value.
+ </loctext>
+
+ </description>
+ </value>
+ <value name='deny'>
+ <description>
+ <loctext xml:lang='C'>
+Deny access to entities specified in 'apply_to' property.
+ </loctext>
+ </description>
+ </value>
+ <value name='allow'>
+ <description>
+ <loctext xml:lang='C'>
+Allow access to entities specified in 'apply_to' property.
+ </loctext>
+ </description>
+ </value>
+ <value name='custom'>
+ <description>
+ <loctext xml:lang='C'>
+Apply the custom ipfilter configuration stored in a custom file (custom file property must be set).
+ </loctext>
+ </description>
+ </value>
+ </values>
+ <choices>
+ <include_values type='values'/>
+ </choices>
+ </prop_pattern>
+ <prop_pattern name="apply_to" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Apply policy to
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang="C">
+The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name="exceptions" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Make exceptions to
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang="C">
+The host and network IPs, network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept.
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name="custom_policy_file" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Custom policy IPfilter file
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+The file containing a custom ipfilter configuration to use if a custom policy is enforced.
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name="open_ports" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Open ports
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+A set of ports to leave open regardless of firewall policy.
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name="upgraded" type="boolean"
+ required="false">
+ <visibility value='hidden'/>
+ </prop_pattern>
+ </pg_pattern>
+
+ <pg_pattern name='firewall_config_override'
+ type='com.sun,fw_configuration' target='this'
+ required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+Global Override firewall
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+The system-wide firewall policy that overrides default system-wide and all services' policies.
+ </loctext>
+ </description>
+ <prop_pattern name='policy' type='astring'
+ required='true'>
+ <common_name>
+ <loctext xml:lang='C'>
+Global Override policy
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+Firewall policy.
+ </loctext>
+ </description>
+ <visibility value='readwrite'/>
+ <cardinality min='1' max='1'/>
+ <values>
+ <value name='none'>
+ <description>
+ <loctext xml:lang='C'>
+No firewall (allow all), this is the default value.
+ </loctext>
+ </description>
+ </value>
+ <value name='deny'>
+ <description>
+ <loctext xml:lang='C'>
+Deny access to entities specified in 'apply_to' property.
+ </loctext>
+ </description>
+ </value>
+ <value name='allow'>
+ <description>
+ <loctext xml:lang='C'>
+Allow access to entities specified in 'apply_to' property.
+ </loctext>
+ </description>
+ </value>
+ </values>
+ <choices>
+ <include_values type='values'/>
+ </choices>
+ </prop_pattern>
+ <prop_pattern name="apply_to" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Apply policy to
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang="C">
+The host and network IPs, network interfaces, and ippools to deny if the
+policy is set to deny, or accept if the policy is set to accept.
+ </loctext>
+ </description>
+ </prop_pattern>
+ </pg_pattern>
+
</template>
</service>
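Review bot: The `firewall_config_default` pg_pattern declares a hidden boolean `upgraded` property that nothing in this change sets or reads, while the `version` count property the instance actually carries — and that the method script reads with `svcprop` and writes with `svccfg setprop ... version = count:` — has no prop_pattern at all. Either drop the `upgraded` pattern or replace it with `<prop_pattern name='version' type='count' required='false'><visibility value='hidden'/></prop_pattern>` so the template describes what is in the repository. Since `custom_policy_file` sits in a group whose `value_authorization` is `solaris.smf.value.firewall.config`, its description could also state that the named file is loaded into ipf by the service, so readers understand what that authorization grants.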
diff --git a/usr/src/cmd/lp/cmd/lpsched/print-svc b/usr/src/cmd/lp/cmd/lpsched/print-svc
index 9cd6a07c17..97c48a9c68 100644
--- a/usr/src/cmd/lp/cmd/lpsched/print-svc
+++ b/usr/src/cmd/lp/cmd/lpsched/print-svc
@@ -20,14 +20,13 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
-# ident "%Z%%M% %I% %E% SMI"
-#
. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
# SERVICE = parent service name
SERVICE=`echo $SMF_FMRI | /usr/bin/cut -f1,2 -d":"`
@@ -117,6 +116,49 @@ fi
/usr/lib/lp/local/lpshut
;;
+'ipfilter')
+ FMRI=$2
+ IPP_FMRI="svc:/application/print/ipp-listener:default"
+ RFC1179_FMRI="svc:/application/print/rfc1179:default"
+ IPP_CONF=/etc/apache/httpd-standalone-ipp.conf
+ ip="any"
+
+ policy=`get_policy $FMRI`
+
+ file=`fmri_to_file $RFC1179_FMRI $IPF_SUFFIX`
+ echo "# $RFC1179_FMRI" >$file
+ service_is_enabled ${RFC1179_FMRI}
+ if [ $? -eq 0 ]; then
+ rfc_name=`svcprop -p inetd/name ${RFC1179_FMRI} 2>/dev/null`
+ rfc_proto=`svcprop -p inetd/proto ${RFC1179_FMRI} 2>/dev/null | \
+ sed 's/6/ /'`
+ rfc_port=`$SERVINFO -p -t -s $rfc_name`
+ generate_rules $FMRI $policy $rfc_proto $ip $rfc_port $file
+ fi
+
+ file=`fmri_to_file $IPP_FMRI $IPF_SUFFIX`
+ echo "# $IPP_FMRI" >$file
+ service_is_enabled ${IPP_FMRI}
+ if [ $? -eq 0 ]; then
+ #
+ # If Listen directives are used, it's possibie to listen on
+ # more than one ports. Process the Port directives only when Listen
+ # directives don't exist.
+ #
+ ipp_ports=`grep '^[ \t]*[^# ]*Listen' ${IPP_CONF} | awk '{print $2}'`
+
+ if [ -z "$ipp_ports" ]; then
+ ipp_ports=`grep '^[ \t]*[^# ]*Port' ${IPP_CONF} | \
+ awk '{print $2}' | tail -1`
+ fi
+
+ for port in $ipp_ports; do
+ generate_rules $FMRI $policy "tcp" $ip $port $file
+ done
+ fi
+
+ ;;
+
*)
echo "Usage: $0 { start | stop }"
exit 1
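Review bot: In the new `'ipfilter')` branch, `generate_rules $FMRI $policy $rfc_proto $ip $rfc_port $file` passes unquoted variables, so if `svcprop` or `$SERVINFO` fails and `$rfc_proto` or `$rfc_port` is empty the remaining arguments shift left and `$file` lands in the port position; guard with `[ -n "$rfc_port" ] && generate_rules ...` (and the same for `$port` in the IPP loop). Apache's `Listen` directive also accepts an `addr:port` form, so `awk '{print $2}'` can yield `host:631` rather than a bare port — worth a sentence in the comment above the grep, or stripping the address prefix before calling generate_rules. The comment itself has typos: `possibie` → `possible`, and `more than one ports` → `more than one port`.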
diff --git a/usr/src/cmd/lp/cmd/lpsched/server.xml b/usr/src/cmd/lp/cmd/lpsched/server.xml
index 3cbb4a4bff..790355f873 100644
--- a/usr/src/cmd/lp/cmd/lpsched/server.xml
+++ b/usr/src/cmd/lp/cmd/lpsched/server.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- pragma ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -107,6 +105,19 @@
value='solaris.print.admin' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/print-svc ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
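Review bot: The `ipf_method` value here, `/lib/svc/method/print-svc ipfilter`, supplies no FMRI argument, while the rfc1179.xml hunk below sets the same method with an explicit trailing `svc:/application/print/server:default`; in print-svc the `'ipfilter')` branch reads `FMRI=$2` and passes it to `get_policy`, so unless the caller of `ipf_method` appends the instance FMRI (not visible in this diff) this entry runs with an empty `FMRI`. Make the two consistent — either both rely on the caller appending the FMRI, or this one also spells it out as `value='/lib/svc/method/print-svc ipfilter svc:/application/print/server:default'` — and add a short comment to the property group stating which convention applies.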
diff --git a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml
index e9910ae6ef..49750cf02f 100644
--- a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml
+++ b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml
@@ -1,7 +1,7 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -85,6 +85,14 @@
<propval name='proto' type='astring' value='tcp' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/lvm/rpc.metad/meta.xml b/usr/src/cmd/lvm/rpc.metad/meta.xml
index 5ff0c60c8e..ad432f4352 100644
--- a/usr/src/cmd/lvm/rpc.metad/meta.xml
+++ b/usr/src/cmd/lvm/rpc.metad/meta.xml
@@ -1,7 +1,7 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- pragma ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -87,6 +85,14 @@
<propval name='proto' type='astring' value='tcp' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml
index f7e40181e6..e5ff748fa5 100644
--- a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml
+++ b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml
@@ -1,7 +1,7 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- pragma ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -87,6 +85,14 @@
<propval name='proto' type='astring' value='tcp' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml
index 06727c3ea1..f286297cf8 100644
--- a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml
+++ b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml
@@ -1,7 +1,7 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -23,8 +23,6 @@
CDDL HEADER END
- pragma ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -87,6 +85,14 @@
<propval name='proto' type='astring' value='tcp' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml b/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml
index 2307aeec16..9709da2a7e 100644
--- a/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml
+++ b/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml
@@ -21,11 +21,9 @@
CDDL HEADER END
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -88,6 +86,11 @@
value='solaris.print.admin' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/print-svc ipfilter svc:/application/print/server:default' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rexd/rex.xml b/usr/src/cmd/rexd/rex.xml
index 9775206520..8d3e77ffb0 100644
--- a/usr/src/cmd/rexd/rex.xml
+++ b/usr/src/cmd/rexd/rex.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -90,6 +87,14 @@
<propval name='wait' type='boolean' value='true' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rpcbind/bind.xml b/usr/src/cmd/rpcbind/bind.xml
index 6ed1ca5575..6efc234ee9 100644
--- a/usr/src/cmd/rpcbind/bind.xml
+++ b/usr/src/cmd/rpcbind/bind.xml
@@ -21,7 +21,7 @@
CDDL HEADER END
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Service manifest for rpcbind
@@ -87,6 +87,14 @@
<service_fmri value='svc:/network/initial:default' />
</dependency>
+ <dependency
+ name='network_ipfilter'
+ grouping='optional_all'
+ restart_on='none'
+ type='service'>
+ <service_fmri value='svc:/network/ipfilter:default' />
+ </dependency>
+
<exec_method
type='method'
name='start'
@@ -185,7 +193,19 @@
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.rpc.bind' />
</property_group>
-
+
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='sunrpc' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rpcsvc/nisplus.xml b/usr/src/cmd/rpcsvc/nisplus.xml
index ff29f5afe5..6634e53374 100644
--- a/usr/src/cmd/rpcsvc/nisplus.xml
+++ b/usr/src/cmd/rpcsvc/nisplus.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -59,6 +56,19 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='isrpc' type='boolean' value='true' />
+ <propval name='name' type='astring' value='100300' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<instance name='default' enabled='false'>
<property_group name='application' type='application'>
<stability value='Unstable' />
diff --git a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml
index d15b26e454..c372d710b0 100644
--- a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml
+++ b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -88,6 +85,19 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='isrpc' type='boolean' value='true' />
+ <propval name='name' type='astring' value='100026' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rpcsvc/rstat.xml b/usr/src/cmd/rpcsvc/rstat.xml
index 8e33cf17bd..cd60e85df7 100644
--- a/usr/src/cmd/rpcsvc/rstat.xml
+++ b/usr/src/cmd/rpcsvc/rstat.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -91,6 +88,14 @@
<propval name='wait' type='boolean' value='true' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rpcsvc/rusers.xml b/usr/src/cmd/rpcsvc/rusers.xml
index c960c83e64..eb3ab91ccd 100644
--- a/usr/src/cmd/rpcsvc/rusers.xml
+++ b/usr/src/cmd/rpcsvc/rusers.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -95,6 +92,14 @@
</property>
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rpcsvc/spray.xml b/usr/src/cmd/rpcsvc/spray.xml
index f11bc45425..2b8bb3fe5b 100644
--- a/usr/src/cmd/rpcsvc/spray.xml
+++ b/usr/src/cmd/rpcsvc/spray.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -91,6 +88,14 @@
<propval name='wait' type='boolean' value='true' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/rpcsvc/wall.xml b/usr/src/cmd/rpcsvc/wall.xml
index b500e35062..835eafe117 100644
--- a/usr/src/cmd/rpcsvc/wall.xml
+++ b/usr/src/cmd/rpcsvc/wall.xml
@@ -2,15 +2,14 @@
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -25,8 +24,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -91,6 +88,14 @@
<propval name='wait' type='boolean' value='true' />
</property_group>
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml
index a23655f509..95859d8bd1 100644
--- a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml
+++ b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml
@@ -20,11 +20,9 @@
CDDL HEADER END
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -80,6 +78,18 @@
<service_fmri value='svc:/system/system-log' />
</dependency>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='smtp' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<instance name='sendmail' enabled='false'>
<dependency
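Review bot: Unlike ssh.xml in this same change, the sendmail service gets firewall_context/firewall_config property groups but no `optional_all` dependency on `svc:/network/ipfilter:default`, so nothing orders the firewall service ahead of the SMTP listener. If the framework relies on that dependency to have a service's rules loaded before the daemon starts accepting connections, a `deny` policy on smtp could leave sendmail reachable during the startup window; if the ordering is deliberately omitted here, a short comment above the new property groups saying why would help the next reader. Otherwise a `<dependency name='network_ipfilter' grouping='optional_all' restart_on='error' type='service'>` with `<service_fmri value='svc:/network/ipfilter:default' />` would match the other manifests in this commit.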
diff --git a/usr/src/cmd/smbsrv/smbd/Makefile b/usr/src/cmd/smbsrv/smbd/Makefile
index 8881929cc4..0f1fda4524 100644
--- a/usr/src/cmd/smbsrv/smbd/Makefile
+++ b/usr/src/cmd/smbsrv/smbd/Makefile
@@ -38,11 +38,14 @@ SRCS= \
include ../../Makefile.cmd
-MANIFEST = server.xml
+MANIFEST= server.xml
+SVCMETHOD= svc-smbd
ROOTMANIFESTDIR = $(ROOTSVCSMB)
$(ROOTMANIFEST):= FILEMODE = 0444
+$(ROOTSVCMETHOD):= FILEMODE = 0555
+
include ../Makefile.smbsrv.defs
LDLIBS += -L$(ROOT)/usr/lib/smbsrv -lmlsvc -lmlrpc -lsmbrdr -lsmbns -lsmb \
@@ -76,4 +79,4 @@ _msg:
include ../../Makefile.targ
install: all .WAIT $(ROOTETCDEFAULTFILES) $(ROOTMANIFEST) \
- $(ROOTSMBDFILE)
+ $(ROOTSMBDFILE) ${ROOTSVCMETHOD}
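Review bot: The new install prerequisite is written as `${ROOTSVCMETHOD}` while every other variable reference in this Makefile uses the `$(...)` form; the two are equivalent to make, but mixing them reads like a typo and complicates grepping for the variable. Suggest `$(ROOTSMBDFILE) $(ROOTSVCMETHOD)` for consistency with the `$(ROOTSVCMETHOD):= FILEMODE = 0555` line added in the earlier hunk.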
diff --git a/usr/src/cmd/smbsrv/smbd/server.xml b/usr/src/cmd/smbsrv/smbd/server.xml
index ea64de7ccb..3775dcef6e 100644
--- a/usr/src/cmd/smbsrv/smbd/server.xml
+++ b/usr/src/cmd/smbsrv/smbd/server.xml
@@ -116,6 +116,19 @@ file.
value='solaris.smf.manage.smb' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/svc-smbd ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<property_group name='read' type='application'>
<!-- To read protected parameters -->
<propval name='read_authorization' type='astring'
diff --git a/usr/src/cmd/smbsrv/smbd/svc-smbd b/usr/src/cmd/smbsrv/smbd/svc-smbd
new file mode 100644
index 0000000000..175d2749d7
--- /dev/null
+++ b/usr/src/cmd/smbsrv/smbd/svc-smbd
@@ -0,0 +1,56 @@
+#!/sbin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+# Scripts that generate IPfilter rules for SMB server
+
+. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
+
+create_ipf_rules()
+{
+ FMRI=$1
+ file=`fmri_to_file $FMRI $IPF_SUFFIX`
+ ip=any
+ policy=`get_policy ${FMRI}`
+ iana_names="microsoft-ds netbios-ns netbios-dgm netbios-ssn"
+
+ #
+ # Enforce policy on each port
+ #
+ echo "# $FMRI" >$file
+ for name in $iana_names; do
+ port=`$SERVINFO -p -s $name 2>/dev/null`
+ if [ -z "$port" ]; then
+ continue;
+ fi
+ generate_rules $FMRI $policy "tcp" $ip $port $file
+ generate_rules $FMRI $policy "udp" $ip $port $file
+ done
+}
+
+if [ "$1" = "ipfilter" ]; then
+ create_ipf_rules $2
+fi
+exit 0
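Review bot: create_ipf_rules emits both a tcp and a udp rule for every name in `iana_names`, regardless of which transport the SMB server actually uses on that port, so under an `allow` policy the generated pass rules cover protocol/port pairs (for example UDP on the microsoft-ds port or TCP on the netbios-dgm port) that smbd presumably never listens on. If smbd only uses TCP for microsoft-ds/netbios-ssn and UDP for netbios-ns/netbios-dgm — to be confirmed against the daemon's socket setup — splitting the list per transport and passing `-t`/`-u` to servinfo keeps the rule set to what is needed. Separately, `$SERVINFO` is not defined in this script and is presumably supplied by ipf_include.sh, and if `fmri_to_file` returns an empty string the `echo "# $FMRI" >$file` redirection fails with no useful diagnostic, so a `[ -z "$file" ] && return 1` guard before it would be safer.
```shell
	tcp_names="microsoft-ds netbios-ssn"
	udp_names="netbios-ns netbios-dgm"

	echo "# $FMRI" >$file
	for name in $tcp_names; do
		port=`$SERVINFO -p -t -s $name 2>/dev/null`
		[ -z "$port" ] && continue
		generate_rules $FMRI $policy "tcp" $ip $port $file
	done
	for name in $udp_names; do
		port=`$SERVINFO -p -u -s $name 2>/dev/null`
		[ -z "$port" ] && continue
		generate_rules $FMRI $policy "udp" $ip $port $file
	done
```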
diff --git a/usr/src/cmd/ssh/etc/ssh.xml b/usr/src/cmd/ssh/etc/ssh.xml
index 02af57779f..3a08195ff1 100644
--- a/usr/src/cmd/ssh/etc/ssh.xml
+++ b/usr/src/cmd/ssh/etc/ssh.xml
@@ -4,9 +4,8 @@
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -21,11 +20,9 @@
CDDL HEADER END
- Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -86,6 +83,13 @@
<service_fmri value='svc:/system/utmp' />
</dependency>
+ <dependency name='network_ipfilter'
+ grouping='optional_all'
+ restart_on='error'
+ type='service'>
+ <service_fmri value='svc:/network/ipfilter:default' />
+ </dependency>
+
<dependency name='config_data'
grouping='require_all'
restart_on='restart'
@@ -133,6 +137,20 @@
value='solaris.smf.manage.ssh' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='ssh' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/sshd ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
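Review bot: The new firewall_context group sets both `name='ssh'` and `ipf_method`, but the pg_pattern description added to global.xml in this same commit says the framework does not generate rules for a service that has ipf_method and expects the method to supply them, which makes `name` here dead configuration unless the framework also consults it. If `name` is meant as a fallback for when the method produces nothing, a comment such as `<!-- name is informational; rules are produced by the ipf_method script -->` would keep the next reader from assuming both are used. The smbd manifest in this change supplies only ipf_method, so the two manifests should probably be made consistent either way.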
diff --git a/usr/src/cmd/ssh/etc/sshd b/usr/src/cmd/ssh/etc/sshd
index 45042398de..dd2854ae90 100644
--- a/usr/src/cmd/ssh/etc/sshd
+++ b/usr/src/cmd/ssh/etc/sshd
@@ -1,9 +1,10 @@
#!/sbin/sh
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
+
+. /lib/svc/share/ipf_include.sh
SSHDIR=/etc/ssh
KEYGEN="/usr/bin/ssh-keygen -q"
@@ -28,6 +29,24 @@ create_key()
return 0
}
+create_ipf_rules()
+{
+ FMRI=$1
+ ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
+ policy=`get_policy ${FMRI}`
+
+ #
+ # Get port from /etc/ssh/sshd_config
+ #
+ tports=`grep "^Port" /etc/ssh/sshd_config 2>/dev/null | \
+ awk '{print $2}'`
+
+ echo "# $FMRI" >$ipf_file
+ for port in $tports; do
+ generate_rules $FMRI $policy "tcp" "any" $port $ipf_file
+ done
+}
+
# This script is being used for two purposes: as part of an SMF
# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
# application.
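Review bot: When sshd_config has no `Port` directive — the common case, since sshd then falls back to its documented default port — `tports` is empty, the loop runs zero times and the rule file holds only the `# $FMRI` comment, so a `deny` policy for ssh silently protects nothing. The grep is also case-sensitive and anchored at column 0, while sshd_config keywords are case-insensitive and may be indented, and ports given via `ListenAddress host:port` are not picked up at all. Suggest replacing the grep with `grep -i "^[ 	]*Port[ 	]" /etc/ssh/sshd_config` and adding `[ -z "$tports" ] && tports=22` after the pipeline, plus a comment stating that ListenAddress-specified ports are not covered. create_ipf_rules is fully inside this hunk, but the argument dispatch that calls it lives in a later hunk.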
@@ -49,6 +68,11 @@ case $1 in
;;
# SMF arguments (start and restart [really "refresh"])
+
+'ipfilter')
+ create_ipf_rules $2
+ ;;
+
'start')
/usr/lib/ssh/sshd
;;
diff --git a/usr/src/cmd/svc/Makefile b/usr/src/cmd/svc/Makefile
index 22f3ce003e..27291de57b 100644
--- a/usr/src/cmd/svc/Makefile
+++ b/usr/src/cmd/svc/Makefile
@@ -2,9 +2,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -20,14 +19,13 @@
# CDDL HEADER END
#
#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-#ident "%Z%%M% %I% %E% SMI"
include ../Makefile.cmd
-SUBDIR_CMD= lsvcrun mfstscan prophist svcadm svccfg svcprop svcs
+SUBDIR_CMD= lsvcrun mfstscan prophist servinfo svcadm svccfg svcprop svcs
SUBDIR_DAEMON= configd startd
SUBDIR_REPO= milestone profile seed
SUBDIR_MISC= shell
diff --git a/usr/src/cmd/svc/milestone/global.xml b/usr/src/cmd/svc/milestone/global.xml
index 3023d0dae4..356655f735 100644
--- a/usr/src/cmd/svc/milestone/global.xml
+++ b/usr/src/cmd/svc/milestone/global.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -618,6 +618,147 @@ method executable, identifies an entry in exec_attr(4).
</prop_pattern>
</pg_pattern>
+ <pg_pattern name='firewall_context'
+ type='com.sun,fw_definition' target='all' required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+Static definition
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+Service static network and firewall definition.
+ </loctext>
+ </description>
+ <prop_pattern name='name' type='astring'
+ required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+Service name
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+IANA name or RPC name for non-inetd service, equivalent to inetd/name property. For RPC services, the value of this property is not an IANA name but is either an RPC program number or name, see rpc(4).
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name='isrpc' type='boolean'
+ required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+RPC service
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+A boolean property where a "true" value indicates an RPC service, equivalent to inetd/isrpc property.
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name='ipf_method' type='astring'
+ required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+Custom firewall script
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+A script that generates ipf rules for a service. Services that require custom IPfilter configuration can use this mechanism to generate and supply their own ipf rules. The firewall framework does not generate rules for services that has this property definition but expect these services to provide their own rules.
+ </loctext>
+ </description>
+ </prop_pattern> </pg_pattern>
+
+ <pg_pattern name='firewall_config'
+ type='com.sun,fw_configuration' target='all'
+ required='false'>
+ <common_name>
+ <loctext xml:lang='C'>
+Firewall configuration
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+Service firewall configuration.
+ </loctext>
+ </description>
+ <prop_pattern name='policy' type='astring'
+ required='true'>
+ <common_name>
+ <loctext xml:lang='C'>
+Firewall policy
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang='C'>
+Service firewall policy.
+ </loctext>
+ </description>
+ <visibility value='readwrite'/>
+ <cardinality min='1' max='1'/>
+ <values>
+ <value name='use_global'>
+ <description>
+ <loctext xml:lang='C'>
+Apply Global Default policy, specified in network/ipfilter for the service. This is the default value.
+ </loctext>
+ </description>
+ </value>
+ <value name='none'>
+ <description>
+ <loctext xml:lang='C'>
+No firewall (allow all).
+ </loctext>
+ </description>
+ </value>
+ <value name='deny'>
+ <description>
+ <loctext xml:lang='C'>
+Deny access to entities specified in 'apply_to' property.
+ </loctext>
+ </description>
+ </value>
+ <value name='allow'>
+ <description>
+ <loctext xml:lang='C'>
+Allow access to entities specified in 'apply_to' property.
+ </loctext>
+ </description>
+ </value>
+ </values>
+ <choices>
+ <include_values type='values'/>
+ </choices>
+ </prop_pattern>
+ <prop_pattern name="apply_to" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Apply policy to
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang="C">
+The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
+ </loctext>
+ </description>
+ </prop_pattern>
+ <prop_pattern name="exceptions" type="astring"
+ required="false">
+ <common_name>
+ <loctext xml:lang='C'>
+Make exceptions to
+ </loctext>
+ </common_name>
+ <description>
+ <loctext xml:lang="C">
+The host and network IPs, network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept.
+ </loctext>
+ </description>
+ </prop_pattern>
+ </pg_pattern>
+
</template>
</service>
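Review bot: The `apply_to` and `exceptions` descriptions speak of a policy set to `accept`, but the enumerated value is `allow` (the `deny`/`allow` pair above), so an administrator reading the template will look for a value that does not exist; suggest `...to deny if the policy is set to deny, or allow if the policy is set to allow.` for apply_to and `...those to allow if the policy is set to deny, or to deny if the policy is set to allow.` for exceptions. The ipf_method description also has a grammar slip: `services that has this property definition but expect` should read `services that have this property, but expects those services to provide their own rules`. Minor layout: `</prop_pattern> </pg_pattern>` shares one line, unlike every other closing pair in the template. The `none` value is documented only as `No firewall (allow all)`; spelling out that this presumably leaves the service's ports open regardless of the global default would make the security consequence of choosing it explicit.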
diff --git a/usr/src/cmd/svc/milestone/restarter.xml b/usr/src/cmd/svc/milestone/restarter.xml
index 5bffde7424..79dbaca50b 100644
--- a/usr/src/cmd/svc/milestone/restarter.xml
+++ b/usr/src/cmd/svc/milestone/restarter.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -156,6 +156,15 @@ Restarter-set auxiliary information about the current state.
<visibility value='readonly'/>
<cardinality min='1' max='1'/>
</prop_pattern>
+ <prop_pattern name='auxiliary_fmri' type='astring'
+ required='false'>
+ <description>
+ <loctext xml:lang='C'>
+Auxiliary fmri information for service state diagnosis.
+ </loctext>
+ </description>
+ <visibility value='hidden' />
+ </prop_pattern>
<prop_pattern name='state_timestamp' type='time'
required='false'>
<description>
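Review bot: The description `Auxiliary fmri information for service state diagnosis.` does not say what FMRI the property holds or who writes it, which is exactly what an administrator diagnosing a maintenance state needs from a hidden restarter property. The commit title suggests it records the service on whose behalf a maintenance state was entered, but the hunk itself does not show the writer, so that should be confirmed before documenting it. If so, suggest `FMRI of the service that requested the current state (for example one that marked this service for maintenance); set by the restarter and used only for diagnosis.`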
diff --git a/usr/src/cmd/svc/servinfo/Makefile b/usr/src/cmd/svc/servinfo/Makefile
new file mode 100644
index 0000000000..43bcfedb6f
--- /dev/null
+++ b/usr/src/cmd/svc/servinfo/Makefile
@@ -0,0 +1,53 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+PROG = servinfo
+OBJS = servinfo.o
+SRCS = $(OBJS:%.o=%.c)
+POFILES = $(OBJS:.o=.po)
+
+include ../../Makefile.cmd
+include ../Makefile.ctf
+
+LDLIBS += -lnsl -lsocket
+
+lint := LINTFLAGS = -ux
+
+.KEEP_STATE:
+
+all: $(PROG)
+
+$(PROG): $(OBJS)
+ $(LINK.c) -o $@ $(OBJS) $(LDLIBS) $(CTFMERGE_HOOK)
+ $(POST_PROCESS)
+
+install: all $(ROOTLIBPROG)
+
+clean:
+ $(RM) $(OBJS) $(POFILES) $(PROG)
+
+lint: lint_SRCS
+
+include ../../Makefile.targ
diff --git a/usr/src/cmd/svc/servinfo/servinfo.c b/usr/src/cmd/svc/servinfo/servinfo.c
new file mode 100644
index 0000000000..d65b0f7d20
--- /dev/null
+++ b/usr/src/cmd/svc/servinfo/servinfo.c
@@ -0,0 +1,285 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * This file delivers /usr/lib/servinfo which provides description for
+ * IANA and running RPC services. Given a IANA name or RPC program name
+ * or number, the program uses getservbyname(3SOCKET) and rpcbind(3NSL)
+ * to obtain port and proto information for the specified service.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <netconfig.h>
+#include <netdb.h>
+#include <rpc/rpc.h>
+#include <rpc/rpcent.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdir.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <libintl.h>
+#include <locale.h>
+
+#ifndef TEXT_DOMAIN
+#define TEXT_DOMAIN "SUNW_OST_OSCMD"
+#endif /* TEXT_DOMAIN */
+
+#define TCP "tcp"
+#define TCP6 "tcp6"
+#define UDP "udp"
+#define UDP6 "udp6"
+
+#define DEFAULT 0x1
+#define PORT 0x2
+#define PROTO 0x4
+
+#define NETID_LEN 12 /* length for a netid or 2^16 port value */
+
+static void
+usage(char *arg0)
+{
+ (void) fprintf(stderr, gettext("Usage: %s [-R] [-Pp] [-tu[6]] "
+ "-s service_name\n"), arg0);
+}
+
+static rpcport_t
+uaddr2port(char *addr)
+{
+ rpcport_t port = 0;
+ char *dot, *p;
+
+ if ((dot = strrchr(addr, '.')) == 0) {
+ return (0);
+ } else {
+ if (dot == addr)
+ return (0);
+
+ p = dot - 1;
+ while (*p != '.') {
+ /*
+ * If the first dot hasn't been seen, it's a
+ * malformed universal address.
+ */
+ if (p == addr)
+ return (0);
+ p--;
+ }
+
+ port = strtol(p + 1, &dot, 10) << 8;
+ port = port | strtol(dot + 1, (char **)NULL, 10);
+ }
+
+ return (port);
+}
+
+static int
+svc_getrpcinfo(char *sname, char *sproto, int options)
+{
+ struct netconfig *nconf;
+ struct rpcblist *blist;
+ int prognum = -1;
+ rpcport_t rpc_port;
+ struct rpcent rentry;
+ struct rpcent *rpc;
+ char line[LINE_MAX] = "";
+ int line_len = LINE_MAX - 1;
+ char buf[NETID_LEN];
+
+ prognum = atoi(sname);
+ if (prognum > 0)
+ rpc = (struct rpcent *)getrpcbynumber(prognum);
+ else
+ rpc = (struct rpcent *)getrpcbyname(sname);
+
+ /*
+ * If an entry doesn't exist, it could be a running program
+ * without a registered RPC entry.
+ */
+ if (rpc == NULL) {
+ if (prognum <= 0) {
+ (void) fprintf(stderr,
+ gettext("Can't get rpc entry\n"));
+ return (1);
+ }
+
+ rpc = &rentry;
+ rpc->r_number = prognum;
+ rpc->r_name = sname;
+ }
+
+ if (setnetconfig() == NULL) {
+ (void) fprintf(stderr, gettext("setnetconfig failed\n"));
+ return (1);
+ }
+
+ if ((nconf = getnetconfigent(TCP)) == NULL) {
+ (void) fprintf(stderr, gettext("getnetconfig failed\n"));
+ return (1);
+ }
+
+ if ((blist = (struct rpcblist *)rpcb_getmaps(nconf, "localhost"))
+ == NULL) {
+ (void) fprintf(stderr,
+ gettext("Failed: rpcb_getmaps failed\n"));
+ return (1);
+ }
+
+ for (; blist != NULL; blist = blist->rpcb_next) {
+ if (blist->rpcb_map.r_prog != rpc->r_number)
+ continue;
+
+ if (sproto) {
+ if (strcmp(blist->rpcb_map.r_netid, sproto) != 0)
+ continue;
+ } else {
+ if (strcmp(blist->rpcb_map.r_netid, UDP) &&
+ strcmp(blist->rpcb_map.r_netid, UDP6) &&
+ strcmp(blist->rpcb_map.r_netid, TCP) &&
+ strcmp(blist->rpcb_map.r_netid, TCP6))
+ continue;
+ }
+ rpc_port = uaddr2port(blist->rpcb_map.r_addr);
+
+ if (options & DEFAULT) {
+ (void) printf("Program %ld\n", blist->rpcb_map.r_prog);
+ (void) printf("Protocol %s\n", blist->rpcb_map.r_netid);
+ (void) printf("Port %ld\n", rpc_port);
+ (void) printf("Version %ld\n", blist->rpcb_map.r_vers);
+ (void) printf("Name %s\n", rpc->r_name);
+
+ } else if (options & PROTO) {
+ if (strstr(line, blist->rpcb_map.r_netid))
+ continue;
+
+ (void) snprintf(buf, sizeof (buf), "%5s ",
+ blist->rpcb_map.r_netid);
+
+ if (strlen(buf) > line_len)
+ continue;
+
+ line_len = line_len - strlen(buf);
+ (void) strlcat(line, buf, sizeof (line));
+ } else {
+ (void) snprintf(buf, sizeof (buf), "%-7ld ", rpc_port);
+
+ if (strstr(line, buf) || strlen(buf) > line_len)
+ continue;
+
+ line_len = line_len - strlen(buf);
+ (void) strlcat(line, buf, sizeof (line));
+ }
+ }
+
+ /*
+ * Print the concatenated output if options is PROTO or PORT.
+ */
+ if (options & (PROTO | PORT))
+ (void) puts(line);
+
+ return (0);
+}
+
+int
+main(int argc, char *argv[])
+{
+ struct servent *service;
+ char *sname = NULL;
+ char *sproto = NULL;
+ int options = DEFAULT;
+ int c, isrpc = 0, v6_flag = 0;
+
+ (void) setlocale(LC_ALL, "");
+ (void) textdomain(TEXT_DOMAIN);
+
+ optind = 1;
+ opterr = 1;
+ while ((c = getopt(argc, argv, "s:PplRtu6?")) != -1) {
+ switch (c) {
+ case 's':
+ sname = optarg;
+ break;
+ case 't':
+ sproto = TCP;
+ break;
+ case 'u':
+ sproto = UDP;
+ break;
+ case '6':
+ v6_flag = 1;
+ break;
+ case 'P':
+ options = PROTO;
+ break;
+ case 'p':
+ options = PORT;
+ break;
+ case 'R':
+ isrpc = 1;
+ break;
+ default:
+ usage(argv[0]);
+ return (1);
+ }
+ }
+ if (sname == NULL) {
+ usage(argv[0]);
+ return (1);
+ }
+
+ /*
+ * Specified service is an RPC service.
+ */
+ if (isrpc) {
+ if (sproto && v6_flag) {
+ if (strcmp(sproto, TCP) == 0)
+ sproto = TCP6;
+ if (strcmp(sproto, UDP) == 0)
+ sproto = UDP6;
+ }
+
+ return (svc_getrpcinfo(sname, sproto, options));
+ }
+
+ if ((service = getservbyname(sname, sproto)) == NULL) {
+ (void) fprintf(stderr, gettext(
+ "Failed to get information for %s\n"), sname);
+ return (1);
+ }
+
+ if (options & DEFAULT) {
+ (void) printf("Name %s\n", service->s_name);
+ (void) printf("Protocol %s\n", service->s_proto);
+ (void) printf("Port %d\n", htons(service->s_port));
+ } else if (options & PROTO)
+ (void) printf("%s\n", service->s_proto);
+ else
+ (void) printf("%d\n", htons(service->s_port));
+
+ return (0);
+}
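Review bot: In svc_getrpcinfo the `-P` de-duplication uses `strstr(line, blist->rpcb_map.r_netid)`, and since `tcp` is a substring of `tcp6` (likewise `udp`/`udp6`) a program registered on both netids with the IPv6 one listed first will have its `tcp` entry dropped from the output; format `buf` first and test for the padded token instead: `(void) snprintf(buf, sizeof (buf), "%5s ", blist->rpcb_map.r_netid);` followed by `if (strstr(line, buf)) continue;`. uaddr2port does not range-check the two octets it parses (each must be 0..255) or the strtol results, so a malformed universal address from rpcbind yields an arbitrary port number that then feeds firewall rule generation; rejecting values outside 0..255 by returning 0, which callers already treat as "no port", would be safer. The `%ld` conversions for r_prog, r_vers and rpc_port are only correct if those rpc types are long-sized on this platform; if they are 32-bit the format should be `%u` or `%" PRIu32 "` (inttypes.h is already included). Finally the getopt string `"s:PplRtu6?"` accepts `l` but no case handles it, so `-l` falls into the usage path — either drop it or document it.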
diff --git a/usr/src/cmd/svc/shell/Makefile b/usr/src/cmd/svc/shell/Makefile
index 7f3238d95f..b55c507c4f 100644
--- a/usr/src/cmd/svc/shell/Makefile
+++ b/usr/src/cmd/svc/shell/Makefile
@@ -18,10 +18,9 @@
#
# CDDL HEADER END
#
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-#ident "%Z%%M% %I% %E% SMI"
include ../../Makefile.cmd
@@ -31,6 +30,7 @@ FILEMODE = 0444
SRCS = \
fs_include.sh \
+ ipf_include.sh \
net_include.sh \
routing_include.sh \
smf_include.sh
diff --git a/usr/src/cmd/svc/shell/ipf_include.sh b/usr/src/cmd/svc/shell/ipf_include.sh
new file mode 100644
index 0000000000..1d750eea1b
--- /dev/null
+++ b/usr/src/cmd/svc/shell/ipf_include.sh
@@ -0,0 +1,981 @@
+#!/sbin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+ETC_IPF_DIR=/etc/ipf
+IP6FILCONF=$ETC_IPF_DIR/ipf6.conf
+IPNATCONF=$ETC_IPF_DIR/ipnat.conf
+IPPOOLCONF=$ETC_IPF_DIR/ippool.conf
+VAR_IPF_DIR=/var/tmp/ipf
+IPFILCONF=$VAR_IPF_DIR/ipf.conf
+IPFILOVRCONF=$VAR_IPF_DIR/ipf_ovr.conf
+IPF_LOCK=/var/run/ipflock
+CONF_FILES=""
+NAT_FILES=""
+IPF_SUFFIX=".ipf"
+NAT_SUFFIX=".nat"
+
+# version for configuration upgrades
+CURRENT_VERSION=1
+
+IPF_FMRI="svc:/network/ipfilter:default"
+INETDFMRI="svc:/network/inetd:default"
+RPCBINDFMRI="svc:/network/rpc/bind:default"
+
+SMF_ONLINE="online"
+SMF_MAINT="maintenance"
+SMF_NONE="none"
+
+FW_CONTEXT_PG="firewall_context"
+METHOD_PROP="ipf_method"
+
+FW_CONFIG_PG="firewall_config"
+POLICY_PROP="policy"
+APPLY2_PROP="apply_to"
+EXCEPTIONS_PROP="exceptions"
+
+FW_CONFIG_DEF_PG="firewall_config_default"
+FW_CONFIG_OVR_PG="firewall_config_override"
+CUSTOM_FILE_PROP="custom_policy_file"
+OPEN_PORTS_PROP="open_ports"
+
+PREFIX_HOST="host:"
+PREFIX_NET="network:"
+PREFIX_POOL="pool:"
+PREFIX_IF="if:"
+
+SERVINFO=/usr/lib/servinfo
+
+#
+# Given a service, gets its config pg name
+#
+get_config_pg()
+{
+ if [ "$1" = "$IPF_FMRI" ]; then
+ echo "$FW_CONFIG_DEF_PG"
+ else
+ echo "$FW_CONFIG_PG"
+ fi
+ return 0
+}
+
+#
+# Given a service, gets its firewall policy
+#
+get_policy()
+{
+ config_pg=`get_config_pg $1`
+ svcprop -p $config_pg/${POLICY_PROP} $1 2>/dev/null
+}
+
+get_global_def_policy()
+{
+ svcprop -p ${FW_CONFIG_DEF_PG}/${POLICY_PROP} $IPF_FMRI 2>/dev/null
+}
+
+#
+# Given a service, gets its firewall policy
+#
+get_exceptions()
+{
+ config_pg=`get_config_pg $1`
+ svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null
+}
+
+#
+# Given a service, gets its firewall policy
+#
+get_apply2_list()
+{
+ config_pg=`get_config_pg $1`
+ svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null
+}
+
+check_ipf_dir()
+{
+ [ -d $VAR_IPF_DIR ] && return 0
+ mkdir $VAR_IPF_DIR >/dev/null 2>&1 || return 1
+}
+
+#
+# fmri_to_file fmri suffix
+#
+fmri_to_file()
+{
+ check_ipf_dir || return 1
+ fprefix="${VAR_IPF_DIR}/`echo $1 | tr -s '/:' '__'`"
+ echo "${fprefix}${2}"
+}
+
+#
+# Return service's enabled property
+#
+service_is_enabled()
+{
+ #
+ # Temporary enabled state overrides the persistent state
+ # so check it first.
+ #
+ enabled_ovr=`svcprop -c -p general_ovr/enabled $1 2>/dev/null`
+ if [ -n "$enabled_ovr" ]; then
+ [ "$enabled_ovr" = "true" ] && return 0 || return 1
+ fi
+
+ enabled=`svcprop -c -p general/enabled $1 2>/dev/null`
+ [ -n "$enabled" -a "$enabled" = "true" ] && return 0 || return 1
+}
+
+#
+# Return whether service is desired state
+#
+# Args: fmri state
+# Return:
+# 0 - desired state is service's current state
+# 1 - desired state is not service's current state
+#
+service_check_state()
+{
+ #
+ # Make sure we're done with ongoing state transition
+ #
+ while [ "`svcprop -p restarter/next_state $1`" != "$SMF_NONE" ]; do
+ sleep 1
+ done
+
+ [ "`svcprop -p restarter/state $1`" = "$2" ] && return 0 || return 1
+}
+
+#
+# Deny/Allow list stores values in the form "host:addr", "network:addr/netmask",
+# "pool:number", and "if:interface". This function returns the
+# IP(addr or addr/netmask) value or a pool number.
+#
+get_IP()
+{
+ value_is_interface $1 && return 1
+ echo "$1" | sed -n -e 's,^pool:\(.*\),pool/\1,p' \
+ -e 's,^host:\(.*\),\1,p' \
+ -e 's,^network:\(.*\),\1,p'
+}
+
+get_interface()
+{
+ value_is_interface $1 || return 1
+ scratch=`echo "$1" | sed -e 's/^if://'`
+
+ ifconfig $scratch >/dev/null 2>&1 || return 1
+ echo $scratch | sed -e 's/:.*//'
+}
+
+#
+#
+#
+value_is_interface()
+{
+ [ -z "$1" ] && return 1
+ echo $1 | grep "^if:" >/dev/null 2>&1
+}
+
+#
+# Remove rules in given file from active list without restarting ipfilter
+#
+remove_rules()
+{
+ [ -f "$1" ] && ipf -r -f $1 >/dev/null 2>&1
+}
+
+remove_nat_rules()
+{
+ [ -f "$1" ] && ipnat -r -f $1 >/dev/null 2>&1
+}
+
+check_ipf_syntax()
+{
+ ipf -n -f $1 >/dev/null 2>&1
+}
+
+check_nat_syntax()
+{
+ ipnat -n -f $1 >/dev/null 2>&1
+}
+
+file_get_ports()
+{
+ ipf -n -v -f $1 2>/dev/null | sed -n -e \
+ 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
+ awk '{if (length($0) > 1) {printf("%s ", $1)}}'
+}
+
+get_active_ports()
+{
+ ipfstat -io 2>/dev/null | sed -n -e \
+ 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
+ awk '{if (length($0) > 1) {printf("%s ",$1)}}'
+}
+
+#
+# Given two list of ports, return failure if there's a duplicate.
+#
+sets_check_duplicate()
+{
+ #
+ # If either list is empty, there isn't any conflict.
+ #
+ [ -z "$1" -o -z "$2" ] && return 0
+
+ for p in $1; do
+ for ap in $2; do
+ [ "$p" = "$ap" ] && return 1
+ done
+ done
+
+ return 0
+}
+
+#
+# Given a file containing ipf rules, check the syntax and verify
+# the rules don't conflict, use same port number, with active
+# rules (ipfstat -io output).
+#
+update_check_ipf_rules()
+{
+ check_ipf_syntax $1 || return 1
+
+ lports=`file_get_ports $1`
+ lactive_ports=`get_active_ports`
+
+ sets_check_duplicate "$lports" "$lactive_ports" || return 1
+}
+
+server_port_list=""
+
+#
+# Given a file containing ipf rules, check the syntax and verify
+# the rules don't conflict with already processed services.
+#
+# The list of processed services' ports are maintained in the global
+# variable 'server_port_list'.
+#
+check_ipf_rules()
+{
+ check_ipf_syntax $1 || return 1
+
+ lports=`file_get_ports $1`
+ sets_check_duplicate "$lports" "$server_port_list" || return 1
+ server_port_list="$server_port_list $lports"
+ return 0
+}
+
+prepend_new_rules()
+{
+ check_ipf_syntax $1 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \
+ ipf -f - >/dev/null 2>&1
+}
+
+append_new_rules()
+{
+ check_ipf_syntax $1 && ipf -f $1 >/dev/null 2>&1
+}
+
+append_new_nat_rules()
+{
+ check_nat_syntax $1 && ipnat -f $1 >/dev/null 2>&1
+}
+
+#
+# get port information from string of the form "proto:{port | port-port}"
+#
+tuple_get_port()
+{
+ port_str=`echo "$1" | sed -e 's/ //g; s/.*://' 2>/dev/null`
+ [ -z "$port_str" ] && return 1
+
+ echo $port_str | grep "-" >/dev/null
+ if [ $? -eq 0 ]; then
+ echo $port_str | grep '^[0-9]\{1,5\}-[0-9]\{1,5\}$' >/dev/null || \
+ return 1
+ ports=`echo $port_str | ( IFS=- read a b ; \
+ [ $a \-le $b ] && echo $a $b || echo $b $a )`
+
+ for p in $ports; do
+ [ $p -gt 65535 ] && return 1
+ done
+ echo "$ports"
+ else
+ #
+ # port_str is a single port, verify and return it.
+ #
+ echo "$port_str" | grep '^[0-9]\{1,5\}$' >/dev/null || return 1
+ [ $port_str -gt 65535 ] && return 1
+ echo "$port_str"
+ fi
+}
+
+#
+# get proto info from string of the form "{tcp | udp}:port"
+#
+tuple_get_proto()
+{
+ proto=`echo "$1" | sed -e 's/ //g; s/:.*//' 2>/dev/null`
+ [ -z "$proto" ] && return 0
+
+ [ "$proto" = "tcp" -o "$proto" = "udp" ] && echo $proto || return 1
+ return 0
+}
+
+ipf_get_lock()
+{
+ newpid=$$
+
+ if [ -f "$IPF_LOCK/pid" ]; then
+ curpid=`cat $IPF_LOCK/pid 2>/dev/null`
+ [ "$curpid" = "$newpid" ] && return 0
+
+ #
+ # Clear lock if the owning process is no longer around.
+ #
+ ps -p $curpid >/dev/null 2>&1 || rm -r $IPF_LOCK >/dev/null 2>&1
+ fi
+
+ #
+ # Grab the lock
+ #
+ while :; do
+ mkdir $IPF_LOCK 2>/dev/null && break;
+ sleep 1
+ done
+ echo $newpid > $IPF_LOCK/pid
+}
+
+#
+# Remove lock if it's ours
+#
+ipf_remove_lock()
+{
+ if [ -f "$IPF_LOCK/pid" ]; then
+ [ "`cat $IPF_LOCK/pid`" = "$$" ] && rm -r $IPF_LOCK
+ fi
+ return 0
+}
+
+#
+# Make IPFILCONF, /var/tmp/ipf/ipf.conf, a symlink to the input file argument.
+#
+custom_set_symlink()
+{
+ #
+ # Nothing to do if the input file doesn't exist or
+ # if the input file is the "/etc/ipf/ipf.conf" file.
+ #
+ [ ! -f "$1" ] && return 0
+
+ rm $IPFILCONF >/dev/null 2>&1
+ ln -s $1 $IPFILCONF >/dev/null 2>&1
+}
+
+#
+# New file replaces original file if they have different content
+#
+replace_file()
+{
+ orig=$1
+ new=$2
+
+ #
+ # IPFILCONF may be a symlink, remove it if that's the case
+ #
+ if [ -L "$orig" ]; then
+ rm $orig
+ touch $orig
+ fi
+
+ mv $new $orig && return 0 || return 1
+}
+
+#
+# Given a service, gets the following details for ipf rule:
+# - policy
+# - protocol
+# - port(IANA port obtained by running servinfo)
+#
+process_server_svc()
+{
+ service=$1
+ ip="any"
+ policy=`get_policy ${service}`
+
+ #
+ # Empties service's rules file so callers won't use existing rule if
+ # we fail here.
+ #
+ file=`fmri_to_file $service $IPF_SUFFIX`
+ [ -z "$file" ] && return 1
+ echo "# $service" >${file}
+
+ #
+ # Nothing to do if policy is "use_global"
+ #
+ [ "$policy" = "use_global" ] && return 0
+
+ restarter=`svcprop -p general/restarter $service 2>/dev/null`
+ if [ "$restarter" = "$INETDFMRI" ]; then
+ iana_name=`svcprop -p inetd/name $service 2>/dev/null`
+ isrpc=`svcprop -p inetd/isrpc $service 2>/dev/null`
+ else
+ iana_name=`svcprop -p $FW_CONTEXT_PG/name $service 2>/dev/null`
+ isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $service 2>/dev/null`
+ fi
+
+ #
+ # Bail if iana_name isn't defined. Services with static rules
+ # like nis/client don't need to generate rules using
+ # iana name and protocol information.
+ #
+ [ -z "$iana_name" ] && return 1
+
+ #
+ # RPC services
+ #
+ if [ "$isrpc" = "true" ]; then
+ tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
+ if [ -n "$tports" ]; then
+ for tport in $tports; do
+ generate_rules $service $policy "tcp" \
+ $ip $tport $file
+ done
+ fi
+
+ uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
+ if [ -n "$uports" ]; then
+ for uport in $uports; do
+ generate_rules $service $policy "udp" \
+ $ip $uport $file
+ done
+ fi
+
+ return 0
+ fi
+
+ #
+ # Get the IANA port and supported protocols(tcp and udp)
+ # No support for IPv6 at this point.
+ #
+ tport=`$SERVINFO -p -t -s $iana_name 2>&1`
+ if [ $? -eq 0 -a -n "$tport" ]; then
+ generate_rules $service $policy "tcp" $ip $tport $file
+ fi
+
+ uport=`$SERVINFO -p -u -s $iana_name 2>&1`
+ if [ $? -eq 0 -a -n "$uport" ]; then
+ generate_rules $service $policy "udp" $ip $uport $file
+ fi
+
+ return 0
+}
+
+#
+# Given a service's name, policy, protocol and port, generate ipf rules
+# - list of host/network/interface to apply policy
+#
+# A 'use_global' policy inherits the system-wided Global Default policy
+# from network/ipfilter. For {deny | allow} policies, the rules are
+# ordered as:
+#
+# - make exceptions to policy for those in "exceptions" list
+# - apply policy to those specified in "apply_to" list
+# - policy rule
+#
+generate_rules()
+{
+ service=$1
+ mypolicy=$2
+ proto=$3
+ ip=$4
+ port=$5
+ out=$6
+
+ #
+ # Default mode is to inherit from global's policy
+ #
+ [ "$mypolicy" = "use_global" ] && return 0
+
+ tcp_opts=""
+ [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags"
+
+ #
+ # Allow all if policy is 'none'
+ #
+ if [ "$mypolicy" = "none" ]; then
+ echo "pass in log quick proto ${proto} from any to ${ip}" \
+ "port = ${port} ${tcp_opts}" >>${out}
+ return 0
+ fi
+
+ #
+ # For now, let's concern only with incoming traffic.
+ #
+ [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block"; }
+ [ "$mypolicy" = "allow" ] && { ecmd="block"; acmd="pass"; }
+
+ for name in `get_exceptions $service`; do
+ [ -z "$name" -o "$name" = '""' ] && continue
+
+ ifc=`get_interface $name`
+ if [ $? -eq 0 -a -n "$ifc" ]; then
+ echo "${ecmd} in log quick on ${ifc} from any to" \
+ "${ip} port = ${port}" >>${out}
+ continue
+ fi
+
+ addr=`get_IP ${name}`
+ if [ $? -eq 0 -a -n "$addr" ]; then
+ echo "${ecmd} in log quick proto ${proto} from ${addr}" \
+ "to ${ip} port = ${port} ${tcp_opts}" >>${out}
+ fi
+ done
+
+ for name in `get_apply2_list $service`; do
+ [ -z "$name" -o "$name" = '""' ] && continue
+
+ ifc=`get_interface $name`
+ if [ $? -eq 0 -a -n "$ifc" ]; then
+ echo "${acmd} in log quick on ${ifc} from any to" \
+ "${ip} port = ${port}" >>${out}
+ continue
+ fi
+
+ addr=`get_IP ${name}`
+ if [ $? -eq 0 -a -n "$addr" ]; then
+ echo "${acmd} in log quick proto ${proto} from ${addr}" \
+ "to ${ip} port = ${port} ${tcp_opts}" >>${out}
+ fi
+ done
+
+ echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \
+ "port = ${port} ${tcp_opts}" >>${out}
+
+ return 0
+}
+
+#
+# Service has either IANA ports and proto or its own firewall method to
+# generate the rules.
+#
+# - if service has a custom method, use it to populate its rules
+# - if service has a firewall_config pg, use process_server_svc
+#
+# Argument - fmri
+#
+process_service()
+{
+ #
+ # Don't process network/ipfilter
+ #
+ [ "$1" = "$IPF_FMRI" ] && return 0
+
+ service_check_state $1 $SMF_MAINT && return 1
+
+ method=`svcprop -p $FW_CONTEXT_PG/$METHOD_PROP $1 2>/dev/null | \
+ sed 's/\\\//g'`
+ if [ -n "$method" -a "$method" != '""' ]; then
+ ( exec $method $1 >/dev/null )
+ else
+ svcprop -p $FW_CONFIG_PG $1 >/dev/null 2>&1 || return 1
+ process_server_svc $1 || return 1
+ fi
+ return 0
+}
+
+#
+# Generate rules for protocol/port defined in firewall_config_default/open_ports
+# property. These are non-service programs whose network resource info are
+# defined as "{tcp | upd}:{PORT | PORT-PORT}". Essentially, these programs need
+# some specific local ports to be opened. For example, BitTorrent clients need to
+# have 6881-6889 opened.
+#
+process_nonsvc_progs()
+{
+ out=$1
+ echo "# Non-service programs rules" >>${out}
+ progs=`svcprop -p ${FW_CONFIG_DEF_PG}/${OPEN_PORTS_PROP} \
+ $SMF_FMRI 2>/dev/null`
+
+ for prog in $progs; do
+ [ -z "$prog" -o "$prog" = '""' ] && continue
+
+ port=`tuple_get_port $prog`
+ [ $? -eq 1 -o -z "$port" ] && continue
+
+ proto=`tuple_get_proto $prog`
+ [ $? -eq 1 ] && continue
+
+ set -- $port
+ if [ $# -gt 1 ]; then
+ if [ -z "$proto" ]; then
+ echo "pass in log quick from any to any" \
+ "port ${1} >< ${2}" >>${out}
+ else
+ echo "pass in log quick proto ${proto} from any" \
+ "to any port ${1} >< ${2}" >>${out}
+ fi
+ else
+ if [ -z "$proto" ]; then
+ echo "pass in log quick from any to any" \
+ "port = ${1}" >>${out}
+ else
+ echo "pass in log quick proto ${proto} from any" \
+ "to any port = ${1}" >>${out}
+ fi
+ fi
+ done
+
+ return 0
+}
+
+#
+# Generate a new /etc/ipf/ipf.conf. If firewall policy is 'none',
+# ipf.conf is empty .
+#
+create_global_rules()
+{
+ policy=`get_global_def_policy`
+
+ if [ "$policy" = "custom" ]; then
+ file=`svcprop -p ${FW_CONFIG_DEF_PG}/${CUSTOM_FILE_PROP} $SMF_FMRI`
+
+ [ -n "$file" ] && custom_set_symlink $file
+ return 0
+ fi
+
+ TEMP=`mktemp /var/run/ipf.conf.pid$$.XXXXXX`
+ process_nonsvc_progs $TEMP
+
+ echo "# Global Default rules" >>${TEMP}
+ if [ "$policy" != "none" ]; then
+ echo "pass out log quick all keep state" >>${TEMP}
+ fi
+
+ case "$policy" in
+ 'none')
+ # No rules
+ replace_file ${IPFILCONF} ${TEMP}
+ return $?
+ ;;
+
+ 'deny')
+ ecmd="pass"
+ acmd="block"
+ ;;
+
+ 'allow')
+ ecmd="block"
+ acmd="pass"
+ ;;
+ *)
+ return 1;
+ ;;
+ esac
+
+ for name in `get_exceptions $SMF_FMRI`; do
+ [ -z "$name" -o "$name" = '""' ] && continue
+
+ ifc=`get_interface $name`
+ if [ $? -eq 0 -a -n "$ifc" ]; then
+ echo "${ecmd} in log quick on ${ifc} all" >>${TEMP}
+ continue
+ fi
+
+ addr=`get_IP ${name}`
+ if [ $? -eq 0 -a -n "$addr" ]; then
+ echo "${ecmd} in log quick from ${addr} to any" >>${TEMP}
+ fi
+
+ done
+
+ for name in `get_apply2_list $SMF_FMRI`; do
+ [ -z "$name" -o "$name" = '""' ] && continue
+
+ ifc=`get_interface $name`
+ if [ $? -eq 0 -a -n "$ifc" ]; then
+ echo "${acmd} in log quick on ${ifc} all" >>${TEMP}
+ continue
+ fi
+
+ addr=`get_IP ${name}`
+ if [ $? -eq 0 -a -n "$addr" ]; then
+ echo "${acmd} in log quick from ${addr} to any" >>${TEMP}
+ fi
+ done
+
+ if [ "$policy" = "allow" ]; then
+ #
+ # Allow DHCP traffic if running as a DHCP client
+ #
+ /sbin/netstrategy | grep dhcp >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo "pass out log quick from any port = 68" \
+ "keep state" >>${TEMP}
+ echo "pass out log quick from any port = 546" \
+ "keep state" >>${TEMP}
+ echo "pass in log quick from any to any port = 68" >>${TEMP}
+ echo "pass in log quick from any to any port = 546" >>${TEMP}
+ fi
+ echo "block in log all" >>${TEMP}
+ fi
+
+ replace_file ${IPFILCONF} ${TEMP}
+ return $?
+}
+
+#
+# Generate a new /etc/ipf/ipf_ovr.conf, the override system-wide policy. It's
+# a simplified policy that doesn't support 'exceptions' entities.
+#
+# If firewall policy is "none", no rules are generated.
+#
+# Note that "pass" rules don't have "quick" as we don't want
+# them to override services' block rules.
+#
+create_global_ovr_rules()
+{
+ #
+ # Simply empty override file if global policy is 'custom'
+ #
+ if [ "`get_global_def_policy`" = "custom" ]; then
+ echo "# 'custom' global policy" >$IPFILOVRCONF
+ return 0
+ fi
+
+ #
+ # Get and process override policy
+ #
+ ovr_policy=`svcprop -p ${FW_CONFIG_OVR_PG}/${POLICY_PROP} $IPF_FMRI`
+ TEMP=`mktemp /var/run/ipf_ovr.conf.pid$$.XXXXXX`
+
+ [ "$ovr_policy" = "deny" ] && acmd="block in log quick"
+ [ "$ovr_policy" = "allow" ] && acmd="pass in log"
+
+ apply2_list=`svcprop -p $FW_CONFIG_OVR_PG/$APPLY2_PROP $IPF_FMRI`
+ for name in $apply2_list; do
+ [ -z "$name" -o "$name" = '""' ] && continue
+
+ ifc=`get_interface $name`
+ if [ $? -eq 0 -a -n "$ifc" ]; then
+ echo "${acmd} on ${ifc} all" >>${TEMP}
+ continue
+ fi
+
+ addr=`get_IP ${name}`
+ if [ $? -eq 0 -a -n "$addr" ]; then
+ echo "${acmd} from ${addr} to any" >>${TEMP}
+ fi
+ done
+
+ replace_file ${IPFILOVRCONF} ${TEMP}
+ return $?
+}
+
+#
+# Service is put into maintenance state due to its invalid firewall
+# definition and/or policy.
+#
+svc_mark_maintenance()
+{
+ svcadm mark maintenance $1 >/dev/null 2>&1
+
+ date=`date`
+ echo "[ $date ${0}: $1 has invalid ipf configuration. ]"
+ echo "[ $date ${0}: placing $1 in maintenance. ]"
+
+ #
+ # Move service's rule files to another location since
+ # they're most likely invalid.
+ #
+ ipfile=`fmri_to_file $1 $IPF_SUFFIX`
+ [ -f "$ipfile" ] && mv $ipfile "$ipfile.bak"
+
+ natfile=`fmri_to_file $1 $NAT_SUFFIX`
+ [ -f "$natfile" ] && mv $natfile "$natfile.bak"
+
+ return 0
+}
+
+svc_is_server()
+{
+ svcprop -p $FW_CONFIG_PG $1 >/dev/null 2>&1
+}
+
+#
+# Create rules for enabled firewalling and client services.
+# - obtain the list of enabled services and process them
+# - save the list of rules file for later use
+#
+create_services_rules()
+{
+ #
+ # Do nothing if global policy is 'custom'
+ #
+ global_policy=`get_global_def_policy`
+ [ "$global_policy" = "custom" ] && return 0
+
+ ipf_get_lock
+
+ #
+ # Get all enabled services
+ #
+ allsvcs=`svcprop -cf -p general/enabled -p general_ovr/enabled '*' \
+ 2>/dev/null | sed -n 's,^\(svc:.*\)/:properties/.* true$,\1,p' | sort -u`
+
+ #
+ # Process enabled services
+ #
+ for s in $allsvcs; do
+ service_is_enabled $s || continue
+ process_service $s || continue
+
+ ipfile=`fmri_to_file $s $IPF_SUFFIX`
+ if [ -n "$ipfile" -a -r "$ipfile" ]; then
+ check_ipf_syntax $ipfile
+ if [ $? -ne 0 ]; then
+ svc_mark_maintenance $s
+ continue
+ fi
+
+ svc_is_server $s
+ if [ $? -eq 0 ]; then
+ check_ipf_rules $ipfile
+ if [ $? -ne 0 ]; then
+ svc_mark_maintenance $s
+ continue
+ fi
+ fi
+ CONF_FILES="$CONF_FILES $ipfile"
+ fi
+
+ natfile=`fmri_to_file $s $NAT_SUFFIX`
+ if [ -n "$natfile" -a -r "$natfile" ]; then
+ check_nat_syntax $natfile
+ if [ $? -ne 0 ]; then
+ svc_mark_maintenance $s
+ continue
+ fi
+
+ NAT_FILES="$NAT_FILES $natfile"
+ fi
+ done
+
+ ipf_remove_lock
+ return 0
+}
+
+#
+# We update a services ipf ruleset in the following manners:
+# - service is disabled, tear down its rules.
+# - service is disable or refreshed(online), setup or update its rules.
+#
+service_update_rules()
+{
+ #
+ # If ipfilter isn't online or global policy is 'custom',
+ # nothing should be done.
+ #
+ service_check_state $SMF_FMRI $SMF_ONLINE || return 0
+ [ "`get_global_def_policy`" = "custom" ] && return 0
+
+ svc=$1
+
+ ipfile=`fmri_to_file $svc $IPF_SUFFIX`
+ [ -z "$ipfile" ] && return 0
+
+ remove_rules $ipfile
+
+ natfile=`fmri_to_file $svc $NAT_SUFFIX`
+ [ -n "$natfile" ] && remove_nat_rules $natfile
+
+ #
+ # Don't go further if service is disabled or in maintenance.
+ #
+ service_is_enabled $svc || return 0
+ service_check_state $1 $SMF_MAINT && return 0
+
+ process_service $svc || return 1
+ if [ -f "$ipfile" ]; then
+ check_ipf_syntax $ipfile
+ if [ $? -ne 0 ]; then
+ svc_mark_maintenance $svc
+ return 1
+ fi
+ fi
+
+ if [ -f "$natfile" ]; then
+ check_nat_syntax $natfile
+ if [ $? -ne 0 ]; then
+ svc_mark_maintenance $svc
+ return 1
+ fi
+ fi
+
+ if [ -f "$ipfile" ]; then
+ svc_is_server $svc
+ if [ $? -eq 0 ]; then
+ update_check_ipf_rules $ipfile
+ if [ $? -ne 0 ]; then
+ svc_mark_maintenance $svc
+ return 1
+ fi
+ fi
+
+ prepend_new_rules $ipfile
+
+ #
+ # reload Global Override rules to
+ # maintain correct ordering.
+ #
+ remove_rules $IPFILOVRCONF
+ prepend_new_rules $IPFILOVRCONF
+ fi
+
+ [ -f "$natfile" ] && append_new_nat_rules $natfile
+
+ return 0
+}
+
+#
+# Call the service_update_rules with appropriate svc fmri.
+#
+# This is called from '/lib/svc/method/ipfilter fw_update' whenever
+# a service is disabled/enabled/refreshed.
+#
+service_update()
+{
+ svc=$1
+ ret=0
+
+ ipf_get_lock
+ service_update_rules $svc || ret=1
+
+ ipf_remove_lock
+ return $ret
+}
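Review bot: The generated rule files, including IPFILCONF itself, are written under `VAR_IPF_DIR=/var/tmp/ipf`, and check_ipf_dir accepts whatever already exists at that path (`[ -d $VAR_IPF_DIR ] && return 0`) without confirming it is a real, root-owned directory; /var/tmp is normally world-writable, so a directory or symlink pre-created there by a local user would let that user read and tamper with the files this root-run script writes before `ipf -f` loads them, and the plain `mkdir` also leaves the directory's mode to the caller's umask. The lock and the mktemp scratch files already live under /var/run, so if the generated files do not need to outlive a reboot the simplest fix is `VAR_IPF_DIR=/var/run/ipf`; otherwise check_ipf_dir should at least refuse a symlink, `[ -d "$VAR_IPF_DIR" -a ! -L "$VAR_IPF_DIR" ] && return 0`, create with `mkdir -m 0755`, and verify ownership before returning success. Separately, service_check_state loops forever when `svcprop -p restarter/next_state` fails, since empty output never equals `none`, so a deleted or unreachable instance would hang create_services_rules and service_update_rules; the loop should test svcprop's exit status and return 1 on failure. The comment on custom_set_symlink also claims the function skips "/etc/ipf/ipf.conf" as input, but no such check exists in the body.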
diff --git a/usr/src/cmd/svc/shell/routing_include.sh b/usr/src/cmd/svc/shell/routing_include.sh
index bccba88d11..1f9495de40 100644
--- a/usr/src/cmd/svc/shell/routing_include.sh
+++ b/usr/src/cmd/svc/shell/routing_include.sh
@@ -20,10 +20,24 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
+
+#
+# IPfilter's firewall
+#
+# routed and its siblings use ICMP Router Discovery protocol, simply allow
+# these packets so the client portion of routed can work.
+#
+gen_IRDP_rules()
+{
+ # Allow incoming icmp from routers for successful discovery.
+ # IRDP - ICMP type 9 and 10, advertisement and solicitation, respectively.
+ #
+ echo "pass in log quick proto icmp from any to any icmp-type 10" >>${1}
+ echo "pass in log quick proto icmp from any to any icmp-type 9" >>${1}
+}
#
# These functions are used to help map daemon arguments to appropriate
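Review bot: gen_IRDP_rules passes inbound ICMP type 10 (router solicitation) as well as type 9 (advertisement) from any source, while the header comment justifies the rules only by the client side of routed, which consumes advertisements; if the solicitation rule exists for the router role, the comment should say so, otherwise it admits more inbound traffic than the stated purpose needs. The function also takes its output file as an undocumented positional argument; a one-line header such as `# gen_IRDP_rules file - append the IRDP pass rules to the given ipf rules file` would make the calling convention explicit.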
diff --git a/usr/src/cmd/svc/startd/graph.c b/usr/src/cmd/svc/startd/graph.c
index fe9ec901b6..fe17f6c4fc 100644
--- a/usr/src/cmd/svc/startd/graph.c
+++ b/usr/src/cmd/svc/startd/graph.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -3771,7 +3771,7 @@ lookup:
MUTEX_LOCK(&dgraph_lock);
- r = libscf_inst_delete_prop(inst, SCF_PG_OPTIONS_OVR,
+ r = scf_instance_delete_prop(inst, SCF_PG_OPTIONS_OVR,
SCF_PROPERTY_MILESTONE);
switch (r) {
case 0:
@@ -3791,7 +3791,7 @@ lookup:
break;
default:
- bad_error("libscf_inst_delete_prop", r);
+ bad_error("scf_instance_delete_prop", r);
}
MUTEX_UNLOCK(&dgraph_lock);
diff --git a/usr/src/cmd/svc/startd/libscf.c b/usr/src/cmd/svc/startd/libscf.c
index 243788dcb8..b9b38442e0 100644
--- a/usr/src/cmd/svc/startd/libscf.c
+++ b/usr/src/cmd/svc/startd/libscf.c
@@ -1576,170 +1576,12 @@ libscf_set_deathrow(scf_instance_t *inst, int deathrow)
}
/*
- * Returns
- * 0 - success
- * ECONNABORTED - repository connection broken
- * ECANCELED - inst was deleted
- * EPERM
- * EACCES
- * EROFS
- */
-int
-libscf_inst_delete_prop(scf_instance_t *inst, const char *pgname,
- const char *pname)
-{
- scf_handle_t *h;
- scf_propertygroup_t *pg;
- scf_transaction_t *tx;
- scf_transaction_entry_t *e;
- scf_error_t serr;
- int ret = 0, r;
-
- h = scf_instance_handle(inst);
- pg = safe_scf_pg_create(h);
-
- if (scf_instance_get_pg(inst, pgname, pg) != 0) {
- scf_pg_destroy(pg);
- switch (scf_error()) {
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- return (ECONNABORTED);
-
- case SCF_ERROR_DELETED:
- return (ECANCELED);
-
- case SCF_ERROR_NOT_FOUND:
- return (0);
-
- case SCF_ERROR_NOT_SET:
- bad_error("scf_instance_get_pg", scf_error());
- }
- }
-
- tx = safe_scf_transaction_create(h);
- e = safe_scf_entry_create(h);
-
- for (;;) {
- if (scf_transaction_start(tx, pg) != 0) {
- switch (scf_error()) {
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- ret = ECONNABORTED;
- goto out;
-
- case SCF_ERROR_DELETED:
- ret = 0;
- goto out;
-
- case SCF_ERROR_PERMISSION_DENIED:
- ret = EPERM;
- goto out;
-
- case SCF_ERROR_BACKEND_ACCESS:
- ret = EACCES;
- goto out;
-
- case SCF_ERROR_BACKEND_READONLY:
- ret = EROFS;
- goto out;
-
- case SCF_ERROR_HANDLE_MISMATCH:
- case SCF_ERROR_INVALID_ARGUMENT:
- case SCF_ERROR_NOT_SET:
- bad_error("scf_transaction_start", scf_error());
- }
- }
-
- if (scf_transaction_property_delete(tx, e, pname) != 0) {
- switch (scf_error()) {
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- ret = ECONNABORTED;
- goto out;
-
- case SCF_ERROR_DELETED:
- case SCF_ERROR_NOT_FOUND:
- ret = 0;
- goto out;
-
- case SCF_ERROR_NOT_SET:
- case SCF_ERROR_HANDLE_MISMATCH:
- case SCF_ERROR_NOT_BOUND:
- case SCF_ERROR_INVALID_ARGUMENT:
- bad_error("scf_transaction_property_delete",
- scf_error());
- }
- }
-
- r = scf_transaction_commit(tx);
- if (r == 1)
- break;
- if (r != 0) {
- serr = scf_error();
- scf_transaction_reset(tx);
- switch (serr) {
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- ret = ECONNABORTED;
- goto out;
-
- case SCF_ERROR_DELETED:
- ret = 0;
- goto out;
-
- case SCF_ERROR_PERMISSION_DENIED:
- ret = EPERM;
- goto out;
-
- case SCF_ERROR_BACKEND_ACCESS:
- ret = EACCES;
- goto out;
-
- case SCF_ERROR_BACKEND_READONLY:
- ret = EROFS;
- goto out;
-
- case SCF_ERROR_NOT_SET:
- case SCF_ERROR_INVALID_ARGUMENT:
- case SCF_ERROR_NOT_BOUND:
- bad_error("scf_transaction_commit", serr);
- }
- }
-
- scf_transaction_reset(tx);
-
- if (scf_pg_update(pg) == -1) {
- switch (scf_error()) {
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- ret = ECONNABORTED;
- goto out;
-
- case SCF_ERROR_DELETED:
- ret = 0;
- goto out;
-
- case SCF_ERROR_NOT_SET:
- case SCF_ERROR_NOT_BOUND:
- bad_error("scf_pg_update", scf_error());
- }
- }
- }
-
-out:
- scf_transaction_destroy(tx);
- (void) scf_entry_destroy(e);
- scf_pg_destroy(pg);
- return (ret);
-}
-
-/*
* Returns 0, ECONNABORTED, ECANCELED, or EPERM.
*/
int
libscf_delete_enable_ovr(scf_instance_t *inst)
{
- return (libscf_inst_delete_prop(inst, SCF_PG_GENERAL_OVR,
+ return (scf_instance_delete_prop(inst, SCF_PG_GENERAL_OVR,
SCF_PROPERTY_ENABLED));
}
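Review bot: The comment on libscf_delete_enable_ovr still promises only 0, ECONNABORTED, ECANCELED or EPERM, yet the implementation it called until this commit also returned EACCES and EROFS, and its replacement scf_instance_delete_prop is a library routine whose return set is not visible in this diff; the callers switched over in graph.c fall through to bad_error on any value they do not list, so the contract should be checked against libscf and the comment updated to the actual set, e.g. `* Returns 0, ECONNABORTED, ECANCELED, EPERM or whatever else scf_instance_delete_prop() can return (verify).` once confirmed.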
diff --git a/usr/src/cmd/svc/startd/restarter.c b/usr/src/cmd/svc/startd/restarter.c
index 4b4e65ed6e..ea828797fc 100644
--- a/usr/src/cmd/svc/startd/restarter.c
+++ b/usr/src/cmd/svc/startd/restarter.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* restarter.c - service manipulation
*
@@ -1197,7 +1195,7 @@ unmaintain_instance(scf_handle_t *h, restarter_inst_t *rip,
"%s.\n", rip->ri_i.i_fmri, cp);
(void) restarter_instance_update_states(h, rip, RESTARTER_STATE_UNINIT,
- RESTARTER_STATE_NONE, RERR_RESTART, NULL);
+ RESTARTER_STATE_NONE, RERR_RESTART, "none");
/*
* If we did ADMIN_MAINT_ON_IMMEDIATE, then there might still be
@@ -1407,7 +1405,7 @@ start_instance(scf_handle_t *local_handle, restarter_inst_t *inst)
log_framework(LOG_DEBUG, "%s: starting instance.\n", inst->ri_i.i_fmri);
(void) restarter_instance_update_states(local_handle, inst,
- inst->ri_i.i_state, RESTARTER_STATE_ONLINE, RERR_NONE, NULL);
+ inst->ri_i.i_state, RESTARTER_STATE_ONLINE, RERR_NONE, "none");
info = startd_zalloc(sizeof (fork_info_t));
@@ -1417,11 +1415,27 @@ start_instance(scf_handle_t *local_handle, restarter_inst_t *inst)
inst->ri_method_thread = startd_thread_create(method_thread, info);
}
+static int
+event_from_tty(scf_handle_t *h, restarter_inst_t *rip)
+{
+ scf_instance_t *inst;
+ int ret = 0;
+
+ if (libscf_fmri_get_instance(h, rip->ri_i.i_fmri, &inst))
+ return (-1);
+
+ ret = restarter_inst_ractions_from_tty(inst);
+
+ scf_instance_destroy(inst);
+ return (ret);
+}
+
static void
maintain_instance(scf_handle_t *h, restarter_inst_t *rip, int immediate,
const char *aux)
{
fork_info_t *info;
+ scf_instance_t *scf_inst = NULL;
assert(PTHREAD_MUTEX_HELD(&rip->ri_lock));
assert(aux != NULL);
@@ -1439,6 +1453,31 @@ maintain_instance(scf_handle_t *h, restarter_inst_t *rip, int immediate,
return;
}
+ /*
+ * If aux state is "service_request" and
+ * restarter_actions/auxiliary_fmri property is set with a valid fmri,
+ * copy the fmri to restarter/auxiliary_fmri so svcs -x can use.
+ */
+ if (strcmp(aux, "service_request") == 0 && libscf_fmri_get_instance(h,
+ rip->ri_i.i_fmri, &scf_inst) == 0) {
+ if (restarter_inst_validate_ractions_aux_fmri(scf_inst) == 0) {
+ if (restarter_inst_set_aux_fmri(scf_inst))
+ log_framework(LOG_DEBUG, "%s: "
+ "restarter_inst_set_aux_fmri failed: ",
+ rip->ri_i.i_fmri);
+ } else {
+ log_framework(LOG_DEBUG, "%s: "
+ "restarter_inst_validate_ractions_aux_fmri "
+ "failed: ", rip->ri_i.i_fmri);
+
+ if (restarter_inst_reset_aux_fmri(scf_inst))
+ log_framework(LOG_DEBUG, "%s: "
+ "restarter_inst_reset_aux_fmri failed: ",
+ rip->ri_i.i_fmri);
+ }
+ scf_instance_destroy(scf_inst);
+ }
+
if (immediate || !instance_started(rip)) {
if (rip->ri_i.i_primary_ctid != 0) {
rip->ri_m_inst = safe_scf_instance_create(h);
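Review bot: The three log_framework messages added to maintain_instance end in `failed: ` with nothing after the colon, so the logged line trails off; either append the reason, presumably `scf_strerror(scf_error())` if these helpers leave the error in scf_error() (to be confirmed against their definitions), or drop the trailing `: `. The validation branch is the right shape for a defender: restarter_actions/auxiliary_fmri is service-writable input and is copied to restarter/auxiliary_fmri only after restarter_inst_validate_ractions_aux_fmri accepts it, but a comment stating that the reset on the failure path is deliberate so svcs -x never shows an unvalidated fmri would help the next reader. In the earlier hunk, event_from_tty returns -1 when libscf_fmri_get_instance fails and both call sites then attribute the event to `administrative_request`; if that default is intended, say so in a comment on the helper.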
@@ -1629,11 +1668,21 @@ again:
break;
case RESTARTER_EVENT_TYPE_ADMIN_MAINT_ON:
- maintain_instance(h, inst, 0, "administrative_request");
+ if (event_from_tty(h, inst) == 0)
+ maintain_instance(h, inst, 0,
+ "service_request");
+ else
+ maintain_instance(h, inst, 0,
+ "administrative_request");
break;
case RESTARTER_EVENT_TYPE_ADMIN_MAINT_ON_IMMEDIATE:
- maintain_instance(h, inst, 1, "administrative_request");
+ if (event_from_tty(h, inst) == 0)
+ maintain_instance(h, inst, 1,
+ "service_request");
+ else
+ maintain_instance(h, inst, 1,
+ "administrative_request");
break;
case RESTARTER_EVENT_TYPE_ADMIN_MAINT_OFF:
diff --git a/usr/src/cmd/svc/startd/startd.h b/usr/src/cmd/svc/startd/startd.h
index c563c10925..8cc61dd830 100644
--- a/usr/src/cmd/svc/startd/startd.h
+++ b/usr/src/cmd/svc/startd/startd.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -635,7 +635,6 @@ depgroup_type_t depgroup_read_grouping(scf_handle_t *, scf_propertygroup_t *);
restarter_error_t depgroup_read_restart(scf_handle_t *, scf_propertygroup_t *);
int libscf_set_enable_ovr(scf_instance_t *, int);
int libscf_set_deathrow(scf_instance_t *, int);
-int libscf_inst_delete_prop(scf_instance_t *, const char *, const char *);
int libscf_delete_enable_ovr(scf_instance_t *);
int libscf_get_milestone(scf_instance_t *, scf_property_t *, scf_value_t *,
char *, size_t);
diff --git a/usr/src/cmd/svc/svcadm/Makefile b/usr/src/cmd/svc/svcadm/Makefile
index a1a1299dda..5f63d351de 100644
--- a/usr/src/cmd/svc/svcadm/Makefile
+++ b/usr/src/cmd/svc/svcadm/Makefile
@@ -2,9 +2,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -20,10 +19,9 @@
# CDDL HEADER END
#
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-#ident "%Z%%M% %I% %E% SMI"
PROG = svcadm
OBJS = svcadm.o synch.o
@@ -33,7 +31,7 @@ POFILES = $(OBJS:.o=.po)
include ../../Makefile.cmd
POFILE = $(PROG)_all.po
-LDLIBS += -lscf -luutil
+LDLIBS += -lscf -luutil -lcontract
lint := LINTFLAGS = -ux
diff --git a/usr/src/cmd/svc/svcadm/svcadm.c b/usr/src/cmd/svc/svcadm/svcadm.c
index 1b39463419..34f5bd466c 100644
--- a/usr/src/cmd/svc/svcadm/svcadm.c
+++ b/usr/src/cmd/svc/svcadm/svcadm.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* svcadm - request adminstrative actions for service instances
*/
@@ -33,12 +31,17 @@
#include <libintl.h>
#include <libscf.h>
#include <libscf_priv.h>
+#include <libcontract.h>
+#include <libcontract_priv.h>
+#include <sys/contract/process.h>
#include <libuutil.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <fcntl.h>
+#include <procfs.h>
#include <assert.h>
#include <errno.h>
@@ -96,6 +99,8 @@ static struct ht_elt **visited;
void do_scfdie(int lineno) __NORETURN;
static void usage_milestone(void) __NORETURN;
+static void set_astring_prop(const char *, const char *, const char *,
+ uint32_t, const char *, const char *);
/*
* Visitors from synch.c, needed for enable -s and disable -s.
@@ -416,148 +421,121 @@ get_astring_prop(const scf_propertygroup_t *pg, const char *propname,
}
/*
- * Returns
- * 0 - success
- * ECANCELED - pg was deleted
- * EPERM - permission denied
- * EACCES - access denied
- * EROFS - readonly
+ * Returns 0 or EPERM.
*/
static int
-delete_prop(scf_propertygroup_t *pg, const char *propname)
+pg_get_or_add(const scf_instance_t *inst, const char *pgname,
+ const char *pgtype, uint32_t pgflags, scf_propertygroup_t *pg)
{
- scf_transaction_t *tx;
- scf_transaction_entry_t *ent;
- int ret = 0, r;
+again:
+ if (scf_instance_get_pg(inst, pgname, pg) == 0)
+ return (0);
- if ((tx = scf_transaction_create(h)) == NULL ||
- (ent = scf_entry_create(h)) == NULL)
+ if (scf_error() != SCF_ERROR_NOT_FOUND)
scfdie();
- for (;;) {
- if (scf_transaction_start(tx, pg) == -1) {
- switch (scf_error()) {
- case SCF_ERROR_DELETED:
- ret = ECANCELED;
- goto out;
-
- case SCF_ERROR_PERMISSION_DENIED:
- ret = EPERM;
- goto out;
-
- case SCF_ERROR_BACKEND_ACCESS:
- ret = EACCES;
- goto out;
-
- case SCF_ERROR_BACKEND_READONLY:
- ret = EROFS;
- goto out;
-
- case SCF_ERROR_CONNECTION_BROKEN:
- case SCF_ERROR_HANDLE_MISMATCH:
- case SCF_ERROR_NOT_BOUND:
- case SCF_ERROR_NOT_SET:
- case SCF_ERROR_IN_USE:
- default:
- scfdie();
- }
- }
-
- if (scf_transaction_property_delete(tx, ent, propname) == -1)
- switch (scf_error()) {
- case SCF_ERROR_DELETED:
- ret = ECANCELED;
- goto out;
-
- case SCF_ERROR_NOT_FOUND:
- ret = 0;
- goto out;
+ if (scf_instance_add_pg(inst, pgname, pgtype, pgflags, pg) == 0)
+ return (0);
- case SCF_ERROR_HANDLE_MISMATCH:
- case SCF_ERROR_NOT_BOUND:
- case SCF_ERROR_CONNECTION_BROKEN:
- case SCF_ERROR_INVALID_ARGUMENT:
- case SCF_ERROR_NOT_SET:
- default:
- scfdie();
- }
+ switch (scf_error()) {
+ case SCF_ERROR_EXISTS:
+ goto again;
- r = scf_transaction_commit(tx);
- if (r == 1)
- break;
+ case SCF_ERROR_PERMISSION_DENIED:
+ return (EPERM);
- scf_transaction_reset(tx);
+ default:
+ scfdie();
+ /* NOTREACHED */
+ }
+}
- if (r != 0) {
- switch (scf_error()) {
- case SCF_ERROR_DELETED:
- ret = ECANCELED;
- goto out;
+static int
+my_ct_name(char *out, size_t len)
+{
+ ct_stathdl_t st;
+ char *ct_fmri;
+ ctid_t ct;
+ int fd, errno, ret;
- case SCF_ERROR_PERMISSION_DENIED:
- ret = EPERM;
- goto out;
+ if ((ct = getctid()) == -1)
+ uu_die(gettext("Could not get contract id for process"));
- case SCF_ERROR_BACKEND_ACCESS:
- ret = EACCES;
- goto out;
+ fd = contract_open(ct, "process", "status", O_RDONLY);
- case SCF_ERROR_BACKEND_READONLY:
- ret = EROFS;
- goto out;
+ if ((errno = ct_status_read(fd, CTD_ALL, &st)) != 0)
+ uu_warn(gettext("Could not read status of contract "
+ "%ld: %s.\n"), ct, strerror(errno));
- case SCF_ERROR_INVALID_ARGUMENT:
- case SCF_ERROR_NOT_SET:
- case SCF_ERROR_NOT_BOUND:
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- scfdie();
- }
- }
+ if ((errno = ct_pr_status_get_svc_fmri(st, &ct_fmri)) != 0)
+ uu_warn(gettext("Could not get svc_fmri for contract "
+ "%ld: %s.\n"), ct, strerror(errno));
- if (scf_pg_update(pg) == -1) {
- if (scf_error() != SCF_ERROR_DELETED)
- scfdie();
+ ret = strlcpy(out, ct_fmri, len);
- ret = ECANCELED;
- goto out;
- }
- }
+ ct_status_free(st);
+ (void) close(fd);
-out:
- scf_transaction_destroy(tx);
- scf_entry_destroy(ent);
return (ret);
}
/*
- * Returns 0 or EPERM.
+ * Set auxiliary_tty and auxiliary_fmri properties in restarter_actions pg to
+ * communicate whether the action is requested from a tty and the fmri of the
+ * responsible process.
*/
static int
-pg_get_or_add(scf_instance_t *inst, const char *pgname, const char *pgtype,
- uint32_t pgflags, scf_propertygroup_t *pg)
+restarter_setup(const char *fmri, const scf_instance_t *inst)
{
-again:
- if (scf_instance_get_pg(inst, pgname, pg) == 0)
- return (0);
+ boolean_t b = B_FALSE;
+ scf_propertygroup_t *pg = NULL;
- if (scf_error() != SCF_ERROR_NOT_FOUND)
+ if ((pg = scf_pg_create(h)) == NULL)
scfdie();
- if (scf_instance_add_pg(inst, pgname, pgtype, pgflags, pg) == 0)
- return (0);
+ if (pg_get_or_add(inst, SCF_PG_RESTARTER_ACTIONS,
+ SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
+ pg) != 0)
+ scfdie();
- switch (scf_error()) {
- case SCF_ERROR_EXISTS:
- goto again;
+ /* Set auxiliary_tty property */
+ if (isatty(STDIN_FILENO))
+ b = B_TRUE;
- case SCF_ERROR_PERMISSION_DENIED:
- return (EPERM);
+ /* Create and set state to disabled */
+ switch (set_bool_prop(pg, SCF_PROPERTY_AUX_TTY, b) != 0) {
+ case 0:
+ break;
+
+ case EPERM:
+ uu_warn(gettext("Could not set %s/%s "
+ "property of %s: permission denied.\n"),
+ SCF_PG_RESTARTER_ACTIONS, SCF_PROPERTY_AUX_TTY, fmri);
+ break;
+
+ case EROFS:
+ uu_warn(gettext("%s: Could not set %s/%s "
+ "(repository read-only).\n"), fmri,
+ SCF_PG_RESTARTER_ACTIONS, SCF_PROPERTY_AUX_TTY);
+ break;
default:
scfdie();
- /* NOTREACHED */
}
+
+ if (my_ct_name(scratch_fmri, max_scf_fmri_sz) > 0) {
+ set_astring_prop(fmri, SCF_PG_RESTARTER_ACTIONS,
+ SCF_PG_RESTARTER_ACTIONS_TYPE,
+ SCF_PG_RESTARTER_ACTIONS_FLAGS,
+ SCF_PROPERTY_AUX_FMRI, scratch_fmri);
+ } else {
+ uu_warn(gettext("%s: Could not set %s/%s: "
+ "my_ct_name failed.\n"), fmri,
+ SCF_PG_RESTARTER_ACTIONS, SCF_PROPERTY_AUX_FMRI);
+ }
+
+ scf_pg_destroy(pg);
+ return (0);
}
/*
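Review bot: In restarter_setup() the `switch (set_bool_prop(pg, SCF_PROPERTY_AUX_TTY, b) != 0)` switches on the result of the comparison (0 or 1), so the `case EPERM:` and `case EROFS:` arms can never match and every failure falls into `default: scfdie();`; it should be `switch (set_bool_prop(pg, SCF_PROPERTY_AUX_TTY, b)) {`, and the `/* Create and set state to disabled */` comment above it looks pasted from another site. my_ct_name() declares a local named `errno`, shadowing the standard `errno` from the <errno.h> this file includes, and it keeps going after a failed `contract_open()` (fd unchecked), after a failed `ct_status_read()` (`st` is then unset when passed to ct_pr_status_get_svc_fmri() and ct_status_free()) and after a failed `ct_pr_status_get_svc_fmri()` (`ct_fmri` is then unset when passed to strlcpy()); a bail-out structure that returns 0 on each failure, which the caller's `> 0` test already treats as failure, is sketched below. restarter_setup() also always returns 0, so the `if (restarter_setup(fmri, inst))` warnings its callers add are unreachable until it propagates the set_bool_prop() / set_astring_prop() outcome.
```c
static int
my_ct_name(char *out, size_t len)
{
	ct_stathdl_t st;
	char *ct_fmri;
	ctid_t ct;
	int fd, err, ret = 0;

	if ((ct = getctid()) == -1)
		uu_die(gettext("Could not get contract id for process"));

	if ((fd = contract_open(ct, "process", "status", O_RDONLY)) == -1) {
		uu_warn(gettext("Could not open status of contract "
		    "%ld: %s.\n"), ct, strerror(errno));
		return (0);
	}

	if ((err = ct_status_read(fd, CTD_ALL, &st)) != 0) {
		uu_warn(gettext("Could not read status of contract "
		    "%ld: %s.\n"), ct, strerror(err));
		(void) close(fd);
		return (0);
	}

	if ((err = ct_pr_status_get_svc_fmri(st, &ct_fmri)) != 0) {
		uu_warn(gettext("Could not get svc_fmri for contract "
		    "%ld: %s.\n"), ct, strerror(err));
	} else {
		ret = strlcpy(out, ct_fmri, len);
	}

	ct_status_free(st);
	(void) close(fd);
	return (ret);
}
```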
@@ -579,6 +557,10 @@ set_inst_enabled(const char *fmri, scf_instance_t *inst, boolean_t temp,
if (pg == NULL)
scfdie();
+ if (restarter_setup(fmri, inst))
+ uu_warn(gettext("Unable to record FMRI with request. svcs -l "
+ "output may be incomplete.\n"));
+
/*
* An instance's configuration is incomplete if general/enabled
* doesn't exist. Create both the property group and property
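Review bot: The new restarter_setup() call runs before set_inst_enabled()'s own permission handling, and restarter_setup() answers a pg_get_or_add() EPERM with scfdie(), so an unprivileged `svcadm enable`/`disable` on an instance that has no restarter_actions group would presumably abort there instead of reaching the existing `eperm:` path and its permission-denied message; having restarter_setup() return EPERM and letting this caller report it would keep the earlier behaviour. Because restarter_setup() as written always returns 0, the `uu_warn()` added here and the one added in set_inst_action() further down in this file are unreachable until that is changed. set_inst_enabled() starts and ends outside the hunk.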
@@ -707,53 +689,33 @@ again:
}
pgname = SCF_PG_GENERAL_OVR;
- if (scf_instance_get_pg(inst, pgname, pg) == 0) {
- r = delete_prop(pg, SCF_PROPERTY_ENABLED);
- switch (r) {
- case 0:
- break;
-
- case ECANCELED:
- uu_warn(emsg_no_service, fmri);
- goto out;
-
- case EPERM:
- goto eperm;
-
- case EACCES:
- uu_warn(gettext("Could not delete %s/%s "
- "property of %s: backend access denied.\n"),
- pgname, SCF_PROPERTY_ENABLED, fmri);
- goto out;
+ r = scf_instance_delete_prop(inst, pgname,
+ SCF_PROPERTY_ENABLED);
+ switch (r) {
+ case 0:
+ break;
- case EROFS:
- uu_warn(gettext("Could not delete %s/%s "
- "property of %s: backend is read-only.\n"),
- pgname, SCF_PROPERTY_ENABLED, fmri);
- goto out;
+ case ECANCELED:
+ uu_warn(emsg_no_service, fmri);
+ goto out;
- default:
- bad_error("delete_prop", r);
- }
- } else {
- switch (scf_error()) {
- case SCF_ERROR_DELETED:
- /* Print something? */
+ case EPERM:
+ goto eperm;
- case SCF_ERROR_NOT_FOUND:
- break;
+ case EACCES:
+ uu_warn(gettext("Could not delete %s/%s "
+ "property of %s: backend access denied.\n"),
+ pgname, SCF_PROPERTY_ENABLED, fmri);
+ goto out;
- case SCF_ERROR_HANDLE_MISMATCH:
- case SCF_ERROR_INVALID_ARGUMENT:
- case SCF_ERROR_NOT_SET:
- assert(0);
- abort();
- /* NOTREACHED */
+ case EROFS:
+ uu_warn(gettext("Could not delete %s/%s "
+ "property of %s: backend is read-only.\n"),
+ pgname, SCF_PROPERTY_ENABLED, fmri);
+ goto out;
- case SCF_ERROR_CONNECTION_BROKEN:
- default:
- scfdie();
- }
+ default:
+ bad_error("scf_instance_delete_prop", r);
}
if (verbose)
@@ -1348,6 +1310,10 @@ set_inst_action(const char *fmri, const scf_instance_t *inst,
(ent = scf_entry_create(h)) == NULL)
scfdie();
+ if (restarter_setup(fmri, inst))
+ uu_warn(gettext("Failed to process %s: restarter_setup() "
+ "failed\n"), fmri);
+
if (scf_instance_get_pg(inst, scf_pg_restarter_actions, pg) == -1) {
if (scf_error() != SCF_ERROR_NOT_FOUND)
scfdie();
@@ -1970,59 +1936,40 @@ set_milestone(const char *fmri, boolean_t temporary)
SCF_PG_OPTIONS_TYPE, SCF_PG_OPTIONS_FLAGS, SCF_PROPERTY_MILESTONE,
fmri);
- if (scf_instance_get_pg(inst, SCF_PG_OPTIONS_OVR, pg) == 0) {
- r = delete_prop(pg, SCF_PROPERTY_MILESTONE);
- switch (r) {
- case 0:
- break;
-
- case ECANCELED:
- uu_warn(emsg_no_service, fmri);
- exit_status = 1;
- goto out;
-
- case EPERM:
- uu_warn(gettext("Could not delete %s/%s property of "
- "%s: permission denied.\n"), SCF_PG_OPTIONS_OVR,
- SCF_PROPERTY_MILESTONE, SCF_SERVICE_STARTD);
- exit_status = 1;
- goto out;
+ r = scf_instance_delete_prop(inst, SCF_PG_OPTIONS_OVR,
+ SCF_PROPERTY_MILESTONE);
+ switch (r) {
+ case 0:
+ break;
- case EACCES:
- uu_warn(gettext("Could not delete %s/%s property of "
- "%s: access denied.\n"), SCF_PG_OPTIONS_OVR,
- SCF_PROPERTY_MILESTONE, SCF_SERVICE_STARTD);
- exit_status = 1;
- goto out;
+ case ECANCELED:
+ uu_warn(emsg_no_service, fmri);
+ exit_status = 1;
+ goto out;
- case EROFS:
- uu_warn(gettext("Could not delete %s/%s property of "
- "%s: backend read-only.\n"), SCF_PG_OPTIONS_OVR,
- SCF_PROPERTY_MILESTONE, SCF_SERVICE_STARTD);
- exit_status = 1;
- goto out;
+ case EPERM:
+ uu_warn(gettext("Could not delete %s/%s property of "
+ "%s: permission denied.\n"), SCF_PG_OPTIONS_OVR,
+ SCF_PROPERTY_MILESTONE, SCF_SERVICE_STARTD);
+ exit_status = 1;
+ goto out;
- default:
- bad_error("delete_prop", r);
- }
- } else {
- switch (scf_error()) {
- case SCF_ERROR_NOT_FOUND:
- break;
+ case EACCES:
+ uu_warn(gettext("Could not delete %s/%s property of "
+ "%s: access denied.\n"), SCF_PG_OPTIONS_OVR,
+ SCF_PROPERTY_MILESTONE, SCF_SERVICE_STARTD);
+ exit_status = 1;
+ goto out;
- case SCF_ERROR_DELETED:
- uu_warn(emsg_no_service, fmri);
- exit_status = 1;
- goto out;
+ case EROFS:
+ uu_warn(gettext("Could not delete %s/%s property of "
+ "%s: backend read-only.\n"), SCF_PG_OPTIONS_OVR,
+ SCF_PROPERTY_MILESTONE, SCF_SERVICE_STARTD);
+ exit_status = 1;
+ goto out;
- case SCF_ERROR_CONNECTION_BROKEN:
- case SCF_ERROR_HANDLE_MISMATCH:
- case SCF_ERROR_NOT_BOUND:
- case SCF_ERROR_INVALID_ARGUMENT:
- case SCF_ERROR_NOT_SET:
- default:
- scfdie();
- }
+ default:
+ bad_error("scf_instance_delete_prop", r);
}
out:
diff --git a/usr/src/cmd/svc/svcs/explain.c b/usr/src/cmd/svc/svcs/explain.c
index 271f48f4c3..5bb1674a9d 100644
--- a/usr/src/cmd/svc/svcs/explain.c
+++ b/usr/src/cmd/svc/svcs/explain.c
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -88,6 +88,7 @@
#define DC_UNINIT "SMF-8000-4D"
#define DC_RSTRDEAD "SMF-8000-5H"
#define DC_ADMINMAINT "SMF-8000-63"
+#define DC_SVCREQMAINT "SMF-8000-R4"
#define DC_REPTFAIL "SMF-8000-7Y"
#define DC_METHFAIL "SMF-8000-8Q"
#define DC_NONE "SMF-8000-9C"
@@ -106,6 +107,7 @@
#define DEFAULT_MAN_PATH "/usr/share/man"
+#define AUX_STATE_INVALID "invalid_aux_state"
#define uu_list_append(lst, e) uu_list_insert_before(lst, NULL, e)
@@ -128,6 +130,7 @@ typedef struct {
char next_state[MAX_SCF_STATE_STRING_SZ];
struct timeval stime;
const char *aux_state;
+ const char *aux_fmri;
int64_t start_method_waitstatus;
uint8_t enabled;
@@ -463,14 +466,21 @@ add_instance(const char *svcname, const char *instname, scf_instance_t *inst)
SCF_TYPE_TIME, &instp->stime, 0, 0) != 0)
return;
+ /* restarter may not set aux_state, allow to continue in that case */
if (pg_get_single_val(g_pg, SCF_PROPERTY_AUX_STATE, SCF_TYPE_ASTRING,
- g_fmri, g_fmri_sz, 0) != 0)
- return;
- instp->aux_state = safe_strdup(g_fmri);
+ g_fmri, g_fmri_sz, 0) == 0)
+ instp->aux_state = safe_strdup(g_fmri);
+ else
+ instp->aux_state = safe_strdup(AUX_STATE_INVALID);
(void) pg_get_single_val(g_pg, SCF_PROPERTY_START_METHOD_WAITSTATUS,
SCF_TYPE_INTEGER, &instp->start_method_waitstatus, 0, 0);
+ /* Get the optional auxiliary_fmri */
+ if (pg_get_single_val(g_pg, SCF_PROPERTY_AUX_FMRI, SCF_TYPE_ASTRING,
+ g_fmri, g_fmri_sz, 0) == 0)
+ instp->aux_fmri = safe_strdup(g_fmri);
+
if (scf_instance_get_pg(inst, SCF_PG_GENERAL_OVR, g_pg) == 0) {
if (pg_get_single_val(g_pg, SCF_PROPERTY_ENABLED,
SCF_TYPE_BOOLEAN, &instp->enabled, 0, 0) == 0)
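Review bot: `instp->aux_fmri` is assigned only when the property read succeeds, while print_reasons() later tests `if (svcp->aux_fmri)`; unless instp is allocated zero-filled (the allocation is outside this hunk) the pointer is indeterminate whenever restarter/auxiliary_fmri is absent, and an explicit `else instp->aux_fmri = NULL;` makes the contract visible either way. The relaxed aux_state handling now admits instances that previously `return`ed here, so the strcmp() chain in print_reasons() sees the `AUX_STATE_INVALID` sentinel for them; a comment at the `#define` saying it is a local placeholder rather than a value the restarter writes would help. add_instance() starts and ends outside the hunk.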
@@ -1653,6 +1663,35 @@ print_dependency_reasons(const inst_t *svcp, int verbose)
}
static void
+print_logs(scf_instance_t *inst)
+{
+ if (scf_instance_get_pg(inst, SCF_PG_RESTARTER, g_pg) != 0)
+ return;
+
+ if (pg_get_single_val(g_pg, SCF_PROPERTY_ALT_LOGFILE,
+ SCF_TYPE_ASTRING, (void *)g_value, g_value_sz, 0) == 0)
+ (void) printf(gettext(" See: %s\n"), g_value);
+
+ if (pg_get_single_val(g_pg, SCF_PROPERTY_LOGFILE,
+ SCF_TYPE_ASTRING, (void *)g_value, g_value_sz, 0) == 0)
+ (void) printf(gettext(" See: %s\n"), g_value);
+}
+
+static void
+print_aux_fmri_logs(const char *fmri)
+{
+ scf_instance_t *scf_inst = scf_instance_create(h);
+ if (scf_inst == NULL)
+ return;
+
+ if (scf_handle_decode_fmri(h, fmri, NULL, NULL, scf_inst,
+ NULL, NULL, SCF_DECODE_FMRI_EXACT) == 0)
+ print_logs(scf_inst);
+
+ scf_instance_destroy(scf_inst);
+}
+
+static void
print_reasons(const inst_t *svcp, int verbose)
{
int r;
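Review bot: print_aux_fmri_logs() ends up in print_logs(), which overwrites the shared `g_pg` with the requester's restarter group; if print_reasons() still relies on `g_pg` describing the instance being explained after this call (its body is outside the hunk), that state is lost, so either document that print_logs()/print_aux_fmri_logs() clobber `g_pg` or give them a private scf_propertygroup_t. print_logs() itself is only moved, unchanged, from later in the file. Neither new function has a header comment; suggested for print_aux_fmri_logs(): `/* Print the log paths of the instance named by fmri (the requester recorded in restarter/auxiliary_fmri); prints nothing if fmri does not decode to an existing instance. */`.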
@@ -1723,6 +1762,16 @@ print_reasons(const inst_t *svcp, int verbose)
} else if (strcmp(svcp->aux_state, "fault_threshold_reached") ==
0) {
print_method_failure(svcp, &dc);
+ } else if (strcmp(svcp->aux_state, "service_request") == 0) {
+ if (svcp->aux_fmri) {
+ (void) printf(gettext("Reason: Maintenance "
+ "requested by \"%s\"\n"), svcp->aux_fmri);
+ print_aux_fmri_logs(svcp->aux_fmri);
+ } else {
+ (void) puts(gettext("Reason: Maintenance "
+ "requested by another service."));
+ }
+ dc = DC_SVCREQMAINT;
} else if (strcmp(svcp->aux_state, "invalid_dependency") == 0) {
(void) puts(gettext("Reason: Has invalid dependency."));
dc = DC_INVALIDDEP;
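Review bot: The `Reason: Maintenance requested by "%s"` line presents restarter/auxiliary_fmri as the identity of the requester, but that value originates in restarter_actions/auxiliary_fmri, which the requesting process writes about itself (in this commit svcadm copies the svc_fmri of its own contract there) and which librestart checks only syntactically with scf_parse_fmri(); it is a self-reported troubleshooting hint, not an authenticated record. A short comment above this branch, e.g. `/* aux_fmri is self-reported by the requester and only syntactically validated; advisory, not an audit record */`, would keep readers from treating `svcs -x` output as proof of who requested the transition. print_reasons() starts and ends outside the hunk.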
@@ -1901,21 +1950,6 @@ print_docs(scf_instance_t *inst, int verbose)
return (0);
}
-static void
-print_logs(scf_instance_t *inst)
-{
- if (scf_instance_get_pg(inst, SCF_PG_RESTARTER, g_pg) != 0)
- return;
-
- if (pg_get_single_val(g_pg, SCF_PROPERTY_ALT_LOGFILE,
- SCF_TYPE_ASTRING, (void *)g_value, g_value_sz, 0) == 0)
- (void) printf(gettext(" See: %s\n"), g_value);
-
- if (pg_get_single_val(g_pg, SCF_PROPERTY_LOGFILE,
- SCF_TYPE_ASTRING, (void *)g_value, g_value_sz, 0) == 0)
- (void) printf(gettext(" See: %s\n"), g_value);
-}
-
static int first = 1;
/*
diff --git a/usr/src/cmd/syslogd/system-log.xml b/usr/src/cmd/syslogd/system-log.xml
index 488e327f08..80f147f0fc 100644
--- a/usr/src/cmd/syslogd/system-log.xml
+++ b/usr/src/cmd/syslogd/system-log.xml
@@ -20,7 +20,7 @@
CDDL HEADER END
- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
NOTE: This service manifest is not editable; its contents will
@@ -134,6 +134,18 @@
value='solaris.smf.value.system-log' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='syslog' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/xntpd/xntpd/ntp.xml b/usr/src/cmd/xntpd/xntpd/ntp.xml
index 0c8bbb9a3c..5b9207221f 100644
--- a/usr/src/cmd/xntpd/xntpd/ntp.xml
+++ b/usr/src/cmd/xntpd/xntpd/ntp.xml
@@ -1,11 +1,9 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -57,6 +55,20 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='name' type='astring' value='ntp' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/xntp ipfilter' />
+ </property_group>
+
+ <property_group name='firewall_config' type='com.sun,fw_configuration'>
+ <propval name='policy' type='astring' value='use_global' />
+ <propval name='apply_to' type='astring' value='' />
+ <propval name='exceptions' type='astring' value='' />
+ <propval name='value_authorization' type='astring'
+ value='solaris.smf.value.firewall.config' />
+ </property_group>
+
<stability value='Unstable' />
<template>
diff --git a/usr/src/cmd/xntpd/xntpd/xntp b/usr/src/cmd/xntpd/xntpd/xntp
index a8c64b45dd..15f9b35b45 100644
--- a/usr/src/cmd/xntpd/xntpd/xntp
+++ b/usr/src/cmd/xntpd/xntpd/xntp
@@ -1,12 +1,22 @@
#!/sbin/sh
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
+
+#
+# For ipfilter method. Normal start method will 'ignore' this information.
+#
+port=`$SERVINFO -p -s ntp 2>/dev/null`
+if [ "$1" = "ipfilter" ]; then
+ FMRI=$2
+ out=`fmri_to_file $FMRI $IPF_SUFFIX`
+else
+ out=`fmri_to_file $SMF_FMRI $IPF_SUFFIX`
+fi
if [ ! -f /etc/inet/ntp.conf ]; then
echo "Error: Configuration file '/etc/inet/ntp.conf' not found." \
@@ -26,13 +36,17 @@ ARGS=`/usr/bin/nawk '
first = 0
printf("-s -m")
}
- if (NF == 1)
+ if (NF == 1) {
printf(" 224.0.1.1")
- else
+ printf("pass in log quick from any to 224.0.1.1\n") > file
+ } else {
printf(" %s", $2)
+ printf("pass in log quick from any to %s\n", $2) > file
+ }
next
}
/^server 127.127/ {
+ printf("pass in log quick from any to 224.0.1.1\n") > file
next
}
/^server[ \t]+|^peer[ \t]+/ {
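Review bot: The `/^server 127.127/` branch now emits `pass in log quick from any to 224.0.1.1`, the same multicast rule the multicast branch above emits; a 127.127.x.x entry names a local reference-clock driver, which presumably needs no inbound rule, so unless this is deliberate the generated rule set is wider than the configuration asks for. If it is intended (say, to cover a multicast fallback when only a local clock is configured), a one-line awk comment such as `# local refclock: also admit the default multicast group` would make that explicit. Note that these `> file` writes also happen on a normal start, since `out` is derived from `$SMF_FMRI` in the earlier hunk, which the `Normal start method will 'ignore' this information` comment does not quite convey.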
@@ -41,9 +55,31 @@ ARGS=`/usr/bin/nawk '
printf("-s")
}
printf(" %s", $2)
+ printf("pass in quick from %s to any port = %d\n", $2, port) > file
next
}
- ' /etc/inet/ntp.conf`
+ ' port="$port" file="$out" /etc/inet/ntp.conf`
+
+#
+# Create ipfilter rules
+#
+if [ -n "$1" -a "$1" = "ipfilter" ]; then
+ policy=`get_policy $FMRI`
+
+ echo "# $FMRI server rules" >>$out
+ tport=`$SERVINFO -p -t -s "ntp" 2>/dev/null`
+ if [ -n "$tport" ]; then
+ generate_rules $FMRI $policy "tcp" "any" $tport $out
+ fi
+
+ uport=`$SERVINFO -p -u -s "ntp" 2>/dev/null`
+ if [ -n "$uport" ]; then
+ generate_rules $FMRI $policy "udp" "any" $uport $out
+ fi
+
+ exit $SMF_EXIT_OK
+fi
+
# Run ntpdate to sync system to peer before starting xntpd
[ -n "$ARGS" ] && /usr/sbin/ntpdate $ARGS
/usr/lib/inet/xntpd
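Review bot: `port` comes from `$SERVINFO -p -s ntp 2>/dev/null` with no check, so if that lookup fails the server rules are written as `port = 0` (awk's `%d` of an empty string) and the ipfilter branch still exits `$SMF_EXIT_OK`; guard it in the ipfilter case before the nawk run, e.g. `[ -z "$port" ] && exit $SMF_EXIT_ERR_CONFIG`. `server`/`peer` entries in ntp.conf may be hostnames rather than addresses, so the `pass in quick from %s` rules presumably depend on name resolution when the rule file is loaded, which is worth a comment. The tcp/udp servinfo results below are checked with `-n`, but `$FMRI` and `$policy` are expanded unquoted, and `-n "$1" -a "$1" = "ipfilter"` reduces to `"$1" = "ipfilter"`.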
diff --git a/usr/src/cmd/ypcmd/client.xml b/usr/src/cmd/ypcmd/client.xml
index 23a4fa3f21..b7c1c587a1 100644
--- a/usr/src/cmd/ypcmd/client.xml
+++ b/usr/src/cmd/ypcmd/client.xml
@@ -1,15 +1,14 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -24,8 +23,6 @@
CDDL HEADER END
- ident "%Z%%M% %I% %E% SMI"
-
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
@@ -85,6 +82,13 @@
exec=':kill'
timeout_seconds='60' />
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='isrpc' type='boolean' value='true' />
+ <propval name='name' type='astring' value='ypbind' />
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/yp ipfilter' />
+ </property_group>
+
<stability value='Unstable' />
<template>
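Review bot: Unlike ntp.xml and system-log.xml in this commit, this service gains a `firewall_context` group but no `firewall_config` group (policy, apply_to, exceptions, value_authorization). If that is intentional because the client's rules are derived entirely by `/lib/svc/method/yp ipfilter` from the ypservers list, a brief XML comment above the group saying so would stop the omission reading as an oversight; if not, the same `firewall_config` block is needed for the `use_global` policy to be configurable here.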
diff --git a/usr/src/cmd/ypcmd/yp.sh b/usr/src/cmd/ypcmd/yp.sh
index ba329f450d..63b7abc3d5 100644
--- a/usr/src/cmd/ypcmd/yp.sh
+++ b/usr/src/cmd/ypcmd/yp.sh
@@ -3,9 +3,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -21,15 +20,91 @@
# CDDL HEADER END
#
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
YPDIR=/usr/lib/netsvc/yp
+create_client_ipf_rules()
+{
+ FMRI=$1
+ file=`fmri_to_file $FMRI $IPF_SUFFIX`
+ iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
+ domain=`domainname`
+
+ if [ -z "$domain" ]; then
+ return 0
+ fi
+
+ if [ ! -d /var/yp/binding/$domain ]; then
+ return
+ fi
+ echo "# $FMRI" >$file
+
+ ypfile="/var/yp/binding/$domain/ypservers"
+ if [ -f $ypfile ]; then
+ tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
+ uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
+
+ server_addrs=""
+ for ypsvr in `grep -v '^[ ]*#' $ypfile`; do
+ #
+ # Get corresponding IPv4 address in /etc/hosts
+ #
+ servers=`grep -v '^[ ]*#' /etc/hosts | awk ' {
+ if ($1 !~/:/) {
+ for (i=2; i<=NF; i++) {
+ if (s == $i) printf("%s ", $1);
+ } }
+ }' s="$ypsvr"`
+
+ [ -z "$servers" ] && continue
+ server_addrs="$server_addrs $servers"
+ done
+
+ [ -z "$server_addrs" ] && return 0
+ for s in $server_addrs; do
+ if [ -n "$tports" ]; then
+ for tport in $tports; do
+ echo "pass in log quick proto tcp" \
+ "from $s to any port = $tport" >>$file
+ done
+ fi
+
+ if [ -n "$uports" ]; then
+ for uport in $uports; do
+ echo "pass in log quick proto udp" \
+ "from $s to any port = $uport" >>$file
+ done
+ fi
+ done
+ else
+ #
+ # How do we handle the client broadcast case? Server replies
+ # to the outgoing port that sent the broadcast, but there's
+ # no way the client know a packet is the reply.
+ #
+ # Nis server should be specified and clients shouldn't be
+ # doing broadcasts but if it does, no choice but to allow
+ # all traffic.
+ #
+ echo "pass in log quick proto udp from any to any" \
+ "port > 32768" >>$file
+ fi
+}
+
+#
+# Ipfilter method
+#
+if [ -n "$1" -a "$1" = "ipfilter" ]; then
+ create_client_ipf_rules $2
+ exit $SMF_EXIT_OK
+fi
+
case $SMF_FMRI in
'svc:/network/nis/client:default')
domain=`domainname`
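Review bot: The fallback taken when `$ypfile` is absent writes `pass in log quick proto udp from any to any port > 32768`, admitting inbound UDP from any source to every high port on the client; the comment explains the constraint, but the generated file should carry a visible marker of how wide it is (e.g. `echo "# WARNING: no $ypfile; admitting all inbound UDP > 32768" >>$file`) and point the administrator at configuring ypservers so the narrow per-server rules are used instead. Server addresses are taken only from /etc/hosts (`grep -v '^[ ]*#' /etc/hosts | awk ...`), so a server known only through DNS or NIS produces no rule and binding is silently blocked once the firewall is active; the function header should say so. The early exits are inconsistent (`return 0` when no domain, bare `return` when the binding directory is missing), and because `echo "# $FMRI" >$file` runs only after them, a previously generated rule file is left in place in those cases, which is presumably intended but worth a comment.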
diff --git a/usr/src/lib/librestart/common/librestart.c b/usr/src/lib/librestart/common/librestart.c
index 253fe0a62a..d587f4497c 100644
--- a/usr/src/lib/librestart/common/librestart.c
+++ b/usr/src/lib/librestart/common/librestart.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <librestart.h>
#include <librestart_priv.h>
#include <libscf.h>
@@ -729,7 +727,6 @@ _restarter_commit_states(scf_handle_t *h, instance_data_t *id,
int ret = 0, r;
struct timeval now;
ssize_t sz;
- char *default_aux = "none";
scf_transaction_t *t = NULL;
scf_transaction_entry_t *t_state = NULL, *t_state_next = NULL;
@@ -741,10 +738,6 @@ _restarter_commit_states(scf_handle_t *h, instance_data_t *id,
assert(new_state != RESTARTER_STATE_NONE);
- /* If aux state is unset, set aux to a default string. */
- if (aux == NULL)
- aux = default_aux;
-
if ((s_inst = scf_instance_create(h)) == NULL ||
(pg = scf_pg_create(h)) == NULL ||
(t = scf_transaction_create(h)) == NULL ||
@@ -801,10 +794,14 @@ _restarter_commit_states(scf_handle_t *h, instance_data_t *id,
if (scf_value_set_astring(v_state, str_new_state) != 0 ||
- scf_value_set_astring(v_state_next, str_new_state_next) != 0 ||
- scf_value_set_astring(v_aux, aux) != 0)
+ scf_value_set_astring(v_state_next, str_new_state_next) != 0)
bad_fail("scf_value_set_astring", scf_error());
+ if (aux) {
+ if (scf_value_set_astring(v_aux, aux) != 0)
+ bad_fail("scf_value_set_astring", scf_error());
+ }
+
if (scf_value_set_time(v_stime, now.tv_sec, now.tv_usec * 1000) != 0)
bad_fail("scf_value_set_time", scf_error());
@@ -863,8 +860,6 @@ add_pg:
SCF_TYPE_ASTRING, v_state)) != 0 ||
(r = tx_set_value(t, t_state_next, SCF_PROPERTY_NEXT_STATE,
SCF_TYPE_ASTRING, v_state_next)) != 0 ||
- (r = tx_set_value(t, t_aux, SCF_PROPERTY_AUX_STATE,
- SCF_TYPE_ASTRING, v_aux)) != 0 ||
(r = tx_set_value(t, t_stime, SCF_PROPERTY_STATE_TIMESTAMP,
SCF_TYPE_TIME, v_stime)) != 0) {
switch (r) {
@@ -881,6 +876,24 @@ add_pg:
}
}
+ if (aux) {
+ if ((r = tx_set_value(t, t_aux, SCF_PROPERTY_AUX_STATE,
+ SCF_TYPE_ASTRING, v_aux)) != 0) {
+ switch (r) {
+ case ECONNABORTED:
+ ret = ECONNABORTED;
+ goto out;
+
+ case ECANCELED:
+ scf_transaction_reset(t);
+ goto add_pg;
+
+ default:
+ bad_fail("tx_set_value", r);
+ }
+ }
+ }
+
ret = scf_transaction_commit(t);
if (ret == 1)
break;
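Review bot: With the `default_aux = "none"` fallback removed, a NULL `aux` now leaves restarter/auxiliary_state untouched instead of resetting it, so the previous transition's aux_state is carried into the new state (the intent for preserving it across `svcadm mark maintenance`, but every caller passing NULL inherits that behaviour); the function's header comment, outside this hunk, should state `aux == NULL leaves the existing auxiliary_state unchanged`. Consumers such as svcs explain (explain.c in this commit) key their reasoning off aux_state and will now see the carried-over value alongside the new state. The error arms added here mirror the tx_set_value() block above them; sharing one helper would avoid the duplication, though that is optional.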
@@ -1566,7 +1579,6 @@ restarter_rm_libs_loadable()
return (1);
}
-
static int
get_astring_val(scf_propertygroup_t *pg, const char *name, char *buf,
size_t bufsz, scf_property_t *prop, scf_value_t *val)
@@ -1590,6 +1602,28 @@ get_astring_val(scf_propertygroup_t *pg, const char *name, char *buf,
return (szret >= 0 ? 0 : -1);
}
+static int
+get_boolean_val(scf_propertygroup_t *pg, const char *name, uint8_t *b,
+ scf_property_t *prop, scf_value_t *val)
+{
+ if (scf_pg_get_property(pg, name, prop) != SCF_SUCCESS) {
+ if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
+ uu_die(rcbroken);
+ return (-1);
+ }
+
+ if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
+ if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
+ uu_die(rcbroken);
+ return (-1);
+ }
+
+ if (scf_value_get_boolean(val, b))
+ return (-1);
+
+ return (0);
+}
+
/*
* Try to load mcp->pwd, if it isn't already.
* Fails with
@@ -2981,3 +3015,209 @@ void
restarter_event_get_time(restarter_event_t *e, hrtime_t *time)
{
}
+
+/*
+ * Check for and validate fmri specified in restarter_actions/auxiliary_fmri
+ * 0 - Success
+ * 1 - Failure
+ */
+int
+restarter_inst_validate_ractions_aux_fmri(scf_instance_t *inst)
+{
+ scf_handle_t *h;
+ scf_propertygroup_t *pg;
+ scf_property_t *prop;
+ scf_value_t *val;
+ char *aux_fmri;
+ size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
+ int ret = 1;
+
+ if ((aux_fmri = malloc(size)) == NULL)
+ return (1);
+
+ h = scf_instance_handle(inst);
+
+ pg = scf_pg_create(h);
+ prop = scf_property_create(h);
+ val = scf_value_create(h);
+ if (pg == NULL || prop == NULL || val == NULL)
+ goto out;
+
+ if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
+ SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
+ pg) != SCF_SUCCESS)
+ goto out;
+
+ if (get_astring_val(pg, SCF_PROPERTY_AUX_FMRI, aux_fmri, size,
+ prop, val) != SCF_SUCCESS)
+ goto out;
+
+ if (scf_parse_fmri(aux_fmri, NULL, NULL, NULL, NULL, NULL,
+ NULL) != SCF_SUCCESS)
+ goto out;
+
+ ret = 0;
+
+out:
+ free(aux_fmri);
+ scf_value_destroy(val);
+ scf_property_destroy(prop);
+ scf_pg_destroy(pg);
+ return (ret);
+}
+
+/*
+ * Get instance's boolean value in restarter_actions/auxiliary_tty
+ * Return -1 on failure
+ */
+int
+restarter_inst_ractions_from_tty(scf_instance_t *inst)
+{
+ scf_handle_t *h;
+ scf_propertygroup_t *pg;
+ scf_property_t *prop;
+ scf_value_t *val;
+ uint8_t has_tty;
+ int ret = -1;
+
+ h = scf_instance_handle(inst);
+ pg = scf_pg_create(h);
+ prop = scf_property_create(h);
+ val = scf_value_create(h);
+ if (pg == NULL || prop == NULL || val == NULL)
+ goto out;
+
+ if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
+ SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
+ pg) != SCF_SUCCESS)
+ goto out;
+
+ if (get_boolean_val(pg, SCF_PROPERTY_AUX_TTY, &has_tty, prop,
+ val) != SCF_SUCCESS)
+ goto out;
+
+ ret = has_tty;
+
+out:
+ scf_value_destroy(val);
+ scf_property_destroy(prop);
+ scf_pg_destroy(pg);
+ return (ret);
+}
+
+static int
+restarter_inst_set_astring_prop(scf_instance_t *inst, const char *pgname,
+ const char *pgtype, uint32_t pgflags, const char *pname, const char *str)
+{
+ scf_handle_t *h;
+ scf_propertygroup_t *pg;
+ scf_transaction_t *t;
+ scf_transaction_entry_t *e;
+ scf_value_t *v;
+ int ret = 1, r;
+
+ h = scf_instance_handle(inst);
+
+ pg = scf_pg_create(h);
+ t = scf_transaction_create(h);
+ e = scf_entry_create(h);
+ v = scf_value_create(h);
+ if (pg == NULL || t == NULL || e == NULL || v == NULL)
+ goto out;
+
+ if (instance_get_or_add_pg(inst, pgname, pgtype, pgflags, pg))
+ goto out;
+
+ if (scf_value_set_astring(v, str) != SCF_SUCCESS)
+ goto out;
+
+ for (;;) {
+ if (scf_transaction_start(t, pg) != 0)
+ goto out;
+
+ if (tx_set_value(t, e, pname, SCF_TYPE_ASTRING, v) != 0)
+ goto out;
+
+ if ((r = scf_transaction_commit(t)) == 1)
+ break;
+
+ if (r == -1)
+ goto out;
+
+ scf_transaction_reset(t);
+ if (scf_pg_update(pg) == -1)
+ goto out;
+ }
+ ret = 0;
+
+out:
+ scf_transaction_destroy(t);
+ scf_entry_destroy(e);
+ scf_value_destroy(v);
+ scf_pg_destroy(pg);
+
+ return (ret);
+}
+
+int
+restarter_inst_set_aux_fmri(scf_instance_t *inst)
+{
+ scf_handle_t *h;
+ scf_propertygroup_t *pg;
+ scf_property_t *prop;
+ scf_value_t *val;
+ char *aux_fmri;
+ size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
+ int ret = 1;
+
+ if ((aux_fmri = malloc(size)) == NULL)
+ return (1);
+
+ h = scf_instance_handle(inst);
+
+ pg = scf_pg_create(h);
+ prop = scf_property_create(h);
+ val = scf_value_create(h);
+ if (pg == NULL || prop == NULL || val == NULL)
+ goto out;
+
+ /*
+ * Get auxiliary_fmri value from restarter_actions pg
+ */
+ if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
+ SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
+ pg) != SCF_SUCCESS)
+ goto out;
+
+ if (get_astring_val(pg, SCF_PROPERTY_AUX_FMRI, aux_fmri, size,
+ prop, val) != SCF_SUCCESS)
+ goto out;
+
+ /*
+ * Populate restarter/auxiliary_fmri with the obtained fmri.
+ */
+ ret = restarter_inst_set_astring_prop(inst, SCF_PG_RESTARTER,
+ SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS,
+ SCF_PROPERTY_AUX_FMRI, aux_fmri);
+
+out:
+ free(aux_fmri);
+ scf_value_destroy(val);
+ scf_property_destroy(prop);
+ scf_pg_destroy(pg);
+ return (ret);
+}
+
+int
+restarter_inst_reset_aux_fmri(scf_instance_t *inst)
+{
+ return (scf_instance_delete_prop(inst,
+ SCF_PG_RESTARTER, SCF_PROPERTY_AUX_FMRI));
+}
+
+int
+restarter_inst_reset_ractions_aux_fmri(scf_instance_t *inst)
+{
+ return (scf_instance_delete_prop(inst,
+ SCF_PG_RESTARTER_ACTIONS, SCF_PROPERTY_AUX_FMRI));
+}
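Review bot: restarter_inst_validate_ractions_aux_fmri() is documented as a check, yet it calls instance_get_or_add_pg(), so validating (and restarter_inst_ractions_from_tty() likewise) creates the restarter_actions group as a side effect on instances that lack it; reading with scf_instance_get_pg() and treating NOT_FOUND as "no aux fmri" keeps the read paths free of writes. The validation is syntactic only (scf_parse_fmri()), and the value it checks is written by the requester about itself, so the header comment should say: `Syntactic check only: the fmri is self-reported by the requesting process and is not verified to name an existing instance or the actual requester.` restarter_inst_set_aux_fmri() repeats the same read without the scf_parse_fmri() step and relies on callers having validated first, which also deserves a comment. In both functions `size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);` turns a -1 failure return into an enormous allocation that is only caught by the malloc() NULL check; an explicit `if (scf_limit(...) == -1) return (1);` states the intent.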
diff --git a/usr/src/lib/librestart/common/librestart.h b/usr/src/lib/librestart/common/librestart.h
index 60930f6a50..f77a9cf47a 100644
--- a/usr/src/lib/librestart/common/librestart.h
+++ b/usr/src/lib/librestart/common/librestart.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _LIBRESTART_H
#define _LIBRESTART_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <libsysevent.h>
#include <libcontract.h>
#include <libscf.h>
@@ -60,6 +58,11 @@ extern "C" {
* defined set of fields.
*/
+/*
+ * Some of the functions have external contracted consumers, review contracts
+ * when making incompatible changes.
+ */
+
typedef struct restarter_event_handle restarter_event_handle_t;
typedef struct restarter_event restarter_event_t;
@@ -146,7 +149,6 @@ typedef enum {
RERR_RESTART, /* transition due to restart */
RERR_REFRESH /* transition due to refresh */
} restarter_error_t;
-
/*
* restarter_store_contract() and restarter_remove_contract() types
*/
@@ -189,6 +191,16 @@ int restarter_event_get_current_states(restarter_event_t *,
/*
* Functions for updating the repository.
*/
+
+/*
+ * When setting state to "maintenance", callers of restarter_set_states() can
+ * set aux_state to "service_request" to communicate that another service has
+ * requested maintenance state for the target service.
+ *
+ * Callers should use restarter_inst_validate_aux_fmri() to validate the fmri
+ * of the requested service and pass "service_request" for aux_state when
+ * calling restarter_set_states(). See inetd and startd for examples.
+ */
int restarter_set_states(restarter_event_handle_t *, const char *,
restarter_instance_state_t, restarter_instance_state_t,
restarter_instance_state_t, restarter_instance_state_t, restarter_error_t,
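Review bot: The new comment names a function that does not exist in this header: it tells callers to use `restarter_inst_validate_aux_fmri()`, while the declaration added further down (and the mapfile export) is `restarter_inst_validate_ractions_aux_fmri()`. Since this comment is the only guidance for consumers of the "service_request" aux_state protocol, the name should match the declared API, i.e. `Callers should use restarter_inst_validate_ractions_aux_fmri() to validate the fmri`. It would also help to state what validation failure means for the caller (presumably the request is rejected and a normal maintenance transition is used instead), if that is the intended contract.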
@@ -240,6 +252,24 @@ int restarter_is_null_method(const char *);
int restarter_is_kill_method(const char *);
int restarter_is_kill_proc_method(const char *);
+/* Validate the inst fmri specified in restarter_actions/auxiliary_fmri */
+int restarter_inst_validate_ractions_aux_fmri(scf_instance_t *);
+
+/* Delete instance's restarter_actions/auxiliary_fmri property */
+int restarter_inst_reset_ractions_aux_fmri(scf_instance_t *);
+
+/* Get boolean value from instance's restarter_actions/auxiliary_tty */
+int restarter_inst_ractions_from_tty(scf_instance_t *);
+
+/* Delete instance's restarter/auxiliary_fmri property */
+int restarter_inst_reset_aux_fmri(scf_instance_t *);
+
+/*
+ * Set instance's restarter/auxiliary_fmri, value come from
+ * restarter_actions/auxliary_fmri
+ */
+int restarter_inst_set_aux_fmri(scf_instance_t *);
+
#ifdef __cplusplus
}
#endif
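Review bot: The comment on restarter_inst_set_aux_fmri() has a typo in the property name and a grammar slip: "value come from restarter_actions/auxliary_fmri". Since these comments double as the only documentation of which repository property each helper touches, the property name should be exact: `Set instance's restarter/auxiliary_fmri; the value comes from restarter_actions/auxiliary_fmri`. For the same reason, the return convention (1 on failure, 0 on success, as far as the implementation in this commit shows) would be worth stating once for the whole group of restarter_inst_*() declarations, since the other restarter_*() functions above use different conventions.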
diff --git a/usr/src/lib/librestart/common/mapfile-vers b/usr/src/lib/librestart/common/mapfile-vers
index 7495db3354..143ee73685 100644
--- a/usr/src/lib/librestart/common/mapfile-vers
+++ b/usr/src/lib/librestart/common/mapfile-vers
@@ -62,6 +62,11 @@ SUNWprivate_1.1 {
restarter_state_to_string;
restarter_store_contract;
restarter_string_to_state;
+ restarter_inst_validate_ractions_aux_fmri;
+ restarter_inst_ractions_from_tty;
+ restarter_inst_reset_ractions_aux_fmri;
+ restarter_inst_reset_aux_fmri;
+ restarter_inst_set_aux_fmri;
local:
*;
};
diff --git a/usr/src/lib/libscf/common/mapfile-vers b/usr/src/lib/libscf/common/mapfile-vers
index 2859459644..e7517768b1 100644
--- a/usr/src/lib/libscf/common/mapfile-vers
+++ b/usr/src/lib/libscf/common/mapfile-vers
@@ -312,6 +312,7 @@ SUNWprivate_1.1 {
scf_read_propvec;
scf_write_propvec;
scf_clean_propvec;
+ scf_instance_delete_prop;
local:
*;
};
diff --git a/usr/src/lib/libscf/common/midlevel.c b/usr/src/lib/libscf/common/midlevel.c
index f6ad278eda..a27854e82b 100644
--- a/usr/src/lib/libscf/common/midlevel.c
+++ b/usr/src/lib/libscf/common/midlevel.c
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -2872,3 +2872,118 @@ out:
return (SCF_SUCCESS);
}
+
+/*
+ * Returns
+ * 0 - success
+ * ECONNABORTED - repository connection broken
+ * ECANCELED - inst was deleted
+ * EPERM
+ * EACCES
+ * EROFS
+ * ENOMEM
+ */
+int
+scf_instance_delete_prop(scf_instance_t *inst, const char *pgname,
+ const char *pname)
+{
+ scf_handle_t *h;
+ scf_propertygroup_t *pg;
+ scf_transaction_t *tx;
+ scf_transaction_entry_t *e;
+ int error = 0, ret = 1, r;
+
+ h = scf_instance_handle(inst);
+
+ if ((pg = scf_pg_create(h)) == NULL) {
+ return (ENOMEM);
+ }
+
+ if (scf_instance_get_pg(inst, pgname, pg) != 0) {
+ error = scf_error();
+ scf_pg_destroy(pg);
+ switch (error) {
+ case SCF_ERROR_NOT_FOUND:
+ return (SCF_SUCCESS);
+
+ case SCF_ERROR_DELETED:
+ return (ECANCELED);
+
+ case SCF_ERROR_CONNECTION_BROKEN:
+ default:
+ return (ECONNABORTED);
+
+ case SCF_ERROR_NOT_SET:
+ bad_error("scf_instance_get_pg", scf_error());
+ }
+ }
+
+ tx = scf_transaction_create(h);
+ e = scf_entry_create(h);
+ if (tx == NULL || e == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ for (;;) {
+ if (scf_transaction_start(tx, pg) != 0) {
+ goto scferror;
+ }
+
+ if (scf_transaction_property_delete(tx, e, pname) != 0) {
+ goto scferror;
+ }
+
+ if ((r = scf_transaction_commit(tx)) == 1) {
+ ret = 0;
+ goto out;
+ }
+
+ if (r == -1) {
+ goto scferror;
+ }
+
+ scf_transaction_reset(tx);
+ if (scf_pg_update(pg) == -1) {
+ goto scferror;
+ }
+ }
+
+scferror:
+ switch (scf_error()) {
+ case SCF_ERROR_DELETED:
+ case SCF_ERROR_NOT_FOUND:
+ ret = 0;
+ break;
+
+ case SCF_ERROR_PERMISSION_DENIED:
+ ret = EPERM;
+ break;
+
+ case SCF_ERROR_BACKEND_ACCESS:
+ ret = EACCES;
+ break;
+
+ case SCF_ERROR_BACKEND_READONLY:
+ ret = EROFS;
+ break;
+
+ case SCF_ERROR_CONNECTION_BROKEN:
+ default:
+ ret = ECONNABORTED;
+ break;
+
+ case SCF_ERROR_HANDLE_MISMATCH:
+ case SCF_ERROR_INVALID_ARGUMENT:
+ case SCF_ERROR_NOT_BOUND:
+ case SCF_ERROR_NOT_SET:
+ bad_error("scf_instance_delete_prop", scf_error());
+ }
+
+out:
+ scf_transaction_destroy(tx);
+ scf_entry_destroy(e);
+ scf_pg_destroy(pg);
+
+ return (ret);
+}
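Review bot: In the scf_instance_get_pg() failure path, the SCF_ERROR_NOT_SET case calls `bad_error("scf_instance_get_pg", scf_error())` after scf_pg_destroy(pg) has already run, even though the error was saved into `error` precisely to survive that call; it should be `bad_error("scf_instance_get_pg", error);`. The initial `ret = 1` is neither 0 nor an errno value and is only reachable if bad_error() in the scferror switch ever returned, so the header comment's list of return values would be easier to trust if that variable were initialised to one of the documented codes or the comment noted that bad_error() does not return. The header comment should also say that a missing property group or property is treated as success, since the SCF_ERROR_NOT_FOUND handling at the top and in the scferror switch both return 0 and callers such as the reset helpers in librestart rely on that idempotence.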
diff --git a/usr/src/lib/libscf/inc/libscf.h b/usr/src/lib/libscf/inc/libscf.h
index eb303f04df..f3864f03f4 100644
--- a/usr/src/lib/libscf/inc/libscf.h
+++ b/usr/src/lib/libscf/inc/libscf.h
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -280,6 +280,8 @@ typedef struct scf_tmpl_error scf_tmpl_error_t;
* Standard property names
*/
#define SCF_PROPERTY_AUX_STATE ((const char *)"auxiliary_state")
+#define SCF_PROPERTY_AUX_FMRI ((const char *)"auxiliary_fmri")
+#define SCF_PROPERTY_AUX_TTY ((const char *)"auxiliary_tty")
#define SCF_PROPERTY_CONTRACT ((const char *)"contract")
#define SCF_PROPERTY_COREFILE_PATTERN ((const char *)"corefile_pattern")
#define SCF_PROPERTY_DEGRADED ((const char *)"degraded")
diff --git a/usr/src/lib/libscf/inc/libscf_priv.h b/usr/src/lib/libscf/inc/libscf_priv.h
index 559f647a8e..cfc965e084 100644
--- a/usr/src/lib/libscf/inc/libscf_priv.h
+++ b/usr/src/lib/libscf/inc/libscf_priv.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -519,6 +519,13 @@ char *_scf_read_tmpl_prop_type_as_string(const scf_prop_tmpl_t *);
*/
char *_scf_read_single_astring_from_pg(scf_propertygroup_t *, const char *);
+/*
+ * scf_instance_delete_prop()
+ * Given instance, property group, and property, delete the property.
+ */
+int
+scf_instance_delete_prop(scf_instance_t *, const char *, const char *);
+
#ifdef __cplusplus
}
#endif
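Review bot: The new declaration splits the return type onto its own line (`int` / `scf_instance_delete_prop(...)`), which is the definition style used in .c files; the neighbouring declaration `char *_scf_read_single_astring_from_pg(...)` keeps it on one line, so `int scf_instance_delete_prop(scf_instance_t *, const char *, const char *);` would match the header's convention. The comment could also carry the return contract that the implementation documents (0 on success, otherwise an errno value such as ECONNABORTED, ECANCELED, EPERM, EACCES, EROFS or ENOMEM), since callers in other libraries will only see this header.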
diff --git a/usr/src/lib/libsecdb/auth_attr.txt b/usr/src/lib/libsecdb/auth_attr.txt
index 1fab02cddb..4322e59cb9 100644
--- a/usr/src/lib/libsecdb/auth_attr.txt
+++ b/usr/src/lib/libsecdb/auth_attr.txt
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/security/auth_attr
@@ -153,6 +153,7 @@ solaris.smf.value.discovery.printers.snmp:::Manage Network Attached Device Disco
solaris.smf.value.extended-accounting.flow:::Change Values of Flow Extended Accounting Service Properties::help=SmfValueExAcctFlow.html
solaris.smf.value.extended-accounting.process:::Change Values of Process Extended Accounting Service Properties::help=SmfValueExAcctProcess.html
solaris.smf.value.extended-accounting.task:::Change Values of Task Extended Accounting Service Properties::help=SmfValueExAcctTask.html
+solaris.smf.value.firewall.config:::Change Service Firewall Config::help=SmfValueFirewall.html
solaris.smf.value.idmap:::Change Values of SMF Identity Mapping Service Properties::help=SmfValueIdmap.html
solaris.smf.value.inetd:::Change values of SMF Inetd configuration paramaters::help=SmfValueInted.html
solaris.smf.value.ipsec:::Change Values of SMF IPsec Properties::help=SmfValueIPsec.html
diff --git a/usr/src/lib/libsecdb/help/auths/SmfValueFirewall.html b/usr/src/lib/libsecdb/help/auths/SmfValueFirewall.html
new file mode 100644
index 0000000000..4243b391ff
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/auths/SmfValueFirewall.html
@@ -0,0 +1,36 @@
+<HTML>
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+Use is subject to license terms.
+-->
+<!--
+ <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+-->
+<BODY>
+When Change Service Firewall Config is in the Authorizations
+Include column, it grants the authorization to configure firewall policies.
+<p>
+If Change Service Firewall Config is grayed, then you are not
+entitled to Add or Remove this authorization.
+<BR>&nbsp;
+</BODY>
+</HTML>
diff --git a/usr/src/lib/print/mod_ipp/ipp-listener.xml b/usr/src/lib/print/mod_ipp/ipp-listener.xml
index 8e0437de04..686646a78c 100644
--- a/usr/src/lib/print/mod_ipp/ipp-listener.xml
+++ b/usr/src/lib/print/mod_ipp/ipp-listener.xml
@@ -21,10 +21,8 @@ CDDL HEADER END
-->
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-
- pragma ident "%Z%%M% %I% %E% SMI"
-->
<service_bundle type='manifest' name='SUNWipplr:ipp-listener'>
@@ -63,6 +61,11 @@ CDDL HEADER END
value='solaris.print.admin' />
</property_group>
+ <property_group name='firewall_context' type='com.sun,fw_definition'>
+ <propval name='ipf_method' type='astring'
+ value='/lib/svc/method/print-svc ipfilter svc:/application/print/server:default' />
+ </property_group>
+
<stability value='Unstable' />
<template>
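Review bot: The new firewall_context block delegates ipp-listener's firewall handling to the print server's method script with a hard-coded instance FMRI, and nothing in the manifest explains why this service has no rules of its own. A short comment above the property group would spare the next maintainer a trip into print-svc, e.g. `<!-- Firewall rules for ipp-listener are derived by the print server's method script, presumably because the listener shares the server's ports; keep the FMRI in sync with server.xml. -->` — the "presumably" is mine, the actual reason should be confirmed and stated.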
diff --git a/usr/src/pkgdefs/SUNWcsr/prototype_com b/usr/src/pkgdefs/SUNWcsr/prototype_com
index b60abe0f00..d3bbcae315 100644
--- a/usr/src/pkgdefs/SUNWcsr/prototype_com
+++ b/usr/src/pkgdefs/SUNWcsr/prototype_com
@@ -342,6 +342,7 @@ f none lib/svc/bin/prophist 0555 root sys
f none lib/svc/bin/restore_repository 0555 root sys
f none lib/svc/bin/sqlite 0555 root sys
f none lib/svc/bin/svc.configd 0555 root sys
+f none lib/svc/bin/svc.ipfd 0555 root sys
f none lib/svc/bin/svc.startd 0555 root sys
d none lib/svc/capture 0755 root bin
d none lib/svc/method 0755 root bin
@@ -386,6 +387,7 @@ f none lib/svc/seed/nonglobal.db 0444 root sys
d none lib/svc/share 0755 root bin
f none lib/svc/share/README 0444 root bin
f none lib/svc/share/fs_include.sh 0444 root bin
+f none lib/svc/share/ipf_include.sh 0444 root bin
f none lib/svc/share/net_include.sh 0444 root bin
f none lib/svc/share/routing_include.sh 0444 root bin
f none lib/svc/share/smf_include.sh 0444 root bin
diff --git a/usr/src/pkgdefs/SUNWftpr/prototype_com b/usr/src/pkgdefs/SUNWftpr/prototype_com
index 7386283b0e..22d9b1240b 100644
--- a/usr/src/pkgdefs/SUNWftpr/prototype_com
+++ b/usr/src/pkgdefs/SUNWftpr/prototype_com
@@ -1,9 +1,7 @@
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# This required package information file contains a list of package contents.
# The 'pkgmk' command uses this file to identify the contents of a package
# and their location on the development machine when building the package.
@@ -41,3 +39,7 @@ d none var/svc 0755 root sys
d none var/svc/manifest 0755 root sys
d none var/svc/manifest/network 0755 root sys
f manifest var/svc/manifest/network/ftp.xml 0444 root sys
+d none lib 755 root bin
+d none lib/svc 0755 root bin
+d none lib/svc/method 0755 root bin
+f none lib/svc/method/svc-ftp 0555 root bin
diff --git a/usr/src/pkgdefs/SUNWipfr/prototype_com b/usr/src/pkgdefs/SUNWipfr/prototype_com
index 261071a845..36de2bc93f 100644
--- a/usr/src/pkgdefs/SUNWipfr/prototype_com
+++ b/usr/src/pkgdefs/SUNWipfr/prototype_com
@@ -19,11 +19,9 @@
# CDDL HEADER END
#
#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-#ident "%Z%%M% %I% %E% SMI"
-#
# This required package information file contains a list of package contents.
# The 'pkgmk' command uses this file to identify the contents of a package
# and their location on the development machine when building the package.
@@ -54,6 +52,9 @@ d none lib 755 root bin
d none lib/svc 0755 root bin
d none lib/svc/method 0755 root bin
f none lib/svc/method/ipfilter 0555 root bin
+d none usr 755 root sys
+d none usr/lib 0755 root bin
+f none usr/lib/servinfo 0555 root bin
d none var 755 root sys
d none var/db 755 root sys
d none var/db/ipf 755 root sys
diff --git a/usr/src/pkgdefs/SUNWsmbsr/prototype_com b/usr/src/pkgdefs/SUNWsmbsr/prototype_com
index 5e9c8c1a47..94dede9685 100644
--- a/usr/src/pkgdefs/SUNWsmbsr/prototype_com
+++ b/usr/src/pkgdefs/SUNWsmbsr/prototype_com
@@ -20,11 +20,9 @@
#
#
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# packaging files
i copyright
i depend
@@ -43,3 +41,7 @@ d none var/svc/manifest 0755 root sys
d none var/svc/manifest/network 0755 root sys
d none var/svc/manifest/network/smb 0755 root sys
f manifest var/svc/manifest/network/smb/server.xml 0444 root sys
+d none lib 755 root bin
+d none lib/svc 0755 root bin
+d none lib/svc/method 0755 root bin
+f none lib/svc/method/svc-smbd 0555 root bin
diff --git a/usr/src/tools/scripts/bfu.sh b/usr/src/tools/scripts/bfu.sh
index 4eecbe62b6..ffd13b6a26 100644
--- a/usr/src/tools/scripts/bfu.sh
+++ b/usr/src/tools/scripts/bfu.sh
@@ -2294,14 +2294,6 @@ EOF
smf_enable network/rpc/bootparams
fi
- # To handle the transition from pre-smf ipfilter to smf-aware ipfilter,
- # check if ipfilter had been enabled with at least one rule, and if so
- # enable the smf instance.
- if grep '^[ \t]*[^# \t]' $rootprefix/etc/ipf/ipf.conf >/dev/null 2>&1 &&
- [[ $zone = global ]]; then
- smf_enable network/ipfilter
- fi
-
touch $rootprefix/var/svc/profile/.upgrade_prophist
cat >> $rootprefix/var/svc/profile/upgrade <<EOF