int
_zexec(const char *a_zoneName, const char *a_path, char *a_argv[])
{
zoneid_t zoneid;
zone_state_t st;
char **new_env = { NULL };
priv_set_t *privset;
/* entry assertions */
assert(a_zoneName != NULL);
assert(*a_zoneName != '\0');
assert(a_path != NULL);
assert(*a_path != '\0');
/* establish locale settings */
(void) setlocale(LC_ALL, "");
(void) textdomain(TEXT_DOMAIN);
/* can only be invoked from within the global zone */
if (getzoneid() != GLOBAL_ZONEID) {
_z_program_error(ERR_ZEXEC_NOT_IN_GZ, a_zoneName);
return (-1);
}
if (strcmp(a_zoneName, GLOBAL_ZONENAME) == 0) {
_z_program_error(ERR_ZEXEC_GZUSED, a_zoneName);
return (-1);
}
/* get the state of the specified zone */
if (zone_get_state((char *)a_zoneName, &st) != Z_OK) {
_z_program_error(ERR_ZEXEC_BADZONE, a_zoneName);
return (-1);
}
if (st < ZONE_STATE_INSTALLED) {
_z_program_error(ERR_ZEXEC_BADSTATE, a_zoneName,
zone_state_str(st));
return (-1);
}
if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
_z_program_error(ERR_ZEXEC_NOTRUNNING, a_zoneName,
zone_state_str(st));
return (-1);
}
/*
* In both console and non-console cases, we require all privs.
* In the console case, because we may need to startup zoneadmd.
* In the non-console case in order to do zone_enter(2), zonept()
* and other tasks.
*
* Future work: this solution is temporary. Ultimately, we need to
* move to a flexible system which allows the global admin to
* designate that a particular user can zlogin (and probably zlogin
* -C) to a particular zone. This all-root business we have now is
* quite sketchy.
*/
if ((privset = priv_allocset()) == NULL) {
_z_program_error(ERR_ZEXEC_PRIV_ALLOCSET, a_zoneName,
strerror(errno));
return (-1);
}
if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
_z_program_error(ERR_ZEXEC_GETPPRIV, a_zoneName,
strerror(errno));
priv_freeset(privset);
return (-1);
}
if (priv_isfullset(privset) == B_FALSE) {
_z_program_error(ERR_ZEXEC_PRIVS, a_zoneName);
priv_freeset(privset);
return (-1);
}
priv_freeset(privset);
if ((zoneid = getzoneidbyname(a_zoneName)) == -1) {
_z_program_error(ERR_ZEXEC_NOZONEID, a_zoneName,
strerror(errno));
return (-1);
}
if ((new_env = _zexec_prep_env()) == NULL) {
_z_program_error(ERR_ZEXEC_ASSEMBLE, a_zoneName);
return (-1);
}
/*
* In case any of stdin, stdout or stderr are streams,
* anchor them to prevent malicious I_POPs.
*
* Future work: use pipes to entirely eliminate FD leakage
* into the zone.
*/
(void) ioctl(STDIN_FILENO, I_ANCHOR);
(void) ioctl(STDOUT_FILENO, I_ANCHOR);
(void) ioctl(STDERR_FILENO, I_ANCHOR);
if (zone_enter(zoneid) == -1) {
int lerrno = errno;
_z_program_error(ERR_ZEXEC_ZONEENTER, a_zoneName,
strerror(errno));
if (lerrno == EFAULT) {
_z_program_error(ERR_ZEXEC_EFAULT, a_zoneName);
}
free(new_env);
return (-1);
}
(void) execve(a_path, &a_argv[0], new_env);
_z_program_error(ERR_ZEXEC_EXECFAILURE, a_zoneName, strerror(errno));
return (-1);
}
static int
zsocket(zoneid_t zoneid, const char *path) {
char c = 0;
ctid_t ct = -1;
int _errno = 0;
int pid = 0;
int sock_fd = 0;
int sockfd[2] = {0};
int stat = 0;
int tmpl_fd = 0;
int flags;
struct sockaddr_un addr;
size_t addr_len = 0;
if (zoneid < 0) {
return (-1);
}
if (path == NULL) {
return (-1);
}
bzero(&addr, sizeof (addr));
pthread_mutex_lock(&lock);
if ((tmpl_fd = init_template()) < 0) {
pthread_mutex_unlock(&lock);
return (-1);
}
if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sockfd) != 0) {
(void) ct_tmpl_clear(tmpl_fd);
pthread_mutex_unlock(&lock);
return (-1);
}
pid = fork();
debug("fork returned: %d\n", pid);
if (pid < 0) {
_errno = errno;
(void) ct_tmpl_clear(tmpl_fd);
close(sockfd[0]);
close(sockfd[1]);
errno = _errno;
pthread_mutex_unlock(&lock);
return (-1);
}
if (pid == 0) {
(void) ct_tmpl_clear(tmpl_fd);
(void) close(tmpl_fd);
(void) close(sockfd[0]);
if (zone_enter(zoneid) != 0) {
debug("CHILD: zone_enter(%d) => %s\n", zoneid, strerror(errno));
_exit(1);
}
debug("CHILD: zone_enter(%d) => %d\n", zoneid, 0);
(void) unlink(path);
sock_fd = socket(PF_UNIX, SOCK_STREAM, 0);
if (sock_fd < 0) {
debug("CHILD: socket => %d\n", errno);
_exit(2);
}
fcntl(sock_fd, F_SETFL, O_NONBLOCK);
addr.sun_family = AF_UNIX;
addr_len = sizeof (addr.sun_family) +
snprintf(addr.sun_path, sizeof (addr.sun_path), path);
if (bind(sock_fd, (struct sockaddr *) &addr, addr_len) != 0) {
debug("CHILD: bind => %d\n", errno);
_exit(3);
}
if (write_fd(sockfd[1], (void *)"", 1, sock_fd) < 0) {
debug("CHILD: write_fd => %d\n", errno);
_exit(4);
}
debug("CHILD: write_fd => %d\n", errno);
_exit(0);
}
if (contract_latest(&ct) == -1) {
ct = -1;
}
(void) ct_tmpl_clear(tmpl_fd);
(void) close(tmpl_fd);
(void) contract_abandon_id(ct);
(void) close(sockfd[1]);
debug("PARENT: waitforpid(%d)\n", pid);
while ((waitpid(pid, &stat, 0) != pid) && errno != ECHILD) {
/* DO NOTHING */;
}
if (WIFEXITED(stat) == 0) {
debug("PARENT: Child didn't exit\n");
_errno = ECHILD;
sock_fd = -1;
} else {
stat = WEXITSTATUS(stat);
debug("PARENT: Child exit status %d\n", stat);
if (stat == 0) {
read_fd(sockfd[0], &c, 1, &sock_fd);
} else {
_errno = stat;
sock_fd = -1;
}
}
close(sockfd[0]);
pthread_mutex_unlock(&lock);
if (sock_fd < 0) {
errno = _errno;
} else {
if ((flags = fcntl(sock_fd, F_GETFD)) != -1) {
flags |= FD_CLOEXEC;
(void) fcntl(sock_fd, F_SETFD, flags);
}
errno = 0;
}
debug("zsocket returning fd=%d, errno=%d\n", sock_fd, errno);
return (sock_fd);
}
/*
* Execute an operation on filename relative to zoneid's zone root. If the
* file is in the global zone, then the zfcb() callback will simply be called
* directly. If the file is in a non-global zone, then zfcb() will be called
* both from the global zone's context, and from the non-global zone's context
* (from a fork()'ed child that has entered the non-global zone). This is
* done to allow the callback to communicate with itself if needed (e.g. to
* pass back the file descriptor of an opened file).
*/
static int
dlmgmt_zfop(const char *filename, zoneid_t zoneid, zfcb_t *zfcb,
zfoparg_t *zfoparg)
{
int ctfd;
int err;
pid_t childpid;
siginfo_t info;
zfarg_t zfarg;
ctid_t ct;
if (zoneid != GLOBAL_ZONEID) {
/*
* We need to access a file that isn't in the global zone.
* Accessing non-global zone files from the global zone is
* unsafe (due to symlink attacks), we'll need to fork a child
* that enters the zone in question and executes the callback
* that will operate on the file.
*
* Before we proceed with this zone tango, we need to create a
* new process contract for the child, as required by
* zone_enter().
*/
errno = 0;
ctfd = open64("/system/contract/process/template", O_RDWR);
if (ctfd == -1)
return (errno);
if ((err = ct_tmpl_set_critical(ctfd, 0)) != 0 ||
(err = ct_tmpl_set_informative(ctfd, 0)) != 0 ||
(err = ct_pr_tmpl_set_fatal(ctfd, CT_PR_EV_HWERR)) != 0 ||
(err = ct_pr_tmpl_set_param(ctfd, CT_PR_PGRPONLY)) != 0 ||
(err = ct_tmpl_activate(ctfd)) != 0) {
(void) close(ctfd);
return (err);
}
childpid = fork();
switch (childpid) {
case -1:
(void) ct_tmpl_clear(ctfd);
(void) close(ctfd);
return (err);
case 0:
(void) ct_tmpl_clear(ctfd);
(void) close(ctfd);
/*
* Elevate our privileges as zone_enter() requires all
* privileges.
*/
if ((err = dlmgmt_elevate_privileges()) != 0)
_exit(err);
if (zone_enter(zoneid) == -1)
_exit(errno);
if ((err = dlmgmt_drop_privileges()) != 0)
_exit(err);
break;
default:
if (contract_latest(&ct) == -1)
ct = -1;
(void) ct_tmpl_clear(ctfd);
(void) close(ctfd);
if (waitid(P_PID, childpid, &info, WEXITED) == -1) {
(void) contract_abandon_id(ct);
return (errno);
}
(void) contract_abandon_id(ct);
if (info.si_status != 0)
return (info.si_status);
}
}
zfarg.zfarg_inglobalzone = (zoneid == GLOBAL_ZONEID || childpid != 0);
zfarg.zfarg_finglobalzone = (zoneid == GLOBAL_ZONEID);
zfarg.zfarg_filename = filename;
zfarg.zfarg_oparg = zfoparg;
err = zfcb(&zfarg);
if (!zfarg.zfarg_inglobalzone)
_exit(err);
return (err);
}
/*
* Note to future maintainers: with the change of wall to use the
* getutxent() API, the forked children (created by this function)
* must call _exit as opposed to exit. This is necessary to avoid
* unwanted fflushing of getutxent's stdio stream (caused by atexit
* processing).
*/
static void
sendmes(struct utmpx *p, zoneid_t zid)
{
int i;
char *s;
static char device[LMAX + 6];
char *bp;
int ibp;
FILE *f;
int fd, tmpl_fd;
boolean_t zoneenter = B_FALSE;
if (zid != getzoneid()) {
zoneenter = B_TRUE;
tmpl_fd = init_template();
if (tmpl_fd == -1) {
(void) fprintf(stderr, "Could not initialize "
"process contract");
return;
}
}
while ((i = (int)fork()) == -1) {
(void) alarm(60);
(void) wait((int *)0);
(void) alarm(0);
}
if (i)
return;
if (zoneenter && zone_enter(zid) == -1) {
char zonename[ZONENAME_MAX];
(void) getzonenamebyid(zid, zonename, ZONENAME_MAX);
(void) fprintf(stderr, "Could not enter zone "
"%s\n", zonename);
}
if (zoneenter)
(void) ct_tmpl_clear(tmpl_fd);
if (gflag)
if (!chkgrp(p->ut_user))
_exit(0);
(void) signal(SIGHUP, SIG_IGN);
(void) alarm(60);
s = &device[0];
(void) snprintf(s, sizeof (device), "/dev/%.*s", LMAX, p->ut_line);
/* check if the device is really a tty */
if ((fd = open(s, O_WRONLY|O_NOCTTY|O_NONBLOCK)) == -1) {
(void) fprintf(stderr, "Cannot send to %.*s on %s\n",
NMAX, p->ut_user, s);
perror("open");
(void) fflush(stderr);
_exit(1);
} else {
if (!isatty(fd)) {
(void) fprintf(stderr,
"Cannot send to device %.*s %s\n",
LMAX, p->ut_line,
"because it's not a tty");
openlog("wall", 0, LOG_AUTH);
syslog(LOG_CRIT, "%.*s in utmpx is not a tty\n",
LMAX, p->ut_line);
closelog();
(void) fflush(stderr);
_exit(1);
}
}
#ifdef DEBUG
(void) close(fd);
f = fopen("wall.debug", "a");
#else
f = fdopen(fd, "w");
#endif
if (f == NULL) {
(void) fprintf(stderr, "Cannot send to %-.*s on %s\n",
NMAX, &p->ut_user[0], s);
perror("open");
(void) fflush(stderr);
_exit(1);
}
(void) fprintf(f,
"\07\07\07Broadcast Message from %s (%s) on %s %19.19s",
who, line, systm, time_buf);
if (gflag)
(void) fprintf(f, " to group %s", grpname);
(void) fprintf(f, "...\n");
#ifdef DEBUG
(void) fprintf(f, "DEBUG: To %.*s on %s\n", NMAX, p->ut_user, s);
#endif
i = strlen(mesg);
for (bp = mesg; --i >= 0; bp++) {
ibp = (unsigned int)((unsigned char) *bp);
if (*bp == '\n')
(void) putc('\r', f);
if (isprint(ibp) || *bp == '\r' || *bp == '\013' ||
*bp == ' ' || *bp == '\t' || *bp == '\n' || *bp == '\007') {
(void) putc(*bp, f);
} else {
if (!isascii(*bp)) {
(void) fputs("M-", f);
*bp = toascii(*bp);
}
if (iscntrl(*bp)) {
(void) putc('^', f);
(void) putc(*bp + 0100, f);
}
else
(void) putc(*bp, f);
}
if (*bp == '\n')
(void) fflush(f);
if (ferror(f) || feof(f)) {
(void) printf("\n\007Write failed\n");
(void) fflush(stdout);
_exit(1);
}
}
(void) fclose(f);
(void) close(fd);
_exit(0);
}