root/usr/src/cmd/ipf/svc/ipfd.c 
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * This file delivers svc.ipfd, the daemon that monitors changes to
 * firewall capable services and requests IPfilter configuration update
 * on behalf of the service. Essentially, the daemon listens for
 * service changes and forks the program that update a service's
 * IPfilter configuration.
 *
 * - A firewall capable SMF service can restrict network access to its
 *   service by providing a firewall policy that can be translated into
 *   a set of IPfilter rules. The mentioned firewall policy is stored in
 *   firewall_config and firewall_context property groups. If one of these
 *   two property groups exist, the service is considered to be firewall
 *   capable.
 *
 * - A request to update service's IPfilter configuration is made for
 *   actions that affect service's configuration or running state. The
 *   actions are:
 *      - enable/disable
 *      - refresh/restart
 *      - maintenance/clear maintenance
 *
 * Lacking a generic SMF mechanism to observe service state changes, the
 * daemon observe change events by listening to changes to 'general',
 * 'general_ovr', and 'restarter_actions' property groups. This is not a
 * stable interface and should be replaced when a SMF supported mechanism
 * becomes available.
 *
 * - The program responsible for updating service's IPfilter configuration
 *   is /lib/svc/method/ipfilter. This program is called as:
 *
 *   /lib/svc/method/ipfilter fw_update fmri
 *
 *   where fmri the instance fmri of the service to be updated.
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <assert.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <umem.h>
#include <libscf.h>
#include <libscf_priv.h>
#include <signal.h>
#include <string.h>
#include <syslog.h>

#define IPFILTER_FMRI           "svc:/network/ipfilter:default"
#define RPCBIND_FMRI            "svc:/network/rpc/bind:default"
#define IPF_UPDATE_CMD          "/lib/svc/method/ipfilter"

#define SCF_SNAPSHOT_RUNNING    "running"
#define SCF_PG_FW_CONTEXT       "firewall_context"
#define SCF_PG_FW_CONFIG        "firewall_config"
#define SCF_PG_REFRESH          "refresh"
#define SCF_PG_INETD            "inetd"

#define SCF_PROPERTY_ISRPC      "isrpc"

#define MAX_RETRY               7
#define DEV_NULL                "/dev/null"

static scf_handle_t *h;
static ssize_t max_scf_fmri_size;
static ssize_t max_scf_name_size;

static scf_instance_t *inst;
static scf_snapshot_t *snap;
static scf_propertygroup_t *scratch_pg;
static scf_property_t *scratch_prop;
static scf_value_t *scratch_v;

static char *scratch_fmri;
static char *scratch_name;

static const char *all_props[] = {
        SCF_PROPERTY_REFRESH, SCF_PROPERTY_RESTART, SCF_PROPERTY_MAINT_ON,
        SCF_PROPERTY_MAINT_ON_IMMEDIATE, SCF_PROPERTY_MAINT_ON_IMMTEMP,
        SCF_PROPERTY_MAINT_ON_TEMPORARY, SCF_PROPERTY_MAINT_OFF
};
#define ALL_PROPS_CNT           7

static const char *maint_props[] = {
        SCF_PROPERTY_REFRESH, SCF_PROPERTY_RESTART, SCF_PROPERTY_MAINT_OFF };
#define MAINT_PROPS_CNT         3

static int ipfilter_update(const char *);

static int
daemonize_self(void)
{
        pid_t pid;
        int fd;

        (void) close(STDIN_FILENO);

        if ((fd = open(DEV_NULL, O_RDONLY)) == -1) {
                (void) printf("Could not open /dev/null: %s\n",
                    strerror(errno));
        } else if (fd != STDIN_FILENO) {
                (void) dup2(fd, STDIN_FILENO);
                (void) close(fd);
        }
        (void) dup2(STDERR_FILENO, STDOUT_FILENO);
        closefrom(3);

        if ((pid = fork1()) < 0) {
                (void) printf("fork() failed: %s\n", strerror(errno));
                return (1);
        }

        if (pid != 0)
                exit(0);

        (void) setsid();
        (void) chdir("/");

        return (0);
}

static void
repository_rebind(scf_handle_t *hndl)
{
        int c = 0;

        (void) scf_handle_unbind(hndl);
        while ((scf_handle_bind(hndl)) != 0) {
                if (c > MAX_RETRY) {
                        syslog(LOG_ERR | LOG_DAEMON, "Repository access "
                            "unavailable. Couldn't bind handle: %s\n",
                            scf_strerror(scf_error()));
                        syslog(LOG_ERR | LOG_DAEMON, "Service specific"
                            "IPfilter configuration may not be updated "
                            "properly\n");

                        exit(1);
                } else {
                        c++;
                }

                (void) sleep(1);
        }
}

static void
repository_notify_setup(scf_handle_t *h)
{
        for (;;) {
                if (_scf_notify_add_pgtype(h, SCF_GROUP_FRAMEWORK) ==
                    SCF_SUCCESS)
                        break;

                switch (scf_error()) {
                case SCF_ERROR_CONNECTION_BROKEN:
                        repository_rebind(h);
                        break;

                case SCF_ERROR_NO_RESOURCES:
                        (void) sleep(1);
                        break;

                default:
                        syslog(LOG_ERR | LOG_DAEMON,
                            "Abort: Couldn't set up repository notification "
                            "for pg type %s: %s\n", SCF_GROUP_FRAMEWORK,
                            scf_strerror(scf_error()));
                        abort();
                }
        }
}

/*
 * If the repository connection is lost, rebind and re-setup repository
 * notification. During the repository connection outage, services that
 * changed states wouldn't get the corresponding firewall update. To make
 * we're not out of sync, update the entire system firewall configuration,
 * invoke ipfilter_update(IPFILTER_FMRI).
 */
static void
repository_setup()
{
        repository_rebind(h);
        repository_notify_setup(h);
        if (ipfilter_update(IPFILTER_FMRI) == -1) {
                syslog(LOG_ERR | LOG_DAEMON,
                    "Failed to reconfigure system firewall.\n");
        }
}

static int
pg_get_prop_value(const scf_propertygroup_t *pg, const char *pname,
    scf_value_t *v)
{
        if (pg == NULL || pname == NULL || v == NULL)
                return (-1);

        if (scf_pg_get_property(pg, pname, scratch_prop) == -1 ||
            scf_property_get_value(scratch_prop, v) == -1) {
                switch (scf_error()) {
                case SCF_ERROR_NOT_FOUND:
                case SCF_ERROR_DELETED:
                        break;

                default:
                        syslog(LOG_ERR | LOG_DAEMON,
                            "scf_pg_get_property failed for %s: %s\n",
                            pname, scf_strerror(scf_error()));
                }
                return (-1);
        }
        return (0);
}

static int
is_correct_event(const char *fmri, const scf_propertygroup_t *pg,
    const boolean_t isrpc)
{
        char *state = NULL;
        const char **proplist = all_props;
        int prop_cnt = ALL_PROPS_CNT;

        int i, ret = 0;

        if (scf_pg_get_name(pg, scratch_name, max_scf_name_size) < 0) {
                syslog(LOG_ERR | LOG_DAEMON, "scf_pg_get_name failed: %s\n",
                    scf_strerror(scf_error()));
                return (-1);
        }

        /*
         * We care about enable, disable, and refresh since that's
         * when we activate, deactivate, or change firewall policy.
         *
         *  - enable/disable -> change in "general" or "general_ovr"
         *  - refresh/restart -> change in "restarter_actions"
         */
        if (strcmp(scratch_name, SCF_PG_GENERAL) == 0 ||
            strcmp(scratch_name, SCF_PG_GENERAL_OVR) == 0) {
                syslog(LOG_DEBUG | LOG_DAEMON, "Action: %s", scratch_name);
                return (1);
        }

        if ((state = smf_get_state(fmri)) == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "smf_get_state failed for %s: "
                    "%s\n", fmri, scf_strerror(scf_error()));
                return (-1);
        }

        syslog(LOG_DEBUG | LOG_DAEMON, "%s STATE: %s \n", fmri, state);
        if (strcmp(state, SCF_STATE_STRING_MAINT) == 0) {
                proplist = maint_props;
                prop_cnt = MAINT_PROPS_CNT;
        }

        /*
         * Only concerned with refresh, restart, and maint on|off actions.
         * RPC services are restarted whenever rpc/bind restarts so it's
         * an automatic valid event for RPC services.
         */
        if (isrpc) {
                ret = 1;
                goto out;
        } else if (strcmp(scratch_name, SCF_PG_RESTARTER_ACTIONS) == 0) {
                for (i = 0; i < prop_cnt; i++) {
                        if (pg_get_prop_value(pg, proplist[i],
                            scratch_v) == 0) {
                                syslog(LOG_DEBUG | LOG_DAEMON, "Action: %s/%s",
                                    scratch_name, proplist[i]);

                                ret = 1;
                                goto out;
                        }
                }
        }

out:
        if (state)
                free(state);

        return (ret);
}

static int
ipfilter_update(const char *fmri)
{
        pid_t pid;
        int status, ret = 0;

        syslog(LOG_DEBUG | LOG_DAEMON, "ipfilter_update: %s\n", fmri);

        /*
         * Start refresh in another process
         */
        if ((pid = fork1()) < 0) {
                syslog(LOG_ERR | LOG_DAEMON, "Couldn't fork to refresh "
                    "ipfilter for %s: %s", fmri, strerror(errno));
                ret = 1;
                goto out;
        }

        if (pid == 0) {
                if (execl(IPF_UPDATE_CMD, IPF_UPDATE_CMD, "fw_update", fmri,
                    NULL) == -1)
                        syslog(LOG_ERR | LOG_DAEMON, "execl() failed for "
                            "%s: %s", fmri, strerror(errno));

                exit(1);
        }

        /*
         * Parent - only one update at a time.
         */
        (void) wait(&status);
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
                ret = 1;

out:
        if (ret == 1)
                syslog(LOG_ERR | LOG_DAEMON, "Firewall update failed "
                    "for: %s\n", fmri);

        return (ret);
}

/*
 * Determine whether a given instance is a RPC service. Repository and
 * libscf errors are treated as if the service isn't an RPC service,
 * returning B_FALSE to indicate validation failure.
 */
static boolean_t
service_is_rpc(const scf_instance_t *inst)
{
        scf_snapshot_t *lsnap = NULL;
        uint8_t isrpc;

        if (scf_instance_get_snapshot(inst, SCF_SNAPSHOT_RUNNING, snap) != 0) {
                syslog(LOG_DEBUG | LOG_DAEMON,
                    "Could not get running snapshot, using editing value\n");
        } else {
                lsnap = snap;
        }

        if (scf_instance_get_pg_composed(inst, lsnap, SCF_PG_INETD,
            scratch_pg) == -1) {
                switch (scf_error()) {
                case SCF_ERROR_NOT_FOUND:
                case SCF_ERROR_DELETED:
                        break;

                default:
                        syslog(LOG_ERR | LOG_DAEMON,
                            "scf_instance_get_pg_composed failed: %s\n",
                            scf_strerror(scf_error()));
                        return (B_FALSE);
                }

                if (scf_instance_get_pg_composed(inst, lsnap,
                    SCF_PG_FW_CONTEXT, scratch_pg) == -1) {
                        switch (scf_error()) {
                        case SCF_ERROR_NOT_FOUND:
                        case SCF_ERROR_DELETED:
                                break;

                        default:
                                syslog(LOG_ERR | LOG_DAEMON,
                                    "scf_instance_get_pg_composed failed: %s\n",
                                    scf_strerror(scf_error()));
                        }
                        return (B_FALSE);
                }
        }

        if (pg_get_prop_value(scratch_pg, SCF_PROPERTY_ISRPC, scratch_v) == -1)
                return (B_FALSE);

        if (scf_value_get_boolean(scratch_v, &isrpc) == -1) {
                syslog(LOG_ERR | LOG_DAEMON, "scf_value_get_boolean failed: "
                    "%s\n", scf_strerror(scf_error()));
                return (B_FALSE);
        }

        if (isrpc)
                return (B_TRUE);
        else
                return (B_FALSE);
}

static int
instance_has_firewall(scf_instance_t *inst)
{
        scf_snapshot_t *lsnap = NULL;

        if (scf_instance_get_snapshot(inst, SCF_SNAPSHOT_RUNNING, snap) == -1) {
                switch (scf_error()) {
                case SCF_ERROR_CONNECTION_BROKEN:
                        syslog(LOG_ERR | LOG_DAEMON,
                            "scf_instance_get_snapshot failed: %s\n",
                            scf_strerror(scf_error()));
                        repository_setup();
                        return (-1);

                case SCF_ERROR_DELETED:
                default:
                        /*
                         * If running snapshot is not available for
                         * other reasons, fall back to current values.
                         */
                        syslog(LOG_DEBUG | LOG_DAEMON, "Could not get "
                            "running snapshot, using current value\n");
                }
        } else {
                lsnap = snap;
        }

        /*
         * Update service's IPfilter configuration if either
         * SCF_PG_FW_CONTEXT or SCF_PG_FW_CONFIG exists.
         */
        if (scf_instance_get_pg_composed(inst, lsnap, SCF_PG_FW_CONTEXT,
            scratch_pg) == 0) {
                return (1);
        } else {
                switch (scf_error()) {
                case SCF_ERROR_NOT_FOUND:
                case SCF_ERROR_DELETED:
                        break;

                case SCF_ERROR_CONNECTION_BROKEN:
                        repository_setup();
                        /* FALLTHROUGH */
                default:
                        syslog(LOG_ERR | LOG_DAEMON,
                            "scf_instance_get_pg_composed failed: %s\n",
                            scf_strerror(scf_error()));
                        return (-1);
                }
        }

        if (scf_instance_get_pg_composed(inst, lsnap, SCF_PG_FW_CONFIG,
            scratch_pg) == -1) {
                /*
                 * It's either a non-firewall service or a failure to
                 * read firewall pg, just continue and listen for
                 * future events.
                 */
                switch (scf_error()) {
                case SCF_ERROR_NOT_FOUND:
                case SCF_ERROR_DELETED:
                        return (0);

                case SCF_ERROR_CONNECTION_BROKEN:
                        repository_setup();
                        /* FALLTHROUGH */
                default:
                        syslog(LOG_ERR | LOG_DAEMON,
                            "scf_instance_get_pg_composed failed: %s\n",
                            scf_strerror(scf_error()));
                        return (-1);
                }
        }
        return (1);
}

static int
repository_event_process(scf_propertygroup_t *pg)
{
        boolean_t isrpc = B_FALSE;
        int res;

        /*
         * Figure out it's a firewall capable instance and call ipfilter_update
         * if it is.
         */
        if (scf_pg_get_parent_instance(pg, inst) == -1) {
                /* Not an error if pg doesn't belong to a valid instance */
                if (scf_error() == SCF_ERROR_CONSTRAINT_VIOLATED) {
                        return (0);
                }

                syslog(LOG_ERR | LOG_DAEMON, "scf_pg_get_parent_instance "
                    "failed: %s\n", scf_strerror(scf_error()));

                if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
                        repository_setup();

                return (1);
        }

        if (scf_instance_to_fmri(inst, scratch_fmri, max_scf_fmri_size) == -1) {
                syslog(LOG_ERR | LOG_DAEMON, "scf_instance_to_fmri "
                    "failed: %s\n", scf_strerror(scf_error()));

                if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
                        repository_setup();

                return (1);
        }

        if (strcmp(scratch_fmri, IPFILTER_FMRI) == 0) {
                return (0);
        }

        isrpc = service_is_rpc(inst);

        /*
         * If it's not an event we're interested in, returns success.
         */
        res = is_correct_event(scratch_fmri, pg, isrpc);
        if (res == -1) {
                syslog(LOG_ERR | LOG_DAEMON,
                    "is_correct_event failed for %s.\n", scratch_fmri);
                return (1);
        } else if (res == 0) {
                return (0);
        }

        /*
         * Proceed only if instance has firewall policy.
         */
        res = instance_has_firewall(inst);
        if (res == -1) {
                syslog(LOG_ERR | LOG_DAEMON,
                    "instance_has_firewall failed for %s.\n", scratch_fmri);
                return (1);
        } else if (res == 0) {
                return (0);
        }

        if (ipfilter_update(scratch_fmri) == -1) {
                return (1);
        }

        return (0);
}

static int
repository_event_wait()
{
        scf_propertygroup_t *pg;
        char *fmri, *scratch;
        const char *inst_name, *pg_name;
        ssize_t res;

        if ((fmri = umem_alloc(max_scf_fmri_size, UMEM_DEFAULT)) == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "Out of memory");
                return (1);
        }

        if ((scratch = umem_alloc(max_scf_fmri_size, UMEM_DEFAULT)) == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "Out of memory");
                return (1);
        }

        if ((pg = scf_pg_create(h)) == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "scf_pg_create failed: %s\n",
                    scf_strerror(scf_error()));
                return (1);
        }

        repository_notify_setup(h);

        for (;;) {
                /*
                 * Calling _scf_notify_wait which will block this thread
                 * until it's notified of a framework event.
                 *
                 * Note: fmri is only set on delete events.
                 */
                res = _scf_notify_wait(pg, fmri, max_scf_fmri_size);
                if (res < 0) {
                        syslog(LOG_ERR | LOG_DAEMON, "_scf_notify_wait "
                            "failed: %s\n", scf_strerror(scf_error()));
                        repository_setup();
                } else if (res == 0) {
                        if (repository_event_process(pg))
                                syslog(LOG_ERR | LOG_DAEMON, "Service may have "
                                    "incorrect IPfilter configuration\n");
                } else {
                        /*
                         * The received event is a deletion of a service,
                         * instance or pg. If it's a deletion of an instance,
                         * update the instance's IPfilter configuration.
                         */
                        syslog(LOG_DEBUG | LOG_DAEMON, "Deleted: %s", fmri);

                        (void) strlcpy(scratch, fmri, max_scf_fmri_size);
                        if (scf_parse_svc_fmri(scratch, NULL, NULL, &inst_name,
                            &pg_name, NULL) != SCF_SUCCESS)
                                continue;

                        if (inst_name != NULL && pg_name == NULL) {
                                (void) ipfilter_update(fmri);
                        }
                }
        }

        /*NOTREACHED*/
}

int
main()
{
        if (daemonize_self() == 1)
                return (1);

        max_scf_fmri_size = scf_limit(SCF_LIMIT_MAX_FMRI_LENGTH) + 1;
        max_scf_name_size = scf_limit(SCF_LIMIT_MAX_NAME_LENGTH) + 1;

        assert(max_scf_fmri_size > 0);
        assert(max_scf_name_size > 0);

        if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "scf_handle_create failed: %s\n",
                    scf_strerror(scf_error()));
                return (1);
        }

        repository_rebind(h);

        scratch_fmri = umem_alloc(max_scf_fmri_size, UMEM_DEFAULT);
        scratch_name = umem_alloc(max_scf_name_size, UMEM_DEFAULT);

        if (scratch_fmri == NULL || scratch_name == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "Out of memory");
                return (1);
        }

        inst = scf_instance_create(h);
        snap = scf_snapshot_create(h);
        scratch_pg = scf_pg_create(h);
        scratch_prop = scf_property_create(h);
        scratch_v = scf_value_create(h);

        if (inst == NULL || snap == NULL || scratch_pg == NULL ||
            scratch_prop == NULL || scratch_v == NULL) {
                syslog(LOG_ERR | LOG_DAEMON, "Initialization failed: %s\n",
                    scf_strerror(scf_error()));
                return (1);
        }

        return (repository_event_wait());
}