/*

 * CDDL HEADER START

 *

 * The contents of this file are subject to the terms of the

 * Common Development and Distribution License (the "License").

 * You may not use this file except in compliance with the License.

 *

 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

 * or http://www.opensolaris.org/os/licensing.

 * See the License for the specific language governing permissions

 * and limitations under the License.

 *

 * When distributing Covered Code, include this CDDL HEADER in each

 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.

 * If applicable, add the following below this CDDL HEADER, with the

 * fields enclosed by brackets "[]" replaced with your own identifying

 * information: Portions Copyright [yyyy] [name of copyright owner]

 *

 * CDDL HEADER END

 */

/*

 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.

 */

/*

 * This module contains functions used to bring up and tear down the

 * Virtual Platform: [un]mounting file-systems, [un]plumbing network

 * interfaces, [un]configuring devices, establishing resource controls,

 * and creating/destroying the zone in the kernel.  These actions, on

 * the way up, ready the zone; on the way down, they halt the zone.

 * See the much longer block comment at the beginning of zoneadmd.c

 * for a bigger picture of how the whole program functions.

 *

 * This module also has primary responsibility for the layout of "scratch

 * zones."  These are mounted, but inactive, zones that are used during

 * operating system upgrade and potentially other administrative action.  The

 * scratch zone environment is similar to the miniroot environment.  The zone's

 * actual root is mounted read-write on /a, and the standard paths (/usr,

 * /sbin, /lib) all lead to read-only copies of the running system's binaries.

 * This allows the administrative tools to manipulate the zone using "-R /a"

 * without relying on any binaries in the zone itself.

 *

 * If the scratch zone is on an alternate root (Live Upgrade [LU] boot

 * environment), then we must resolve the lofs mounts used there to uncover

 * writable (unshared) resources.  Shared resources, though, are always

 * read-only.  In addition, if the "same" zone with a different root path is

 * currently running, then "/b" inside the zone points to the running zone's

 * root.  This allows LU to synchronize configuration files during the upgrade

 * process.

 *

 * To construct this environment, this module creates a tmpfs mount on

 * $ZONEPATH/lu.  Inside this scratch area, the miniroot-like environment as

 * described above is constructed on the fly.  The zone is then created using

 * $ZONEPATH/lu as the root.

 *

 * Note that scratch zones are inactive.  The zone's bits are not running and

 * likely cannot be run correctly until upgrade is done.  Init is not running

 * there, nor is SMF.  Because of this, the "mounted" state of a scratch zone

 * is not a part of the usual halt/ready/boot state machine.

 */

#include <sys/param.h>

#include <sys/mount.h>

#include <sys/mntent.h>

#include <sys/socket.h>

#include <sys/utsname.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <sys/sockio.h>

#include <sys/stropts.h>

#include <sys/conf.h>

#include <sys/systeminfo.h>

#include <libdlpi.h>

#include <libdllink.h>

#include <libdlvlan.h>

#include <inet/tcp.h>

#include <arpa/inet.h>

#include <netinet/in.h>

#include <net/route.h>

#include <stdio.h>

#include <errno.h>

#include <fcntl.h>

#include <unistd.h>

#include <rctl.h>

#include <stdlib.h>

#include <string.h>

#include <strings.h>

#include <wait.h>

#include <limits.h>

#include <libgen.h>

#include <libzfs.h>

#include <libdevinfo.h>

#include <zone.h>

#include <assert.h>

#include <libcontract.h>

#include <libcontract_priv.h>

#include <uuid/uuid.h>

#include <sys/mntio.h>

#include <sys/mnttab.h>

#include <sys/fs/autofs.h>	/* for _autofssys() */

#include <sys/fs/lofs_info.h>

#include <sys/fs/zfs.h>

#include <pool.h>

#include <sys/pool.h>

#include <sys/priocntl.h>

#include <libbrand.h>

#include <sys/brand.h>

#include <libzonecfg.h>

#include <synch.h>

#include "zoneadmd.h"

#include <tsol/label.h>

#include <libtsnet.h>

#include <sys/priv.h>

#define	V4_ADDR_LEN	32

#define	V6_ADDR_LEN	128

	MNTOPT_RO "," MNTOPT_LOFS_NOSUB "," MNTOPT_NODEVICES

#define	DFSTYPES	"/etc/dfs/fstypes"

#define	MAXTNZLEN	2048

#define	ALT_MOUNT(mount_cmd) 	((mount_cmd) != Z_MNT_BOOT)

/* a reasonable estimate for the number of lwps per process */

#define	LWPS_PER_PROCESS	10

/* for routing socket */

static int rts_seqno = 0;

/* mangled zone name when mounting in an alternate root environment */

static char kernzone[ZONENAME_MAX];

/* array of cached mount entries for resolve_lofs */

static struct mnttab *resolve_lofs_mnts, *resolve_lofs_mnt_max;

/* for Trusted Extensions */

static tsol_zcent_t *get_zone_label(zlog_t *, priv_set_t *);

static int tsol_mounts(zlog_t *, char *, char *);

static void tsol_unmounts(zlog_t *, char *);

static m_label_t *zlabel = NULL;

static m_label_t *zid_label = NULL;

static priv_set_t *zprivs = NULL;

/* from libsocket, not in any header file */

extern int getnetmaskbyaddr(struct in_addr, struct in_addr *);

/* from zoneadmd */

extern char query_hook[];

/*

 * An optimization for build_mnttable: reallocate (and potentially copy the

 * data) only once every N times through the loop.

 */

#define	MNTTAB_HUNK	32

/*

 * Private autofs system call

 */

extern int _autofssys(int, void *);

static int

autofs_cleanup(zoneid_t zoneid)

{

	/*

	 * Ask autofs to unmount all trigger nodes in the given zone.

	 */

	return (_autofssys(AUTOFS_UNMOUNTALL, (void *)zoneid));

}

static void

free_mnttable(struct mnttab *mnt_array, uint_t nelem)

{

	uint_t i;

	if (mnt_array == NULL)

		return;

	for (i = 0; i < nelem; i++) {

		free(mnt_array[i].mnt_mountp);

		free(mnt_array[i].mnt_fstype);

		free(mnt_array[i].mnt_special);

		free(mnt_array[i].mnt_mntopts);

		assert(mnt_array[i].mnt_time == NULL);

	}

	free(mnt_array);

}

/*

 * Build the mount table for the zone rooted at "zroot", storing the resulting

 * array of struct mnttabs in "mnt_arrayp" and the number of elements in the

 * array in "nelemp".

 */

static int

build_mnttable(zlog_t *zlogp, const char *zroot, size_t zrootlen, FILE *mnttab,

    struct mnttab **mnt_arrayp, uint_t *nelemp)

{

	struct mnttab mnt;

	struct mnttab *mnts;

	struct mnttab *mnp;

	uint_t nmnt;

	rewind(mnttab);

	resetmnttab(mnttab);

	nmnt = 0;

	mnts = NULL;

	while (getmntent(mnttab, &mnt) == 0) {

		struct mnttab *tmp_array;

		if (strncmp(mnt.mnt_mountp, zroot, zrootlen) != 0)

			continue;

		if (nmnt % MNTTAB_HUNK == 0) {

			tmp_array = realloc(mnts,

			    (nmnt + MNTTAB_HUNK) * sizeof (*mnts));

			if (tmp_array == NULL) {

				free_mnttable(mnts, nmnt);

				return (-1);

			}

			mnts = tmp_array;

		}

		mnp = &mnts[nmnt++];

		/*

		 * Zero out any fields we're not using.

		 */

		(void) memset(mnp, 0, sizeof (*mnp));

		if (mnt.mnt_special != NULL)

			mnp->mnt_special = strdup(mnt.mnt_special);

		if (mnt.mnt_mntopts != NULL)

			mnp->mnt_mntopts = strdup(mnt.mnt_mntopts);

		mnp->mnt_mountp = strdup(mnt.mnt_mountp);

		mnp->mnt_fstype = strdup(mnt.mnt_fstype);

		if ((mnt.mnt_special != NULL && mnp->mnt_special == NULL) ||

		    (mnt.mnt_mntopts != NULL && mnp->mnt_mntopts == NULL) ||

		    mnp->mnt_mountp == NULL || mnp->mnt_fstype == NULL) {

			zerror(zlogp, B_TRUE, "memory allocation failed");

			free_mnttable(mnts, nmnt);

			return (-1);

		}

	}

	*mnt_arrayp = mnts;

	*nelemp = nmnt;

	return (0);

}

/*

 * This is an optimization.  The resolve_lofs function is used quite frequently

 * to manipulate file paths, and on a machine with a large number of zones,

 * there will be a huge number of mounted file systems.  Thus, we trigger a

 * reread of the list of mount points

 */

static void

lofs_discard_mnttab(void)

{

	free_mnttable(resolve_lofs_mnts,

	    resolve_lofs_mnt_max - resolve_lofs_mnts);

	resolve_lofs_mnts = resolve_lofs_mnt_max = NULL;

}

static int

lofs_read_mnttab(zlog_t *zlogp)

{

	FILE *mnttab;

	uint_t nmnts;

	if ((mnttab = fopen(MNTTAB, "r")) == NULL)

		return (-1);

	if (build_mnttable(zlogp, "", 0, mnttab, &resolve_lofs_mnts,

	    &nmnts) == -1) {

		(void) fclose(mnttab);

		return (-1);

	}

	(void) fclose(mnttab);

	resolve_lofs_mnt_max = resolve_lofs_mnts + nmnts;

	return (0);

}

/*

 * This function loops over potential loopback mounts and symlinks in a given

 * path and resolves them all down to an absolute path.

 */

void

resolve_lofs(zlog_t *zlogp, char *path, size_t pathlen)

{

	int len, arlen;

	const char *altroot;

	char tmppath[MAXPATHLEN];

	boolean_t outside_altroot;

	if ((len = resolvepath(path, tmppath, sizeof (tmppath))) == -1)

		return;

	tmppath[len] = '\0';

	(void) strlcpy(path, tmppath, sizeof (tmppath));

	/* This happens once per zoneadmd operation. */

	if (resolve_lofs_mnts == NULL && lofs_read_mnttab(zlogp) == -1)

		return;

	altroot = zonecfg_get_root();

	arlen = strlen(altroot);

	outside_altroot = B_FALSE;

	for (;;) {

		struct mnttab *mnp;

		/* Search in reverse order to find longest match */

		for (mnp = resolve_lofs_mnt_max - 1; mnp >= resolve_lofs_mnts;

		    mnp--) {

			if (mnp->mnt_fstype == NULL ||

			    mnp->mnt_mountp == NULL ||

			    mnp->mnt_special == NULL)

				continue;

			len = strlen(mnp->mnt_mountp);

			if (strncmp(mnp->mnt_mountp, path, len) == 0 &&

			    (path[len] == '/' || path[len] == '\0'))

				break;

		}

		if (mnp < resolve_lofs_mnts)

			break;

		/* If it's not a lofs then we're done */

		if (strcmp(mnp->mnt_fstype, MNTTYPE_LOFS) != 0)

			break;

		if (outside_altroot) {

			char *cp;

			int olen = sizeof (MNTOPT_RO) - 1;

			/*

			 * If we run into a read-only mount outside of the

			 * alternate root environment, then the user doesn't

			 * want this path to be made read-write.

			 */

			if (mnp->mnt_mntopts != NULL &&

			    (cp = strstr(mnp->mnt_mntopts, MNTOPT_RO)) !=

			    NULL &&

			    (cp == mnp->mnt_mntopts || cp[-1] == ',') &&

			    (cp[olen] == '\0' || cp[olen] == ',')) {

				break;

			}

		} else if (arlen > 0 &&

		    (strncmp(mnp->mnt_special, altroot, arlen) != 0 ||

		    (mnp->mnt_special[arlen] != '\0' &&

		    mnp->mnt_special[arlen] != '/'))) {

			outside_altroot = B_TRUE;

		}

		/* use temporary buffer because new path might be longer */

		(void) snprintf(tmppath, sizeof (tmppath), "%s%s",

		    mnp->mnt_special, path + len);

		if ((len = resolvepath(tmppath, path, pathlen)) == -1)

			break;

		path[len] = '\0';

	}

}

/*

 * For a regular mount, check if a replacement lofs mount is needed because the

 * referenced device is already mounted somewhere.

 */

static int

check_lofs_needed(zlog_t *zlogp, struct zone_fstab *fsptr)

{

	struct mnttab *mnp;

	zone_fsopt_t *optptr, *onext;

	/* This happens once per zoneadmd operation. */

	if (resolve_lofs_mnts == NULL && lofs_read_mnttab(zlogp) == -1)

		return (-1);

	/*

	 * If this special node isn't already in use, then it's ours alone;

	 * no need to worry about conflicting mounts.

	 */

	for (mnp = resolve_lofs_mnts; mnp < resolve_lofs_mnt_max;

	    mnp++) {

		if (strcmp(mnp->mnt_special, fsptr->zone_fs_special) == 0)

			break;

	}

	if (mnp >= resolve_lofs_mnt_max)

		return (0);

	/*

	 * Convert this duplicate mount into a lofs mount.

	 */

	(void) strlcpy(fsptr->zone_fs_special, mnp->mnt_mountp,

	    sizeof (fsptr->zone_fs_special));

	(void) strlcpy(fsptr->zone_fs_type, MNTTYPE_LOFS,

	    sizeof (fsptr->zone_fs_type));

	fsptr->zone_fs_raw[0] = '\0';

	/*

	 */

	optptr = fsptr->zone_fs_options;

	if (optptr == NULL) {

		optptr = malloc(sizeof (*optptr));

		if (optptr == NULL) {

			zerror(zlogp, B_TRUE, "cannot mount %s",

			    fsptr->zone_fs_dir);

			return (-1);

		}

	} else {

		while ((onext = optptr->zone_fsopt_next) != NULL) {

			optptr->zone_fsopt_next = onext->zone_fsopt_next;

			free(onext);

		}

	}

	optptr->zone_fsopt_next = NULL;

	fsptr->zone_fs_options = optptr;

	return (0);

}

int

make_one_dir(zlog_t *zlogp, const char *prefix, const char *subdir, mode_t mode,

    uid_t userid, gid_t groupid)

{

	char path[MAXPATHLEN];

	struct stat st;

	if (snprintf(path, sizeof (path), "%s%s", prefix, subdir) >

	    sizeof (path)) {

		zerror(zlogp, B_FALSE, "pathname %s%s is too long", prefix,

		    subdir);

		return (-1);

	}

	if (lstat(path, &st) == 0) {

		/*

		 * We don't check the file mode since presumably the zone

		 * administrator may have had good reason to change the mode,

		 * and we don't need to second guess him.

		 */

		if (!S_ISDIR(st.st_mode)) {

			if (S_ISREG(st.st_mode)) {

				/*

				 * Allow readonly mounts of /etc/ files; this

				 * is needed most by Trusted Extensions.

				 */

				if (strncmp(subdir, "/etc/",

				    strlen("/etc/")) != 0) {

					zerror(zlogp, B_FALSE,

					    "%s is not in /etc", path);

					return (-1);

				}

			} else {

				zerror(zlogp, B_FALSE,

				    "%s is not a directory", path);

				return (-1);

			}

		}

		return (0);

	}

	if (mkdirp(path, mode) != 0) {

		if (errno == EROFS)

			zerror(zlogp, B_FALSE, "Could not mkdir %s.\nIt is on "

			    "a read-only file system in this local zone.\nMake "

			    "sure %s exists in the global zone.", path, subdir);

		else

			zerror(zlogp, B_TRUE, "mkdirp of %s failed", path);

		return (-1);

	}

	(void) chown(path, userid, groupid);

	return (0);

}

static void

free_remote_fstypes(char **types)

{

	uint_t i;

	if (types == NULL)

		return;

	for (i = 0; types[i] != NULL; i++)

		free(types[i]);

	free(types);

}

static char **

get_remote_fstypes(zlog_t *zlogp)

{

	char **types = NULL;

	FILE *fp;

	char buf[MAXPATHLEN];

	char fstype[MAXPATHLEN];

	uint_t lines = 0;

	uint_t i;

	if ((fp = fopen(DFSTYPES, "r")) == NULL) {

		zerror(zlogp, B_TRUE, "failed to open %s", DFSTYPES);