manifest_hash.c revision 7475:9a5f7406e094 
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25
26
27#include <sys/stat.h>
28#include <sys/types.h>
29
30#include <assert.h>
31#include <ctype.h>
32#include <errno.h>
33#include <fcntl.h>
34#include <libintl.h>
35#include <libscf.h>
36#include <libuutil.h>
37#include <limits.h>
38#include <md5.h>
39#include <pthread.h>
40#include <stdio.h>
41#include <stdlib.h>
42#include <string.h>
43#include <strings.h>
44#include <unistd.h>
45
46#include <manifest_hash.h>
47
48/*
49 * Translate a file name to property name.  Return an allocated string or NULL
50 * if realpath() fails. If deathrow is true, realpath() is skipped. This
51 * allows to return the property name even if the file doesn't exist.
52 */
53char *
54mhash_filename_to_propname(const char *in, boolean_t deathrow)
55{
56	char *out, *cp, *base;
57	size_t len, piece_len;
58
59	out = uu_zalloc(PATH_MAX + 1);
60	if (deathrow) {
61		/* used only for service deathrow handling */
62		if (strlcpy(out, in, PATH_MAX + 1) >= (PATH_MAX + 1)) {
63			uu_free(out);
64			return (NULL);
65		}
66	} else {
67		if (realpath(in, out) == NULL) {
68			uu_free(out);
69			return (NULL);
70		}
71	}
72
73	base = getenv("PKG_INSTALL_ROOT");
74
75	/*
76	 * We copy-shift over the basedir and the leading slash, since it's
77	 * not relevant to when we boot with this repository.
78	 */
79
80	cp = out + ((base != NULL)? strlen(base) : 0);
81	if (*cp == '/')
82		cp++;
83	(void) memmove(out, cp, strlen(cp) + 1);
84
85	len = strlen(out);
86	if (len > scf_limit(SCF_LIMIT_MAX_NAME_LENGTH)) {
87		/* Use the first half and the second half. */
88		piece_len = (scf_limit(SCF_LIMIT_MAX_NAME_LENGTH) - 3) / 2;
89
90		(void) strncpy(out + piece_len, "__", 2);
91
92		(void) memmove(out + piece_len + 2, out + (len - piece_len),
93		    piece_len + 1);
94	}
95
96	/*
97	 * Translate non-property characters to '_', first making sure that
98	 * we don't begin with '_'.
99	 */
100
101	if (!isalpha(*out))
102		*out = 'A';
103
104	for (cp = out + 1; *cp != '\0'; ++cp) {
105		if (!(isalnum(*cp) || *cp == '_' || *cp == '-'))
106			*cp = '_';
107	}
108
109	return (out);
110}
111
112int
113mhash_retrieve_entry(scf_handle_t *hndl, const char *name, uchar_t *hash)
114{
115	scf_scope_t *scope;
116	scf_service_t *svc;
117	scf_propertygroup_t *pg;
118	scf_property_t *prop;
119	scf_value_t *val;
120	ssize_t szret;
121	int result = 0;
122
123	/*
124	 * In this implementation the hash for name is the opaque value of
125	 * svc:/MHASH_SVC/:properties/name/MHASH_PROP
126	 */
127
128	if ((scope = scf_scope_create(hndl)) == NULL ||
129	    (svc = scf_service_create(hndl)) == NULL ||
130	    (pg = scf_pg_create(hndl)) == NULL ||
131	    (prop = scf_property_create(hndl)) == NULL ||
132	    (val = scf_value_create(hndl)) == NULL) {
133		result = -1;
134		goto out;
135	}
136
137	if (scf_handle_get_local_scope(hndl, scope) < 0) {
138		result = -1;
139		goto out;
140	}
141
142	if (scf_scope_get_service(scope, MHASH_SVC, svc) < 0) {
143		result = -1;
144		goto out;
145	}
146
147	if (scf_service_get_pg(svc, name, pg) != SCF_SUCCESS) {
148		result = -1;
149		goto out;
150	}
151
152	if (scf_pg_get_property(pg, MHASH_PROP, prop) != SCF_SUCCESS) {
153		result = -1;
154		goto out;
155	}
156
157	if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
158		result = -1;
159		goto out;
160	}
161
162	szret = scf_value_get_opaque(val, hash, MHASH_SIZE);
163	if (szret < 0) {
164		result = -1;
165		goto out;
166	}
167
168	/*
169	 * Make sure that the old hash is returned with
170	 * remainder of the bytes zeroed.
171	 */
172	if (szret == MHASH_SIZE_OLD) {
173		(void) memset(hash + MHASH_SIZE_OLD, 0,
174		    MHASH_SIZE - MHASH_SIZE_OLD);
175	} else if (szret != MHASH_SIZE) {
176		scf_value_destroy(val);
177		result = -1;
178		goto out;
179	}
180
181out:
182	(void) scf_value_destroy(val);
183	scf_property_destroy(prop);
184	scf_pg_destroy(pg);
185	scf_service_destroy(svc);
186	scf_scope_destroy(scope);
187
188	return (result);
189}
190
191int
192mhash_store_entry(scf_handle_t *hndl, const char *name, uchar_t *hash,
193    char **errstr)
194{
195	scf_scope_t *scope = NULL;
196	scf_service_t *svc = NULL;
197	scf_propertygroup_t *pg = NULL;
198	scf_property_t *prop = NULL;
199	scf_value_t *val = NULL;
200	scf_transaction_t *tx = NULL;
201	scf_transaction_entry_t *e = NULL;
202	int ret, result = 0;
203
204	int i;
205
206	if ((scope = scf_scope_create(hndl)) == NULL ||
207	    (svc = scf_service_create(hndl)) == NULL ||
208	    (pg = scf_pg_create(hndl)) == NULL ||
209	    (prop = scf_property_create(hndl)) == NULL) {
210		if (errstr != NULL)
211			*errstr = gettext("Could not create scf objects");
212		result = -1;
213		goto out;
214	}
215
216	if (scf_handle_get_local_scope(hndl, scope) != SCF_SUCCESS) {
217		if (errstr != NULL)
218			*errstr = gettext("Could not get local scope");
219		result = -1;
220		goto out;
221	}
222
223	for (i = 0; i < 5; ++i) {
224		scf_error_t err;
225
226		if (scf_scope_get_service(scope, MHASH_SVC, svc) ==
227		    SCF_SUCCESS)
228			break;
229
230		if (scf_error() != SCF_ERROR_NOT_FOUND) {
231			if (errstr != NULL)
232				*errstr = gettext("Could not get manifest hash "
233				    "service");
234			result = -1;
235			goto out;
236		}
237
238		if (scf_scope_add_service(scope, MHASH_SVC, svc) ==
239		    SCF_SUCCESS)
240			break;
241
242		err = scf_error();
243
244		if (err == SCF_ERROR_EXISTS)
245			/* Try again. */
246			continue;
247		else if (err == SCF_ERROR_PERMISSION_DENIED) {
248			if (errstr != NULL)
249				*errstr = gettext("Could not store file hash: "
250				    "permission denied.\n");
251			result = -1;
252			goto out;
253		}
254
255		if (errstr != NULL)
256			*errstr = gettext("Could not add manifest hash "
257			    "service");
258		result = -1;
259		goto out;
260	}
261
262	if (i == 5) {
263		if (errstr != NULL)
264			*errstr = gettext("Could not store file hash: "
265			    "service addition contention.\n");
266		result = -1;
267		goto out;
268	}
269
270	for (i = 0; i < 5; ++i) {
271		scf_error_t err;
272
273		if (scf_service_get_pg(svc, name, pg) == SCF_SUCCESS)
274			break;
275
276		if (scf_error() != SCF_ERROR_NOT_FOUND) {
277			if (errstr != NULL)
278				*errstr = gettext("Could not get service's "
279				    "hash record)");
280			result = -1;
281			goto out;
282		}
283
284		if (scf_service_add_pg(svc, name, MHASH_PG_TYPE,
285		    MHASH_PG_FLAGS, pg) == SCF_SUCCESS)
286			break;
287
288		err = scf_error();
289
290		if (err == SCF_ERROR_EXISTS)
291			/* Try again. */
292			continue;
293		else if (err == SCF_ERROR_PERMISSION_DENIED) {
294			if (errstr != NULL)
295				*errstr = gettext("Could not store file hash: "
296				    "permission denied.\n");
297			result = -1;
298			goto out;
299		}
300
301		if (errstr != NULL)
302			*errstr = gettext("Could not store file hash");
303		result = -1;
304		goto out;
305	}
306	if (i == 5) {
307		if (errstr != NULL)
308			*errstr = gettext("Could not store file hash: "
309			    "property group addition contention.\n");
310		result = -1;
311		goto out;
312	}
313
314	if ((e = scf_entry_create(hndl)) == NULL ||
315	    (val = scf_value_create(hndl)) == NULL) {
316		if (errstr != NULL)
317			*errstr = gettext("Could not store file hash: "
318			    "permission denied.\n");
319		result = -1;
320		goto out;
321	}
322
323	ret = scf_value_set_opaque(val, hash, MHASH_SIZE);
324	assert(ret == SCF_SUCCESS);
325
326	tx = scf_transaction_create(hndl);
327	if (tx == NULL) {
328		if (errstr != NULL)
329			*errstr = gettext("Could not create transaction");
330		result = -1;
331		goto out;
332	}
333
334	do {
335		if (scf_pg_update(pg) == -1) {
336			if (errstr != NULL)
337				*errstr = gettext("Could not update hash "
338				    "entry");
339			result = -1;
340			goto out;
341		}
342		if (scf_transaction_start(tx, pg) != SCF_SUCCESS) {
343			if (scf_error() != SCF_ERROR_PERMISSION_DENIED) {
344				if (errstr != NULL)
345					*errstr = gettext("Could not start "
346					    "hash transaction.\n");
347				result = -1;
348				goto out;
349			}
350
351			if (errstr != NULL)
352				*errstr = gettext("Could not store file hash: "
353				    "permission denied.\n");
354			result = -1;
355
356			scf_transaction_destroy(tx);
357			(void) scf_entry_destroy(e);
358			goto out;
359		}
360
361		if (scf_transaction_property_new(tx, e, MHASH_PROP,
362		    SCF_TYPE_OPAQUE) != SCF_SUCCESS &&
363		    scf_transaction_property_change_type(tx, e, MHASH_PROP,
364		    SCF_TYPE_OPAQUE) != SCF_SUCCESS) {
365			if (errstr != NULL)
366				*errstr = gettext("Could not modify hash "
367				    "entry");
368			result = -1;
369			goto out;
370		}
371
372		ret = scf_entry_add_value(e, val);
373		assert(ret == SCF_SUCCESS);
374
375		ret = scf_transaction_commit(tx);
376
377		if (ret == 0)
378			scf_transaction_reset(tx);
379	} while (ret == 0);
380
381	if (ret < 0) {
382		if (scf_error() != SCF_ERROR_PERMISSION_DENIED) {
383			if (errstr != NULL)
384				*errstr = gettext("Could not store file hash: "
385				    "permission denied.\n");
386			result = -1;
387			goto out;
388		}
389
390		if (errstr != NULL)
391			*errstr = gettext("Could not commit transaction");
392		result = -1;
393	}
394
395	scf_transaction_destroy(tx);
396	(void) scf_entry_destroy(e);
397
398out:
399	(void) scf_value_destroy(val);
400	scf_property_destroy(prop);
401	scf_pg_destroy(pg);
402	scf_service_destroy(svc);
403	scf_scope_destroy(scope);
404
405	return (result);
406}
407
408/*
409 * Generate the md5 hash of a file; manifest files are smallish
410 * so we can read them in one gulp.
411 */
412static int
413md5_hash_file(const char *file, off64_t sz, uchar_t *hash)
414{
415	char *buf;
416	int fd;
417	ssize_t res;
418	int ret;
419
420	fd = open(file, O_RDONLY);
421	if (fd < 0)
422		return (-1);
423
424	buf = malloc(sz);
425	if (buf == NULL) {
426		(void) close(fd);
427		return (-1);
428	}
429
430	res = read(fd, buf, (size_t)sz);
431
432	(void) close(fd);
433
434	if (res == sz) {
435		ret = 0;
436		md5_calc(hash, (uchar_t *)buf, (unsigned int) sz);
437	} else {
438		ret = -1;
439	}
440
441	free(buf);
442	return (ret);
443}
444
445/*
446 * int mhash_test_file(scf_handle_t *, const char *, uint_t, char **, uchar_t *)
447 *   Test the given filename against the hashed metadata in the repository.
448 *   The behaviours for import and apply are slightly different.  For imports,
449 *   if the hash value is absent or different, then the import operation
450 *   continues.  For profile application, the operation continues only if the
451 *   hash value for the file is absent.
452 *
453 *   We keep two hashes: one which can be quickly test: the metadata hash,
454 *   and one which is more expensive to test: the file contents hash.
455 *
456 *   If either hash matches, the file does not need to be re-read.
457 *   If only one of the hashes matches, a side effect of this function
458 *   is to store the newly computed hash.
459 *   If neither hash matches, the hash computed for the new file is returned
460 *   and not stored.
461 *
462 *   Return values:
463 *	MHASH_NEWFILE	- the file no longer matches the hash or no hash existed
464 *			  ONLY in this case we return the new file's hash.
465 *	MHASH_FAILURE	- an internal error occurred, or the file was not found.
466 *	MHASH_RECONCILED- based on the metadata/file hash, the file does
467 *			  not need to be re-read; if necessary,
468 *			  the hash was upgraded or reconciled.
469 *
470 * NOTE: no hash is returned UNLESS MHASH_NEWFILE is returned.
471 */
472int
473mhash_test_file(scf_handle_t *hndl, const char *file, uint_t is_profile,
474    char **pnamep, uchar_t *hashbuf)
475{
476	boolean_t do_hash;
477	struct stat64 st;
478	char *cp;
479	char *data;
480	uchar_t stored_hash[MHASH_SIZE];
481	uchar_t hash[MHASH_SIZE];
482	char *pname;
483	int ret;
484	int hashash;
485	int metahashok = 0;
486
487	/*
488	 * In the case where we are doing automated imports, we reduce the UID,
489	 * the GID, the size, and the mtime into a string (to eliminate
490	 * endianness) which we then make opaque as a single MD5 digest.
491	 *
492	 * The previous hash was composed of the inode number, the UID, the file
493	 * size, and the mtime.  This formulation was found to be insufficiently
494	 * portable for use in highly replicated deployments.  The current
495	 * algorithm will allow matches of this "v1" hash, but always returns
496	 * the effective "v2" hash, such that updates result in the more
497	 * portable hash being used.
498	 *
499	 * An unwanted side effect of a hash based solely on the file
500	 * meta data is the fact that we pay no attention to the contents
501	 * which may remain the same despite meta data changes.  This happens
502	 * with (live) upgrades.  We extend the V2 hash with an additional
503	 * digest of the file contents and the code retrieving the hash
504	 * from the repository zero fills the remainder so we can detect
505	 * it is missing.
506	 *
507	 * If the the V2 digest matches, we check for the presence of
508	 * the contents digest and compute and store it if missing.
509	 *
510	 * If the V2 digest doesn't match but we also have a non-zero
511	 * file hash, we match the file content digest.  If it matches,
512	 * we compute and store the new complete hash so that later
513	 * checks will find the meta data digest correct.
514	 *
515	 * If the above matches fail and the V1 hash doesn't match either,
516	 * we consider the test to have failed, implying that some aspect
517	 * of the manifest has changed.
518	 */
519
520	cp = getenv("SVCCFG_CHECKHASH");
521	do_hash = (cp != NULL && *cp != '\0');
522	if (!do_hash) {
523		if (pnamep != NULL)
524			*pnamep = NULL;
525		return (MHASH_NEWFILE);
526	}
527
528	pname = mhash_filename_to_propname(file, B_FALSE);
529	if (pname == NULL)
530		return (MHASH_FAILURE);
531
532	hashash = mhash_retrieve_entry(hndl, pname, stored_hash) == 0;
533
534	/* Never reread a profile. */
535	if (hashash && is_profile) {
536		uu_free(pname);
537		return (MHASH_RECONCILED);
538	}
539
540	/*
541	 * No hash and not interested in one, then don't bother computing it.
542	 * We also skip returning the property name in that case.
543	 */
544	if (!hashash && hashbuf == NULL) {
545		uu_free(pname);
546		return (MHASH_NEWFILE);
547	}
548
549	do {
550		ret = stat64(file, &st);
551	} while (ret < 0 && errno == EINTR);
552	if (ret < 0) {
553		uu_free(pname);
554		return (MHASH_FAILURE);
555	}
556
557	data = uu_msprintf(MHASH_FORMAT_V2, st.st_uid, st.st_gid,
558	    st.st_size, st.st_mtime);
559	if (data == NULL) {
560		uu_free(pname);
561		return (MHASH_FAILURE);
562	}
563
564	(void) memset(hash, 0, MHASH_SIZE);
565	md5_calc(hash, (uchar_t *)data, strlen(data));
566
567	uu_free(data);
568
569	/*
570	 * Verify the meta data hash.
571	 */
572	if (hashash && memcmp(hash, stored_hash, MD5_DIGEST_LENGTH) == 0) {
573		int i;
574
575		metahashok = 1;
576		/*
577		 * The metadata hash matches; now we see if there was a
578		 * content hash; if not, we will continue on and compute and
579		 * store the updated hash.
580		 * If there was no content hash, mhash_retrieve_entry()
581		 * will have zero filled it.
582		 */
583		for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
584			if (stored_hash[MD5_DIGEST_LENGTH+i] != 0) {
585				uu_free(pname);
586				return (MHASH_RECONCILED);
587			}
588		}
589	}
590
591	/*
592	 * Compute the file hash as we can no longer avoid having to know it.
593	 * Note: from this point on "hash" contains the full, current, hash.
594	 */
595	if (md5_hash_file(file, st.st_size, &hash[MHASH_SIZE_OLD]) != 0) {
596		uu_free(pname);
597		return (MHASH_FAILURE);
598	}
599	if (hashash) {
600		uchar_t hash_v1[MHASH_SIZE_OLD];
601
602		if (metahashok ||
603		    memcmp(&hash[MHASH_SIZE_OLD], &stored_hash[MHASH_SIZE_OLD],
604		    MD5_DIGEST_LENGTH) == 0) {
605
606			/*
607			 * Reconcile entry: we get here when either the
608			 * meta data hash matches or the content hash matches;
609			 * we then update the database with the complete
610			 * new hash so we can be a bit quicker next time.
611			 */
612			(void) mhash_store_entry(hndl, pname, hash, NULL);
613			uu_free(pname);
614			return (MHASH_RECONCILED);
615		}
616
617		/*
618		 * No match on V2 hash or file content; compare V1 hash.
619		 */
620		data = uu_msprintf(MHASH_FORMAT_V1, st.st_ino, st.st_uid,
621		    st.st_size, st.st_mtime);
622		if (data == NULL) {
623			uu_free(pname);
624			return (MHASH_FAILURE);
625		}
626
627		md5_calc(hash_v1, (uchar_t *)data, strlen(data));
628
629		uu_free(data);
630
631		if (memcmp(hash_v1, stored_hash, MD5_DIGEST_LENGTH) == 0) {
632			/*
633			 * Update the new entry so we don't have to go through
634			 * all this trouble next time.
635			 */
636			(void) mhash_store_entry(hndl, pname, hash, NULL);
637			uu_free(pname);
638			return (MHASH_RECONCILED);
639		}
640	}
641
642	if (pnamep != NULL)
643		*pnamep = pname;
644	else
645		uu_free(pname);
646
647	if (hashbuf != NULL)
648		(void) memcpy(hashbuf, hash, MHASH_SIZE);
649
650	return (MHASH_NEWFILE);
651}
652