
[master] d50da8306 Solaris jail: manage INHERITABLE for JAIL_MASTER
commit d50da8306fcce5ec5cffdc525aae47698f6f3345
Author: Nils Goroll <nils.goroll@uplex.de>
Date: Tue Jun 2 13:33:33 2020 +0200

Solaris jail: manage INHERITABLE for JAIL_MASTER

We now also manage the INHERITABLE set dynamically. This has the
advantage of reducing the privileges available to anything we exec()
(likely via system()) from the master process that is not managed
through JAIL_SUBPROC.

See next commit.

diff --git a/bin/varnishd/mgt/mgt_jail_solaris.c b/bin/varnishd/mgt/mgt_jail_solaris.c
index ec3e788b9..3a50b572e 100644
--- a/bin/varnishd/mgt/mgt_jail_solaris.c
+++ b/bin/varnishd/mgt/mgt_jail_solaris.c
@@ -288,7 +288,7 @@ vjs_add(priv_set_t *sets[VJS_NSET], unsigned mask, const char *priv)
priv_setop_assert(priv_addset(sets[i], priv));
}

-/* add SUBPROC INHERITABLE and PERMITTED to MASTER */
+/* add SUBPROC INHERITABLE and PERMITTED to MASTER PERMITTED */
static int
vjs_master_rules(void)
{
@@ -301,7 +301,7 @@ vjs_master_rules(void)
priv_emptyset(punion);
for (vj = JAIL_SUBPROC; vj < JAIL_LIMIT; vj++)
priv_union(vjs_sets[vj][vs], punion);
- priv_union(punion, vjs_sets[JAIL_MASTER_ANY][vs]);
+ priv_union(punion, vjs_sets[JAIL_MASTER_ANY][VJS_PERMITTED]);
}

priv_freeset(punion);
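Review bot: In the changed `priv_union(punion, vjs_sets[JAIL_MASTER_ANY][VJS_PERMITTED]);` the source sets are still indexed by `vs` while the destination is now fixed, which reads like a typo unless the reason is stated. The updated function comment says what happens; a short why inside the loop would help, e.g. `/* master only needs these in P; I is switched on per level at transition time */`. That wording is inferred from the other hunks of this commit, and the loop over `vs` starts outside the hunk, so it should be checked against the full function.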
@@ -347,11 +347,11 @@ vjs_init(char **args)

assert(JAIL_MASTER_ANY < JAIL_SUBPROC);
/* alloc privsets.
- * for master, anything but EFFECTIVE is shared
+ * for master, PERMITTED and LIMIT are shared
*/
for (vj = 0; vj < JAIL_SUBPROC; vj++)
for (vs = 0; vs < VJS_NSET; vs++) {
- if (vj == JAIL_MASTER_ANY || vs == VJS_EFFECTIVE) {
+ if (vj == JAIL_MASTER_ANY || vs < VJS_PERMITTED) {
vjs_sets[vj][vs] = vjs_alloc();
vjs_inverse[vj][vs] = vjs_alloc();
} else {
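Review bot: The new condition `vs < VJS_PERMITTED` silently depends on the numeric order of the VJS_* set indices: EFFECTIVE and INHERITABLE must both sort below PERMITTED, and LIMIT must not, or master levels will share (or fail to share) the wrong privilege sets. Those definitions are outside the hunk, so the order cannot be checked here. The function already guards a similar assumption with `assert(JAIL_MASTER_ANY < JAIL_SUBPROC);`; adding `assert(VJS_EFFECTIVE < VJS_PERMITTED && VJS_INHERITABLE < VJS_PERMITTED && VJS_PERMITTED < VJS_LIMIT);` next to it would make the dependency explicit. vjs_init continues past the end of the hunk.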
@@ -398,9 +398,6 @@ vjs_init(char **args)
priv_union(sets[VJS_INHERITABLE], sets[VJS_LIMIT]);
}

- /* extend inheritable */
- AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[JAIL_MASTER_ANY]));
-
/* generate inverse */
for (vj = 0; vj < JAIL_LIMIT; vj++)
for (vs = 0; vs < VJS_NSET; vs++) {
@@ -453,6 +450,7 @@ vjs_subproc(enum jail_subproc_e jse)
{

AZ(vjs_priv_on(VJS_EFFECTIVE, vjs_sets[jse]));
+ AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[jse]));

vjs_setuid();
vjs_waive(jse);
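Review bot: The added `AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[jse]));` in vjs_subproc(), and the matching line in vjs_master() in the next hunk, by its name only switches privileges on. The reduction promised in the commit message therefore has to come from the vjs_waive() call that follows, whose body is not in this diff. Since the Solaris inheritable set is what an exec()ed program starts with, it is worth confirming that vjs_waive() drops the inverse set for INHERITABLE as well as EFFECTIVE, and saying so at the call site, e.g. `/* I is what exec()ed children get: enable this level's set, vjs_waive() removes the rest */`. Both functions start outside their hunks.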
@@ -465,6 +463,7 @@ vjs_master(enum jail_master_e jme)
assert(jme < JAIL_SUBPROC);

AZ(vjs_priv_on(VJS_EFFECTIVE, vjs_sets[jme]));
+ AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[jme]));

vjs_waive(jme);
}