
[master] 900e9f393 add JAIL_MASTER_SYSTEM for system() calls from master
commit 900e9f39371639582d2f08ccc2cc9a9fbc5b70ae
Author: Nils Goroll <nils.goroll@uplex.de>
Date: Tue Jun 2 12:36:52 2020 +0200

add JAIL_MASTER_SYSTEM for system() calls from master

Also (re)used to make fork privileges available when we start a
subprocess: As we are going to apply the JAIL_SUBPROC privileges to the
forked process, having slightly elevated privileges only across the
fork() should not cause any harm.

-

This concludes the current series of Solaris jail patches, hopefully.
With this commit, varnishd started with pfexec ("root privileges") keeps
the following privileges only (ppriv -v output) on Solaris:

* master::

flags = PRIV_AWARE
E: file_read,file_write,net_access
I: none
P: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid
L: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid

notes:

E: file_read is required for basic config files like /etc/netconfig
net_access is required for CLI communication

file_write could potentially be removed if any file write
operations (e.g. writing vcl files) were wrapped with
JAIL_MASTER_FILE, but I do not consider this a relevant gain for
now.

For other master jail states, E will be momentarily expanded.

I: will be momentarily expanded for system()

P: Contains the union of all privileges used anywhere in varnish

L: Could potentially be reduced further, but P already limits

* worker::

flags = PRIV_AWARE
E: file_read,file_write,net_access
I: none
P: file_read,file_write,net_access,proc_info
L: file_read,file_write,net_access,proc_info,proc_setid

proc_setid is only used when the worker starts and then dropped

proc_info is only used by vmod_unix

diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h
index 25169384d..02a17f88a 100644
--- a/bin/varnishd/mgt/mgt.h
+++ b/bin/varnishd/mgt/mgt.h
@@ -104,6 +104,7 @@ void mgt_cli_init_cls(void);

enum jail_master_e {
JAIL_MASTER_LOW = 0,
+ JAIL_MASTER_SYSTEM,
JAIL_MASTER_FILE,
JAIL_MASTER_STORAGE,
JAIL_MASTER_PRIVPORT,
diff --git a/bin/varnishd/mgt/mgt_child.c b/bin/varnishd/mgt/mgt_child.c
index f2d90e52e..5b1b82b57 100644
--- a/bin/varnishd/mgt/mgt_child.c
+++ b/bin/varnishd/mgt/mgt_child.c
@@ -327,7 +327,9 @@ mgt_launch_child(struct cli *cli)

AN(heritage.param);
AN(heritage.panic_str);
+ VJ_master(JAIL_MASTER_SYSTEM);
if ((pid = fork()) < 0) {
+ VJ_master(JAIL_MASTER_LOW);
perror("Could not fork child");
exit(1); // XXX Harsh ?
}
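Review bot: The raise to JAIL_MASTER_SYSTEM before fork() has no comment saying why it is placed here or who drops it, and the two drop sites are split between this hunk (the fork-failure path) and the next one (the parent after the child branch). A reader of the child branch, which lies between the hunks, cannot see from the code that it runs with proc_fork/proc_exec effective until its own jail is applied. Suggest annotating the added line: `VJ_master(JAIL_MASTER_SYSTEM);	/* proc_fork is needed across fork(); the child re-jails itself, the parent drops back to LOW below */`. mgt_launch_child's body continues outside both hunks.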
@@ -389,6 +391,7 @@ mgt_launch_child(struct cli *cli)

exit(0);
}
+ VJ_master(JAIL_MASTER_LOW);
assert(pid > 1);
MGT_Complain(C_DEBUG, "Child (%jd) Started", (intmax_t)pid);
VSC_C_mgt->child_start++;
diff --git a/bin/varnishd/mgt/mgt_jail_solaris_tbl.h b/bin/varnishd/mgt/mgt_jail_solaris_tbl.h
index dfe912094..51dee41b6 100644
--- a/bin/varnishd/mgt/mgt_jail_solaris_tbl.h
+++ b/bin/varnishd/mgt/mgt_jail_solaris_tbl.h
@@ -44,14 +44,15 @@
* - INHERITABLE and PERMITTED joined from SUBPROC*
* - implicit rules from above
*/
-PRIV(MASTER_LOW, E , PRIV_PROC_EXEC) // XXX fork
-PRIV(MASTER_LOW, E , PRIV_PROC_FORK) // XXX fork
PRIV(MASTER_LOW, E , "file_write") // XXX vcl_boot
PRIV(MASTER_LOW, E , "file_read") // XXX library open
PRIV(MASTER_LOW, E , "net_access")

-PRIV(MASTER_FILE, E , PRIV_PROC_EXEC) // XXX rm -rf in shm
-PRIV(MASTER_FILE, E , PRIV_PROC_FORK) // XXX rm -rf in shm
+PRIV(MASTER_SYSTEM, E|I , PRIV_PROC_EXEC)
+PRIV(MASTER_SYSTEM, E|I , PRIV_PROC_FORK)
+PRIV(MASTER_SYSTEM, E|I , "file_read")
+PRIV(MASTER_SYSTEM, E|I , "file_write")
+
PRIV(MASTER_FILE, E , "file_read")
PRIV(MASTER_FILE, E , "file_write")

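Review bot: The new MASTER_SYSTEM rows are the only ones in the table that put privileges in the Inheritable set (E|I), yet they carry no comment, while the MASTER_LOW/MASTER_FILE rows they replace at least had `// XXX fork` / `// XXX rm -rf in shm` notes. Since I is what the shell spawned by system() and the forked subprocesses start from, that is worth stating in the table: `PRIV(MASTER_SYSTEM, E|I , PRIV_PROC_EXEC) // I: inherited by system() children and forked subprocesses`, and likewise on the file_read/file_write rows. The header comment above (`INHERITABLE and PERMITTED joined from SUBPROC*`) presumably also needs a line for MASTER_SYSTEM, but the rest of that comment is outside the hunk so I cannot confirm.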
diff --git a/bin/varnishd/mgt/mgt_shmem.c b/bin/varnishd/mgt/mgt_shmem.c
index 439c9d42c..ca08e2e10 100644
--- a/bin/varnishd/mgt/mgt_shmem.c
+++ b/bin/varnishd/mgt/mgt_shmem.c
@@ -78,6 +78,7 @@ mgt_shm_atexit(void)
VJ_master(JAIL_MASTER_FILE);
VSMW_Destroy(&mgt_vsmw);
if (!MGT_DO_DEBUG(DBG_VTC_MODE)) {
+ VJ_master(JAIL_MASTER_SYSTEM);
AZ(system("rm -rf " VSM_MGT_DIRNAME));
AZ(system("rm -rf " VSM_CHILD_DIRNAME));
}
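Review bot: mgt_shm_atexit raises to JAIL_MASTER_SYSTEM before the two system() calls but never drops back within the hunk, whereas mgt_SHM_ChildDestroy (last hunk of this file) restores JAIL_MASTER_LOW immediately after its system() call. Unless a drop follows outside the hunk, every atexit handler that runs after this one executes with proc_exec/proc_fork in the effective set. Add `VJ_master(JAIL_MASTER_LOW);` after the second `AZ(system("rm -rf " VSM_CHILD_DIRNAME));` inside the if-block, matching the ChildDestroy pattern. mgt_shm_atexit's body continues past the hunk.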
@@ -93,8 +94,9 @@ mgt_SHM_Init(void)
{
int fd;

- VJ_master(JAIL_MASTER_FILE);
+ VJ_master(JAIL_MASTER_SYSTEM);
AZ(system("rm -rf " VSM_MGT_DIRNAME));
+ VJ_master(JAIL_MASTER_FILE);
AZ(mkdir(VSM_MGT_DIRNAME, 0755));
fd = open(VSM_MGT_DIRNAME, O_RDONLY);
VJ_fix_fd(fd, JAIL_FIXFD_VSMMGT);
@@ -112,8 +114,9 @@ void
mgt_SHM_ChildNew(void)
{

- VJ_master(JAIL_MASTER_FILE);
+ VJ_master(JAIL_MASTER_SYSTEM);
AZ(system("rm -rf " VSM_CHILD_DIRNAME));
+ VJ_master(JAIL_MASTER_FILE);
AZ(mkdir(VSM_CHILD_DIRNAME, 0750));

heritage.vsm_fd = open(VSM_CHILD_DIRNAME, O_RDONLY);
@@ -140,7 +143,7 @@ mgt_SHM_ChildDestroy(void)

closefd(&heritage.vsm_fd);
if (!MGT_DO_DEBUG(DBG_VTC_MODE)) {
- VJ_master(JAIL_MASTER_FILE);
+ VJ_master(JAIL_MASTER_SYSTEM);
AZ(system("rm -rf " VSM_CHILD_DIRNAME));
VJ_master(JAIL_MASTER_LOW);
}
diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c
index 1d1d86d58..0b85cbd93 100644
--- a/bin/varnishd/mgt/mgt_vcc.c
+++ b/bin/varnishd/mgt/mgt_vcc.c
@@ -229,7 +229,9 @@ mgt_vcc_compile(struct vcc_priv *vp, struct vsb *sb, int C_flag)
if (mgt_vcc_touchfile(VSB_data(vp->libfile), sb))
return (2);

+ VJ_master(JAIL_MASTER_SYSTEM);
subs = VSUB_run(sb, run_vcc, vp, "VCC-compiler", -1);
+ VJ_master(JAIL_MASTER_LOW);
if (subs)
return (subs);

@@ -247,11 +249,15 @@ mgt_vcc_compile(struct vcc_priv *vp, struct vsb *sb, int C_flag)
free(csrc);
}

+ VJ_master(JAIL_MASTER_SYSTEM);
subs = VSUB_run(sb, run_cc, vp, "C-compiler", 10);
+ VJ_master(JAIL_MASTER_LOW);
if (subs)
return (subs);

+ VJ_master(JAIL_MASTER_SYSTEM);
subs = VSUB_run(sb, run_dlopen, vp, "dlopen", 10);
+ VJ_master(JAIL_MASTER_LOW);
return (subs);
}
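Review bot: The same three-line raise/run/drop bracket around VSUB_run now appears three times in mgt_vcc_compile (VCC-compiler, C-compiler, dlopen), with early returns in between; any future early return placed between a raise and its drop would leave the master at JAIL_MASTER_SYSTEM. A small static wrapper that owns the bracket makes that impossible by construction and reduces the body to three calls. The wrapper's callback parameter should use whatever type VSUB_run's second parameter has; the sketch below assumes a plain `void (*)(void *)`, which I cannot confirm from the hunk.
```c
/* Bracket a subprocess run with the privileges fork()/exec() need on
 * Solaris, so no early return in mgt_vcc_compile can leave them raised. */
static int
mgt_vcc_run(struct vsb *sb, void (*func)(void *), struct vcc_priv *vp,
    const char *name, int maxlines)
{
	int subs;

	VJ_master(JAIL_MASTER_SYSTEM);
	subs = VSUB_run(sb, func, vp, name, maxlines);
	VJ_master(JAIL_MASTER_LOW);
	return (subs);
}

/* … unchanged: mgt_vcc_compile up to the touchfile check … */
	subs = mgt_vcc_run(sb, run_vcc, vp, "VCC-compiler", -1);
	if (subs)
		return (subs);
/* … unchanged: C source handling … */
	subs = mgt_vcc_run(sb, run_cc, vp, "C-compiler", 10);
	if (subs)
		return (subs);

	return (mgt_vcc_run(sb, run_dlopen, vp, "dlopen", 10));
```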
