[master] 559ebaa SUBPROC_VCC doesn't fork, so why should it have anything in (I)nheritable?
Nils Goroll
nils.goroll at uplex.de
Mon Mar 16 13:36:32 CET 2015
commit 559ebaa070564cd79adf4d1e99f73bf1fa49de57
Author: Nils Goroll <nils.goroll at uplex.de>
Date: Fri Mar 13 20:36:20 2015 +0100
SUBPROC_VCC doesn't fork, so why should it have anything in (I)nheritable?
diff --git a/bin/varnishd/mgt/mgt_jail_solaris.c b/bin/varnishd/mgt/mgt_jail_solaris.c
index 7d618aa..6c88991 100644
--- a/bin/varnishd/mgt/mgt_jail_solaris.c
+++ b/bin/varnishd/mgt/mgt_jail_solaris.c
@@ -295,8 +295,6 @@ vjs_add_inheritable(priv_set_t *pset, enum jail_gen_e jge)
{
switch (jge) {
case JAILG_SUBPROC_VCC:
- /* for /etc/resolv.conf and /etc/hosts */
- priv_setop_assert(priv_addset(pset, "file_read"));
break;
case JAILG_SUBPROC_CC:
priv_setop_assert(priv_addset(pset, PRIV_PROC_EXEC));
@@ -323,6 +321,9 @@ vjs_add_effective(priv_set_t *pset, enum jail_gen_e jge)
{
switch (jge) {
case JAILG_SUBPROC_VCC:
+ // open vmods
+ priv_setop_assert(priv_addset(pset, "file_read"));
+ // write .c output
priv_setop_assert(priv_addset(pset, "file_write"));
break;
case JAILG_SUBPROC_CC:
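Review bot: The new comments in the `JAILG_SUBPROC_VCC` case of `vjs_add_effective` say what each privilege is used for, but not why `file_read` now sits in the effective set only, which is the least-privilege decision this commit makes. I would record that next to the code, e.g. `/* VCC does not fork: file_read (open vmods) and file_write (.c output) are needed in Effective only, nothing in Inheritable */`. Neither privilege is scoped to a path, so what the VCC subprocess can actually read or write is still decided by its uid and the file permissions; that deserves a mention in the same comment. An effective privilege must also be in the permitted set, and the code that builds the permitted set is not visible in this diff, so please confirm it still ends up containing `file_read` for this case after the removal from `vjs_add_inheritable`. The switch continues past the end of the hunk.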