[master] d50da8306 Solaris jail: manage INHERITABLE for JAIL_MASTER

Tue Jun 2 12:23:07 UTC 2020

commit d50da8306fcce5ec5cffdc525aae47698f6f3345
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Tue Jun 2 13:33:33 2020 +0200

    Solaris jail: manage INHERITABLE for JAIL_MASTER
    
    we now dynamically manage the INHERITABLE set also, which has the
    advantage of reducing the privileges available to anything we exec()
    (likely via system()) from master which is not managed through
    JAIL_SUBPROC.
    
    See next commit.

diff --git a/bin/varnishd/mgt/mgt_jail_solaris.c b/bin/varnishd/mgt/mgt_jail_solaris.c
index ec3e788b9..3a50b572e 100644
--- a/bin/varnishd/mgt/mgt_jail_solaris.c
+++ b/bin/varnishd/mgt/mgt_jail_solaris.c
@@ -288,7 +288,7 @@ vjs_add(priv_set_t *sets[VJS_NSET], unsigned mask, const char *priv)
 			priv_setop_assert(priv_addset(sets[i], priv));
 }
 
-/* add SUBPROC INHERITABLE and PERMITTED to MASTER */
+/* add SUBPROC INHERITABLE and PERMITTED to MASTER PERMITTED */
 static int
 vjs_master_rules(void)
 {
@@ -301,7 +301,7 @@ vjs_master_rules(void)
 		priv_emptyset(punion);
 		for (vj = JAIL_SUBPROC; vj < JAIL_LIMIT; vj++)
 			priv_union(vjs_sets[vj][vs], punion);
-		priv_union(punion, vjs_sets[JAIL_MASTER_ANY][vs]);
+		priv_union(punion, vjs_sets[JAIL_MASTER_ANY][VJS_PERMITTED]);
 	}
 
 	priv_freeset(punion);
@@ -347,11 +347,11 @@ vjs_init(char **args)
 
 	assert(JAIL_MASTER_ANY < JAIL_SUBPROC);
 	/* alloc privsets.
-	 * for master, anything but EFFECTIVE is shared
+	 * for master, PERMITTED and LIMIT are shared
 	 */
 	for (vj = 0; vj < JAIL_SUBPROC; vj++)
 		for (vs = 0; vs < VJS_NSET; vs++) {
-			if (vj == JAIL_MASTER_ANY || vs == VJS_EFFECTIVE) {
+			if (vj == JAIL_MASTER_ANY || vs < VJS_PERMITTED) {
 				vjs_sets[vj][vs] = vjs_alloc();
 				vjs_inverse[vj][vs] = vjs_alloc();
 			} else {
@@ -398,9 +398,6 @@ vjs_init(char **args)
 		priv_union(sets[VJS_INHERITABLE], sets[VJS_LIMIT]);
 	}
 
-	/* extend inheritable */
-	AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[JAIL_MASTER_ANY]));
-
 	/* generate inverse */
 	for (vj = 0; vj < JAIL_LIMIT; vj++)
 		for (vs = 0; vs < VJS_NSET; vs++) {
@@ -453,6 +450,7 @@ vjs_subproc(enum jail_subproc_e jse)
 {
 
 	AZ(vjs_priv_on(VJS_EFFECTIVE, vjs_sets[jse]));
+	AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[jse]));
 
 	vjs_setuid();
 	vjs_waive(jse);
@@ -465,6 +463,7 @@ vjs_master(enum jail_master_e jme)
 	assert(jme < JAIL_SUBPROC);
 
 	AZ(vjs_priv_on(VJS_EFFECTIVE, vjs_sets[jme]));
+	AZ(vjs_priv_on(VJS_INHERITABLE, vjs_sets[jme]));
 
 	vjs_waive(jme);
 }
