[master] 15330c9 Make the sandbox interface more modular and tell the implementation which subprocess we are locking down.

Poul-Henning Kamp phk at varnish-cache.org
Mon Jul 30 17:07:13 CEST 2012


commit 15330c9023befc6653bec269eabb0576b61732cf
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Mon Jul 30 15:05:25 2012 +0000

    Make the sandbox interface more modular and tell the implementation
    which subprocess we are locking down.
    
    Inspired by Geoff's patch for Solaris, but does not solve the
    Solaris problem, only makes it easier to fix.

diff --git a/bin/varnishd/cache/cache_session.c b/bin/varnishd/cache/cache_session.c
index 6478a00..a521f6f 100644
--- a/bin/varnishd/cache/cache_session.c
+++ b/bin/varnishd/cache/cache_session.c
@@ -179,7 +179,7 @@ ses_sess_pool_task(struct worker *wrk, void *arg)
  * VSL comes before anything else for this session.
  *
  * This is a separate procedure only to isolate the two stack buffers.
- * 
+ *
  */
 
 static void
diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h
index 512c6dc..905fbcc 100644
--- a/bin/varnishd/mgt/mgt.h
+++ b/bin/varnishd/mgt/mgt.h
@@ -74,13 +74,19 @@ void MCF_DumpRstParam(void);
 extern struct params mgt_param;
 
 /* mgt_sandbox.c */
-void mgt_sandbox(void);
+enum sandbox_e {
+	SANDBOX_VCC = 1,
+	SANDBOX_CC = 2,
+	SANDBOX_VCLLOAD = 3,
+	SANDBOX_WORKER = 4,
+};
+
+typedef void mgt_sandbox_f(enum sandbox_e);
+extern mgt_sandbox_f *mgt_sandbox;
 
 /* mgt_sandbox_solaris.c */
 #ifdef HAVE_SETPPRIV
-void mgt_sandbox_solaris_init(void);
-void mgt_sandbox_solaris_fini(void);
-void mgt_sandbox_solaris_privsep(void);
+mgt_sandbox_f mgt_sandbox_solaris;
 #endif
 
 /* mgt_shmem.c */
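Review bot: `extern mgt_sandbox_f *mgt_sandbox;` declares the privilege-dropping entry point as a writable global function pointer, so any code in the manager could repoint it after startup and the sandbox step would be skipped without a trace. Because the implementation is chosen entirely at compile time by the `#ifdef` chain in mgt_sandbox.c, nothing needs the pointer to be mutable; `extern mgt_sandbox_f *const mgt_sandbox;` here, with the matching `const` on the definition, closes that off. A one-line comment on `enum sandbox_e` saying the value identifies which subprocess is being locked down (and that the unix and linux implementations in this commit currently ignore it via `(void)who;`) would also help readers of the header.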
diff --git a/bin/varnishd/mgt/mgt_child.c b/bin/varnishd/mgt/mgt_child.c
index 8661b73..c869897 100644
--- a/bin/varnishd/mgt/mgt_child.c
+++ b/bin/varnishd/mgt/mgt_child.c
@@ -338,7 +338,7 @@ start_child(struct cli *cli)
 		(void)signal(SIGINT, SIG_DFL);
 		(void)signal(SIGTERM, SIG_DFL);
 
-		mgt_sandbox();
+		mgt_sandbox(SANDBOX_WORKER);
 
 		child_main();
 
diff --git a/bin/varnishd/mgt/mgt_sandbox.c b/bin/varnishd/mgt/mgt_sandbox.c
index 3cd1d98..bf9802f 100644
--- a/bin/varnishd/mgt/mgt_sandbox.c
+++ b/bin/varnishd/mgt/mgt_sandbox.c
@@ -59,32 +59,41 @@
 
 /* Waive all privileges in the child, it does not need any */
 
-void
-mgt_sandbox(void)
+static void __match_proto__(mgt_sandbox_f)
+mgt_sandbox_unix(enum sandbox_e who)
 {
-#ifdef HAVE_SETPPRIV
-	mgt_sandbox_solaris_init();
-	mgt_sandbox_solaris_privsep();
-#else
+	(void)who;
 	if (geteuid() == 0) {
 		XXXAZ(setgid(mgt_param.gid));
 		XXXAZ(setuid(mgt_param.uid));
 	} else {
 		REPORT0(LOG_INFO, "Not running as root, no priv-sep");
 	}
-#endif
+}
 
-	/* On Linux >= 2.4, you need to set the dumpable flag
-	   to get core dumps after you have done a setuid. */
+/*--------------------------------------------------------------------*/
 
 #ifdef __linux__
-	if (prctl(PR_SET_DUMPABLE, 1) != 0)
+static void __match_proto__(mgt_sandbox_f)
+mgt_sandbox_linux(enum sandbox_e who)
+{
+	mgt_sandbox_unix(who);
+
+	if (prctl(PR_SET_DUMPABLE, 1) != 0) {
 		REPORT0(LOG_INFO,
 		    "Could not set dumpable bit.  Core dumps turned off\n");
+	}
+}
 #endif
 
-#ifdef HAVE_SETPPRIV
-	mgt_sandbox_solaris_fini();
-#endif
 
-}
+/*--------------------------------------------------------------------*/
+
+mgt_sandbox_f *mgt_sandbox =
+#ifdef HAVE_SETPRIV
+	mgt_sandbox_solaris;
+#elif defined (__linux__)
+	mgt_sandbox_linux;
+#else
+	mgt_sandbox_unix;
+#endif
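Review bot: The selector at the end of the hunk tests `HAVE_SETPRIV`, but the header and the removed code both use `HAVE_SETPPRIV` (two P's), so on a Solaris build that macro is never defined and `mgt_sandbox` resolves to `mgt_sandbox_unix` rather than `mgt_sandbox_solaris`; the Solaris privilege sandbox would then silently never run, and the only visible sign would be the info-level log line. The fix is `#ifdef HAVE_SETPPRIV`. Separately, as far as this hunk shows, `mgt_sandbox_unix` drops to `mgt_param.uid` with only `setgid()` and `setuid()`, without clearing supplementary groups first, so groups inherited from the root manager survive into the child; that is pre-existing behaviour, but now that this function is the shared base for every platform a marker such as `/* TODO: clear supplementary groups (setgroups) before setgid/setuid */` above the `if (geteuid() == 0)` line would keep it from being forgotten.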
diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c
index 6f4642d..f7f199a 100644
--- a/bin/varnishd/mgt/mgt_vcc.c
+++ b/bin/varnishd/mgt/mgt_vcc.c
@@ -137,7 +137,7 @@ run_vcc(void *priv)
 	int fd, i, l;
 
 	CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC);
-	mgt_sandbox();
+	mgt_sandbox(SANDBOX_VCC);
 	sb = VSB_new_auto();
 	XXXAN(sb);
 	VCC_VCL_dir(vcc, mgt_vcl_dir);
@@ -176,7 +176,7 @@ run_vcc(void *priv)
 static void
 run_cc(void *priv)
 {
-	mgt_sandbox();
+	mgt_sandbox(SANDBOX_CC);
 	(void)execl("/bin/sh", "/bin/sh", "-c", priv, NULL);
 }
 
@@ -193,7 +193,7 @@ run_dlopen(void *priv)
 
 	of = priv;
 
-	mgt_sandbox();
+	mgt_sandbox(SANDBOX_VCLLOAD);
 
 	/* Try to load the object into this sub-process */
 	if ((dlh = dlopen(of, RTLD_NOW | RTLD_LOCAL)) == NULL) {


