[master] 31ed885 Tailored assertions for priv_addset and setppriv, assert that setppriv(PRIV_OFF) succeeds when waiving privileges.
Poul-Henning Kamp
phk at varnish-cache.org
Mon Nov 5 10:41:20 CET 2012
commit 31ed885261920c0a220aad8004ef6db681a8d62c
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Mon Nov 5 09:40:37 2012 +0000
Tailored assertions for priv_addset and setppriv, assert that
setppriv(PRIV_OFF) succeeds when waiving privileges.
fixes varnish builds on any Solaris OS older than onnv_140 due to
too strict assertions from [c613b135570f87535839e3a94630880d16910f4f]
add history of solaris privileges
better comments
Submitted by: Nils Goroll
diff --git a/bin/varnishd/mgt/mgt_sandbox_solaris.c b/bin/varnishd/mgt/mgt_sandbox_solaris.c
index 728eca0..eaeab8a 100644
--- a/bin/varnishd/mgt/mgt_sandbox_solaris.c
+++ b/bin/varnishd/mgt/mgt_sandbox_solaris.c
@@ -52,13 +52,132 @@
/*--------------------------------------------------------------------
* SOLARIS PRIVILEGES: Note on use of symbolic PRIV_* constants
*
- * For privileges which existed in Solaris 10 FCS, we may use the constants from
- * sys/priv_names.h
+ * We assume backwards compatibility only for Solaris Releases after the
+ * OpenSolaris Launch. For privileges which existed at the time of the
+ * OpenSolaris Launch, we use the constants from sys/priv_names.h and assert
+ * that priv_addset must succeed.
*
- * For privileges which have been added later, we need to use strings in order
- * not to break builds of varnish on these platforms. To remain binary
- * compatible, we need to silently ignore errors from priv_addset when using
- * these strings.
+ * For privileges which have been added later, we need to use priv strings in
+ * order not to break builds of varnish on these platforms. To remain binary
+ * compatible, we can't assert that priv_addset succeeds, but we may assert that
+ * it either succeeds or fails with EINVAL.
+ */
+
+/* for priv_delset() and priv_addset() */
+static inline int
+priv_setop_check(int a) {
+ if (a == 0)
+ return (1);
+ if (errno == EINVAL)
+ return (1);
+ return (0);
+}
+
+#define priv_setop_assert(a) assert(priv_setop_check(a))
+
+/*
+ * we try to add all possible privileges to waive them later.
+ *
+ * when doing so, we need to expect EPERM
+ */
+
+/* for setppriv */
+static inline int
+setppriv_check(int a) {
+ if (a == 0)
+ return (1);
+ if (errno == EPERM)
+ return (1);
+ return (0);
+}
+
+#define setppriv_assert(a) assert(setppriv_check(a))
+
+
+/*
+ * brief histroy of introduction of privileges since OpenSolaris Launch
+ *
+ * (from hg log -gp usr/src/uts/common/os/priv_defs)
+ *
+ * ARC cases are not necessarily accurate (induced from commit msg)
+ * (marked with ?)
+ *
+ * privileges used here marked with *
+ *
+ *
+ * ARC case hg commit first release
+ *
+ * PSARC/2006/155? 37f4a3e2bd99 onnv_37
+ * - file_downgrade_sl
+ * - file_upgrade_sl
+ * - net_bindmlp
+ * - net_mac_aware
+ * - sys_trans_label
+ * - win_colormap
+ * - win_config
+ * - win_dac_read
+ * - win_dac_write
+ * - win_devices
+ * - win_dga
+ * - win_downgrade_sl
+ * - win_fontpath
+ * - win_mac_read
+ * - win_mac_write
+ * - win_selection
+ * - win_upgrade_sl
+ *
+ * PSARC/2006/218 5dbf296c1e57 onnv_39
+ * - graphics_access
+ * - graphics_map
+ *
+ * PSARC/2006/366 aaf16568054b onnv_57
+ * - net_config
+ *
+ * PSARC/2007/315? 3047ad28a67b onnv_77
+ * - file_flag_set
+ *
+ * PSARC/2007/560? 3047ad28a67b onnv_77
+ * - sys_smb
+ *
+ * PSARC 2008/046 47f6aa7a8077 onnv_85
+ * - contract_identify
+ *
+ * PSARC 2008/289 79a9dac325d9 onnv_92
+ * - virt_manage
+ * - xvm_control
+ *
+ * PSARC 2008/473 eff7960d93cd onnv_98
+ * - sys_dl_config
+ *
+ * PSARC/2006/475 faf256d5c16c onnv_103
+ * - net_observability
+ *
+ * PSARC/2009/317 8e29565352fc onnv_117
+ * - sys_ppp_config
+ *
+ * PSARC/2009/373 3be00c4a6835 onnv_125
+ * - sys_iptun_config
+ *
+ * PSARC/2008/252 e209937a4f19 onnv_128
+ * - net_mac_implicit
+ *
+ * PSARC/2009/685 8eca52188202 onnv_132
+ * * net_access
+ *
+ * PSARC/2009/378 63678502e95e onnv_140
+ * * file_read
+ * * file_write
+ *
+ * PSARC/2010/181 15439b11d535 onnv_142
+ * - sys_res_bind
+ *
+ * unknown unknown Solaris11
+ * - sys_flow_config
+ * - sys_share
+ *
+ *
+ * SOLARIS PRIVILEGES: Note on introtiction of new privileges (forward
+ * compatibility)
*
* For optimal build and binary forward comatibility, we could use subtractive
* set specs like
@@ -103,14 +222,13 @@ mgt_sandbox_solaris_add_inheritable(priv_set_t *pset, enum sandbox_e who)
switch (who) {
case SANDBOX_VCC:
/* for /etc/resolv.conf and /etc/hosts */
- AZ(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
break;
case SANDBOX_CC:
- AZ(priv_addset(pset, "proc_exec"));
- AZ(priv_addset(pset, "proc_fork"));
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_read"));
- AZ(priv_addset(pset, "file_write"));
+ priv_setop_assert(priv_addset(pset, PRIV_PROC_EXEC));
+ priv_setop_assert(priv_addset(pset, PRIV_PROC_FORK));
+ priv_setop_assert(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_write"));
break;
case SANDBOX_VCLLOAD:
break;
@@ -132,20 +250,16 @@ mgt_sandbox_solaris_add_effective(priv_set_t *pset, enum sandbox_e who)
{
switch (who) {
case SANDBOX_VCC:
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_write"));
+ priv_setop_assert(priv_addset(pset, "file_write"));
break;
case SANDBOX_CC:
break;
case SANDBOX_VCLLOAD:
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
case SANDBOX_WORKER:
- /* PSARC/2009/685 - 8eca52188202 - onnv_132 */
- AZ(priv_addset(pset, "net_access"));
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_read"));
- AZ(priv_addset(pset, "file_write"));
+ priv_setop_assert(priv_addset(pset, "net_access"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_write"));
break;
default:
REPORT(LOG_ERR, "INCOMPLETE AT: %s(%d)\n", __func__, __LINE__);
@@ -218,9 +332,10 @@ mgt_sandbox_solaris_init(enum sandbox_e who)
mgt_sandbox_solaris_add_permitted(priv_all, who);
mgt_sandbox_solaris_add_initial(priv_all, who);
- setppriv(PRIV_ON, PRIV_PERMITTED, priv_all);
- setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_all);
- setppriv(PRIV_ON, PRIV_INHERITABLE, priv_all);
+ /* try to get all possible privileges, expect EPERM here */
+ setppriv_assert(setppriv(PRIV_ON, PRIV_PERMITTED, priv_all));
+ setppriv_assert(setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_all));
+ setppriv_assert(setppriv(PRIV_ON, PRIV_INHERITABLE, priv_all));
priv_freeset(priv_all);
}
@@ -292,18 +407,10 @@ mgt_sandbox_solaris_waive(enum sandbox_e who)
priv_inverse(effective);
priv_inverse(permitted);
-#define SETPPRIV(which, set) \
- if (setppriv(PRIV_OFF, which, set)) \
- REPORT(LOG_ERR, \
- "Sandbox warning: " \
- " Waiving privileges failed on %s: errno=%d (%s)", \
- #which, errno, strerror(errno));
-
- SETPPRIV(PRIV_LIMIT, permitted);
- SETPPRIV(PRIV_PERMITTED, permitted);
- SETPPRIV(PRIV_EFFECTIVE, effective);
- SETPPRIV(PRIV_INHERITABLE, inheritable);
-#undef SETPPRIV
+ AZ(setppriv(PRIV_OFF, PRIV_LIMIT, permitted));
+ AZ(setppriv(PRIV_OFF, PRIV_PERMITTED, permitted));
+ AZ(setppriv(PRIV_OFF, PRIV_EFFECTIVE, effective));
+ AZ(setppriv(PRIV_OFF, PRIV_INHERITABLE, inheritable));
priv_freeset(inheritable);
priv_freeset(effective);
More information about the varnish-commit
mailing list