[master] d586282 Run STV_GetFile() in JAIL_MASTER_HIGH and give jails a chance to frob the file after open.
Poul-Henning Kamp
phk at FreeBSD.org
Wed Feb 18 23:04:46 CET 2015
commit d5862828f8c3fb6c09c8b9b554b85958a9a986d8
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Wed Feb 18 22:04:02 2015 +0000
Run STV_GetFile() in JAIL_MASTER_HIGH and give jails a chance to
frob the file after open.
jail_unix makes the file varnish:varnish 0600
diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h
index b51be28..dc28a00 100644
--- a/bin/varnishd/mgt/mgt.h
+++ b/bin/varnishd/mgt/mgt.h
@@ -80,6 +80,7 @@ typedef int jail_init_f(char **);
typedef void jail_master_f(enum jail_master_e);
typedef void jail_subproc_f(enum jail_subproc_e);
typedef void jail_make_workdir_f(const char *dname);
+typedef void jail_storage_file_f(int fd);
struct jail_tech {
unsigned magic;
@@ -89,12 +90,14 @@ struct jail_tech {
jail_master_f *master;
jail_subproc_f *subproc;
jail_make_workdir_f *make_workdir;
+ jail_storage_file_f *storage_file;
};
void VJ_Init(const char *j_arg);
void VJ_master(enum jail_master_e jme);
void VJ_subproc(enum jail_subproc_e jse);
void VJ_make_workdir(const char *dname);
+void VJ_storage_file(int fd);
extern const struct jail_tech jail_tech_unix;
extern const struct jail_tech jail_tech_solaris;
diff --git a/bin/varnishd/mgt/mgt_jail.c b/bin/varnishd/mgt/mgt_jail.c
index ac791ff..f95bc81 100644
--- a/bin/varnishd/mgt/mgt_jail.c
+++ b/bin/varnishd/mgt/mgt_jail.c
@@ -161,3 +161,12 @@ VJ_make_workdir(const char *dname)
AZ(close(fd));
AZ(unlink("_.testfile"));
}
+
+void
+VJ_storage_file(int fd)
+{
+
+ CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC);
+ if (vjt->storage_file != NULL)
+ vjt->storage_file(fd);
+}
diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c
index 11792af..09d14f6 100644
--- a/bin/varnishd/mgt/mgt_jail_unix.c
+++ b/bin/varnishd/mgt/mgt_jail_unix.c
@@ -206,11 +206,21 @@ vju_make_workdir(const char *dname)
AZ(unlink("_.testfile"));
}
+static void
+vju_storage_file(int fd)
+{
+ /* Called under JAIL_MASTER_HIGH */
+
+ AZ(fchmod(fd, 0600));
+ AZ(fchown(fd, vju_uid, vju_gid));
+}
+
const struct jail_tech jail_tech_unix = {
.magic = JAIL_TECH_MAGIC,
.name = "unix",
.init = vju_init,
.master = vju_master,
.make_workdir = vju_make_workdir,
+ .storage_file = vju_storage_file,
.subproc = vju_subproc,
};
diff --git a/bin/varnishd/storage/stevedore_utils.c b/bin/varnishd/storage/stevedore_utils.c
index 32a447f..c6ec487 100644
--- a/bin/varnishd/storage/stevedore_utils.c
+++ b/bin/varnishd/storage/stevedore_utils.c
@@ -91,10 +91,13 @@ STV_GetFile(const char *fn, int *fdp, const char **fnp, const char *ctx)
*fdp = -1;
/* try to create a new file of this name */
+ VJ_master(JAIL_MASTER_HIGH);
fd = open(fn, O_RDWR | O_CREAT | O_EXCL | O_LARGEFILE, 0600);
if (fd >= 0) {
+ VJ_storage_file(fd);
*fdp = fd;
*fnp = fn;
+ VJ_master(JAIL_MASTER_LOW);
return (retval);
}
@@ -130,6 +133,8 @@ STV_GetFile(const char *fn, int *fdp, const char **fnp, const char *ctx)
ctx, fn);
*fdp = fd;
+ VJ_storage_file(fd);
+ VJ_master(JAIL_MASTER_LOW);
return (retval);
}
More information about the varnish-commit
mailing list