[master] 109201227 Solaris jail: Allow to pass a privilege specification for the worker

Nils Goroll nils.goroll at uplex.de
Tue Jun 2 13:28:06 UTC 2020


commit 10920122713844aa2df46fac1d71900cb7574ad5
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Tue Jun 2 15:26:43 2020 +0200

    Solaris jail: Allow to pass a privilege specification for the worker

diff --git a/bin/varnishd/mgt/mgt_jail_solaris.c b/bin/varnishd/mgt/mgt_jail_solaris.c
index 3a50b572e..fb118cfd6 100644
--- a/bin/varnishd/mgt/mgt_jail_solaris.c
+++ b/bin/varnishd/mgt/mgt_jail_solaris.c
@@ -323,12 +323,24 @@ vjs_alloc(void)
 static int v_matchproto_(jail_init_f)
 vjs_init(char **args)
 {
-	priv_set_t **sets, *permitted, *inheritable;
+	priv_set_t **sets, *permitted, *inheritable, *user = NULL;
+	const char *e;
 	int vj, vs;
 
 	if (args != NULL && *args != NULL) {
-		ARGV_ERR("-jsolaris takes no arguments.\n");
-		return (0);
+		for (;*args != NULL; args++) {
+			if (!strncmp(*args, "worker=", 7)) {
+				user = priv_str_to_set((*args) + 7, ",", &e);
+				if (user == NULL)
+					ARGV_ERR(
+					    "-jsolaris: parsing worker= "
+					    "argument failed near %s.\n",
+					    e);
+				continue;
+			}
+			ARGV_ERR("-jsolrais: unknown sub-argument '%s'\n",
+			    *args);
+		}
 	}
 
 	permitted = vjs_alloc();
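Review bot: The error string in the unknown-sub-argument branch misspells the jail name: `-jsolrais:` should read `-jsolaris:`, i.e. `ARGV_ERR("-jsolaris: unknown sub-argument '%s'\n",` — an operator who mistypes an option otherwise gets a message that does not match the documented `-j solaris` spelling. A repeated `worker=` sub-argument overwrites `user` without releasing the set returned by the previous `priv_str_to_set()` call; if that result is heap-allocated on this platform, the earlier set should be released with `priv_freeset(user)` before the next one is parsed, or a repeat should be rejected outright. The hard-coded `7` in the `strncmp()` should be derived from the literal (e.g. `strlen("worker=")`) so the prefix and its length cannot drift apart. vjs_init() continues past the end of this hunk.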
@@ -372,6 +384,9 @@ vjs_init(char **args)
 #define PRIV(name, mask, priv) vjs_add(vjs_sets[JAIL_ ## name], mask, priv);
 #include "mgt_jail_solaris_tbl.h"
 
+	if (user != NULL)
+		priv_union(user, vjs_sets[JAIL_SUBPROC_WORKER][VJS_EFFECTIVE]);
+
 	/* mask by available privs */
 	for (vj = 0; vj < JAIL_LIMIT; vj++) {
 		sets = vjs_sets[vj];
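Review bot: `user` is not released after it is merged into the worker's effective set with `priv_union()`; unless it is freed later in the function (outside this hunk), the set returned by `priv_str_to_set()` leaks on this one-time path, which is minor but deserves a `priv_freeset(user);` right after the union. Only the VJS_EFFECTIVE column of the worker jail is extended here; on Solaris the effective set must stay a subset of the permitted set, so if the permitted set is not widened as well somewhere outside this hunk, the eventual setppriv() may reject the operator-requested privileges rather than grant them — worth confirming. Since this is the one place where the jail is deliberately loosened, a why-comment above the union would help future readers, e.g. `/* worker= lets the operator widen the worker's effective set beyond the minimal jail; still subject to the "available privs" mask below. */` (the masking behaviour of that loop is inferred from its comment, not visible here).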
diff --git a/doc/sphinx/reference/varnishd.rst b/doc/sphinx/reference/varnishd.rst
index dd01fbeba..3c4a1d931 100644
--- a/doc/sphinx/reference/varnishd.rst
+++ b/doc/sphinx/reference/varnishd.rst
@@ -392,11 +392,21 @@ Varnish jails are a generalization over various platform specific
 methods to reduce the privileges of varnish processes. They may have
 specific options. Available jails are:
 
--j solaris
+-j <solaris[,worker=`privspec`]>
 
-  Reduce privileges(5) for `varnishd` and sub-process to the minimally
-  required set. Only available on platforms which have the setppriv(2)
-  call.
+  Reduce `privileges(5)` for `varnishd` and sub-process to the
+  minimally required set. Only available on platforms which have the
+  `setppriv(2)` call.
+
+  The optional `worker` argument can be used to pass a
+  privilege-specification (see `ppriv(1)`) by which to extend the
+  effective set of the varnish worker process. While extended
+  privileges may be required by custom vmods, it is always the more
+  secure to *not* use the `worker` option.
+
+  Example to grant basic privileges to the worker process::
+
+    -j solaris,worker=basic
 
 -j <unix[,user=`user`][,ccgroup=`group`][,workuser=`user`]>
 

