[master] 830525b63 jail: Add a Linux jail

Mon Aug 12 13:54:08 UTC 2024

commit 830525b63e5f4d42c52f1ea11c7c095a1b0edb20
Author: Thibaut Artis <thibaut.artis at varnish-software.com>
Date:   Tue Jul 2 15:46:31 2024 +0200

    jail: Add a Linux jail
    
    For now this jail delegates its work to the UNIX jail
    It is chosen as default on Linux systems

diff --git a/bin/varnishd/Makefile.am b/bin/varnishd/Makefile.am
index aabfce050..14067b466 100644
--- a/bin/varnishd/Makefile.am
+++ b/bin/varnishd/Makefile.am
@@ -84,6 +84,7 @@ varnishd_SOURCES = \
 	mgt/mgt_jail_solaris.c \
 	mgt/mgt_jail_solaris_tbl.h \
 	mgt/mgt_jail_unix.c \
+	mgt/mgt_jail_linux.c \
 	mgt/mgt_main.c \
 	mgt/mgt_param.c \
 	mgt/mgt_param_tcp.c \
diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h
index 5b75a2da3..4c40e7ccf 100644
--- a/bin/varnishd/mgt/mgt.h
+++ b/bin/varnishd/mgt/mgt.h
@@ -163,6 +163,7 @@ void VJ_rmdir(const char *);
 
 extern const struct jail_tech jail_tech_unix;
 extern const struct jail_tech jail_tech_solaris;
+extern const struct jail_tech jail_tech_linux;
 
 /* mgt_main.c */
 extern struct vsb *vident;
diff --git a/bin/varnishd/mgt/mgt_jail.c b/bin/varnishd/mgt/mgt_jail.c
index 93711799c..769e854a1 100644
--- a/bin/varnishd/mgt/mgt_jail.c
+++ b/bin/varnishd/mgt/mgt_jail.c
@@ -85,6 +85,9 @@ static const struct jail_tech *vjt;
 static const struct choice vj_choice[] = {
 #ifdef HAVE_SETPPRIV
 	{ "solaris",	&jail_tech_solaris },
+#endif
+#ifdef __linux__
+	{ "linux",	&jail_tech_linux },
 #endif
 	{ "unix",	&jail_tech_unix },
 	{ "none",	&jail_tech_none },
diff --git a/bin/varnishd/mgt/mgt_jail_linux.c b/bin/varnishd/mgt/mgt_jail_linux.c
new file mode 100644
index 000000000..f6c2a515b
--- /dev/null
+++ b/bin/varnishd/mgt/mgt_jail_linux.c
@@ -0,0 +1,83 @@
+/*-
+ * Copyright (c) 2024 Varnish Software AS
+ * All rights reserved.
+ *
+ * Author: Thibaut Artis <thibaut.artis at varnish-software.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include "config.h"
+
+#ifdef __linux__
+
+#include <fcntl.h>
+#include <grp.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+#include "mgt/mgt.h"
+#include "common/heritage.h"
+
+static int vjl_init(char **args) {
+	return jail_tech_unix.init(args);
+}
+
+static void vjl_master(enum jail_master_e jme) {
+	jail_tech_unix.master(jme);
+}
+
+static void vjl_subproc(enum jail_subproc_e jse) {
+	jail_tech_unix.subproc(jse);
+}
+
+static int vjl_make_subdir(const char *dname, const char *what, struct vsb *vsb) {
+	return jail_tech_unix.make_subdir(dname, what, vsb);
+}
+
+static int vjl_make_workdir(const char *dname, const char *what, struct vsb *vsb) {
+	return jail_tech_unix.make_workdir(dname, what, vsb);
+}
+
+static void vjl_fixfd(int fd, enum jail_fixfd_e what) {
+	return jail_tech_unix.fixfd(fd, what);
+}
+
+const struct jail_tech jail_tech_linux = {
+	.magic =	JAIL_TECH_MAGIC,
+	.name =		"linux",
+	.init =		vjl_init,
+	.master =	vjl_master,
+	.make_subdir =	vjl_make_subdir,
+	.make_workdir =	vjl_make_workdir,
+	.fixfd =	vjl_fixfd,
+	.subproc =	vjl_subproc,
+};
+
+#endif /* __linux__ */
diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c
index d6fe6bef3..2efd43d23 100644
--- a/bin/varnishd/mgt/mgt_main.c
+++ b/bin/varnishd/mgt/mgt_main.c
@@ -176,6 +176,9 @@ usage(void)
 	printf(FMT, "-j jail[,options]", "Jail specification");
 #ifdef HAVE_SETPPRIV
 	printf(FMT, "", "  -j solaris");
+#endif
+#ifdef __linux__
+	printf(FMT, "", "  -j linux");
 #endif
 	printf(FMT, "", "  -j unix");
 	printf(FMT, "", "  -j none");
diff --git a/doc/sphinx/reference/varnishd.rst b/doc/sphinx/reference/varnishd.rst
index 7db93dcf2..9132b3bea 100644
--- a/doc/sphinx/reference/varnishd.rst
+++ b/doc/sphinx/reference/varnishd.rst
@@ -445,6 +445,11 @@ specific options. Available jails are:
 
     -j solaris,worker=basic
 
+-j <linux[,user=`user`][,ccgroup=`group`][,workuser=`user`]>
+
+  Default on Linux platforms, it overloads the UNIX jail with
+  Linux-specific mechanisms.
+
 -j <unix[,user=`user`][,ccgroup=`group`][,workuser=`user`]>
 
   Default on all other platforms when `varnishd` is started with an
