Make the sandbox interface more modular and tell the implementation

which subprocess we are locking down.

Inspired by Geoff's patch for Solaris, but does not solve the
Solaris problem, only makes it easier to fix.

bin/varnishd/cache/cache_session.c

@@ -179,7 +179,7 @@ ses_sess_pool_task(struct worker *wrk, void *arg)
  * VSL comes before anything else for this session.
  *
  * This is a separate procedure only to isolate the two stack buffers.
- * 
+ *
  */
 
 static void

bin/varnishd/mgt/mgt.h

@@ -74,13 +74,19 @@ void MCF_DumpRstParam(void);
 extern struct params mgt_param;
 
 /* mgt_sandbox.c */
-void mgt_sandbox(void);
+enum sandbox_e {
+	SANDBOX_VCC = 1,
+	SANDBOX_CC = 2,
+	SANDBOX_VCLLOAD = 3,
+	SANDBOX_WORKER = 4,
+};
+
+typedef void mgt_sandbox_f(enum sandbox_e);
+extern mgt_sandbox_f *mgt_sandbox;
 
 /* mgt_sandbox_solaris.c */
 #ifdef HAVE_SETPPRIV
-void mgt_sandbox_solaris_init(void);
-void mgt_sandbox_solaris_fini(void);
-void mgt_sandbox_solaris_privsep(void);
+mgt_sandbox_f mgt_sandbox_solaris;
 #endif
 
 /* mgt_shmem.c */

bin/varnishd/mgt/mgt_child.c

@@ -338,7 +338,7 @@ start_child(struct cli *cli)
 		(void)signal(SIGINT, SIG_DFL);
 		(void)signal(SIGTERM, SIG_DFL);
 
-		mgt_sandbox();
+		mgt_sandbox(SANDBOX_WORKER);
 
 		child_main();
 

bin/varnishd/mgt/mgt_sandbox.c

@@ -59,32 +59,41 @@
 
 /* Waive all privileges in the child, it does not need any */
 
-void
-mgt_sandbox(void)
+static void __match_proto__(mgt_sandbox_f)
+mgt_sandbox_unix(enum sandbox_e who)
 {
-#ifdef HAVE_SETPPRIV
-	mgt_sandbox_solaris_init();
-	mgt_sandbox_solaris_privsep();
-#else
+	(void)who;
 	if (geteuid() == 0) {
 		XXXAZ(setgid(mgt_param.gid));
 		XXXAZ(setuid(mgt_param.uid));
 	} else {
 		REPORT0(LOG_INFO, "Not running as root, no priv-sep");
 	}
-#endif
+}
 
-	/* On Linux >= 2.4, you need to set the dumpable flag
-	   to get core dumps after you have done a setuid. */
+/*--------------------------------------------------------------------*/
 
 #ifdef __linux__
-	if (prctl(PR_SET_DUMPABLE, 1) != 0)
+static void __match_proto__(mgt_sandbox_f)
+mgt_sandbox_linux(enum sandbox_e who)
+{
+	mgt_sandbox_unix(who);
+
+	if (prctl(PR_SET_DUMPABLE, 1) != 0) {
 		REPORT0(LOG_INFO,
 		    "Could not set dumpable bit.  Core dumps turned off\n");
+	}
+}
 #endif
 
-#ifdef HAVE_SETPPRIV
-	mgt_sandbox_solaris_fini();
-#endif
 
-}
+/*--------------------------------------------------------------------*/
+
+mgt_sandbox_f *mgt_sandbox =
+#ifdef HAVE_SETPRIV
+	mgt_sandbox_solaris;
+#elif defined (__linux__)
+	mgt_sandbox_linux;
+#else
+	mgt_sandbox_unix;
+#endif

bin/varnishd/mgt/mgt_vcc.c

@@ -137,7 +137,7 @@ run_vcc(void *priv)
 	int fd, i, l;
 
 	CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC);
-	mgt_sandbox();
+	mgt_sandbox(SANDBOX_VCC);
 	sb = VSB_new_auto();
 	XXXAN(sb);
 	VCC_VCL_dir(vcc, mgt_vcl_dir);
@@ -176,7 +176,7 @@ run_vcc(void *priv)
 static void
 run_cc(void *priv)
 {
-	mgt_sandbox();
+	mgt_sandbox(SANDBOX_CC);
 	(void)execl("/bin/sh", "/bin/sh", "-c", priv, NULL);
 }
 
@@ -193,7 +193,7 @@ run_dlopen(void *priv)
 
 	of = priv;
 
-	mgt_sandbox();
+	mgt_sandbox(SANDBOX_VCLLOAD);
 
 	/* Try to load the object into this sub-process */
 	if ((dlh = dlopen(of, RTLD_NOW | RTLD_LOCAL)) == NULL) {