Convert (and retire) the sandbox code to the new jail framework.

The retires the -u and -g arguments, and the user/group/group_cc
parameters, so that the jail-setup cannot be manipulated from CLI at all.

$user and group_cc are now sub-arguments to -junix, for instance:

	-junix,user=varnish1,ccgroup=ccowner

There is no group= subargument, the group information is taken
from the user id in question.

If no -j argument is specified, attempt:

	-junix,user=varnish

but fail silently if not possible.

The "vident" now contains information about jail-config.

Sandbox_solaris is not converted yet, (I'm hoping that Nils will
help with that.

bin/varnishd/Makefile.am

@@ -65,6 +65,7 @@ varnishd_SOURCES = \
 	mgt/mgt_child.c \
 	mgt/mgt_cli.c \
 	mgt/mgt_jail.c \
+	mgt/mgt_jail_unix.c \
 	mgt/mgt_main.c \
 	mgt/mgt_param.c \
 	mgt/mgt_param_tbl.c \
@@ -72,8 +73,6 @@ varnishd_SOURCES = \
 	mgt/mgt_param_tcp.c \
 	mgt/mgt_param_tweak.c \
 	mgt/mgt_pool.c \
-	mgt/mgt_sandbox.c \
-	mgt/mgt_sandbox_solaris.c \
 	mgt/mgt_shmem.c \
 	mgt/mgt_vcc.c \
 	storage/stevedore.c \

bin/varnishd/mgt/mgt.h

@@ -65,11 +65,10 @@ void mgt_cli_close_all(void);
 /* mgt_jail.c */
 
 enum jail_subproc_e {
-	JAIL_SP_TESTING,
-	JAIL_SP_VCC,
-	JAIL_SP_CC,
-	JAIL_SP_VCLLOAD,
-	JAIL_SP_WORKER,
+	JAIL_SUBPROC_VCC,
+	JAIL_SUBPROC_CC,
+	JAIL_SUBPROC_VCLLOAD,
+	JAIL_SUBPROC_WORKER,
 };
 
 enum jail_master_e {
@@ -94,6 +93,8 @@ void VJ_Init(const char *j_arg);
 void VJ_master(enum jail_master_e jme);
 void VJ_subproc(enum jail_subproc_e jse);
 
+extern const struct jail_tech jail_tech_unix;
+
 /* mgt_main.c */
 extern struct VSC_C_mgt	*VSC_C_mgt;
 extern struct VSC_C_mgt static_VSC_C_mgt;
@@ -118,24 +119,6 @@ extern struct params mgt_param;
 /* mgt_param_tcp.c */
 void MCF_TcpParams(void);
 
-/* mgt_sandbox.c */
-enum sandbox_e {
-	SANDBOX_TESTING,
-	SANDBOX_VCC,
-	SANDBOX_CC,
-	SANDBOX_VCLLOAD,
-	SANDBOX_WORKER,
-};
-
-typedef void mgt_sandbox_f(enum sandbox_e);
-extern mgt_sandbox_f *mgt_sandbox;
-void mgt_sandbox_init(void);
-
-/* mgt_sandbox_solaris.c */
-#ifdef HAVE_SETPPRIV
-mgt_sandbox_f mgt_sandbox_solaris;
-#endif
-
 /* mgt_shmem.c */
 void mgt_SHM_Init(void);
 void mgt_SHM_static_alloc(const void *, ssize_t size,

bin/varnishd/mgt/mgt_child.c

@@ -421,7 +421,7 @@ mgt_launch_child(struct cli *cli)
 		(void)signal(SIGINT, SIG_DFL);
 		(void)signal(SIGTERM, SIG_DFL);
 
-		mgt_sandbox(SANDBOX_WORKER);
+		VJ_subproc(JAIL_SUBPROC_WORKER);
 
 		child_main();
 

bin/varnishd/mgt/mgt_jail.c

@@ -33,9 +33,6 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <syslog.h>
-#include <string.h>
-#include <unistd.h>
 
 #include "mgt/mgt.h"
 #include "vav.h"
@@ -47,8 +44,8 @@
 static int __match_proto__(jail_init_f)
 vjn_init(char **args)
 {
-	if (*args != NULL)
-		ARGV_ERR("-Jnone takes no arguments.\n");
+	if (args != NULL && *args != NULL)
+		ARGV_ERR("-jnone takes no arguments.\n");
 	return (0);
 }
 
@@ -77,6 +74,7 @@ static const struct jail_tech jail_tech_none = {
 static const struct jail_tech *vjt;
 
 static const struct choice vj_choice[] = {
+	{ "unix",	&jail_tech_unix },
 	{ "none",	&jail_tech_none },
 	{ NULL,		NULL },
 };
@@ -96,22 +94,21 @@ VJ_Init(const char *j_arg)
 			ARGV_ERR("-j argument is emtpy\n");
 		vjt = pick(vj_choice, av[1], "jail");
 		CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC);
-		vjt->init(av + 2);
+		(void)vjt->init(av + 2);
 		VAV_Free(av);
 	} else {
 		/*
 		 * Go through list of jail technologies until one
 		 * succeeds, falling back to "none".
 		 */
-		av = VAV_Parse("", NULL, ARGV_COMMA);
 		for (i = 0; vj_choice[i].name != NULL; i++) {
 			vjt = vj_choice[i].ptr;
 			CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC);
-			if (!vjt->init(av + 1))
+			if (!vjt->init(NULL))
 				break;
 		}
-		VAV_Free(av);
 	}
+	VSB_printf(vident, ",-j%s", vjt->name);
 }
 
 void

bin/varnishd/mgt/mgt_jail_unix.c

+/*-
+ * Copyright (c) 2006-2015 Varnish Software AS
+ * All rights reserved.
+ *
+ * Author: Poul-Henning Kamp <phk@phk.freebsd.dk>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * Jailing processes the UNIX way, using setuid(2) etc.
+ */
+
+#include "config.h"
+
+#include <pwd.h>
+#include <grp.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "mgt/mgt.h"
+
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
+
+static uid_t vju_uid;
+static gid_t vju_gid;
+static const char *vju_user;
+static gid_t vju_cc_gid;
+static int vju_cc_gid_set;
+
+#ifndef JAIL_USER
+#define JAIL_USER "varnish"
+#endif
+
+#ifndef NGID
+#define NGID 2000
+#endif
+
+static int
+vju_getuid(const char *arg)
+{
+	struct passwd *pw;
+
+	pw = getpwnam(arg);
+	if (pw != NULL) {
+		vju_user = strdup(arg);
+		AN(vju_user);
+		vju_uid = pw->pw_uid;
+		vju_gid = pw->pw_gid;
+	}
+	endpwent();
+	return (pw == NULL ? -1 : 0);
+}
+
+static int
+vju_getccgid(const char *arg)
+{
+	struct group *gr;
+
+	gr = getgrnam(arg);
+	if (gr != NULL) {
+		vju_cc_gid_set = 1;
+		vju_cc_gid = gr->gr_gid;
+	}
+	endgrent();
+	return (gr == NULL ? -1 : 0);
+}
+
+/**********************************************************************
+ */
+
+static int __match_proto__(jail_init_f)
+vju_init(char **args)
+{
+	if (args == NULL) {
+		/* Autoconfig */
+		if (geteuid() != 0)
+			return (1);
+		if (vju_getuid(JAIL_USER))
+			return (1);
+		return (0);
+	}
+
+	if (geteuid() != 0)
+		ARGV_ERR("Unix Jail: Must be root.\n");
+
+	for (;*args != NULL; args++) {
+		if (!strncmp(*args, "user=", 5)) {
+			if (vju_getuid((*args) + 5)) {
+				ARGV_ERR("Unix jail: %s user not found.\n",
+				    (*args) + 5);
+			}
+			continue;
+		}
+		if (!strncmp(*args, "ccgroup=", 8)) {
+			if (vju_getccgid((*args) + 8)) {
+				ARGV_ERR("Unix jail: %s group not found.\n",
+				    (*args) + 8);
+			}
+			continue;
+		}
+		ARGV_ERR("Unix jail: unknown sub-argument '%s'\n", *args);
+	}
+
+	if (vju_user == NULL && vju_getuid(JAIL_USER))
+		ARGV_ERR("Unix jail: %s user not found.\n", JAIL_USER);
+
+	return (0);
+}
+
+static void __match_proto__(jail_master_f)
+vju_master(enum jail_master_e jme)
+{
+	(void)jme;
+}
+
+static void __match_proto__(jail_subproc_f)
+vju_subproc(enum jail_subproc_e jse)
+{
+	int i;
+	gid_t gid_list[NGID];
+
+	AZ(setgid(vju_gid));
+	AZ(initgroups(vju_user, vju_gid));
+
+	if (jse == JAIL_SUBPROC_CC && vju_cc_gid_set) {
+		/* Add the optional extra group for the C-compiler access */
+		i = getgroups(NGID, gid_list);
+		assert(i >= 0);
+		gid_list[i++] = vju_cc_gid;
+		AZ(setgroups(i, gid_list));
+	}
+
+	AZ(setuid(vju_uid));
+
+#ifdef __linux__
+	/*
+	 * On linux mucking about with uid/gid disables core-dumps,			 * reenable them again.
+	 */
+	if (prctl(PR_SET_DUMPABLE, 1) != 0) {
+		REPORT0(LOG_INFO,
+		    "Could not set dumpable bit.  Core dumps turned off\n");
+	}
+#endif
+}
+
+const struct jail_tech jail_tech_unix = {
+	.magic =	JAIL_TECH_MAGIC,
+	.name =		"unix",
+	.init =		vju_init,
+	.master =	vju_master,
+	.subproc =	vju_subproc,
+};

bin/varnishd/mgt/mgt_main.c

@@ -147,7 +147,6 @@ usage(void)
 	fprintf(stderr, FMT, "-d", "debug");
 	fprintf(stderr, FMT, "-f file", "VCL script");
 	fprintf(stderr, FMT, "-F", "Run in foreground");
-	fprintf(stderr, FMT, "-g group", "Privilege separation group id");
 	fprintf(stderr, FMT, "-h kind[,hashoptions]", "Hash specification");
 	fprintf(stderr, FMT, "", "  -h critbit [default]");
 	fprintf(stderr, FMT, "", "  -h simple_list");
@@ -181,7 +180,6 @@ usage(void)
 	fprintf(stderr, FMT, "-T address:port",
 	    "Telnet listen address and port");
 	fprintf(stderr, FMT, "-t", "Default TTL");
-	fprintf(stderr, FMT, "-u user", "Privilege separation user id");
 	fprintf(stderr, FMT, "-V", "version");
 #undef FMT
 	exit(1);
@@ -428,11 +426,6 @@ main(int argc, char * const *argv)
 	 */
 	SHA256_Test();
 
-	/*
-	 * Find out if we can sandbox
-	 */
-	mgt_sandbox_init();
-
 	/*
 	 * Create a cli for convenience in otherwise CLI functions
 	 */
@@ -450,7 +443,7 @@ main(int argc, char * const *argv)
 	cli_check(cli);
 
 	while ((o = getopt(argc, argv,
-	    "a:b:Cdf:Fg:h:i:j:l:M:n:P:p:r:S:s:T:t:u:Vx:")) != -1) {
+	    "a:b:Cdf:Fh:i:j:l:M:n:P:p:r:S:s:T:t:Vx:")) != -1) {
 		/*
 		 * -j must be the first argument if specified, because
 		 * it (may) affect subsequent argument processing.
@@ -487,9 +480,6 @@ main(int argc, char * const *argv)
 		case 'F':
 			F_flag = 1 - F_flag;
 			break;
-		case 'g':
-			MCF_ParamSet(cli, "group", optarg);
-			break;
 		case 'h':
 			h_arg = optarg;
 			break;
@@ -550,9 +540,6 @@ main(int argc, char * const *argv)
 			else
 				T_arg = NULL;
 			break;
-		case 'u':
-			MCF_ParamSet(cli, "user", optarg);
-			break;
 		case 'V':
 			/* XXX: we should print the ident here */
 			VCS_Message("varnishd");

bin/varnishd/mgt/mgt_param.c

@@ -416,12 +416,12 @@ mcf_wash_param(struct cli *cli, const struct parspec *pp, const char **val,
 
 	AN(*val);
 	VSB_clear(vsb);
-	VSB_printf(vsb, "FAILED to set %s for param %s = %s\n",
+	VSB_printf(vsb, "FAILED to set %s for param %s:\n\t%s",
 	    name, pp->name, *val);
 	err = pp->func(vsb, pp, *val);
 	AZ(VSB_finish(vsb));
 	if (err) {
-		VCLI_Out(cli, "%s", VSB_data(vsb));
+		VCLI_Out(cli, "%s\n", VSB_data(vsb));
 		VCLI_SetResult(cli, CLIS_CANT);
 		return;
 	}

bin/varnishd/mgt/mgt_sandbox.c

@@ -42,6 +42,8 @@
  *	FreeBSD: capsicum
  */
 
+#if 0
+
 #include "config.h"
 
 #ifdef __linux__
@@ -312,3 +314,5 @@ mgt_sandbox_init(void)
 	}
 	endgrent();
 }
+
+#endif

bin/varnishd/mgt/mgt_vcc.c

@@ -155,7 +155,7 @@ run_vcc(void *priv)
 	int fd, i, l;
 
 	CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC);
-	mgt_sandbox(SANDBOX_VCC);
+	VJ_subproc(JAIL_SUBPROC_VCC);
 	sb = VSB_new_auto();
 	XXXAN(sb);
 	VCC_VCL_dir(vcc, mgt_vcl_dir);
@@ -199,7 +199,7 @@ run_cc(void *priv)
 	int pct;
 	char *p;
 
-	mgt_sandbox(SANDBOX_CC);
+	VJ_subproc(JAIL_SUBPROC_CC);
 	CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC);
 
 	sb = VSB_new_auto();
@@ -248,7 +248,7 @@ run_dlopen(void *priv)
 	struct VCL_conf const *cnf;
 	struct vcc_priv *vp;
 
-	mgt_sandbox(SANDBOX_VCLLOAD);
+	VJ_subproc(JAIL_SUBPROC_VCLLOAD);
 	CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC);
 
 	/* Try to load the object into this sub-process */