Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
V
varnish-cache
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Commits
Open sidebar
varnishcache
varnish-cache
Commits
55be20df
Commit
55be20df
authored
Mar 13, 2015
by
Nils Goroll
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
make the inheritable set independent, do away with the inheritable < effective construction rule
parent
559ebaa0
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
20 additions
and
15 deletions
+20
-15
mgt_jail_solaris.c
bin/varnishd/mgt/mgt_jail_solaris.c
+20
-15
No files found.
bin/varnishd/mgt/mgt_jail_solaris.c
View file @
55be20df
...
...
@@ -311,11 +311,6 @@ vjs_add_inheritable(priv_set_t *pset, enum jail_gen_e jge)
}
}
/*
* effective is initialized from inheritable (see vjs_waive)
* so only additionally required privileges need to be added here
*/
static
void
vjs_add_effective
(
priv_set_t
*
pset
,
enum
jail_gen_e
jge
)
{
...
...
@@ -327,6 +322,10 @@ vjs_add_effective(priv_set_t *pset, enum jail_gen_e jge)
priv_setop_assert
(
priv_addset
(
pset
,
"file_write"
));
break
;
case
JAILG_SUBPROC_CC
:
priv_setop_assert
(
priv_addset
(
pset
,
PRIV_PROC_EXEC
));
priv_setop_assert
(
priv_addset
(
pset
,
PRIV_PROC_FORK
));
priv_setop_assert
(
priv_addset
(
pset
,
"file_read"
));
priv_setop_assert
(
priv_addset
(
pset
,
"file_write"
));
break
;
case
JAILG_SUBPROC_VCLLOAD
:
priv_setop_assert
(
priv_addset
(
pset
,
"file_read"
));
...
...
@@ -448,11 +447,12 @@ vjs_privsep(enum jail_gen_e jge)
static
void
vjs_waive
(
enum
jail_gen_e
jge
)
{
priv_set_t
*
effective
,
*
inheritable
,
*
permitted
;
priv_set_t
*
effective
,
*
inheritable
,
*
permitted
,
*
limited
;
if
(
!
(
effective
=
priv_allocset
())
||
!
(
inheritable
=
priv_allocset
())
||
!
(
permitted
=
priv_allocset
()))
{
!
(
permitted
=
priv_allocset
())
||
!
(
limited
=
priv_allocset
()))
{
REPORT
(
LOG_ERR
,
"Solaris Jail warning: "
" vjs_waive - priv_allocset failed: errno=%d (%s)"
,
...
...
@@ -461,35 +461,40 @@ vjs_waive(enum jail_gen_e jge)
}
/*
* simple scheme:
* (inheritable subset-of effective) subset-of permitted
* inheritable and effective are distinct sets
* effective is a subset of permitted
* limit is the union of all
*/
priv_emptyset
(
inheritable
);
vjs_add_inheritable
(
inheritable
,
jge
);
priv_
copyset
(
inheritable
,
effective
);
priv_
emptyset
(
effective
);
vjs_add_effective
(
effective
,
jge
);
priv_copyset
(
effective
,
permitted
);
vjs_add_permitted
(
permitted
,
jge
);
priv_copyset
(
inheritable
,
limited
);
priv_union
(
permitted
,
limited
);
/*
* invert the sets and clear privileges such that setppriv will always
* succeed
*/
priv_inverse
(
inheritable
);
priv_inverse
(
effective
);
priv_inverse
(
limited
);
priv_inverse
(
permitted
);
priv_inverse
(
effective
);
priv_inverse
(
inheritable
);
AZ
(
setppriv
(
PRIV_OFF
,
PRIV_LIMIT
,
permit
ted
));
AZ
(
setppriv
(
PRIV_OFF
,
PRIV_LIMIT
,
limi
ted
));
AZ
(
setppriv
(
PRIV_OFF
,
PRIV_PERMITTED
,
permitted
));
AZ
(
setppriv
(
PRIV_OFF
,
PRIV_EFFECTIVE
,
effective
));
AZ
(
setppriv
(
PRIV_OFF
,
PRIV_INHERITABLE
,
inheritable
));
priv_freeset
(
inheritable
);
priv_freeset
(
effective
);
priv_freeset
(
limited
);
priv_freeset
(
permitted
);
priv_freeset
(
effective
);
priv_freeset
(
inheritable
);
}
static
void
__match_proto__
(
jail_subproc_f
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment