add JAIL_MASTER_SYSTEM for system() calls from master

Also (re)used to make fork privileges available when we start a
subprocess: As we are going to apply the JAIL_SUBPROC privileges to the
forked process, having slightly eleveated privileges only agross the
fork() should not cause any harm.

	-

This concludes the current series of Solaris jail patches, hopefully.
With this commit, varnishd started with pfexec ("root privileges") keeps
the following privileges only (ppriv -v output) on Solaris:

* master::

  flags = PRIV_AWARE
        E: file_read,file_write,net_access
        I: none
        P: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid
        L: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid

  notes:

  E: file_read is required for basic config files like /etc/netconfig
     net_access is required for CLI communication

     file_write could potentially be removed if any file write
     operations (e.g. writing vcl files) were wrapped with
     JAIL_MASTER_FILE, but I do not consider this a relevant gain for
     now.

     For other master jail states, E will be momentarily expanded.

  I: will be momentarily expanded for system()

  P: Contains the union of all privileges used anywhere in varnish

  L: Could potentially be reduced further, but P already limits

* worker::

  flags = PRIV_AWARE
        E: file_read,file_write,net_access
        I: none
        P: file_read,file_write,net_access,proc_info
        L: file_read,file_write,net_access,proc_info,proc_setid

  proc_setid is only used when the worker starts and then dropped

  proc_info is only used by vmod_unix

bin/varnishd/mgt/mgt.h

@@ -104,6 +104,7 @@ void mgt_cli_init_cls(void);
 
 enum jail_master_e {
 	JAIL_MASTER_LOW = 0,
+	JAIL_MASTER_SYSTEM,
 	JAIL_MASTER_FILE,
 	JAIL_MASTER_STORAGE,
 	JAIL_MASTER_PRIVPORT,

bin/varnishd/mgt/mgt_child.c

@@ -327,7 +327,9 @@ mgt_launch_child(struct cli *cli)
 
 	AN(heritage.param);
 	AN(heritage.panic_str);
+	VJ_master(JAIL_MASTER_SYSTEM);
 	if ((pid = fork()) < 0) {
+		VJ_master(JAIL_MASTER_LOW);
 		perror("Could not fork child");
 		exit(1);		// XXX Harsh ?
 	}
@@ -389,6 +391,7 @@ mgt_launch_child(struct cli *cli)
 
 		exit(0);
 	}
+	VJ_master(JAIL_MASTER_LOW);
 	assert(pid > 1);
 	MGT_Complain(C_DEBUG, "Child (%jd) Started", (intmax_t)pid);
 	VSC_C_mgt->child_start++;

bin/varnishd/mgt/mgt_jail_solaris_tbl.h

@@ -44,14 +44,15 @@
  * - INHERITABLE and PERMITTED joined from SUBPROC*
  * - implicit rules from above
  */
-PRIV(MASTER_LOW,	E	, PRIV_PROC_EXEC)	// XXX fork
-PRIV(MASTER_LOW,	E	, PRIV_PROC_FORK)	// XXX fork
 PRIV(MASTER_LOW,	E	, "file_write")	// XXX vcl_boot
 PRIV(MASTER_LOW,	E	, "file_read")	// XXX library open
 PRIV(MASTER_LOW,	E	, "net_access")
 
-PRIV(MASTER_FILE,	E	, PRIV_PROC_EXEC)	// XXX rm -rf in shm
-PRIV(MASTER_FILE,	E	, PRIV_PROC_FORK)	// XXX rm -rf in shm
+PRIV(MASTER_SYSTEM,	E|I	, PRIV_PROC_EXEC)
+PRIV(MASTER_SYSTEM,	E|I	, PRIV_PROC_FORK)
+PRIV(MASTER_SYSTEM,	E|I	, "file_read")
+PRIV(MASTER_SYSTEM,	E|I	, "file_write")
+
 PRIV(MASTER_FILE,	E	, "file_read")
 PRIV(MASTER_FILE,	E	, "file_write")
 

bin/varnishd/mgt/mgt_shmem.c

@@ -78,6 +78,7 @@ mgt_shm_atexit(void)
 	VJ_master(JAIL_MASTER_FILE);
 	VSMW_Destroy(&mgt_vsmw);
 	if (!MGT_DO_DEBUG(DBG_VTC_MODE)) {
+		VJ_master(JAIL_MASTER_SYSTEM);
 		AZ(system("rm -rf " VSM_MGT_DIRNAME));
 		AZ(system("rm -rf " VSM_CHILD_DIRNAME));
 	}
@@ -93,8 +94,9 @@ mgt_SHM_Init(void)
 {
 	int fd;
 
-	VJ_master(JAIL_MASTER_FILE);
+	VJ_master(JAIL_MASTER_SYSTEM);
 	AZ(system("rm -rf " VSM_MGT_DIRNAME));
+	VJ_master(JAIL_MASTER_FILE);
 	AZ(mkdir(VSM_MGT_DIRNAME, 0755));
 	fd = open(VSM_MGT_DIRNAME, O_RDONLY);
 	VJ_fix_fd(fd, JAIL_FIXFD_VSMMGT);
@@ -112,8 +114,9 @@ void
 mgt_SHM_ChildNew(void)
 {
 
-	VJ_master(JAIL_MASTER_FILE);
+	VJ_master(JAIL_MASTER_SYSTEM);
 	AZ(system("rm -rf " VSM_CHILD_DIRNAME));
+	VJ_master(JAIL_MASTER_FILE);
 	AZ(mkdir(VSM_CHILD_DIRNAME, 0750));
 
 	heritage.vsm_fd = open(VSM_CHILD_DIRNAME, O_RDONLY);
@@ -140,7 +143,7 @@ mgt_SHM_ChildDestroy(void)
 
 	closefd(&heritage.vsm_fd);
 	if (!MGT_DO_DEBUG(DBG_VTC_MODE)) {
-		VJ_master(JAIL_MASTER_FILE);
+		VJ_master(JAIL_MASTER_SYSTEM);
 		AZ(system("rm -rf " VSM_CHILD_DIRNAME));
 		VJ_master(JAIL_MASTER_LOW);
 	}

bin/varnishd/mgt/mgt_vcc.c

@@ -229,7 +229,9 @@ mgt_vcc_compile(struct vcc_priv *vp, struct vsb *sb, int C_flag)
 	if (mgt_vcc_touchfile(VSB_data(vp->libfile), sb))
 		return (2);
 
+	VJ_master(JAIL_MASTER_SYSTEM);
 	subs = VSUB_run(sb, run_vcc, vp, "VCC-compiler", -1);
+	VJ_master(JAIL_MASTER_LOW);
 	if (subs)
 		return (subs);
 
@@ -247,11 +249,15 @@ mgt_vcc_compile(struct vcc_priv *vp, struct vsb *sb, int C_flag)
 		free(csrc);
 	}
 
+	VJ_master(JAIL_MASTER_SYSTEM);
 	subs = VSUB_run(sb, run_cc, vp, "C-compiler", 10);
+	VJ_master(JAIL_MASTER_LOW);
 	if (subs)
 		return (subs);
 
+	VJ_master(JAIL_MASTER_SYSTEM);
 	subs = VSUB_run(sb, run_dlopen, vp, "dlopen", 10);
+	VJ_master(JAIL_MASTER_LOW);
 	return (subs);
 }