- 02 Jun, 2020 11 commits
-
-
Nils Goroll authored
Also (re)used to make fork privileges available when we start a subprocess: As we are going to apply the JAIL_SUBPROC privileges to the forked process, having slightly eleveated privileges only agross the fork() should not cause any harm. - This concludes the current series of Solaris jail patches, hopefully. With this commit, varnishd started with pfexec ("root privileges") keeps the following privileges only (ppriv -v output) on Solaris: * master:: flags = PRIV_AWARE E: file_read,file_write,net_access I: none P: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid L: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid notes: E: file_read is required for basic config files like /etc/netconfig net_access is required for CLI communication file_write could potentially be removed if any file write operations (e.g. writing vcl files) were wrapped with JAIL_MASTER_FILE, but I do not consider this a relevant gain for now. For other master jail states, E will be momentarily expanded. I: will be momentarily expanded for system() P: Contains the union of all privileges used anywhere in varnish L: Could potentially be reduced further, but P already limits * worker:: flags = PRIV_AWARE E: file_read,file_write,net_access I: none P: file_read,file_write,net_access,proc_info L: file_read,file_write,net_access,proc_info,proc_setid proc_setid is only used when the worker starts and then dropped proc_info is only used by vmod_unix
-
Nils Goroll authored
we now dynamically manage the INHERITABLE set also, which has the advantage of reducing the privileges available to anything we exec() (likely via system()) from master which is not managed through JAIL_SUBPROC. See next commit.
-
Nils Goroll authored
-
Nils Goroll authored
-
Nils Goroll authored
Avoid setppriv() tolerating EPERM by masking privileges with the available upper bound.
-
Nils Goroll authored
-
Dridi Boukelmoune authored
-
Dridi Boukelmoune authored
Reverts: 8eb42d2c f43679b6 6f1563cf
-
Nils Goroll authored
- simplify definition of privileges in a table file - only initialize priv sets once - implement the master jails
-
Nils Goroll authored
-
Nils Goroll authored
-
- 30 May, 2020 2 commits
-
-
Nils Goroll authored
We are also going to need JAIL_SUBPROC to determine the boundary between the MASTER and SUBPROC enum values.
-
Nils Goroll authored
depending on the compiler's mood
-
- 29 May, 2020 3 commits
-
-
Nils Goroll authored
-
Nils Goroll authored
this is to allow a follow-up simplification in the solaris to use a single array for privileges.
-
Martin Tzvetanov Grigorov authored
Add _amd64|_arm64 before the extension
-
- 28 May, 2020 2 commits
-
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
- 27 May, 2020 2 commits
-
-
Dridi Boukelmoune authored
-
Dridi Boukelmoune authored
For some reason this is failing on some platforms reporting on VTEST.
-
- 26 May, 2020 1 commit
-
-
Guillaume Quintard authored
-
- 25 May, 2020 8 commits
-
-
Dridi Boukelmoune authored
-
Poul-Henning Kamp authored
Mkdtemp(3) creates the directory with mode 0700, and since it already exists, we do not change the mode subsequently, which causes jailed with uid=vcache to keel over.
-
Poul-Henning Kamp authored
Previously it only did so if no -n argument was given. Fixes #3307
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
Add VJ_unlink() and VJ_rmdir() to do so.
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
Fixes: #3327
-
- 23 May, 2020 3 commits
-
-
Federico G. Schwindt authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
- 21 May, 2020 1 commit
-
-
Nils Goroll authored
and, in particular, matching client.ip against a vcl Ref #3334
-
- 19 May, 2020 5 commits
-
-
Martin Tzvetanov Grigorov authored
There is a problem with fakeroot-sysv on Ubuntu 20.04 aarch64: Install Build-Depends packages... + mk-build-deps --install debian/control + yes semop(1): encountered an error: Function not implemented Error in the build process: exit status 1
-
Dridi Boukelmoune authored
That is, in the context of varnish.m4, because this changes existing behavior in a way that breaks backward compatibility. Partial revert of 134d0633.
-
Dridi Boukelmoune authored
-
Nils Goroll authored
This is to support generated vcc files with out-of-tree vmod builds.
-
Nils Goroll authored
our python sources use spaces
-
- 18 May, 2020 1 commit
-
-
Dridi Boukelmoune authored
-
- 15 May, 2020 1 commit
-
-
Martin Tzvetanov Grigorov authored
-