[prev in list] [next in list] [prev in thread] [next in thread]
List: varnish-dev
Subject: Re: [PATCH] tailored assertions for priv_addset and setppriv
From: Nils Goroll <slink () schokola ! de>
Date: 2012-10-30 11:05:35
Message-ID: 508FB47F.9010408 () schokola ! de
[Download RAW message or body]
On 10/30/12 11:08 AM, Poul-Henning Kamp wrote:
> I think that is a good idea. Warnings tend to become "it always says that..."
:) Here we go.
["0001-tailored-assertions-for-priv_addset-and-setppriv-as.patch" (text/plain)]
> From 7a78a77d889b1a1c488c14ce836b33236d956601 Mon Sep 17 00:00:00 2001
From: Nils Goroll <nils.goroll@uplex.de>
Date: Mon, 29 Oct 2012 18:15:52 +0100
Subject: [PATCH] tailored assertions for priv_addset and setppriv, assert that \
setppriv(PRIV_OFF) succeeds when waiving privileges fixes varnish builds on any \
Solaris OS older than onnv_140 due to too strict assertions from \
[c613b135570f87535839e3a94630880d16910f4f] add history of solaris privileges
better comments
---
bin/varnishd/mgt/mgt_sandbox_solaris.c | 179 +++++++++++++++++++++++++-------
1 files changed, 143 insertions(+), 36 deletions(-)
diff --git a/bin/varnishd/mgt/mgt_sandbox_solaris.c \
b/bin/varnishd/mgt/mgt_sandbox_solaris.c index 728eca0..b4d2b22 100644
--- a/bin/varnishd/mgt/mgt_sandbox_solaris.c
+++ b/bin/varnishd/mgt/mgt_sandbox_solaris.c
@@ -52,13 +52,132 @@
/*--------------------------------------------------------------------
* SOLARIS PRIVILEGES: Note on use of symbolic PRIV_* constants
*
- * For privileges which existed in Solaris 10 FCS, we may use the constants from
- * sys/priv_names.h
+ * We assume backwards compatibility only for Solaris Releases after the
+ * OpenSolaris Launch. For privileges which existed at the time of the
+ * OpenSolaris Launch, we use the constants from sys/priv_names.h and assert
+ * that priv_addset must succeed.
*
- * For privileges which have been added later, we need to use strings in order
- * not to break builds of varnish on these platforms. To remain binary
- * compatible, we need to silently ignore errors from priv_addset when using
- * these strings.
+ * For privileges which have been added later, we need to use priv strings in
+ * order not to break builds of varnish on these platforms. To remain binary
+ * compatible, we can't assert that priv_addset succeeds, but we may assert that
+ * it either succeeds or fails with EINVAL.
+ */
+
+/* for priv_delset() and priv_addset() */
+static inline int
+priv_setop_check(int a) {
+ if (a == 0)
+ return (1);
+ if (errno == EINVAL)
+ return (1);
+ return (0);
+}
+
+#define priv_setop_assert(a) assert(priv_setop_check(a))
+
+/*
+ * we try to add all possible privileges to waive them later.
+ *
+ * when doing so, we need to expect EPERM
+ */
+
+/* for setppriv */
+static inline int
+setppriv_check(int a) {
+ if (a == 0)
+ return (1);
+ if (errno == EPERM)
+ return (1);
+ return (0);
+}
+
+#define setppriv_assert(a) assert(setppriv_check(a))
+
+
+/*
+ * brief histroy of introduction of privileges since OpenSolaris Launch
+ *
+ * (from hg log -gp usr/src/uts/common/os/priv_defs)
+ *
+ * ARC cases are not necessarily accurate (induced from commit msg)
+ * (marked with ?)
+ *
+ * privileges used here marked with *
+ *
+ *
+ * ARC case hg commit first release
+ *
+ * PSARC/2006/155? 37f4a3e2bd99 onnv_37
+ * - file_downgrade_sl
+ * - file_upgrade_sl
+ * - net_bindmlp
+ * - net_mac_aware
+ * - sys_trans_label
+ * - win_colormap
+ * - win_config
+ * - win_dac_read
+ * - win_dac_write
+ * - win_devices
+ * - win_dga
+ * - win_downgrade_sl
+ * - win_fontpath
+ * - win_mac_read
+ * - win_mac_write
+ * - win_selection
+ * - win_upgrade_sl
+ *
+ * PSARC/2006/218 5dbf296c1e57 onnv_39
+ * - graphics_access
+ * - graphics_map
+ *
+ * PSARC/2006/366 aaf16568054b onnv_57
+ * - net_config
+ *
+ * PSARC/2007/315? 3047ad28a67b onnv_77
+ * - file_flag_set
+ *
+ * PSARC/2007/560? 3047ad28a67b onnv_77
+ * - sys_smb
+ *
+ * PSARC 2008/046 47f6aa7a8077 onnv_85
+ * - contract_identify
+ *
+ * PSARC 2008/289 79a9dac325d9 onnv_92
+ * - virt_manage
+ * - xvm_control
+ *
+ * PSARC 2008/473 eff7960d93cd onnv_98
+ * - sys_dl_config
+ *
+ * PSARC/2006/475 faf256d5c16c onnv_103
+ * - net_observability
+ *
+ * PSARC/2009/317 8e29565352fc onnv_117
+ * - sys_ppp_config
+ *
+ * PSARC/2009/373 3be00c4a6835 onnv_125
+ * - sys_iptun_config
+ *
+ * PSARC/2008/252 e209937a4f19 onnv_128
+ * - net_mac_implicit
+ *
+ * PSARC/2009/685 8eca52188202 onnv_132
+ * * net_access
+ *
+ * PSARC/2009/378 63678502e95e onnv_140
+ * * file_read
+ * * file_write
+ *
+ * PSARC/2010/181 15439b11d535 onnv_142
+ * - sys_res_bind
+ *
+ * unknown unknown Solaris11
+ * - sys_flow_config
+ * - sys_share
+ *
+ *
+ * SOLARIS PRIVILEGES: Note on introtiction of new privileges (forward
+ * compatibility)
*
* For optimal build and binary forward comatibility, we could use subtractive
* set specs like
@@ -103,14 +222,13 @@ mgt_sandbox_solaris_add_inheritable(priv_set_t *pset, enum \
sandbox_e who) switch (who) {
case SANDBOX_VCC:
/* for /etc/resolv.conf and /etc/hosts */
- AZ(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
break;
case SANDBOX_CC:
- AZ(priv_addset(pset, "proc_exec"));
- AZ(priv_addset(pset, "proc_fork"));
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_read"));
- AZ(priv_addset(pset, "file_write"));
+ priv_setop_assert(priv_addset(pset, "proc_exec"));
+ priv_setop_assert(priv_addset(pset, "proc_fork"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_write"));
break;
case SANDBOX_VCLLOAD:
break;
@@ -132,20 +250,16 @@ mgt_sandbox_solaris_add_effective(priv_set_t *pset, enum \
sandbox_e who) {
switch (who) {
case SANDBOX_VCC:
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_write"));
+ priv_setop_assert(priv_addset(pset, "file_write"));
break;
case SANDBOX_CC:
break;
case SANDBOX_VCLLOAD:
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
case SANDBOX_WORKER:
- /* PSARC/2009/685 - 8eca52188202 - onnv_132 */
- AZ(priv_addset(pset, "net_access"));
- /* PSARC/2009/378 - 63678502e95e - onnv_140 */
- AZ(priv_addset(pset, "file_read"));
- AZ(priv_addset(pset, "file_write"));
+ priv_setop_assert(priv_addset(pset, "net_access"));
+ priv_setop_assert(priv_addset(pset, "file_read"));
+ priv_setop_assert(priv_addset(pset, "file_write"));
break;
default:
REPORT(LOG_ERR, "INCOMPLETE AT: %s(%d)\n", __func__, __LINE__);
@@ -218,9 +332,10 @@ mgt_sandbox_solaris_init(enum sandbox_e who)
mgt_sandbox_solaris_add_permitted(priv_all, who);
mgt_sandbox_solaris_add_initial(priv_all, who);
- setppriv(PRIV_ON, PRIV_PERMITTED, priv_all);
- setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_all);
- setppriv(PRIV_ON, PRIV_INHERITABLE, priv_all);
+ /* try to get all possible privileges, expect EPERM here */
+ setppriv_assert(setppriv(PRIV_ON, PRIV_PERMITTED, priv_all));
+ setppriv_assert(setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_all));
+ setppriv_assert(setppriv(PRIV_ON, PRIV_INHERITABLE, priv_all));
priv_freeset(priv_all);
}
@@ -292,18 +407,10 @@ mgt_sandbox_solaris_waive(enum sandbox_e who)
priv_inverse(effective);
priv_inverse(permitted);
-#define SETPPRIV(which, set) \
- if (setppriv(PRIV_OFF, which, set)) \
- REPORT(LOG_ERR, \
- "Sandbox warning: " \
- " Waiving privileges failed on %s: errno=%d (%s)", \
- #which, errno, strerror(errno));
-
- SETPPRIV(PRIV_LIMIT, permitted);
- SETPPRIV(PRIV_PERMITTED, permitted);
- SETPPRIV(PRIV_EFFECTIVE, effective);
- SETPPRIV(PRIV_INHERITABLE, inheritable);
-#undef SETPPRIV
+ AZ(setppriv(PRIV_OFF, PRIV_LIMIT, permitted));
+ AZ(setppriv(PRIV_OFF, PRIV_PERMITTED, permitted));
+ AZ(setppriv(PRIV_OFF, PRIV_EFFECTIVE, effective));
+ AZ(setppriv(PRIV_OFF, PRIV_INHERITABLE, inheritable));
priv_freeset(inheritable);
priv_freeset(effective);
--
1.5.6.5
_______________________________________________
varnish-dev mailing list
varnish-dev@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic