static void
vjs_add_effective(priv_set_t *pset, enum jail_gen_e jge)
{
switch (jge) {
case JAILG_SUBPROC_VCC:
// open vmods
priv_setop_assert(priv_addset(pset, "file_read"));
// write .c output
priv_setop_assert(priv_addset(pset, "file_write"));
break;
case JAILG_SUBPROC_CC:
priv_setop_assert(priv_addset(pset, PRIV_PROC_EXEC));
priv_setop_assert(priv_addset(pset, PRIV_PROC_FORK));
priv_setop_assert(priv_addset(pset, "file_read"));
priv_setop_assert(priv_addset(pset, "file_write"));
break;
case JAILG_SUBPROC_VCLLOAD:
priv_setop_assert(priv_addset(pset, "file_read"));
break;
case JAILG_SUBPROC_WORKER:
priv_setop_assert(priv_addset(pset, "net_access"));
priv_setop_assert(priv_addset(pset, "file_read"));
priv_setop_assert(priv_addset(pset, "file_write"));
break;
default:
INCOMPL();
}
}
static void
vjs_add_inheritable(priv_set_t *pset, enum jail_gen_e jge)
{
switch (jge) {
case JAILG_SUBPROC_VCC:
break;
case JAILG_SUBPROC_CC:
priv_setop_assert(priv_addset(pset, PRIV_PROC_EXEC));
priv_setop_assert(priv_addset(pset, PRIV_PROC_FORK));
priv_setop_assert(priv_addset(pset, "file_read"));
priv_setop_assert(priv_addset(pset, "file_write"));
break;
case JAILG_SUBPROC_VCLLOAD:
break;
case JAILG_SUBPROC_WORKER:
break;
default:
INCOMPL();
}
}
static void
mgt_sandbox_solaris_add_effective(priv_set_t *pset, enum sandbox_e who)
{
switch (who) {
case SANDBOX_VCC:
priv_setop_assert(priv_addset(pset, "file_write"));
break;
case SANDBOX_CC:
break;
case SANDBOX_VCLLOAD:
priv_setop_assert(priv_addset(pset, "file_read"));
case SANDBOX_WORKER:
priv_setop_assert(priv_addset(pset, "net_access"));
priv_setop_assert(priv_addset(pset, "file_read"));
priv_setop_assert(priv_addset(pset, "file_write"));
break;
default:
REPORT(LOG_ERR, "INCOMPLETE AT: %s(%d)\n", __func__, __LINE__);
exit(1);
}
}
static void
mgt_sandbox_solaris_add_inheritable(priv_set_t *pset, enum sandbox_e who)
{
switch (who) {
case SANDBOX_VCC:
/* for /etc/resolv.conf and /etc/hosts */
priv_setop_assert(priv_addset(pset, "file_read"));
break;
case SANDBOX_CC:
priv_setop_assert(priv_addset(pset, PRIV_PROC_EXEC));
priv_setop_assert(priv_addset(pset, PRIV_PROC_FORK));
priv_setop_assert(priv_addset(pset, "file_read"));
priv_setop_assert(priv_addset(pset, "file_write"));
break;
case SANDBOX_VCLLOAD:
break;
case SANDBOX_WORKER:
break;
default:
REPORT(LOG_ERR, "INCOMPLETE AT: %s(%d)\n", __func__, __LINE__);
exit(1);
}
}