Isolation: mounting of procfs by default when using "rootfs".

Tiago Natel de Moura
2020-10-29 20:30:53 +00:00
parent 417f5d911d
commit 0390cb3a61
15 changed files with 355 additions and 200 deletions


@@ -18,15 +18,59 @@ static nxt_int_t nxt_fs_mkdir(const u_char *dir, mode_t mode);
nxt_int_t
nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
{
int rc;
int rc;
const char *fsname;
unsigned long flags;
rc = mount((const char *) mnt->src, (const char *) mnt->dst,
(const char *) mnt->fstype, mnt->flags, mnt->data);
flags = 0;
switch (mnt->type) {
case NXT_FS_BIND:
if (nxt_slow_path(mnt->flags != 0)) {
nxt_log(task, NXT_LOG_WARN,
"bind mount ignores additional flags");
}
fsname = "bind";
flags = MS_BIND | MS_REC;
break;
case NXT_FS_PROC:
fsname = "proc";
goto getflags;
case NXT_FS_TMP:
fsname = "tmpfs";
goto getflags;
default:
fsname = (const char *) mnt->name;
getflags:
if (mnt->flags & NXT_FS_FLAGS_NODEV) {
flags |= MS_NODEV;
}
if (mnt->flags & NXT_FS_FLAGS_NOEXEC) {
flags |= MS_NOEXEC;
}
if (mnt->flags & NXT_FS_FLAGS_NOSUID) {
flags |= MS_NOSUID;
}
if (!(mnt->flags & NXT_FS_FLAGS_NOTIME)) {
flags |= MS_RELATIME;
}
}
rc = mount((const char *) mnt->src, (const char *) mnt->dst, fsname, flags,
mnt->data);
if (nxt_slow_path(rc < 0)) {
nxt_alert(task, "mount(\"%s\", \"%s\", \"%s\", %d, \"%s\") %E",
mnt->src, mnt->dst, mnt->fstype, mnt->flags, mnt->data,
nxt_errno);
nxt_alert(task, "mount(\"%s\", \"%s\", \"%s\", %ul, \"%s\") %E",
mnt->src, mnt->dst, fsname, flags, mnt->data, nxt_errno);
return NXT_ERROR;
}
@@ -34,37 +78,66 @@ nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
return NXT_OK;
}
#elif (NXT_HAVE_FREEBSD_NMOUNT)
nxt_int_t
nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
{
int flags;
u_char *data, *p, *end;
size_t iovlen;
nxt_int_t ret;
const char *fstype;
const char *fsname;
struct iovec iov[128];
char errmsg[256];
if (nxt_strncmp(mnt->fstype, "bind", 4) == 0) {
fstype = "nullfs";
if (nxt_slow_path((mnt->flags & NXT_FS_FLAGS_NODEV) && !mnt->builtin)) {
nxt_alert(task, "nmount(2) doesn't support \"nodev\" option");
} else if (nxt_strncmp(mnt->fstype, "proc", 4) == 0) {
fstype = "procfs";
} else if (nxt_strncmp(mnt->fstype, "tmpfs", 5) == 0) {
fstype = "tmpfs";
} else {
nxt_alert(task, "mount type \"%s\" not implemented.", mnt->fstype);
return NXT_ERROR;
}
flags = 0;
switch (mnt->type) {
case NXT_FS_BIND:
fsname = "nullfs";
break;
case NXT_FS_PROC:
fsname = "procfs";
goto getflags;
case NXT_FS_TMP:
fsname = "tmpfs";
goto getflags;
default:
fsname = (const char *) mnt->name;
getflags:
if (mnt->flags & NXT_FS_FLAGS_NOEXEC) {
flags |= MNT_NOEXEC;
}
if (mnt->flags & NXT_FS_FLAGS_NOSUID) {
flags |= MNT_NOSUID;
}
if (mnt->flags & NXT_FS_FLAGS_NOTIME) {
flags |= MNT_NOATIME;
}
if (mnt->flags & NXT_FS_FLAGS_RDONLY) {
flags |= MNT_RDONLY;
}
}
iov[0].iov_base = (void *) "fstype";
iov[0].iov_len = 7;
iov[1].iov_base = (void *) fstype;
iov[1].iov_len = nxt_strlen(fstype) + 1;
iov[1].iov_base = (void *) fsname;
iov[1].iov_len = nxt_strlen(fsname) + 1;
iov[2].iov_base = (void *) "fspath";
iov[2].iov_len = 7;
iov[3].iov_base = (void *) mnt->dst;
@@ -117,7 +190,7 @@ nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
ret = NXT_OK;
if (nxt_slow_path(nmount(iov, iovlen, 0) < 0)) {
if (nxt_slow_path(nmount(iov, iovlen, flags) < 0)) {
nxt_alert(task, "nmount(%p, %d, 0) %s", iov, iovlen, errmsg);
ret = NXT_ERROR;
}
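Review bot: The NXT_FS_BIND case of the Linux nxt_fs_mount only logs "bind mount ignores additional flags" and then drops them, so a rootfs bind mount configured with nosuid/noexec/nodev receives none of those restrictions: on Linux the kernel ignores every flag except MS_BIND/MS_REC on the initial bind, and the restrictions have to be applied by a second mount(2) on the target with MS_REMOUNT | MS_BIND, which the excerpt below does after the first mount() succeeds. Such a bind-remount only affects the top-level mount, not the submounts pulled in by MS_REC, so if that is acceptable it deserves a comment rather than silence. In the same hunk the Linux getflags block never maps NXT_FS_FLAGS_RDONLY, while the FreeBSD variant maps it to MNT_RDONLY, so read-only requests are silently ignored on Linux; it should gain `if (mnt->flags & NXT_FS_FLAGS_RDONLY) { flags |= MS_RDONLY; }`. The Linux nxt_fs_mount body continues past the end of this hunk (its return NXT_OK lands in the next one).
```c
    case NXT_FS_BIND:
        fsname = "bind";
        flags = MS_BIND | MS_REC;
        break;

    /* … unchanged: proc/tmpfs/default flag mapping, first mount() and its error check … */

    if (mnt->type == NXT_FS_BIND && mnt->flags != 0) {
        /*
         * Linux ignores all but MS_BIND/MS_REC on the initial bind; the
         * per-mount restrictions only take effect through a bind-remount
         * of the target (top-level mount only, not MS_REC submounts).
         */
        flags = MS_REMOUNT | MS_BIND;

        if (mnt->flags & NXT_FS_FLAGS_NODEV) {
            flags |= MS_NODEV;
        }

        if (mnt->flags & NXT_FS_FLAGS_NOEXEC) {
            flags |= MS_NOEXEC;
        }

        if (mnt->flags & NXT_FS_FLAGS_NOSUID) {
            flags |= MS_NOSUID;
        }

        if (mnt->flags & NXT_FS_FLAGS_RDONLY) {
            flags |= MS_RDONLY;
        }

        rc = mount(NULL, (const char *) mnt->dst, NULL, flags, NULL);

        if (nxt_slow_path(rc < 0)) {
            nxt_alert(task, "mount(NULL, \"%s\", NULL, %ul, NULL) %E",
                      mnt->dst, flags, nxt_errno);
            return NXT_ERROR;
        }
    }
```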