Isolation: added option to disable "procfs" mount.

Now users can disable the default procfs mount point
in the rootfs.

 {
     "isolation": {
         "automount": {
             "procfs": false
         }
     }
 }
This commit is contained in:
Tiago Natel de Moura
2020-11-16 17:56:12 +00:00
parent bbc29df8fe
commit e7d66acda7
3 changed files with 33 additions and 20 deletions


@@ -844,6 +844,9 @@ static nxt_conf_vldt_object_t nxt_conf_vldt_app_automount_members[] = {
}, { }, {
.name = nxt_string("tmpfs"), .name = nxt_string("tmpfs"),
.type = NXT_CONF_VLDT_BOOLEAN, .type = NXT_CONF_VLDT_BOOLEAN,
}, {
.name = nxt_string("procfs"),
.type = NXT_CONF_VLDT_BOOLEAN,
}, },
NXT_CONF_VLDT_END NXT_CONF_VLDT_END


@@ -485,11 +485,13 @@ nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
static nxt_str_t automount_name = nxt_string("automount"); static nxt_str_t automount_name = nxt_string("automount");
static nxt_str_t langdeps_name = nxt_string("language_deps"); static nxt_str_t langdeps_name = nxt_string("language_deps");
static nxt_str_t tmp_name = nxt_string("tmpfs"); static nxt_str_t tmp_name = nxt_string("tmpfs");
static nxt_str_t proc_name = nxt_string("procfs");
automount = &process->isolation.automount; automount = &process->isolation.automount;
automount->language_deps = 1; automount->language_deps = 1;
automount->tmpfs = 1; automount->tmpfs = 1;
automount->procfs = 1;
conf = nxt_conf_get_object_member(isolation, &automount_name, NULL); conf = nxt_conf_get_object_member(isolation, &automount_name, NULL);
if (conf != NULL) { if (conf != NULL) {
@@ -502,6 +504,11 @@ nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
if (value != NULL) { if (value != NULL) {
automount->tmpfs = nxt_conf_get_boolean(value); automount->tmpfs = nxt_conf_get_boolean(value);
} }
value = nxt_conf_get_object_member(conf, &proc_name, NULL);
if (value != NULL) {
automount->procfs = nxt_conf_get_boolean(value);
}
} }
return NXT_OK; return NXT_OK;
@@ -609,28 +616,30 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
*p = '\0'; *p = '\0';
} }
mnt = nxt_array_add(mounts); if (process->isolation.automount.procfs) {
if (nxt_slow_path(mnt == NULL)) { mnt = nxt_array_add(mounts);
return NXT_ERROR; if (nxt_slow_path(mnt == NULL)) {
return NXT_ERROR;
}
mnt->name = (u_char *) "proc";
mnt->type = NXT_FS_PROC;
mnt->src = (u_char *) "none";
mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/proc") + 1);
if (nxt_slow_path(mnt->dst == NULL)) {
return NXT_ERROR;
}
p = nxt_cpymem(mnt->dst, rootfs, rootfs_len);
p = nxt_cpymem(p, "/proc", 5);
*p = '\0';
mnt->data = (u_char *) "";
mnt->flags = NXT_FS_FLAGS_NOEXEC | NXT_FS_FLAGS_NOSUID;
mnt->builtin = 1;
mnt->deps = 0;
} }
mnt->name = (u_char *) "proc";
mnt->type = NXT_FS_PROC;
mnt->src = (u_char *) "none";
mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/proc") + 1);
if (nxt_slow_path(mnt->dst == NULL)) {
return NXT_ERROR;
}
p = nxt_cpymem(mnt->dst, rootfs, rootfs_len);
p = nxt_cpymem(p, "/proc", 5);
*p = '\0';
mnt->data = (u_char *) "";
mnt->flags = NXT_FS_FLAGS_NOEXEC | NXT_FS_FLAGS_NOSUID;
mnt->builtin = 1;
mnt->deps = 0;
qsort(mounts->elts, mounts->nelts, sizeof(nxt_fs_mount_t), qsort(mounts->elts, mounts->nelts, sizeof(nxt_fs_mount_t),
nxt_isolation_mount_compare); nxt_isolation_mount_compare);
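Review bot: The length of "/proc" is spelled two different ways inside the new procfs block: the allocation uses `nxt_length("/proc")` while the copy uses the literal `5`, so the two can silently drift apart if the path is ever changed; use the same expression for both, `p = nxt_cpymem(p, "/proc", nxt_length("/proc"));`. The default `automount->procfs = 1` set in nxt_isolation_set_automount keeps the mount enabled for configurations that do not mention the option, so existing deployments keep their current behaviour. A one-line comment above `if (process->isolation.automount.procfs) {` would help the next reader see that disabling the option drops the /proc entry from the mount list entirely rather than substituting anything, e.g. `/* procfs is optional: when disabled, no /proc entry is added to the mount list. */`. nxt_isolation_set_lang_mounts begins before this hunk and appears to continue past it.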


@@ -76,6 +76,7 @@ typedef struct {
typedef struct { typedef struct {
uint8_t language_deps; /* 1-bit */ uint8_t language_deps; /* 1-bit */
uint8_t tmpfs; /* 1-bit */ uint8_t tmpfs; /* 1-bit */
uint8_t procfs; /* 1-bit */
} nxt_process_automount_t; } nxt_process_automount_t;