technocloud-public/nginx-unit
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Isolation: fixed build when features aren't detected.

Browse Source
This commit is contained in:
Tiago Natel de Moura
2020-06-23 12:11:27 +01:00
parent 0326cefef5
commit f8ba5d6c00
5 changed files with 116 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
auto/isolation
View File

@@ -94,24 +94,8 @@ nxt_feature_libs=
nxt_feature_test="#include <sys/mount.h> nxt_feature_test="#include <sys/mount.h>
int main() { int main() {
return mount((void*)0, (void*)0, (void*)0, 0, (void*)0); return mount(\"/\", \"/\", \"bind\",
}" MS_BIND | MS_REC, \"\");
. auto/feature
if [ $nxt_found = yes ]; then
NXT_HAVE_MOUNT=YES
fi
nxt_feature="Bind mount()"
nxt_feature_name=NXT_HAVE_BIND_MOUNT
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/mount.h>
int main() {
return MS_BIND | MS_REC
}" }"
. auto/feature . auto/feature

201
src/nxt_application.c
View File

@@ -41,19 +41,21 @@ static void nxt_discovery_quit(nxt_task_t *task, nxt_port_recv_msg_t *msg,
void *data); void *data);
static nxt_app_module_t *nxt_app_module_load(nxt_task_t *task, static nxt_app_module_t *nxt_app_module_load(nxt_task_t *task,
const char *name); const char *name);
static nxt_int_t nxt_app_prefork(nxt_task_t *task, nxt_process_t *process, static nxt_int_t nxt_app_main_prefork(nxt_task_t *task, nxt_process_t *process,
nxt_mp_t *mp); nxt_mp_t *mp);
static nxt_int_t nxt_app_setup(nxt_task_t *task, nxt_process_t *process); static nxt_int_t nxt_app_setup(nxt_task_t *task, nxt_process_t *process);
static nxt_int_t nxt_app_set_environment(nxt_conf_value_t *environment); static nxt_int_t nxt_app_set_environment(nxt_conf_value_t *environment);
static u_char *nxt_cstr_dup(nxt_mp_t *mp, u_char *dst, u_char *src); static u_char *nxt_cstr_dup(nxt_mp_t *mp, u_char *dst, u_char *src);
#if (NXT_HAVE_ISOLATION_ROOTFS) #if (NXT_HAVE_ISOLATION_ROOTFS)
static nxt_int_t nxt_app_prepare_rootfs(nxt_task_t *task, static nxt_int_t nxt_app_set_isolation_mounts(nxt_task_t *task,
nxt_process_t *process); nxt_process_t *process, nxt_str_t *app_type);
static nxt_int_t nxt_app_prepare_lang_mounts(nxt_task_t *task, static nxt_int_t nxt_app_set_lang_mounts(nxt_task_t *task,
nxt_process_t *process, nxt_array_t *syspaths); nxt_process_t *process, nxt_array_t *syspaths);
static nxt_int_t nxt_app_set_isolation_rootfs(nxt_task_t *task, static nxt_int_t nxt_app_set_isolation_rootfs(nxt_task_t *task,
nxt_conf_value_t *isolation, nxt_process_t *process); nxt_conf_value_t *isolation, nxt_process_t *process);
static nxt_int_t nxt_app_prepare_rootfs(nxt_task_t *task,
nxt_process_t *process);
#endif #endif
static nxt_int_t nxt_app_set_isolation(nxt_task_t *task, static nxt_int_t nxt_app_set_isolation(nxt_task_t *task,
@@ -124,7 +126,7 @@ const nxt_process_init_t nxt_discovery_process = {
const nxt_process_init_t nxt_app_process = { const nxt_process_init_t nxt_app_process = {
.type = NXT_PROCESS_APP, .type = NXT_PROCESS_APP,
.setup = nxt_app_setup, .setup = nxt_app_setup,
.prefork = nxt_app_prefork, .prefork = nxt_app_main_prefork,
.restart = 0, .restart = 0,
.start = NULL, /* set to module->start */ .start = NULL, /* set to module->start */
.port_handlers = &nxt_app_process_port_handlers, .port_handlers = &nxt_app_process_port_handlers,
@@ -472,22 +474,16 @@ nxt_discovery_quit(nxt_task_t *task, nxt_port_recv_msg_t *msg, void *data)
static nxt_int_t static nxt_int_t
nxt_app_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp) nxt_app_main_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp)
{ {
nxt_int_t cap_setid, cap_chroot; nxt_int_t cap_setid;
nxt_int_t ret; nxt_int_t ret;
nxt_runtime_t *rt; nxt_runtime_t *rt;
nxt_common_app_conf_t *app_conf; nxt_common_app_conf_t *app_conf;
nxt_app_lang_module_t *lang;
rt = task->thread->runtime; rt = task->thread->runtime;
app_conf = process->data.app; app_conf = process->data.app;
cap_setid = rt->capabilities.setid; cap_setid = rt->capabilities.setid;
cap_chroot = rt->capabilities.chroot;
lang = nxt_app_lang_module(rt, &app_conf->type);
nxt_assert(lang != NULL);
if (app_conf->isolation != NULL) { if (app_conf->isolation != NULL) {
ret = nxt_app_set_isolation(task, app_conf->isolation, process); ret = nxt_app_set_isolation(task, app_conf->isolation, process);
@@ -499,24 +495,14 @@ nxt_app_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp)
#if (NXT_HAVE_CLONE_NEWUSER) #if (NXT_HAVE_CLONE_NEWUSER)
if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) { if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) {
cap_setid = 1; cap_setid = 1;
cap_chroot = 1;
} }
#endif #endif
#if (NXT_HAVE_ISOLATION_ROOTFS) #if (NXT_HAVE_ISOLATION_ROOTFS)
if (process->isolation.rootfs != NULL) { if (process->isolation.rootfs != NULL) {
if (!cap_chroot) { ret = nxt_app_set_isolation_mounts(task, process, &app_conf->type);
nxt_log(task, NXT_LOG_ERR,
"The \"rootfs\" field requires privileges");
return NXT_ERROR;
}
if (lang->mounts != NULL && lang->mounts->nelts > 0) {
ret = nxt_app_prepare_lang_mounts(task, process, lang->mounts);
if (nxt_slow_path(ret != NXT_OK)) { if (nxt_slow_path(ret != NXT_OK)) {
return NXT_ERROR; return ret;
}
} }
} }
#endif #endif
@@ -765,71 +751,6 @@ nxt_app_set_isolation_namespaces(nxt_task_t *task, nxt_conf_value_t *isolation,
#endif #endif
#if (NXT_HAVE_ISOLATION_ROOTFS)
static nxt_int_t
nxt_app_set_isolation_rootfs(nxt_task_t *task, nxt_conf_value_t *isolation,
nxt_process_t *process)
{
nxt_str_t str;
nxt_conf_value_t *obj;
static nxt_str_t rootfs_name = nxt_string("rootfs");
obj = nxt_conf_get_object_member(isolation, &rootfs_name, NULL);
if (obj != NULL) {
nxt_conf_get_string(obj, &str);
if (nxt_slow_path(str.length <= 1 || str.start[0] != '/')) {
nxt_log(task, NXT_LOG_ERR, "rootfs requires an absolute path other "
"than \"/\" but given \"%V\"", &str);
return NXT_ERROR;
}
if (str.start[str.length - 1] == '/') {
str.length--;
}
process->isolation.rootfs = nxt_mp_alloc(process->mem_pool,
str.length + 1);
if (nxt_slow_path(process->isolation.rootfs == NULL)) {
return NXT_ERROR;
}
nxt_memcpy(process->isolation.rootfs, str.start, str.length);
process->isolation.rootfs[str.length] = '\0';
}
return NXT_OK;
}
#endif
#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
static nxt_int_t
nxt_app_set_isolation_new_privs(nxt_task_t *task, nxt_conf_value_t *isolation,
nxt_process_t *process)
{
nxt_conf_value_t *obj;
static nxt_str_t new_privs_name = nxt_string("new_privs");
obj = nxt_conf_get_object_member(isolation, &new_privs_name, NULL);
if (obj != NULL) {
process->isolation.new_privs = nxt_conf_get_boolean(obj);
}
return NXT_OK;
}
#endif
#if (NXT_HAVE_CLONE_NEWUSER) #if (NXT_HAVE_CLONE_NEWUSER)
static nxt_int_t static nxt_int_t
@@ -1002,7 +923,83 @@ nxt_app_clone_flags(nxt_task_t *task, nxt_conf_value_t *namespaces,
#if (NXT_HAVE_ISOLATION_ROOTFS) #if (NXT_HAVE_ISOLATION_ROOTFS)
static nxt_int_t static nxt_int_t
nxt_app_prepare_lang_mounts(nxt_task_t *task, nxt_process_t *process, nxt_app_set_isolation_rootfs(nxt_task_t *task, nxt_conf_value_t *isolation,
nxt_process_t *process)
{
nxt_str_t str;
nxt_conf_value_t *obj;
static nxt_str_t rootfs_name = nxt_string("rootfs");
obj = nxt_conf_get_object_member(isolation, &rootfs_name, NULL);
if (obj != NULL) {
nxt_conf_get_string(obj, &str);
if (nxt_slow_path(str.length <= 1 || str.start[0] != '/')) {
nxt_log(task, NXT_LOG_ERR, "rootfs requires an absolute path other "
"than \"/\" but given \"%V\"", &str);
return NXT_ERROR;
}
if (str.start[str.length - 1] == '/') {
str.length--;
}
process->isolation.rootfs = nxt_mp_alloc(process->mem_pool,
str.length + 1);
if (nxt_slow_path(process->isolation.rootfs == NULL)) {
return NXT_ERROR;
}
nxt_memcpy(process->isolation.rootfs, str.start, str.length);
process->isolation.rootfs[str.length] = '\0';
}
return NXT_OK;
}
static nxt_int_t
nxt_app_set_isolation_mounts(nxt_task_t *task, nxt_process_t *process,
nxt_str_t *app_type)
{
nxt_int_t ret, cap_chroot;
nxt_runtime_t *rt;
nxt_app_lang_module_t *lang;
rt = task->thread->runtime;
cap_chroot = rt->capabilities.chroot;
lang = nxt_app_lang_module(rt, app_type);
nxt_assert(lang != NULL);
#if (NXT_HAVE_CLONE_NEWUSER)
if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) {
cap_chroot = 1;
}
#endif
if (!cap_chroot) {
nxt_log(task, NXT_LOG_ERR, "The \"rootfs\" field requires privileges");
return NXT_ERROR;
}
if (lang->mounts != NULL && lang->mounts->nelts > 0) {
ret = nxt_app_set_lang_mounts(task, process, lang->mounts);
if (nxt_slow_path(ret != NXT_OK)) {
return NXT_ERROR;
}
}
return NXT_OK;
}
static nxt_int_t
nxt_app_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
nxt_array_t *lang_mounts) nxt_array_t *lang_mounts)
{ {
u_char *p; u_char *p;
@@ -1045,7 +1042,6 @@ nxt_app_prepare_lang_mounts(nxt_task_t *task, nxt_process_t *process,
} }
static nxt_int_t static nxt_int_t
nxt_app_prepare_rootfs(nxt_task_t *task, nxt_process_t *process) nxt_app_prepare_rootfs(nxt_task_t *task, nxt_process_t *process)
{ {
@@ -1137,6 +1133,27 @@ undo:
#endif #endif
#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
static nxt_int_t
nxt_app_set_isolation_new_privs(nxt_task_t *task, nxt_conf_value_t *isolation,
nxt_process_t *process)
{
nxt_conf_value_t *obj;
static nxt_str_t new_privs_name = nxt_string("new_privs");
obj = nxt_conf_get_object_member(isolation, &new_privs_name, NULL);
if (obj != NULL) {
process->isolation.new_privs = nxt_conf_get_boolean(obj);
}
return NXT_OK;
}
#endif
static u_char * static u_char *
nxt_cstr_dup(nxt_mp_t *mp, u_char *dst, u_char *src) nxt_cstr_dup(nxt_mp_t *mp, u_char *dst, u_char *src)
{ {

16
src/nxt_process.c
View File

@@ -35,17 +35,14 @@ static void nxt_process_created_error(nxt_task_t *task,
#if (NXT_HAVE_ISOLATION_ROOTFS) #if (NXT_HAVE_ISOLATION_ROOTFS)
static nxt_int_t nxt_process_chroot(nxt_task_t *task, const char *path); static nxt_int_t nxt_process_chroot(nxt_task_t *task, const char *path);
#endif
#if (NXT_HAVE_PIVOT_ROOT) #if (NXT_HAVE_PIVOT_ROOT) && (NXT_HAVE_CLONE_NEWNS)
static nxt_int_t nxt_process_pivot_root(nxt_task_t *task, const char *rootfs); static nxt_int_t nxt_process_pivot_root(nxt_task_t *task, const char *rootfs);
static nxt_int_t nxt_process_private_mount(nxt_task_t *task, static nxt_int_t nxt_process_private_mount(nxt_task_t *task,
const char *rootfs); const char *rootfs);
#endif
#if (NXT_HAVE_PIVOT_ROOT)
static int nxt_pivot_root(const char *new_root, const char *old_root); static int nxt_pivot_root(const char *new_root, const char *old_root);
#endif #endif
#endif
/* A cached process pid. */ /* A cached process pid. */
nxt_pid_t nxt_pid; nxt_pid_t nxt_pid;
@@ -590,11 +587,6 @@ nxt_process_change_root(nxt_task_t *task, nxt_process_t *process)
#endif #endif
#endif
#if (NXT_HAVE_ISOLATION_ROOTFS)
static nxt_int_t static nxt_int_t
nxt_process_chroot(nxt_task_t *task, const char *path) nxt_process_chroot(nxt_task_t *task, const char *path)
{ {
@@ -625,8 +617,6 @@ nxt_process_unmount_all(nxt_task_t *task, nxt_process_t *process)
} }
} }
#endif
#if (NXT_HAVE_PIVOT_ROOT) && (NXT_HAVE_CLONE_NEWNS) #if (NXT_HAVE_PIVOT_ROOT) && (NXT_HAVE_CLONE_NEWNS)
@@ -856,6 +846,8 @@ nxt_pivot_root(const char *new_root, const char *old_root)
#endif #endif
#endif
static nxt_int_t static nxt_int_t
nxt_process_send_ready(nxt_task_t *task, nxt_process_t *process) nxt_process_send_ready(nxt_task_t *task, nxt_process_t *process)

4
src/perl/nxt_perl_psgi.c
View File

@@ -118,12 +118,8 @@ NXT_EXPORT nxt_app_module_t nxt_app_module = {
nxt_perl_psgi_compat, nxt_perl_psgi_compat,
nxt_string("perl"), nxt_string("perl"),
PERL_VERSION_STRING, PERL_VERSION_STRING,
#if (NXT_HAVE_ISOLATION_ROOTFS)
NULL, NULL,
0, 0,
#endif
NULL, NULL,
nxt_perl_psgi_start, nxt_perl_psgi_start,
}; };

2
src/ruby/nxt_ruby.c
View File

@@ -79,10 +79,8 @@ NXT_EXPORT nxt_app_module_t nxt_app_module = {
compat, compat,
nxt_string("ruby"), nxt_string("ruby"),
ruby_version, ruby_version,
#if (NXT_HAVE_ISOLATION_ROOTFS)
nxt_ruby_mounts, nxt_ruby_mounts,
nxt_nitems(nxt_ruby_mounts), nxt_nitems(nxt_ruby_mounts),
#endif
NULL, NULL,
nxt_ruby_start, nxt_ruby_start,
}; };