authorTiago Natel de Moura <t.nateldemoura@f5.com>2020-11-16 17:56:12 +0000
committerTiago Natel de Moura <t.nateldemoura@f5.com>2020-11-16 17:56:12 +0000
commite7d66acda726490fb7b8da03f0d4788857918d5a (patch)
tree9c742e8cded9cfc6d3b72bc5dcb6aa37c86ce179
parentbbc29df8fe4400e881829741c969f2fb77487423 (diff)
Isolation: added option to disable "procfs" mount.
Now users can disable the default procfs mount point in the rootfs. { "isolation": { "automount": { "procfs": false } } }
Diffstat (limited to '')
-rw-r--r--src/nxt_conf_validation.c3
-rw-r--r--src/nxt_isolation.c45
-rw-r--r--src/nxt_process.h1
3 files changed, 31 insertions, 18 deletions
diff --git a/src/nxt_conf_validation.c b/src/nxt_conf_validation.c
index 69a47274..dca56881 100644
--- a/src/nxt_conf_validation.c
+++ b/src/nxt_conf_validation.c
@@ -844,6 +844,9 @@ static nxt_conf_vldt_object_t nxt_conf_vldt_app_automount_members[] = {
}, {
.name = nxt_string("tmpfs"),
.type = NXT_CONF_VLDT_BOOLEAN,
+ }, {
+ .name = nxt_string("procfs"),
+ .type = NXT_CONF_VLDT_BOOLEAN,
},
NXT_CONF_VLDT_END
diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c
index f0ef625f..1e6323bc 100644
--- a/src/nxt_isolation.c
+++ b/src/nxt_isolation.c
@@ -485,11 +485,13 @@ nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
static nxt_str_t automount_name = nxt_string("automount");
static nxt_str_t langdeps_name = nxt_string("language_deps");
static nxt_str_t tmp_name = nxt_string("tmpfs");
+ static nxt_str_t proc_name = nxt_string("procfs");
automount = &process->isolation.automount;
automount->language_deps = 1;
automount->tmpfs = 1;
+ automount->procfs = 1;
conf = nxt_conf_get_object_member(isolation, &automount_name, NULL);
if (conf != NULL) {
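Review bot: The new default `automount->procfs = 1;` carries no comment saying that procfs stays mounted unless the operator opts out, so hardening the rootfs against procfs exposure is opt-out rather than opt-in. The removed lines in nxt_isolation_set_lang_mounts show the mount was unconditional before, so the default preserves old behaviour; a short comment would record that, e.g. `/* Mounted by default for compatibility; "procfs": false drops /proc from the rootfs. */`. Whether /proc exposes more than the application's own processes presumably depends on the PID namespace settings, which are not visible in this hunk, so the comment should not claim more than that. The body of nxt_isolation_set_automount starts before this hunk and continues past it.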
@@ -502,6 +504,11 @@ nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
if (value != NULL) {
automount->tmpfs = nxt_conf_get_boolean(value);
}
+
+ value = nxt_conf_get_object_member(conf, &proc_name, NULL);
+ if (value != NULL) {
+ automount->procfs = nxt_conf_get_boolean(value);
+ }
}
return NXT_OK;
@@ -609,27 +616,29 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
*p = '\0';
}
- mnt = nxt_array_add(mounts);
- if (nxt_slow_path(mnt == NULL)) {
- return NXT_ERROR;
- }
+ if (process->isolation.automount.procfs) {
+ mnt = nxt_array_add(mounts);
+ if (nxt_slow_path(mnt == NULL)) {
+ return NXT_ERROR;
+ }
- mnt->name = (u_char *) "proc";
- mnt->type = NXT_FS_PROC;
- mnt->src = (u_char *) "none";
- mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/proc") + 1);
- if (nxt_slow_path(mnt->dst == NULL)) {
- return NXT_ERROR;
- }
+ mnt->name = (u_char *) "proc";
+ mnt->type = NXT_FS_PROC;
+ mnt->src = (u_char *) "none";
+ mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/proc") + 1);
+ if (nxt_slow_path(mnt->dst == NULL)) {
+ return NXT_ERROR;
+ }
- p = nxt_cpymem(mnt->dst, rootfs, rootfs_len);
- p = nxt_cpymem(p, "/proc", 5);
- *p = '\0';
+ p = nxt_cpymem(mnt->dst, rootfs, rootfs_len);
+ p = nxt_cpymem(p, "/proc", 5);
+ *p = '\0';
- mnt->data = (u_char *) "";
- mnt->flags = NXT_FS_FLAGS_NOEXEC | NXT_FS_FLAGS_NOSUID;
- mnt->builtin = 1;
- mnt->deps = 0;
+ mnt->data = (u_char *) "";
+ mnt->flags = NXT_FS_FLAGS_NOEXEC | NXT_FS_FLAGS_NOSUID;
+ mnt->builtin = 1;
+ mnt->deps = 0;
+ }
qsort(mounts->elts, mounts->nelts, sizeof(nxt_fs_mount_t),
nxt_isolation_mount_compare);
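Review bot: The copy at `p = nxt_cpymem(p, "/proc", 5);` uses a hand-counted length, while the allocation a few statements earlier sizes the buffer with `rootfs_len + nxt_length("/proc") + 1`. Since these lines are re-indented by this change anyway, `p = nxt_cpymem(p, "/proc", nxt_length("/proc"));` would keep the write length tied to the allocation if the path literal is ever edited. A one-line comment above `if (process->isolation.automount.procfs) {` would also help, for example `/* Skipped when "automount": { "procfs": false } is configured. */`, because the enclosing function's name suggests it handles language mounts only. nxt_isolation_set_lang_mounts starts and ends outside this hunk.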
diff --git a/src/nxt_process.h b/src/nxt_process.h
index 99ba8022..7afb8803 100644
--- a/src/nxt_process.h
+++ b/src/nxt_process.h
@@ -76,6 +76,7 @@ typedef struct {
typedef struct {
uint8_t language_deps; /* 1-bit */
uint8_t tmpfs; /* 1-bit */
+ uint8_t procfs; /* 1-bit */
} nxt_process_automount_t;