author | Tiago Natel de Moura <t.nateldemoura@f5.com> | 2020-11-16 17:56:12 +0000 |
---|---|---|
committer | Tiago Natel de Moura <t.nateldemoura@f5.com> | 2020-11-16 17:56:12 +0000 |
commit | e7d66acda726490fb7b8da03f0d4788857918d5a (patch) | |
tree | 9c742e8cded9cfc6d3b72bc5dcb6aa37c86ce179 | |
parent | bbc29df8fe4400e881829741c969f2fb77487423 (diff) | |
download | unit-e7d66acda726490fb7b8da03f0d4788857918d5a.tar.gz unit-e7d66acda726490fb7b8da03f0d4788857918d5a.tar.bz2 |
Isolation: added option to disable "procfs" mount.
Now users can disable the default procfs mount point
in the rootfs.
{
"isolation": {
"automount": {
"procfs": false
}
}
}
-rw-r--r-- | src/nxt_conf_validation.c | 3 | ||||
-rw-r--r-- | src/nxt_isolation.c | 45 | ||||
-rw-r--r-- | src/nxt_process.h | 1 |
3 files changed, 31 insertions, 18 deletions
diff --git a/src/nxt_conf_validation.c b/src/nxt_conf_validation.c
index 69a47274..dca56881 100644
--- a/src/nxt_conf_validation.c
+++ b/src/nxt_conf_validation.c
@@ -844,6 +844,9 @@ static nxt_conf_vldt_object_t nxt_conf_vldt_app_automount_members[] = {
     }, {
         .name = nxt_string("tmpfs"),
         .type = NXT_CONF_VLDT_BOOLEAN,
+    }, {
+        .name = nxt_string("procfs"),
+        .type = NXT_CONF_VLDT_BOOLEAN,
     },
 
     NXT_CONF_VLDT_END
diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c
index f0ef625f..1e6323bc 100644
--- a/src/nxt_isolation.c
+++ b/src/nxt_isolation.c
@@ -485,11 +485,13 @@ nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
     static nxt_str_t automount_name = nxt_string("automount");
     static nxt_str_t langdeps_name = nxt_string("language_deps");
     static nxt_str_t tmp_name = nxt_string("tmpfs");
+    static nxt_str_t proc_name = nxt_string("procfs");
 
     automount = &process->isolation.automount;
 
     automount->language_deps = 1;
     automount->tmpfs = 1;
+    automount->procfs = 1;
 
     conf = nxt_conf_get_object_member(isolation, &automount_name, NULL);
     if (conf != NULL) {
@@ -502,6 +504,11 @@ nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
         if (value != NULL) {
             automount->tmpfs = nxt_conf_get_boolean(value);
         }
+
+        value = nxt_conf_get_object_member(conf, &proc_name, NULL);
+        if (value != NULL) {
+            automount->procfs = nxt_conf_get_boolean(value);
+        }
     }
 
     return NXT_OK;
@@ -609,27 +616,29 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
         *p = '\0';
     }
 
-    mnt = nxt_array_add(mounts);
-    if (nxt_slow_path(mnt == NULL)) {
-        return NXT_ERROR;
-    }
+    if (process->isolation.automount.procfs) {
+        mnt = nxt_array_add(mounts);
+        if (nxt_slow_path(mnt == NULL)) {
+            return NXT_ERROR;
+        }
 
-    mnt->name = (u_char *) "proc";
-    mnt->type = NXT_FS_PROC;
-    mnt->src = (u_char *) "none";
-    mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/proc") + 1);
-    if (nxt_slow_path(mnt->dst == NULL)) {
-        return NXT_ERROR;
-    }
+        mnt->name = (u_char *) "proc";
+        mnt->type = NXT_FS_PROC;
+        mnt->src = (u_char *) "none";
+        mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/proc") + 1);
+        if (nxt_slow_path(mnt->dst == NULL)) {
+            return NXT_ERROR;
+        }
 
-    p = nxt_cpymem(mnt->dst, rootfs, rootfs_len);
-    p = nxt_cpymem(p, "/proc", 5);
-    *p = '\0';
+        p = nxt_cpymem(mnt->dst, rootfs, rootfs_len);
+        p = nxt_cpymem(p, "/proc", 5);
+        *p = '\0';
 
-    mnt->data = (u_char *) "";
-    mnt->flags = NXT_FS_FLAGS_NOEXEC | NXT_FS_FLAGS_NOSUID;
-    mnt->builtin = 1;
-    mnt->deps = 0;
+        mnt->data = (u_char *) "";
+        mnt->flags = NXT_FS_FLAGS_NOEXEC | NXT_FS_FLAGS_NOSUID;
+        mnt->builtin = 1;
+        mnt->deps = 0;
+    }
 
     qsort(mounts->elts, mounts->nelts, sizeof(nxt_fs_mount_t),
           nxt_isolation_mount_compare);
diff --git a/src/nxt_process.h b/src/nxt_process.h
index 99ba8022..7afb8803 100644
--- a/src/nxt_process.h
+++ b/src/nxt_process.h
@@ -76,6 +76,7 @@ typedef struct {
 typedef struct {
     uint8_t language_deps; /* 1-bit */
     uint8_t tmpfs; /* 1-bit */
+    uint8_t procfs; /* 1-bit */
 } nxt_process_automount_t; |
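Review bot: The new `automount->procfs = 1;` default in nxt_isolation_set_automount() is undocumented, and the lookup that may override it sits in the second hunk of this file (`@@ -502`) where a reader cannot see that the two are paired. A short comment above the three defaults would make the opt-out contract explicit: `/* Every automount is on by default; the "automount" object may disable each one. */`. It is also worth recording, next to the procfs default, that the flag is consumed by nxt_isolation_set_lang_mounts() when building the rootfs mount list, since that is the only place the value has an effect. The enclosing function starts and ends outside both hunks.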
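Review bot: Inside the new `if (process->isolation.automount.procfs)` block the buffer is sized with `rootfs_len + nxt_length("/proc") + 1` but filled with the literal `nxt_cpymem(p, "/proc", 5)`, so the allocation and the copy can silently drift apart if the path ever changes; use the same expression for both, `p = nxt_cpymem(p, "/proc", nxt_length("/proc"));`. The block otherwise mirrors the tmpfs block that precedes it in this function, so the same fix presumably applies there too. nxt_isolation_set_lang_mounts() starts and ends outside the hunk.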