author | Tiago Natel de Moura <t.nateldemoura@f5.com> | 2020-10-29 20:30:53 +0000 |
---|---|---|
committer | Tiago Natel de Moura <t.nateldemoura@f5.com> | 2020-10-29 20:30:53 +0000 |
commit | 0390cb3a61051dd93e206d50591aff5759cf42fc (patch) | |
tree | d2105e88cbe4ef30a25243d7ccb07fae706c1003 /src/nxt_fs.c | |
parent | 417f5d911ddb3a46b590d89e73313856a32ff435 (diff) | |
Isolation: mounting of procfs by default when using "rootfs".
Diffstat (limited to 'src/nxt_fs.c')
-rw-r--r-- | src/nxt_fs.c | 113 |
1 files changed, 93 insertions, 20 deletions
diff --git a/src/nxt_fs.c b/src/nxt_fs.c
index 0228c25a..87d3b4a5 100644
--- a/src/nxt_fs.c
+++ b/src/nxt_fs.c
@@ -18,15 +18,59 @@ static nxt_int_t nxt_fs_mkdir(const u_char *dir, mode_t mode);
 nxt_int_t
 nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
 {
- int rc;
+ int rc;
+ const char *fsname;
+ unsigned long flags;

- rc = mount((const char *) mnt->src, (const char *) mnt->dst,
- (const char *) mnt->fstype, mnt->flags, mnt->data);
+ flags = 0;
+
+ switch (mnt->type) {
+ case NXT_FS_BIND:
+ if (nxt_slow_path(mnt->flags != 0)) {
+ nxt_log(task, NXT_LOG_WARN,
+ "bind mount ignores additional flags");
+ }
+
+ fsname = "bind";
+ flags = MS_BIND | MS_REC;
+ break;
+
+ case NXT_FS_PROC:
+ fsname = "proc";
+ goto getflags;
+
+ case NXT_FS_TMP:
+ fsname = "tmpfs";
+ goto getflags;
+
+ default:
+ fsname = (const char *) mnt->name;
+
+ getflags:
+
+ if (mnt->flags & NXT_FS_FLAGS_NODEV) {
+ flags |= MS_NODEV;
+ }
+
+ if (mnt->flags & NXT_FS_FLAGS_NOEXEC) {
+ flags |= MS_NOEXEC;
+ }
+
+ if (mnt->flags & NXT_FS_FLAGS_NOSUID) {
+ flags |= MS_NOSUID;
+ }
+
+ if (!(mnt->flags & NXT_FS_FLAGS_NOTIME)) {
+ flags |= MS_RELATIME;
+ }
+ }
+
+ rc = mount((const char *) mnt->src, (const char *) mnt->dst, fsname, flags,
+ mnt->data);

 if (nxt_slow_path(rc < 0)) {
- nxt_alert(task, "mount(\"%s\", \"%s\", \"%s\", %d, \"%s\") %E",
- mnt->src, mnt->dst, mnt->fstype, mnt->flags, mnt->data,
- nxt_errno);
+ nxt_alert(task, "mount(\"%s\", \"%s\", \"%s\", %ul, \"%s\") %E",
+ mnt->src, mnt->dst, fsname, flags, mnt->data, nxt_errno);

 return NXT_ERROR;
 }
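Review bot: The flag mapping under `getflags:` never translates `NXT_FS_FLAGS_RDONLY`, although the FreeBSD branch of this same commit maps it to `MNT_RDONLY`; unless the Linux path applies it somewhere outside this hunk, a mount configured read-only would come up writable inside the rootfs with no log line. Adding `if (mnt->flags & NXT_FS_FLAGS_RDONLY) { flags |= MS_RDONLY; }` next to the other tests would keep the two platforms aligned. The `NXT_FS_BIND` case also deserves a comment stating that nosuid/nodev/noexec cannot be set in the same mount(2) call as `MS_BIND` and need a follow-up `MS_REMOUNT | MS_BIND` call, because the warning alone does not tell the operator that the bind mount keeps the source's options.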
@@ -34,37 +78,66 @@ nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
 return NXT_OK;
 }

-
 #elif (NXT_HAVE_FREEBSD_NMOUNT)

 nxt_int_t
 nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)
 {
+ int flags;
 u_char *data, *p, *end;
 size_t iovlen;
 nxt_int_t ret;
- const char *fstype;
+ const char *fsname;
 struct iovec iov[128];
 char errmsg[256];

- if (nxt_strncmp(mnt->fstype, "bind", 4) == 0) {
- fstype = "nullfs";
+ if (nxt_slow_path((mnt->flags & NXT_FS_FLAGS_NODEV) && !mnt->builtin)) {
+ nxt_alert(task, "nmount(2) doesn't support \"nodev\" option");

- } else if (nxt_strncmp(mnt->fstype, "proc", 4) == 0) {
- fstype = "procfs";
+ return NXT_ERROR;
+ }

- } else if (nxt_strncmp(mnt->fstype, "tmpfs", 5) == 0) {
- fstype = "tmpfs";
+ flags = 0;

- } else {
- nxt_alert(task, "mount type \"%s\" not implemented.", mnt->fstype);
- return NXT_ERROR;
+ switch (mnt->type) {
+ case NXT_FS_BIND:
+ fsname = "nullfs";
+ break;
+
+ case NXT_FS_PROC:
+ fsname = "procfs";
+ goto getflags;
+
+ case NXT_FS_TMP:
+ fsname = "tmpfs";
+ goto getflags;
+
+ default:
+ fsname = (const char *) mnt->name;
+
+ getflags:
+
+ if (mnt->flags & NXT_FS_FLAGS_NOEXEC) {
+ flags |= MNT_NOEXEC;
+ }
+
+ if (mnt->flags & NXT_FS_FLAGS_NOSUID) {
+ flags |= MNT_NOSUID;
+ }
+
+ if (mnt->flags & NXT_FS_FLAGS_NOTIME) {
+ flags |= MNT_NOATIME;
+ }
+
+ if (mnt->flags & NXT_FS_FLAGS_RDONLY) {
+ flags |= MNT_RDONLY;
+ }
 }

 iov[0].iov_base = (void *) "fstype";
 iov[0].iov_len = 7;
- iov[1].iov_base = (void *) fstype;
- iov[1].iov_len = nxt_strlen(fstype) + 1;
+ iov[1].iov_base = (void *) fsname;
+ iov[1].iov_len = nxt_strlen(fsname) + 1;
 iov[2].iov_base = (void *) "fspath";
 iov[2].iov_len = 7;
 iov[3].iov_base = (void *) mnt->dst;
@@ -117,7 +190,7 @@ nxt_fs_mount(nxt_task_t *task, nxt_fs_mount_t *mnt)

 ret = NXT_OK;

- if (nxt_slow_path(nmount(iov, iovlen, 0) < 0)) {
+ if (nxt_slow_path(nmount(iov, iovlen, flags) < 0)) {
 nxt_alert(task, "nmount(%p, %d, 0) %s", iov, iovlen, errmsg);
 ret = NXT_ERROR;
 }
|
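Review bot: In the `NXT_FS_BIND` case the `break` comes before `getflags:`, so a nullfs mount reaches `nmount()` with `flags == 0` and any requested noexec/nosuid/rdonly is dropped without notice, whereas the Linux branch at least logs "bind mount ignores additional flags". Either log the same warning here or, if nullfs is meant to honour the options, replace the `break;` with `goto getflags;`. The early `nodev` rejection is skipped when `mnt->builtin` is set; a short comment such as `/* built-in mounts may request nodev; it is not applied on FreeBSD */` would record that this is intentional. The `default:` case now hands `mnt->name` to `nxt_strlen()` where unknown types used to be rejected, so it is worth confirming that callers never leave it NULL. The function body continues past the end of the hunk.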
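Review bot: The alert on the line after the changed call still prints a literal `0` as the third argument, so once `flags` is non-zero the log misreports what was passed to nmount(2), which gets in the way when diagnosing a failed noexec/nosuid/rdonly mount. Suggested: `nxt_alert(task, "nmount(%p, %d, %d) %s", iov, iovlen, flags, errmsg);`. `iovlen` is declared `size_t` in the previous hunk, so the existing `%d` for it looks mismatched too and probably wants the formatter's size_t specifier. The function starts and ends outside this hunk.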