authorTiago Natel de Moura <t.nateldemoura@f5.com>2020-08-25 15:25:51 +0100
committerTiago Natel de Moura <t.nateldemoura@f5.com>2020-08-25 15:25:51 +0100
commitb65a8636bb5b2ee61c69660aa6f7edc7d909e632 (patch)
treeb089b6c7633eb03170d8aab0a8ede14fbcf457c2 /src
parent244ffb2829cfbac26e013988474184d6050504fe (diff)
Isolation: added "automount" option.
Now it's possible to disable the default bind mounts of languages by setting: { "isolation": { "automount": { "language_deps": false } } } In this case, the user is responsible for providing a "rootfs" that contains the language libraries and the files required by the application.
Diffstat (limited to 'src')
-rw-r--r--src/nxt_conf_validation.c21
-rw-r--r--src/nxt_fs.h11
-rw-r--r--src/nxt_isolation.c67
-rw-r--r--src/nxt_main_process.c2
-rw-r--r--src/nxt_process.h17
5 files changed, 98 insertions, 20 deletions
diff --git a/src/nxt_conf_validation.c b/src/nxt_conf_validation.c
index 16ed87c6..9dd4f715 100644
--- a/src/nxt_conf_validation.c
+++ b/src/nxt_conf_validation.c
@@ -616,6 +616,21 @@ static nxt_conf_vldt_object_t nxt_conf_vldt_app_procmap_members[] = {
#endif
+#if (NXT_HAVE_ISOLATION_ROOTFS)
+
+static nxt_conf_vldt_object_t nxt_conf_vldt_app_automount_members[] = {
+ { nxt_string("language_deps"),
+ NXT_CONF_VLDT_BOOLEAN,
+ 0,
+ NULL,
+ NULL },
+
+ NXT_CONF_VLDT_END
+};
+
+#endif
+
+
static nxt_conf_vldt_object_t nxt_conf_vldt_app_isolation_members[] = {
{ nxt_string("namespaces"),
NXT_CONF_VLDT_OBJECT,
@@ -647,6 +662,12 @@ static nxt_conf_vldt_object_t nxt_conf_vldt_app_isolation_members[] = {
NULL,
NULL },
+ { nxt_string("automount"),
+ NXT_CONF_VLDT_OBJECT,
+ 0,
+ &nxt_conf_vldt_object,
+ (void *) &nxt_conf_vldt_app_automount_members },
+
#endif
#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
diff --git a/src/nxt_fs.h b/src/nxt_fs.h
index 9f3266d8..bbd7ab9f 100644
--- a/src/nxt_fs.h
+++ b/src/nxt_fs.h
@@ -44,11 +44,12 @@
typedef struct {
- u_char *src;
- u_char *dst;
- u_char *fstype;
- nxt_int_t flags;
- u_char *data;
+ u_char *src;
+ u_char *dst;
+ u_char *fstype;
+ nxt_int_t flags;
+ u_char *data;
+ nxt_uint_t builtin; /* 1-bit */
} nxt_fs_mount_t;
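Review bot: The new `builtin` field is declared `nxt_uint_t` while its comment says `/* 1-bit */`, so the comment does not describe the declaration; in this commit the field is only ever assigned 1 and tested for truth, so `uint8_t builtin; /* 1 bit */` would match the way `new_privs` is declared in nxt_process.h. The `language_deps` member added to `nxt_process_automount_t` in the nxt_process.h hunk carries a `/* 1-byte */` comment for the same kind of flag; using the same `/* 1 bit */` wording on both keeps the three flags consistent.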
diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c
index 586c0368..a497b729 100644
--- a/src/nxt_isolation.c
+++ b/src/nxt_isolation.c
@@ -35,6 +35,8 @@ static nxt_int_t nxt_isolation_vldt_creds(nxt_task_t *task,
#if (NXT_HAVE_ISOLATION_ROOTFS)
static nxt_int_t nxt_isolation_set_rootfs(nxt_task_t *task,
nxt_conf_value_t *isolation, nxt_process_t *process);
+static nxt_int_t nxt_isolation_set_automount(nxt_task_t *task,
+ nxt_conf_value_t *isolation, nxt_process_t *process);
static nxt_int_t nxt_isolation_set_mounts(nxt_task_t *task,
nxt_process_t *process, nxt_str_t *app_type);
static nxt_int_t nxt_isolation_set_lang_mounts(nxt_task_t *task,
@@ -159,6 +161,12 @@ nxt_isolation_set(nxt_task_t *task, nxt_conf_value_t *isolation,
{
return NXT_ERROR;
}
+
+ if (nxt_slow_path(nxt_isolation_set_automount(task, isolation, process)
+ != NXT_OK))
+ {
+ return NXT_ERROR;
+ }
#endif
#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
@@ -452,6 +460,32 @@ nxt_isolation_set_rootfs(nxt_task_t *task, nxt_conf_value_t *isolation,
static nxt_int_t
+nxt_isolation_set_automount(nxt_task_t *task, nxt_conf_value_t *isolation,
+ nxt_process_t *process)
+{
+ nxt_conf_value_t *conf, *value;
+ nxt_process_automount_t *automount;
+
+ static nxt_str_t automount_name = nxt_string("automount");
+ static nxt_str_t langdeps_name = nxt_string("language_deps");
+
+ automount = &process->isolation.automount;
+
+ automount->language_deps = 1;
+
+ conf = nxt_conf_get_object_member(isolation, &automount_name, NULL);
+ if (conf != NULL) {
+ value = nxt_conf_get_object_member(conf, &langdeps_name, NULL);
+ if (value != NULL) {
+ automount->language_deps = nxt_conf_get_boolean(value);
+ }
+ }
+
+ return NXT_OK;
+}
+
+
+static nxt_int_t
nxt_isolation_set_mounts(nxt_task_t *task, nxt_process_t *process,
nxt_str_t *app_type)
{
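Review bot: nxt_isolation_set_automount silently establishes a default (`automount->language_deps = 1`) that decides whether the builtin language mounts are applied, but nothing in the function says that this default preserves the previous behaviour or that only an explicit `false` turns the mounts off. A comment above the assignment such as `/* Builtin language mounts stay enabled unless "automount": { "language_deps": false } is configured. */` would make the contract visible to the next reader of nxt_isolation_prepare_rootfs. The `task` parameter is not used in the body; it appears to be kept for signature parity with the sibling nxt_isolation_set_* functions, which is fine if that is the intent.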
@@ -535,6 +569,7 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
mnt->fstype = (u_char *) "tmpfs";
mnt->flags = NXT_MS_NOSUID | NXT_MS_NODEV | NXT_MS_NOEXEC | NXT_MS_RELATIME;
mnt->data = (u_char *) "size=1m,mode=777";
+ mnt->builtin = 1;
mnt->dst = nxt_mp_nget(mp, rootfs_len + nxt_length("/tmp") + 1);
if (nxt_slow_path(mnt->dst == NULL)) {
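Review bot: Marking the tmpfs mount on `/tmp` as `builtin` means that `automount.language_deps = false` also skips this mount in nxt_isolation_prepare_rootfs and nxt_isolation_unmount_all, although neither the option name nor the commit message mentions `/tmp`; a user who supplies their own rootfs then appears to get no private tmpfs on `/tmp` unless they create one. If that is intended, a comment next to the new line such as `/* skipped together with the language mounts when automount.language_deps is false */` would document it; if not, `/tmp` needs its own switch rather than sharing `builtin`. The enclosing function nxt_isolation_set_lang_mounts starts and ends outside the hunk.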
@@ -581,17 +616,23 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
void
nxt_isolation_unmount_all(nxt_task_t *task, nxt_process_t *process)
{
- size_t i, n;
- nxt_array_t *mounts;
- nxt_fs_mount_t *mnt;
+ size_t i, n;
+ nxt_array_t *mounts;
+ nxt_fs_mount_t *mnt;
+ nxt_process_automount_t *automount;
nxt_debug(task, "unmount all (%s)", process->name);
+ automount = &process->isolation.automount;
mounts = process->isolation.mounts;
n = mounts->nelts;
mnt = mounts->elts;
for (i = 0; i < n; i++) {
+ if (mnt[i].builtin && !automount->language_deps) {
+ continue;
+ }
+
nxt_fs_unmount(mnt[i].dst);
}
}
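Review bot: The skip test `mnt[i].builtin && !automount->language_deps` is now written out twice, here in nxt_isolation_unmount_all and again in the nxt_isolation_prepare_rootfs hunk below, so a future change to what "disabled" means has to be made in two places. A small file-scope helper, for example `static nxt_int_t nxt_isolation_mount_disabled(nxt_process_t *process, nxt_fs_mount_t *mnt)` returning that expression, would keep the two loops in step, and in nxt_isolation_prepare_rootfs the `dst = mnt[i].dst;` assignment could then follow the `continue` check instead of preceding it. Whether the mount and unmount paths must agree exactly is inferred from their parallel structure rather than stated on the page.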
@@ -600,13 +641,15 @@ nxt_isolation_unmount_all(nxt_task_t *task, nxt_process_t *process)
nxt_int_t
nxt_isolation_prepare_rootfs(nxt_task_t *task, nxt_process_t *process)
{
- size_t i, n;
- nxt_int_t ret;
- struct stat st;
- nxt_array_t *mounts;
- const u_char *dst;
- nxt_fs_mount_t *mnt;
-
+ size_t i, n;
+ nxt_int_t ret;
+ struct stat st;
+ nxt_array_t *mounts;
+ const u_char *dst;
+ nxt_fs_mount_t *mnt;
+ nxt_process_automount_t *automount;
+
+ automount = &process->isolation.automount;
mounts = process->isolation.mounts;
n = mounts->nelts;
@@ -615,6 +658,10 @@ nxt_isolation_prepare_rootfs(nxt_task_t *task, nxt_process_t *process)
for (i = 0; i < n; i++) {
dst = mnt[i].dst;
+ if (mnt[i].builtin && !automount->language_deps) {
+ continue;
+ }
+
if (nxt_slow_path(nxt_memcmp(mnt[i].fstype, "bind", 4) == 0
&& stat((const char *) mnt[i].src, &st) != 0))
{
diff --git a/src/nxt_main_process.c b/src/nxt_main_process.c
index a7b84b73..544a0cbd 100644
--- a/src/nxt_main_process.c
+++ b/src/nxt_main_process.c
@@ -1290,6 +1290,8 @@ nxt_main_port_modules_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
goto fail;
}
+ mnt->builtin = 1;
+
ret = nxt_conf_map_object(rt->mem_pool, value,
nxt_app_lang_mounts_map,
nxt_nitems(nxt_app_lang_mounts_map), mnt);
diff --git a/src/nxt_process.h b/src/nxt_process.h
index f2383687..d9b4dff1 100644
--- a/src/nxt_process.h
+++ b/src/nxt_process.h
@@ -72,18 +72,25 @@ typedef struct {
nxt_port_mmap_t *elts;
} nxt_port_mmaps_t;
+
+typedef struct {
+ uint8_t language_deps; /* 1-byte */
+} nxt_process_automount_t;
+
+
typedef struct {
- u_char *rootfs;
- nxt_array_t *mounts; /* of nxt_mount_t */
+ u_char *rootfs;
+ nxt_process_automount_t automount;
+ nxt_array_t *mounts; /* of nxt_mount_t */
- nxt_isolation_cleanup_t cleanup;
+ nxt_isolation_cleanup_t cleanup;
#if (NXT_HAVE_CLONE)
- nxt_clone_t clone;
+ nxt_clone_t clone;
#endif
#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
- uint8_t new_privs; /* 1 bit */
+ uint8_t new_privs; /* 1 bit */
#endif
} nxt_process_isolation_t;