Diffstat (limited to '')
-rw-r--r-- | auto/isolation | 20 | ||||
-rw-r--r-- | src/nxt_application.c | 203 | ||||
-rw-r--r-- | src/nxt_process.c | 16 | ||||
-rw-r--r-- | src/perl/nxt_perl_psgi.c | 4 | ||||
-rw-r--r-- | src/ruby/nxt_ruby.c | 2 |
5 files changed, 116 insertions, 129 deletions
diff --git a/auto/isolation b/auto/isolation
index 4238b859..fd35f8ed 100644
--- a/auto/isolation
+++ b/auto/isolation
@@ -94,24 +94,8 @@ nxt_feature_libs= nxt_feature_test="#include <sys/mount.h> int main() { - return mount((void*)0, (void*)0, (void*)0, 0, (void*)0); - }" -. auto/feature - -if [ $nxt_found = yes ]; then - NXT_HAVE_MOUNT=YES -fi - - -nxt_feature="Bind mount()" -nxt_feature_name=NXT_HAVE_BIND_MOUNT -nxt_feature_run=no -nxt_feature_incs= -nxt_feature_libs= -nxt_feature_test="#include <sys/mount.h> - - int main() { - return MS_BIND | MS_REC + return mount(\"/\", \"/\", \"bind\", + MS_BIND | MS_REC, \"\"); }" . auto/feature
diff --git a/src/nxt_application.c b/src/nxt_application.c
index 566bf256..62167040 100644
--- a/src/nxt_application.c
+++ b/src/nxt_application.c
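Review bot: The probe body is now a live `mount("/", "/", "bind", MS_BIND | MS_REC, "")` call, so this test has to stay a compile-and-link check; the `nxt_feature_run` setting that governs it sits above the hunk and is not visible here. If the probe were ever switched to execute its binary, a configure run as root would perform a recursive bind mount on the build host. A comment ahead of `nxt_feature_test`, for example `# compile/link probe only: never run, the call would bind-mount / as root`, would record that constraint. The hunk also drops the separate `NXT_HAVE_BIND_MOUNT` probe, so any remaining user of that macro outside this diff would now see it undefined.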
@@ -41,19 +41,21 @@ static void nxt_discovery_quit(nxt_task_t *task, nxt_port_recv_msg_t *msg, void *data); static nxt_app_module_t *nxt_app_module_load(nxt_task_t *task, const char *name); -static nxt_int_t nxt_app_prefork(nxt_task_t *task, nxt_process_t *process, +static nxt_int_t nxt_app_main_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp); static nxt_int_t nxt_app_setup(nxt_task_t *task, nxt_process_t *process); static nxt_int_t nxt_app_set_environment(nxt_conf_value_t *environment); static u_char *nxt_cstr_dup(nxt_mp_t *mp, u_char *dst, u_char *src); #if (NXT_HAVE_ISOLATION_ROOTFS) -static nxt_int_t nxt_app_prepare_rootfs(nxt_task_t *task, - nxt_process_t *process); -static nxt_int_t nxt_app_prepare_lang_mounts(nxt_task_t *task, +static nxt_int_t nxt_app_set_isolation_mounts(nxt_task_t *task, + nxt_process_t *process, nxt_str_t *app_type); +static nxt_int_t nxt_app_set_lang_mounts(nxt_task_t *task, nxt_process_t *process, nxt_array_t *syspaths); static nxt_int_t nxt_app_set_isolation_rootfs(nxt_task_t *task, nxt_conf_value_t *isolation, nxt_process_t *process); +static nxt_int_t nxt_app_prepare_rootfs(nxt_task_t *task, + nxt_process_t *process); #endif static nxt_int_t nxt_app_set_isolation(nxt_task_t *task,
@@ -124,7 +126,7 @@ const nxt_process_init_t nxt_discovery_process = { const nxt_process_init_t nxt_app_process = { .type = NXT_PROCESS_APP, .setup = nxt_app_setup, - .prefork = nxt_app_prefork, + .prefork = nxt_app_main_prefork, .restart = 0, .start = NULL, /* set to module->start */ .port_handlers = &nxt_app_process_port_handlers,
@@ -472,22 +474,16 @@ nxt_discovery_quit(nxt_task_t *task, nxt_port_recv_msg_t *msg, void *data) static nxt_int_t -nxt_app_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp) +nxt_app_main_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp) { - nxt_int_t cap_setid, cap_chroot; + nxt_int_t cap_setid; nxt_int_t ret; nxt_runtime_t *rt; nxt_common_app_conf_t *app_conf; - nxt_app_lang_module_t *lang; rt = task->thread->runtime; app_conf = process->data.app; cap_setid = rt->capabilities.setid; - cap_chroot = rt->capabilities.chroot; - - lang = nxt_app_lang_module(rt, &app_conf->type); - - nxt_assert(lang != NULL); if (app_conf->isolation != NULL) { ret = nxt_app_set_isolation(task, app_conf->isolation, process);
@@ -499,24 +495,14 @@ nxt_app_prefork(nxt_task_t *task, nxt_process_t *process, nxt_mp_t *mp) #if (NXT_HAVE_CLONE_NEWUSER) if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) { cap_setid = 1; - cap_chroot = 1; } #endif #if (NXT_HAVE_ISOLATION_ROOTFS) if (process->isolation.rootfs != NULL) { - if (!cap_chroot) { - nxt_log(task, NXT_LOG_ERR, - "The \"rootfs\" field requires privileges"); - - return NXT_ERROR; - } - - if (lang->mounts != NULL && lang->mounts->nelts > 0) { - ret = nxt_app_prepare_lang_mounts(task, process, lang->mounts); - if (nxt_slow_path(ret != NXT_OK)) { - return NXT_ERROR; - } + ret = nxt_app_set_isolation_mounts(task, process, &app_conf->type); + if (nxt_slow_path(ret != NXT_OK)) { + return ret; } } #endif
@@ -765,71 +751,6 @@ nxt_app_set_isolation_namespaces(nxt_task_t *task, nxt_conf_value_t *isolation, #endif -#if (NXT_HAVE_ISOLATION_ROOTFS) - -static nxt_int_t -nxt_app_set_isolation_rootfs(nxt_task_t *task, nxt_conf_value_t *isolation, - nxt_process_t *process) -{ - nxt_str_t str; - nxt_conf_value_t *obj; - - static nxt_str_t rootfs_name = nxt_string("rootfs"); - - obj = nxt_conf_get_object_member(isolation, &rootfs_name, NULL); - if (obj != NULL) { - nxt_conf_get_string(obj, &str); - - if (nxt_slow_path(str.length <= 1 || str.start[0] != '/')) { - nxt_log(task, NXT_LOG_ERR, "rootfs requires an absolute path other " - "than \"/\" but given \"%V\"", &str); - - return NXT_ERROR; - } - - if (str.start[str.length - 1] == '/') { - str.length--; - } - - process->isolation.rootfs = nxt_mp_alloc(process->mem_pool, - str.length + 1); - - if (nxt_slow_path(process->isolation.rootfs == NULL)) { - return NXT_ERROR; - } - - nxt_memcpy(process->isolation.rootfs, str.start, str.length); - - process->isolation.rootfs[str.length] = '\0'; - } - - return NXT_OK; -} - -#endif - - -#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS) - -static nxt_int_t -nxt_app_set_isolation_new_privs(nxt_task_t *task, nxt_conf_value_t *isolation, - nxt_process_t *process) -{ - nxt_conf_value_t *obj; - - static nxt_str_t new_privs_name = nxt_string("new_privs"); - - obj = nxt_conf_get_object_member(isolation, &new_privs_name, NULL); - if (obj != NULL) { - process->isolation.new_privs = nxt_conf_get_boolean(obj); - } - - return NXT_OK; -} - -#endif - - #if (NXT_HAVE_CLONE_NEWUSER) static nxt_int_t 
@@ -1002,7 +923,83 @@ nxt_app_clone_flags(nxt_task_t *task, nxt_conf_value_t *namespaces, #if (NXT_HAVE_ISOLATION_ROOTFS) static nxt_int_t -nxt_app_prepare_lang_mounts(nxt_task_t *task, nxt_process_t *process, +nxt_app_set_isolation_rootfs(nxt_task_t *task, nxt_conf_value_t *isolation, + nxt_process_t *process) +{ + nxt_str_t str; + nxt_conf_value_t *obj; + + static nxt_str_t rootfs_name = nxt_string("rootfs"); + + obj = nxt_conf_get_object_member(isolation, &rootfs_name, NULL); + if (obj != NULL) { + nxt_conf_get_string(obj, &str); + + if (nxt_slow_path(str.length <= 1 || str.start[0] != '/')) { + nxt_log(task, NXT_LOG_ERR, "rootfs requires an absolute path other " + "than \"/\" but given \"%V\"", &str); + + return NXT_ERROR; + } + + if (str.start[str.length - 1] == '/') { + str.length--; + } + + process->isolation.rootfs = nxt_mp_alloc(process->mem_pool, + str.length + 1); + + if (nxt_slow_path(process->isolation.rootfs == NULL)) { + return NXT_ERROR; + } + + nxt_memcpy(process->isolation.rootfs, str.start, str.length); + + process->isolation.rootfs[str.length] = '\0'; + } + + return NXT_OK; +} + + +static nxt_int_t +nxt_app_set_isolation_mounts(nxt_task_t *task, nxt_process_t *process, + nxt_str_t *app_type) +{ + nxt_int_t ret, cap_chroot; + nxt_runtime_t *rt; + nxt_app_lang_module_t *lang; + + rt = task->thread->runtime; + cap_chroot = rt->capabilities.chroot; + lang = nxt_app_lang_module(rt, app_type); + + nxt_assert(lang != NULL); + +#if (NXT_HAVE_CLONE_NEWUSER) + if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) { + cap_chroot = 1; + } +#endif + + if (!cap_chroot) { + nxt_log(task, NXT_LOG_ERR, "The \"rootfs\" field requires privileges"); + return NXT_ERROR; + } + + if (lang->mounts != NULL && lang->mounts->nelts > 0) { + ret = nxt_app_set_lang_mounts(task, process, lang->mounts); + if (nxt_slow_path(ret != NXT_OK)) { + return NXT_ERROR; + } + } + + return NXT_OK; +} + + +static nxt_int_t +nxt_app_set_lang_mounts(nxt_task_t *task, 
nxt_process_t *process, nxt_array_t *lang_mounts) { u_char *p;
@@ -1045,7 +1042,6 @@ nxt_app_prepare_lang_mounts(nxt_task_t *task, nxt_process_t *process, } - static nxt_int_t nxt_app_prepare_rootfs(nxt_task_t *task, nxt_process_t *process) {
@@ -1137,6 +1133,27 @@ undo: #endif +#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS) + +static nxt_int_t +nxt_app_set_isolation_new_privs(nxt_task_t *task, nxt_conf_value_t *isolation, + nxt_process_t *process) +{ + nxt_conf_value_t *obj; + + static nxt_str_t new_privs_name = nxt_string("new_privs"); + + obj = nxt_conf_get_object_member(isolation, &new_privs_name, NULL); + if (obj != NULL) { + process->isolation.new_privs = nxt_conf_get_boolean(obj); + } + + return NXT_OK; +} + +#endif + + static u_char * nxt_cstr_dup(nxt_mp_t *mp, u_char *dst, u_char *src) {
diff --git a/src/nxt_process.c b/src/nxt_process.c
index c4c44d14..215c529c 100644
--- a/src/nxt_process.c
+++ b/src/nxt_process.c
@@ -35,17 +35,14 @@ static void nxt_process_created_error(nxt_task_t *task, #if (NXT_HAVE_ISOLATION_ROOTFS) static nxt_int_t nxt_process_chroot(nxt_task_t *task, const char *path); -#endif -#if (NXT_HAVE_PIVOT_ROOT) +#if (NXT_HAVE_PIVOT_ROOT) && (NXT_HAVE_CLONE_NEWNS) static nxt_int_t nxt_process_pivot_root(nxt_task_t *task, const char *rootfs); static nxt_int_t nxt_process_private_mount(nxt_task_t *task, const char *rootfs); -#endif - -#if (NXT_HAVE_PIVOT_ROOT) static int nxt_pivot_root(const char *new_root, const char *old_root); #endif +#endif /* A cached process pid. */ nxt_pid_t nxt_pid;
@@ -590,11 +587,6 @@ nxt_process_change_root(nxt_task_t *task, nxt_process_t *process) #endif -#endif - - -#if (NXT_HAVE_ISOLATION_ROOTFS) - static nxt_int_t nxt_process_chroot(nxt_task_t *task, const char *path) {
@@ -625,8 +617,6 @@ nxt_process_unmount_all(nxt_task_t *task, nxt_process_t *process) } } -#endif - #if (NXT_HAVE_PIVOT_ROOT) && (NXT_HAVE_CLONE_NEWNS)
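Review bot: In `nxt_app_set_isolation_rootfs` the test `str.length <= 1 || str.start[0] != '/'` runs before the trailing slash is stripped, so a configured value of `//` passes it and is then stored as `/`, which the error message says is not allowed. Stripping first and validating afterwards closes that gap: `while (str.length > 1 && str.start[str.length - 1] == '/') { str.length--; }` followed by the existing length and leading-slash test. Separately, `nxt_app_set_isolation_mounts` relies on `nxt_assert(lang != NULL)` before reading `lang->mounts`; if `nxt_assert` is compiled out in non-debug builds (its definition is not in this diff), an explicit `if (lang == NULL) { return NXT_ERROR; }` would be safer. The hunk ends inside `nxt_app_set_lang_mounts`, whose body continues outside it.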
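Review bot: The prototype block in src/nxt_process.c now closes with two bare `#endif` lines, and the outer `#endif` matching the `NXT_HAVE_ISOLATION_ROOTFS` region around the definitions is added far below in the `@@ -856` hunk, so it is hard to see which region each one ends. Labelling them, `#endif /* NXT_HAVE_PIVOT_ROOT && NXT_HAVE_CLONE_NEWNS */` and `#endif /* NXT_HAVE_ISOLATION_ROOTFS */`, here and at the `#endif` added after `nxt_pivot_root`, would make the nesting checkable at a glance. The `nxt_pivot_root` prototype is also now declared only when `NXT_HAVE_CLONE_NEWNS` is set; its definition appears to sit under the same combined guard (the `#if` is visible as context in the `@@ -625` hunk), but the lines in between are outside this diff and should be confirmed.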
@@ -856,6 +846,8 @@ nxt_pivot_root(const char *new_root, const char *old_root) #endif +#endif + static nxt_int_t nxt_process_send_ready(nxt_task_t *task, nxt_process_t *process)
diff --git a/src/perl/nxt_perl_psgi.c b/src/perl/nxt_perl_psgi.c
index 14e107e4..16079a38 100644
--- a/src/perl/nxt_perl_psgi.c
+++ b/src/perl/nxt_perl_psgi.c
@@ -118,12 +118,8 @@ NXT_EXPORT nxt_app_module_t nxt_app_module = { nxt_perl_psgi_compat, nxt_string("perl"), PERL_VERSION_STRING, - -#if (NXT_HAVE_ISOLATION_ROOTFS) NULL, 0, -#endif - NULL, nxt_perl_psgi_start, };
diff --git a/src/ruby/nxt_ruby.c b/src/ruby/nxt_ruby.c
index 489ddcf4..9c4126f6 100644
--- a/src/ruby/nxt_ruby.c
+++ b/src/ruby/nxt_ruby.c
@@ -79,10 +79,8 @@ NXT_EXPORT nxt_app_module_t nxt_app_module = { compat, nxt_string("ruby"), ruby_version, -#if (NXT_HAVE_ISOLATION_ROOTFS) nxt_ruby_mounts, nxt_nitems(nxt_ruby_mounts), -#endif NULL, nxt_ruby_start, }; |
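Review bot: With the `#if (NXT_HAVE_ISOLATION_ROOTFS)` guard removed, the `NULL, 0,` pair is always part of this positional initializer, so it only lines up if the corresponding members of `nxt_app_module_t` are declared unconditionally; that declaration is not among the five files in this diff and should be confirmed. Because the initializer is positional, a short comment on each entry, e.g. `NULL, /* language mounts: none */` and `0, /* number of mounts */`, would keep the slots identifiable when the struct changes. The same applies to `nxt_ruby_mounts, nxt_nitems(nxt_ruby_mounts),` in the src/ruby/nxt_ruby.c hunk.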