5 files changed, 235 insertions, 3 deletions

diff --git a/auto/isolation b/auto/isolation
index d231de12..4238b859 100644
--- a/auto/isolation
+++ b/auto/isolation
@@ -6,6 +6,9 @@
 NXT_ISOLATION=NO
 NXT_HAVE_CLONE=NO
 NXT_HAVE_CLONE_NEWUSER=NO
+NXT_HAVE_MOUNT=NO
+NXT_HAVE_UNMOUNT=NO
+NXT_HAVE_ROOTFS=NO
 
 nsflags="USER NS PID NET UTS CGROUP"
 
@@ -55,3 +58,130 @@ if [ $nxt_found = yes ]; then
         fi
     done
 fi
+
+
+nxt_feature="Linux pivot_root()"
+nxt_feature_name=NXT_HAVE_PIVOT_ROOT
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/syscall.h>
+
+                  int main() {
+                      return __NR_pivot_root;
+                  }"
+. auto/feature
+
+
+nxt_feature="prctl(PR_SET_NO_NEW_PRIVS)"
+nxt_feature_name=NXT_HAVE_PR_SET_NO_NEW_PRIVS0
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/prctl.h>
+
+                  int main() {
+                      return PR_SET_NO_NEW_PRIVS;
+                  }"
+. auto/feature
+
+
+nxt_feature="Linux mount()"
+nxt_feature_name=NXT_HAVE_LINUX_MOUNT
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/mount.h>
+
+                  int main() {
+                      return mount((void*)0, (void*)0, (void*)0, 0, (void*)0);
+                  }"
+. auto/feature
+
+if [ $nxt_found = yes ]; then
+    NXT_HAVE_MOUNT=YES
+fi
+
+
+nxt_feature="Bind mount()"
+nxt_feature_name=NXT_HAVE_BIND_MOUNT
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/mount.h>
+
+                  int main() {
+                      return MS_BIND | MS_REC
+                  }"
+. auto/feature
+
+if [ $nxt_found = yes ]; then
+    NXT_HAVE_MOUNT=YES
+fi
+
+
+if [ $nxt_found = no ]; then
+    nxt_feature="FreeBSD nmount()"
+    nxt_feature_name=NXT_HAVE_FREEBSD_NMOUNT
+    nxt_feature_run=no
+    nxt_feature_incs=
+    nxt_feature_libs=
+    nxt_feature_test="#include <sys/mount.h>
+
+                    int main() {
+                        return nmount((void *)0, 0, 0);
+                    }"
+    . auto/feature
+
+    if [ $nxt_found = yes ]; then
+        NXT_HAVE_MOUNT=YES
+    fi
+fi
+
+
+nxt_feature="Linux umount2()"
+nxt_feature_name=NXT_HAVE_LINUX_UMOUNT2
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/mount.h>
+
+                  int main() {
+                      return umount2((void *)0, 0);
+                  }"
+. auto/feature
+
+if [ $nxt_found = yes ]; then
+    NXT_HAVE_UNMOUNT=YES
+fi
+
+if [ $nxt_found = no ]; then
+    nxt_feature="unmount()"
+    nxt_feature_name=NXT_HAVE_UNMOUNT
+    nxt_feature_run=no
+    nxt_feature_incs=
+    nxt_feature_libs=
+    nxt_feature_test="#include <sys/mount.h>
+
+                    int main() {
+                        return unmount((void *)0, 0);
+                    }"
+    . auto/feature
+
+    if [ $nxt_found = yes ]; then
+        NXT_HAVE_UNMOUNT=YES
+    fi
+fi
+
+if [ $NXT_HAVE_MOUNT = YES -a $NXT_HAVE_UNMOUNT = YES ]; then
+    NXT_HAVE_ROOTFS=YES
+
+    cat << END >> $NXT_AUTO_CONFIG_H
+
+#ifndef NXT_HAVE_ISOLATION_ROOTFS
+#define NXT_HAVE_ISOLATION_ROOTFS  1
+#endif
+
+END
+
+fi
diff --git a/auto/modules/java b/auto/modules/java
index 68b10836..2e6f292d 100644
--- a/auto/modules/java
+++ b/auto/modules/java
@@ -172,13 +172,13 @@ if [ -z "$NXT_JAVA_LIB_PATH" ]; then
         exit 1
     fi
 
-    NXT_JAVA_LIB_PATH="${NXT_JAVA_LIB_PATH}/server"
+    NXT_JAVA_LIB_SERVER_PATH="${NXT_JAVA_LIB_PATH}/server"
 
     $echo " $NXT_JAVA_LIB_PATH"
     $echo "got library path $NXT_JAVA_LIB_PATH" >> $NXT_AUTOCONF_ERR
 fi
 
-NXT_JAVA_LDFLAGS="-L${NXT_JAVA_LIB_PATH} -Wl,-rpath ${NXT_JAVA_LIB_PATH} -ljvm"
+NXT_JAVA_LDFLAGS="-L${NXT_JAVA_LIB_SERVER_PATH} -Wl,-rpath ${NXT_JAVA_LIB_SERVER_PATH} -ljvm"
 
 
 nxt_found=no
@@ -227,6 +227,7 @@ NXT_JAVA_INSTALL_JARS=
 NXT_JAVA_UNINSTALL_JARS=
 
 NXT_JAVA_JARS=$NXT_BUILD_DIR/$NXT_JAVA_MODULE/nxt_jars.h
+NXT_JAVA_MOUNTS_HEADER=$NXT_BUILD_DIR/$NXT_JAVA_MODULE/nxt_java_mounts.h
 mkdir -p $NXT_BUILD_DIR/$NXT_JAVA_MODULE
 
 cat << END > $NXT_JAVA_JARS
@@ -308,6 +309,32 @@ cat << END >> $NXT_JAVA_JARS
 #endif /* _NXT_JAVA_JARS_INCLUDED_ */
 END
 
+NXT_JAVA_LIBJVM="$NXT_JAVA_LIB_SERVER_PATH/libjvm.so"
+
+if [ "$NXT_SYSTEM" = "Darwin" ]; then
+NXT_JAVA_LIBC_DIR="/usr/lib"
+else
+NXT_JAVA_LIBC_DIR=`ldd "$NXT_JAVA_LIBJVM" | grep libc.so | cut -d' ' -f3`
+NXT_JAVA_LIBC_DIR=`dirname $NXT_JAVA_LIBC_DIR`
+fi
+
+cat << END > $NXT_JAVA_MOUNTS_HEADER
+#ifndef _NXT_JAVA_MOUNTS_H_INCLUDED_
+#define _NXT_JAVA_MOUNTS_H_INCLUDED_
+
+
+static const nxt_fs_mount_t  nxt_java_mounts[] = {
+    {(u_char *) "proc", (u_char *) "/proc", (u_char *) "proc", 0, NULL},
+    {(u_char *) "$NXT_JAVA_LIBC_DIR", (u_char *) "$NXT_JAVA_LIBC_DIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_JAVA_HOME", (u_char *) "$NXT_JAVA_HOME",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+};
+
+
+#endif /* _NXT_JAVA_MOUNTS_H_INCLUDED_ */
+END
+
 $echo " + Java module: ${NXT_JAVA_MODULE}.unit.so"
 
 . auto/cc/deps
diff --git a/auto/modules/python b/auto/modules/python
index 6c8198f5..ad862f3c 100644
--- a/auto/modules/python
+++ b/auto/modules/python
@@ -68,6 +68,7 @@ if /bin/sh -c "$NXT_PYTHON_CONFIG --prefix" >> $NXT_AUTOCONF_ERR 2>&1; then
         NXT_PYTHON_CONFIG="${NXT_PYTHON_CONFIG} --embed"
     fi
 
+    NXT_PYTHON_EXEC=`${NXT_PYTHON_CONFIG} --exec-prefix`/bin/${NXT_PYTHON}
     NXT_PYTHON_INCLUDE=`${NXT_PYTHON_CONFIG} --includes`
     NXT_PYTHON_LIBS=`${NXT_PYTHON_CONFIG} --ldflags`
 
@@ -129,6 +130,37 @@ if grep ^$NXT_PYTHON_MODULE: $NXT_MAKEFILE 2>&1 > /dev/null; then
     exit 1;
 fi
 
+
+NXT_PYTHON_MOUNTS_HEADER=$NXT_BUILD_DIR/nxt_python_mounts.h
+
+$NXT_PYTHON_EXEC -c 'import os.path
+import sys
+pyver = "python" + str(sys.version_info[0]) + "." + str(sys.version_info[1])
+
+print("static const nxt_fs_mount_t  nxt_python%d%d_mounts[] = {" % (sys.version_info[0], sys.version_info[1]))
+
+pattern = "{(u_char *) \"%s\", (u_char *) \"%s\", (u_char *) \"bind\", NXT_MS_BIND|NXT_MS_REC, NULL},"
+base = None
+for p in sys.path:
+    if len(p) > 0:
+        if os.path.basename(p) == pyver:
+            base = p
+
+if base is None:
+    raise Exception("failed to compute sys.path mount points")
+
+print(pattern % (base, base))
+
+for p in sys.path:
+    if len(p) > 0:
+        if not p.startswith(base):
+            print(pattern % (p, p))
+
+print("};\n\n")
+
+' >> $NXT_PYTHON_MOUNTS_HEADER
+
+
 $echo " + Python module: ${NXT_PYTHON_MODULE}.unit.so"
 
 . auto/cc/deps
@@ -165,7 +197,7 @@ END
 
 done
 
- 
+
 cat << END >> $NXT_MAKEFILE
 
 .PHONY: ${NXT_PYTHON_MODULE}
diff --git a/auto/modules/ruby b/auto/modules/ruby
index 407406ce..f7334cc7 100644
--- a/auto/modules/ruby
+++ b/auto/modules/ruby
@@ -51,6 +51,7 @@ $echo "configuring Ruby module ..." >> $NXT_AUTOCONF_ERR
 
 NXT_RUBY=${NXT_RUBY=ruby}
 NXT_RUBY_MODULE=${NXT_RUBY_MODULE=${NXT_RUBY}}
+NXT_RUBY_MOUNTS_HEADER=$NXT_BUILD_DIR/nxt_ruby_mounts.h
 
 nxt_found=no
 
@@ -58,6 +59,14 @@ if /bin/sh -c "$NXT_RUBY -v" >> $NXT_AUTOCONF_ERR 2>&1; then
 
     NXT_RUBY_RUBYHDRDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["rubyhdrdir"])'`
     NXT_RUBY_ARCHHDRDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["rubyarchhdrdir"])'`
+    NXT_RUBY_SITEARCHDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["sitearchhdrdir"])'`
+    NXT_RUBY_SITEDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["sitedir"])'`
+    NXT_RUBY_LIBDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["rubylibdir"])'`
+    NXT_RUBY_TOPDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["topdir"])'`
+    NXT_RUBY_PREFIXDIR=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["rubylibprefix"])'`
+    NXT_RUBY_GEMDIR=`gem environment gemdir`
+    NXT_RUBY_GEMPATH=`gem environment gempath`
+
     NXT_RUBY_INCPATH="-I$NXT_RUBY_ARCHHDRDIR -I$NXT_RUBY_RUBYHDRDIR"
 
     NXT_RUBY_LIBNAME=`$NXT_RUBY -r rbconfig -e 'printf("%s",RbConfig::CONFIG["RUBY_SO_NAME"])'`
@@ -135,6 +144,35 @@ if grep ^$NXT_RUBY_MODULE: $NXT_MAKEFILE 2>&1 > /dev/null; then
     exit 1;
 fi
 
+
+cat << END > $NXT_RUBY_MOUNTS_HEADER
+
+static const nxt_fs_mount_t  nxt_ruby_mounts[] = {
+    {(u_char *) "$NXT_RUBY_RUBYHDRDIR", (u_char *) "$NXT_RUBY_RUBYHDRDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_RUBY_ARCHHDRDIR", (u_char *) "$NXT_RUBY_ARCHHDRDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_RUBY_SITEDIR", (u_char *) "$NXT_RUBY_SITEDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_RUBY_LIBDIR", (u_char *) "$NXT_RUBY_LIBDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_RUBY_GEMDIR", (u_char *) "$NXT_RUBY_GEMDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_RUBY_TOPDIR", (u_char *) "$NXT_RUBY_TOPDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+    {(u_char *) "$NXT_RUBY_PREFIXDIR", (u_char *) "$NXT_RUBY_PREFIXDIR",
+     (u_char *) "bind", NXT_MS_BIND | NXT_MS_REC, NULL},
+
+END
+
+for path in `echo $NXT_RUBY_GEMPATH | tr ':' '\n'`; do
+   $echo "{(u_char *) \"$path\", (u_char *) \"$path\"," >> $NXT_RUBY_MOUNTS_HEADER
+   $echo "(u_char *) \"bind\", NXT_MS_BIND | NXT_MS_REC, NULL}," >> $NXT_RUBY_MOUNTS_HEADER
+done
+
+$echo "};" >> $NXT_RUBY_MOUNTS_HEADER
+
+
 $echo " + Ruby module: ${NXT_RUBY_MODULE}.unit.so"
 
 . auto/cc/deps
diff --git a/auto/sources b/auto/sources
index 4ac132dd..2075ca0f 100644
--- a/auto/sources
+++ b/auto/sources
@@ -177,6 +177,11 @@ NXT_LIB_UTF8_FILE_NAME_TEST_SRCS=" \
 "
 
 
+if [ $NXT_HAVE_ROOTFS = YES ]; then
+    NXT_LIB_SRCS="$NXT_LIB_SRCS src/nxt_fs.c"
+fi
+
+
 if [ $NXT_TLS = YES ]; then
     nxt_have=NXT_TLS . auto/have
     NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_LIB_TLS_SRCS"