From 3ecdd2c69c4864526c63b8e55df22ad1a86f3c72 Mon Sep 17 00:00:00 2001 From: Andrew Clayton Date: Fri, 18 Nov 2022 23:42:44 +0000 Subject: Isolation: Rename NXT_HAVE_CLONE -> NXT_HAVE_LINUX_NS. Due to the need to replace our use of clone/__NR_clone on Linux with fork(2)/unshare(2) for enabling Linux namespaces(7) to keep the pthreads(7) API working. Let's rename NXT_HAVE_CLONE to NXT_HAVE_LINUX_NS, i.e name it after the feature, not how it's implemented, then in future if we change how we do namespaces again we don't have to rename this. Reviewed-by: Alejandro Colomar Signed-off-by: Andrew Clayton --- src/nxt_isolation.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/nxt_isolation.c') diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c index b6b13c59..e43cf1f7 100644 --- a/src/nxt_isolation.c +++ b/src/nxt_isolation.c @@ -21,7 +21,7 @@ static nxt_int_t nxt_isolation_set_cgroup(nxt_task_t *task, nxt_conf_value_t *isolation, nxt_process_t *process); #endif -#if (NXT_HAVE_CLONE) +#if (NXT_HAVE_LINUX_NS) static nxt_int_t nxt_isolation_set_namespaces(nxt_task_t *task, nxt_conf_value_t *isolation, nxt_process_t *process); static nxt_int_t nxt_isolation_clone_flags(nxt_task_t *task, @@ -169,7 +169,7 @@ nxt_isolation_set(nxt_task_t *task, nxt_conf_value_t *isolation, } #endif -#if (NXT_HAVE_CLONE) +#if (NXT_HAVE_LINUX_NS) if (nxt_slow_path(nxt_isolation_set_namespaces(task, isolation, process) != NXT_OK)) { @@ -247,7 +247,7 @@ nxt_isolation_set_cgroup(nxt_task_t *task, nxt_conf_value_t *isolation, #endif -#if (NXT_HAVE_CLONE) +#if (NXT_HAVE_LINUX_NS) static nxt_int_t nxt_isolation_set_namespaces(nxt_task_t *task, nxt_conf_value_t *isolation, @@ -409,7 +409,7 @@ nxt_isolation_vldt_creds(nxt_task_t *task, nxt_process_t *process) #endif -#if (NXT_HAVE_CLONE) +#if (NXT_HAVE_LINUX_NS) static nxt_int_t nxt_isolation_clone_flags(nxt_task_t *task, nxt_conf_value_t *namespaces, -- cgit 
From ffa86b6edcb4ac06825557f969fb657948d8c35e Mon Sep 17 00:00:00 2001 From: Andrew Clayton Date: Wed, 22 Feb 2023 16:04:53 +0000 Subject: Isolation: rootfs: Set the sticky bit on the tmp directory. When using the 'rootfs' isolation option, by default a tmpfs filesystem is mounted on tmp/. Currently this is mounted with a mode of 0777, i.e drwxrwxrwx. 3 root root 60 Feb 22 11:56 tmp however this should really have the sticky bit[0] set (as is per-normal for such directories) to prevent users from having free reign on the files contained within. What we really want is it mounted with a mode of 01777, i.e drwxrwxrwt. 3 root root 60 Feb 22 11:57 tmp [0]: To quote inode(7) "The sticky bit (S_ISVTX) on a directory means that a file in that directory can be renamed or deleted only by the owner of the file, by the owner of the directory, and by a privileged process." Reviewed-by: Liam Crilly Signed-off-by: Andrew Clayton --- src/nxt_isolation.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/nxt_isolation.c') diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c index e43cf1f7..614d6bb5 100644 --- a/src/nxt_isolation.c +++ b/src/nxt_isolation.c @@ -652,7 +652,7 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process, mnt->flags = (NXT_FS_FLAGS_NOSUID | NXT_FS_FLAGS_NODEV | NXT_FS_FLAGS_NOEXEC); - mnt->data = (u_char *) "size=1m,mode=777"; + mnt->data = (u_char *) "size=1m,mode=1777"; mnt->builtin = 1; mnt->deps = 0; -- cgit From c18dd1f65b9eba988bb621a4b540fb6c7bda36c8 Mon Sep 17 00:00:00 2001 
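Review bot: The new mount option string `"size=1m,mode=1777"` encodes a security-relevant choice that the code never explains; the rationale (sticky bit so that files in the shared tmpfs can only be renamed or unlinked by their owner or root) lives only in the commit message. I would put a why-comment above the assignment, e.g. `/* 01777: world-writable like /tmp, but with the sticky bit so only a file's owner (or root) can rename or unlink it. */`. The context lines show the mount is already nosuid/nodev/noexec, which is the right pairing for a world-writable directory. nxt_isolation_set_lang_mounts begins and ends outside the hunk.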
From: Andrew Clayton Date: Thu, 16 Mar 2023 21:35:01 +0000 Subject: Default PR_SET_NO_NEW_PRIVS to off. This prctl(2) option was enabled in commit 0277d8f1 ("Isolation: Fix the enablement of PR_SET_NO_NEW_PRIVS.") and this was being set by default. This prctl(2) when enabled renders (amongst other things) the set-UID and set-GID bits on executables ineffective after an execve(2). This causes an issue for applications that want to execute the sendmail(8) binary, this includes the PHP mail() function, which is usually set-GID. After some internal discussion it was decided to disable this option by default. Closes: Fixes: 0277d8f1 ("Isolation: Fix the enablement of PR_SET_NO_NEW_PRIVS.") Fixes: e2b53e16 ("Added "rootfs" feature.") Signed-off-by: Andrew Clayton --- src/nxt_isolation.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/nxt_isolation.c') diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c index 614d6bb5..cfa494a8 100644 --- a/src/nxt_isolation.c +++ b/src/nxt_isolation.c @@ -80,6 +80,10 @@ nxt_isolation_main_prefork(nxt_task_t *task, nxt_process_t *process, app_conf = process->data.app; cap_setid = rt->capabilities.setid; +#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS) + process->isolation.new_privs = 1; +#endif + if (app_conf->isolation != NULL) { ret = nxt_isolation_set(task, app_conf->isolation, process); if (nxt_slow_path(ret != NXT_OK)) { -- cgit
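Review bot: `process->isolation.new_privs = 1;` turns a hardening measure off by default, and nothing in the code says why; the reason (set-GID sendmail(8) as used by PHP mail() breaks under PR_SET_NO_NEW_PRIVS) is only in the commit message. I would add a why-comment above the `#if`, e.g. `/* Allow privilege gain on execve(2) by default: PR_SET_NO_NEW_PRIVS breaks set-UID/set-GID helpers such as sendmail(8); apps opt in via the 'isolation' config. */`. The default is assigned before the `app_conf->isolation != NULL` check, so it also applies to apps with no isolation block at all; that looks intentional so that nxt_isolation_set can override it from the config, but whether it does is not visible in this hunk and is worth confirming. With the default now off, a rootfs that contains set-UID or set-GID binaries no longer gets this protection unless the operator opts in, which the documentation for the 'rootfs' option should state. nxt_isolation_main_prefork starts and ends outside the hunk.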