Initial applications isolation support using Linux namespaces.

nginx · Sep 19, 2019 · c554941 · c554941
1 parent 6346e64
commit c554941
Show file tree

Hide file tree

Showing 21 changed files with 1,431 additions and 165 deletions.
diff --git a/auto/capability b/auto/capability
@@ -0,0 +1,19 @@
+
+# Copyright (C) Igor Sysoev
+# Copyright (C) NGINX, Inc.
+
+# Linux capability
+
+nxt_feature="Linux capability"
+nxt_feature_name=NXT_HAVE_LINUX_CAPABILITY
+nxt_feature_test="#include <linux/capability.h>
+                  #include <unistd.h>
+                  #include <sys/syscall.h>
+
+                  int main() {
+                      struct __user_cap_header_struct hdr;
+                      hdr.version = _LINUX_CAPABILITY_VERSION;
+                      syscall(SYS_capget, &hdr, 0);
+                      return 0;
+                  }"
+. auto/feature
diff --git a/auto/isolation b/auto/isolation
@@ -0,0 +1,52 @@
+# Copyright (C) Igor Sysoev
+# Copyright (C) NGINX, Inc.
+
+# Linux clone syscall.
+
+NXT_ISOLATION=NO
+NXT_HAVE_CLONE=NO
+
+nsflags="USER NS PID NET UTS CGROUP"
+
+nxt_feature="clone(2)"
+nxt_feature_name=NXT_HAVE_CLONE
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/wait.h>
+                  #include <sys/syscall.h>
+
+                  int main() {
+                      return __NR_clone | SIGCHLD;
+                  }"
+. auto/feature
+
+if [ $nxt_found = yes ]; then
+    NXT_HAVE_CLONE=YES
+
+    # Test all isolation flags
+    for flag in $nsflags; do
+        nxt_feature="CLONE_NEW${flag}"
+        nxt_feature_name=NXT_HAVE_CLONE_NEW${flag}
+        nxt_feature_run=no
+        nxt_feature_incs=
+        nxt_feature_libs=
+        nxt_feature_test="#define _GNU_SOURCE
+                          #include <sys/wait.h>
+                          #include <sys/syscall.h>
+                          #include <sched.h>
+
+                          int main() {
+                              return CLONE_NEW$flag;
+                         }"
+        . auto/feature
+
+        if [ $nxt_found = yes ]; then
+            if [ "$NXT_ISOLATION" = "NO" ]; then
+                NXT_ISOLATION=$flag
+            else
+                NXT_ISOLATION="$NXT_ISOLATION $flag"
+            fi
+        fi
+    done
+fi
diff --git a/auto/sources b/auto/sources
@@ -71,6 +71,7 @@ NXT_LIB_SRCS=" \
     src/nxt_upstream_round_robin.c \
     src/nxt_http_parse.c \
     src/nxt_app_log.c \
+    src/nxt_capability.c \
     src/nxt_runtime.c \
     src/nxt_conf.c \
     src/nxt_conf_validation.c \
@@ -132,6 +133,7 @@ NXT_LIB_SOLARIS_SENDFILEV_SRCS="src/nxt_solaris_sendfilev.c"
 NXT_LIB_MACOSX_SENDFILE_SRCS="src/nxt_macosx_sendfile.c"
 NXT_LIB_AIX_SEND_FILE_SRCS="src/nxt_aix_send_file.c"
 NXT_LIB_HPUX_SENDFILE_SRCS="src/nxt_hpux_sendfile.c"
+NXT_LIB_CLONE_SRCS="src/nxt_clone.c"
 
 NXT_TEST_BUILD_DEPS="src/nxt_test_build.h"
 NXT_TEST_BUILD_SRCS="src/nxt_test_build.c"
@@ -257,6 +259,11 @@ if [ "$NXT_HAVE_HPUX_SENDFILE" = "YES" \
 fi
 
 
+if [ "$NXT_HAVE_CLONE" = "YES" ]; then
+    NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_LIB_CLONE_SRCS"
+fi
+
+
 if [ "$NXT_TEST_BUILD" = "YES" ]; then
     NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_TEST_BUILD_SRCS"
 fi

diff --git a/auto/summary b/auto/summary
@@ -26,6 +26,8 @@ Unit configuration summary:
   Unix domain sockets support: $NXT_UNIX_DOMAIN
   TLS support: ............... $NXT_OPENSSL
 
+  process isolation: ......... $NXT_ISOLATION
+
   debug logging: ............. $NXT_DEBUG
 
 END
diff --git a/configure b/configure
@@ -126,6 +126,8 @@ NXT_LIBRT=
 . auto/os/conf
 . auto/ssltls
 . auto/pcre
+. auto/isolation
+. auto/capability
 
 
 case "$NXT_SYSTEM_PLATFORM" in

diff --git a/src/nxt_application.h b/src/nxt_application.h
@@ -88,6 +88,8 @@ struct nxt_common_app_conf_s {
     char                       *working_directory;
     nxt_conf_value_t           *environment;
 
+    nxt_conf_value_t           *isolation;
+
     union {
         nxt_external_app_conf_t  external;
         nxt_python_app_conf_t    python;

diff --git a/src/nxt_capability.c b/src/nxt_capability.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) Igor Sysoev
+ * Copyright (C) NGINX, Inc.
+ */
+
+#include <nxt_main.h>
+
+#if (NXT_HAVE_LINUX_CAPABILITY)
+
+#include <linux/capability.h>
+#include <sys/syscall.h>
+
+#define nxt_capget(hdrp, datap)                                               \
+            syscall(SYS_capget, hdrp, datap)
+#define nxt_capset(hdrp, datap)                                               \
+            syscall(SYS_capset, hdrp, datap)
+
+#endif /* NXT_HAVE_LINUX_CAPABILITY */
+
+
+static nxt_int_t nxt_capability_specific_set(nxt_task_t *task,
+    nxt_capabilities_t *cap);
+
+
+nxt_int_t
+nxt_capability_set(nxt_task_t *task, nxt_capabilities_t *cap)
+{
+    nxt_assert(cap->setid == 0);
+
+    if (geteuid() == 0) {
+        cap->setid = 1;
+        return NXT_OK;
+    }
+
+    return nxt_capability_specific_set(task, cap);
+}
+
+
+#if (NXT_HAVE_LINUX_CAPABILITY)
+
+static uint32_t
+nxt_capability_linux_get_version()
+{
+    struct __user_cap_header_struct hdr;
+
+    hdr.version = _LINUX_CAPABILITY_VERSION;
+    hdr.pid     = nxt_pid;
+
+    nxt_capget(&hdr, NULL);
+    return hdr.version;
+}
+
+
+static nxt_int_t
+nxt_capability_specific_set(nxt_task_t *task, nxt_capabilities_t *cap)
+{
+    struct __user_cap_data_struct    *val, data[2];
+    struct __user_cap_header_struct  hdr;
+
+    /*
+     * Linux capability v1 fills an u32 struct.
+     * Linux capability v2 and v3 fills an u64 struct.
+     * We allocate data[2] for compatibility, we waste 4 bytes on v1.
+     *
+     * This is safe as we only need to check CAP_SETUID and CAP_SETGID
+     * that resides in the first 32-bit chunk.
+     */
+
+    val = &data[0];
+
+    /*
+     * Ask the kernel the preferred capability version
+     * instead of using _LINUX_CAPABILITY_VERSION from header.
+     * This is safer when distributing a pre-compiled Unit binary.
+     */
+    hdr.version = nxt_capability_linux_get_version();
+    hdr.pid = nxt_pid;
+
+    if (nxt_slow_path(nxt_capget(&hdr, val) == -1)) {
+        nxt_alert(task, "failed to get process capabilities: %E", nxt_errno);
+        return NXT_ERROR;
+    }
+
+    if ((val->effective & (1 << CAP_SETUID)) == 0) {
+        return NXT_OK;
+    }
+
+    if ((val->effective & (1 << CAP_SETGID)) == 0) {
+        return NXT_OK;
+    }
+
+    cap->setid = 1;
+    return NXT_OK;
+}
+
+#else
+
+static nxt_int_t
+nxt_capability_specific_set(nxt_task_t *task, nxt_capabilities_t *cap)
+{
+    return NXT_OK;
+}
+
+#endif
diff --git a/src/nxt_capability.h b/src/nxt_capability.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Igor Sysoev
+ * Copyright (C) NGINX, Inc.
+ */
+
+#ifndef _NXT_CAPABILITY_INCLUDED_
+#define _NXT_CAPABILITY_INCLUDED_
+
+typedef struct {
+    uint8_t  setid;  /* 1 bit */
+} nxt_capabilities_t;
+
+
+NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
+    nxt_capabilities_t *cap);
+
+#endif /* _NXT_CAPABILITY_INCLUDED_ */