Initial applications isolation support using Linux namespaces.
Showing
21 changed files
with
1,431 additions
and
165 deletions.
@@ -0,0 +1,19 @@ | ||
|
||
# Copyright (C) Igor Sysoev | ||
# Copyright (C) NGINX, Inc. | ||
|
||
# Linux capability | ||
|
||
nxt_feature="Linux capability" | ||
nxt_feature_name=NXT_HAVE_LINUX_CAPABILITY | ||
nxt_feature_test="#include <linux/capability.h> | ||
#include <unistd.h> | ||
#include <sys/syscall.h> | ||
|
||
int main() { | ||
struct __user_cap_header_struct hdr; | ||
hdr.version = _LINUX_CAPABILITY_VERSION; | ||
syscall(SYS_capget, &hdr, 0); | ||
return 0; | ||
}" | ||
. auto/feature |
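Review bot: The probe program leaves `hdr.pid` uninitialized and, unlike the clone(2) test in this commit, this fragment does not set `nxt_feature_run`, `nxt_feature_incs` or `nxt_feature_libs`, so it inherits whatever the previous auto/ fragment left there; if that happens to be `nxt_feature_run=yes`, the binary is executed and capget(2) is handed an indeterminate pid. Only the compile/link result matters here, so pin `nxt_feature_run=no` (with incs/libs cleared) next to `nxt_feature_name`, and initialise the header fully, `struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION, 0 };`. Whether auto/feature resets those variables itself is not visible on this page, so the first point is worth confirming against that script.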
@@ -0,0 +1,52 @@ | ||
# Copyright (C) Igor Sysoev | ||
# Copyright (C) NGINX, Inc. | ||
|
||
# Linux clone syscall. | ||
|
||
NXT_ISOLATION=NO | ||
NXT_HAVE_CLONE=NO | ||
|
||
nsflags="USER NS PID NET UTS CGROUP" | ||
|
||
nxt_feature="clone(2)" | ||
nxt_feature_name=NXT_HAVE_CLONE | ||
nxt_feature_run=no | ||
nxt_feature_incs= | ||
nxt_feature_libs= | ||
nxt_feature_test="#include <sys/wait.h> | ||
#include <sys/syscall.h> | ||
|
||
int main() { | ||
return __NR_clone | SIGCHLD; | ||
}" | ||
. auto/feature | ||
|
||
if [ $nxt_found = yes ]; then | ||
NXT_HAVE_CLONE=YES | ||
|
||
# Test all isolation flags | ||
for flag in $nsflags; do | ||
nxt_feature="CLONE_NEW${flag}" | ||
nxt_feature_name=NXT_HAVE_CLONE_NEW${flag} | ||
nxt_feature_run=no | ||
nxt_feature_incs= | ||
nxt_feature_libs= | ||
nxt_feature_test="#define _GNU_SOURCE | ||
#include <sys/wait.h> | ||
#include <sys/syscall.h> | ||
#include <sched.h> | ||
|
||
int main() { | ||
return CLONE_NEW$flag; | ||
}" | ||
. auto/feature | ||
|
||
if [ $nxt_found = yes ]; then | ||
if [ "$NXT_ISOLATION" = "NO" ]; then | ||
NXT_ISOLATION=$flag | ||
else | ||
NXT_ISOLATION="$NXT_ISOLATION $flag" | ||
fi | ||
fi | ||
done | ||
fi |
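Review bot: NXT_HAVE_CLONE_NEW* and NXT_ISOLATION record only that the build host's headers define each flag; they say nothing about the kernel Unit eventually runs on, which may predate the header (CLONE_NEWCGROUP needs Linux 4.6) or may refuse user namespaces to unprivileged processes via distribution sysctls. Since these macros presumably gate the clone() call elsewhere in the commit, the runtime path must treat EINVAL/EPERM from clone() as a hard error whenever a namespace was requested, rather than falling back to an unisolated child, which would silently defeat the feature. Worth recording above the loop: `# Header-level check only: the running kernel may still reject the flag (EINVAL/EPERM); the clone() caller must fail closed, not fall back to no isolation.`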
@@ -0,0 +1,104 @@ | ||
/* | ||
* Copyright (C) Igor Sysoev | ||
* Copyright (C) NGINX, Inc. | ||
*/ | ||
|
||
#include <nxt_main.h> | ||
|
||
#if (NXT_HAVE_LINUX_CAPABILITY) | ||
|
||
#include <linux/capability.h> | ||
#include <sys/syscall.h> | ||
|
||
#define nxt_capget(hdrp, datap) \ | ||
syscall(SYS_capget, hdrp, datap) | ||
#define nxt_capset(hdrp, datap) \ | ||
syscall(SYS_capset, hdrp, datap) | ||
|
||
#endif /* NXT_HAVE_LINUX_CAPABILITY */ | ||
|
||
|
||
static nxt_int_t nxt_capability_specific_set(nxt_task_t *task, | ||
nxt_capabilities_t *cap); | ||
|
||
|
||
nxt_int_t | ||
nxt_capability_set(nxt_task_t *task, nxt_capabilities_t *cap) | ||
{ | ||
nxt_assert(cap->setid == 0); | ||
|
||
if (geteuid() == 0) { | ||
cap->setid = 1; | ||
return NXT_OK; | ||
} | ||
|
||
return nxt_capability_specific_set(task, cap); | ||
} | ||
|
||
|
||
#if (NXT_HAVE_LINUX_CAPABILITY) | ||
|
||
static uint32_t | ||
nxt_capability_linux_get_version() | ||
{ | ||
struct __user_cap_header_struct hdr; | ||
|
||
hdr.version = _LINUX_CAPABILITY_VERSION; | ||
hdr.pid = nxt_pid; | ||
|
||
nxt_capget(&hdr, NULL); | ||
return hdr.version; | ||
} | ||
|
||
|
||
static nxt_int_t | ||
nxt_capability_specific_set(nxt_task_t *task, nxt_capabilities_t *cap) | ||
{ | ||
struct __user_cap_data_struct *val, data[2]; | ||
struct __user_cap_header_struct hdr; | ||
|
||
/* | ||
* Linux capability v1 fills an u32 struct. | ||
* Linux capability v2 and v3 fills an u64 struct. | ||
* We allocate data[2] for compatibility, we waste 4 bytes on v1. | ||
* | ||
* This is safe as we only need to check CAP_SETUID and CAP_SETGID | ||
* that resides in the first 32-bit chunk. | ||
*/ | ||
|
||
val = &data[0]; | ||
|
||
/* | ||
* Ask the kernel the preferred capability version | ||
* instead of using _LINUX_CAPABILITY_VERSION from header. | ||
* This is safer when distributing a pre-compiled Unit binary. | ||
*/ | ||
hdr.version = nxt_capability_linux_get_version(); | ||
hdr.pid = nxt_pid; | ||
|
||
if (nxt_slow_path(nxt_capget(&hdr, val) == -1)) { | ||
nxt_alert(task, "failed to get process capabilities: %E", nxt_errno); | ||
return NXT_ERROR; | ||
} | ||
|
||
if ((val->effective & (1 << CAP_SETUID)) == 0) { | ||
return NXT_OK; | ||
} | ||
|
||
if ((val->effective & (1 << CAP_SETGID)) == 0) { | ||
return NXT_OK; | ||
} | ||
|
||
cap->setid = 1; | ||
return NXT_OK; | ||
} | ||
|
||
#else | ||
|
||
static nxt_int_t | ||
nxt_capability_specific_set(nxt_task_t *task, nxt_capabilities_t *cap) | ||
{ | ||
return NXT_OK; | ||
} | ||
|
||
#endif |
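Review bot: `nxt_capability_linux_get_version` does not learn the kernel's preferred version as its comment claims: it passes `_LINUX_CAPABILITY_VERSION`, which is the still-accepted (legacy-warned) v1 value, and the kernel only rewrites `hdr.version` when the supplied value is one it does not recognise, so the function returns v1 unchanged and every capget in this file is a 32-bit legacy call. Probe with an intentionally invalid value and fall back if the kernel did not answer: `hdr.version = 0; /* invalid on purpose: the kernel stores its preferred version here */`, and after the call `return hdr.version != 0 ? hdr.version : _LINUX_CAPABILITY_VERSION;`. The current result is right only because CAP_SETUID and CAP_SETGID sit in the first 32-bit word, which the comment in `nxt_capability_specific_set` should state explicitly. Separately, `geteuid() == 0` in `nxt_capability_set` is taken as proof that uid/gid switching will work, but a root process whose bounding set lacks CAP_SETUID/CAP_SETGID (a common container configuration) passes that check and fails later at setuid(); on Linux the capget result is the authoritative answer and should be consulted regardless of euid.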
@@ -0,0 +1,17 @@ | ||
/* | ||
* Copyright (C) Igor Sysoev | ||
* Copyright (C) NGINX, Inc. | ||
*/ | ||
|
||
#ifndef _NXT_CAPABILITY_INCLUDED_ | ||
#define _NXT_CAPABILITY_INCLUDED_ | ||
|
||
typedef struct { | ||
uint8_t setid; /* 1 bit */ | ||
} nxt_capabilities_t; | ||
|
||
|
||
NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, | ||
nxt_capabilities_t *cap); | ||
|
||
#endif /* _NXT_CAPABILITY_INCLUDED_ */ |
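Review bot: The `/* 1 bit */` comment on `setid` is misleading, because the field is a full `uint8_t` rather than a bitfield, and it says nothing about what the flag means; its value is what nxt_capability_set decides (euid 0, or CAP_SETUID and CAP_SETGID both effective on Linux). Suggest `uint8_t setid; /* nonzero: the process may switch uid/gid (euid 0, or CAP_SETUID and CAP_SETGID effective on Linux) */`. A one-line comment on the prototype noting that `cap->setid` must be zero on entry would also document the assert in the implementation.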