unit: add drop capabilites patch

2024-11-22 21:50:55 +00:00 · 2019-12-26 17:51:53 +03:00 · 2019-12-26 17:51:53 +03:00 · b5bd159690
parent 681dca1b67
commit b5bd159690
2 changed files with 84 additions and 0 deletions
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
    sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w";
  };

+  patches = [
+    # https://github.com/nginx/unit/issues/357
+    ./drop_cap.patch
+  ];
+
  nativeBuildInputs = [ which ];

  buildInputs = [ ]
--- a/pkgs/servers/http/unit/drop_cap.patch
+++ b/pkgs/servers/http/unit/drop_cap.patch
@ -0,0 +1,79 @@
+diff -r ed17ce89119f src/nxt_capability.c
+--- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000
+++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000
+@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
+     return NXT_OK;
+ }
+ 
+
+nxt_int_t
+nxt_capability_drop_all(nxt_task_t *task)
+{
+    struct __user_cap_header_struct hdr;
+    struct __user_cap_data_struct data[2];
+
+    hdr.version = nxt_capability_linux_get_version();
+    hdr.pid = nxt_pid;
+
+    nxt_memset(data, 0, sizeof(data));
+
+    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
+        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
+        return NXT_ERROR;
+    }
+
+    return NXT_OK;
+}
+
+ #else
+ 
+ static nxt_int_t
+diff -r ed17ce89119f src/nxt_capability.h
+--- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000
+++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000
+@@ -14,4 +14,6 @@ typedef struct {
+ NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
+     nxt_capabilities_t *cap);
+ 
+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
+
+ #endif /* _NXT_CAPABILITY_INCLUDED_ */
+diff -r ed17ce89119f src/nxt_process.c
+--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
+@@ -264,7 +264,7 @@ cleanup:
+ static void
+ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
+ {
+-    nxt_int_t                    ret, cap_setid;
+    nxt_int_t                    ret, cap_setid, drop_caps;
+     nxt_port_t                   *port, *main_port;
+     nxt_thread_t                 *thread;
+     nxt_runtime_t                *rt;
+@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+ 
+     cap_setid = rt->capabilities.setid;
+ 
+    drop_caps = cap_setid;
+
+ #if (NXT_HAVE_CLONE_NEWUSER)
+-    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
+    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
+         cap_setid = 1;
+        drop_caps = 0;
+     }
+ #endif
+ 
+@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+         if (nxt_slow_path(ret != NXT_OK)) {
+             goto fail;
+         }
+
+#if (NXT_HAVE_LINUX_CAPABILITY)
+        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
+            goto fail;
+        }
+#endif
+     }
+ 
+     rt->type = init->type;