Diffstat (limited to 'pkgs/servers/http/unit/drop_cap.patch')
-rw-r--r-- | pkgs/servers/http/unit/drop_cap.patch | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
new file mode 100644
index 00000000000..87caf77904e
--- /dev/null
+++ b/pkgs/servers/http/unit/drop_cap.patch
@@ -0,0 +1,79 @@ +diff -r ed17ce89119f src/nxt_capability.c +--- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000 +@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t * + return NXT_OK; + } + ++ ++nxt_int_t ++nxt_capability_drop_all(nxt_task_t *task) ++{ ++ struct __user_cap_header_struct hdr; ++ struct __user_cap_data_struct data[2]; ++ ++ hdr.version = nxt_capability_linux_get_version(); ++ hdr.pid = nxt_pid; ++ ++ nxt_memset(data, 0, sizeof(data)); ++ ++ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) { ++ nxt_alert(task, "failed to drop capabilities %E", nxt_errno); ++ return NXT_ERROR; ++ } ++ ++ return NXT_OK; ++} ++ + #else + + static nxt_int_t +diff -r ed17ce89119f src/nxt_capability.h +--- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000 +@@ -14,4 +14,6 @@ typedef struct { + NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, + nxt_capabilities_t *cap); + ++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task); ++ + #endif /* _NXT_CAPABILITY_INCLUDED_ */ +diff -r ed17ce89119f src/nxt_process.c +--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000 +@@ -264,7 +264,7 @@ cleanup: + static void + nxt_process_start(nxt_task_t *task, nxt_process_t *process) + { +- nxt_int_t ret, cap_setid; ++ nxt_int_t ret, cap_setid, drop_caps; + nxt_port_t *port, *main_port; + nxt_thread_t *thread; + nxt_runtime_t *rt; +@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_ + + cap_setid = rt->capabilities.setid; + ++ drop_caps = cap_setid; ++ + #if (NXT_HAVE_CLONE_NEWUSER) +- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) { ++ if (NXT_CLONE_USER(init->isolation.clone.flags)) { + cap_setid = 1; ++ drop_caps = 0; + } + #endif + +@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_ + if (nxt_slow_path(ret != NXT_OK)) { + goto fail; + } ++ ++#if 
(NXT_HAVE_LINUX_CAPABILITY) ++ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) { ++ goto fail; ++ } ++#endif + } + + rt->type = init->type; \ No newline at end of file |
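Review bot: `nxt_capability_drop_all` (the src/nxt_capability.c part of the hunk) zeroes only the effective, permitted and inheritable sets through capset(2), which leaves the capability bounding set untouched, so a process that later execve()s a binary carrying file capabilities could have capabilities re-granted; whether that path is reachable for the spawned application process is not visible in the hunk. If it is a concern, a `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` next to the drop call in nxt_process.c would close it without needing any retained capability, at the cost of also disabling setuid binaries executed by the application, so it should be a deliberate choice. The header declares `nxt_capability_drop_all` unconditionally while the definition exists only in the `NXT_HAVE_LINUX_CAPABILITY` branch; the call site in nxt_process.c is guarded by the same macro so this links, but a comment on the declaration such as `/* Linux only: defined under NXT_HAVE_LINUX_CAPABILITY; callers must guard. */` would spare the next caller a link error. The `nxt_process_start` body in nxt_process.c continues outside the hunk.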