From 681dca1b67840a2c608f1c1480a72aba95665f8d Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Thu, 26 Dec 2019 17:39:14 +0300
Subject: unit: 1.13.0 -> 1.14.0
---
 pkgs/servers/http/unit/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'pkgs/servers')
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index 8711be4b5c0..deda9441b0d 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -17,14 +17,14 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
- version = "1.13.0";
+ version = "1.14.0";
 pname = "unit";
 src = fetchFromGitHub {
 owner = "nginx";
 repo = "unit";
 rev = version;
- sha256 = "1b5il05isq5yvnx2qpnihsrmj0jliacvhrm58i87d48anwpv1k8q";
+ sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w";
 };
 nativeBuildInputs = [ which ];
-- 
cgit 1.4.1
From b5bd159690216f36c18c94520a29d26ebfb81f95 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Thu, 26 Dec 2019 17:51:53 +0300
Subject: unit: add drop capabilites patch
---
 pkgs/servers/http/unit/default.nix | 5 +++
 pkgs/servers/http/unit/drop_cap.patch | 79 +++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 pkgs/servers/http/unit/drop_cap.patch
(limited to 'pkgs/servers')
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index deda9441b0d..ab99f94df47 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
 sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w";
 };
+ patches = [
+ # https://github.com/nginx/unit/issues/357
+ ./drop_cap.patch
+ ];
+
 nativeBuildInputs = [ which ];
 buildInputs = [ ]
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
new file mode 100644
index 00000000000..87caf77904e
--- /dev/null
+++ b/pkgs/servers/http/unit/drop_cap.patch
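Review bot: The comment above `./drop_cap.patch` names only the upstream issue, so nothing in default.nix records that the patch is a backport cut against upstream revision `ed17ce89119f` (the base named in the patch's own `diff -r` headers) or that it is presumably meant to be removed once a release carries the fix. Suggest extending the comment to `# https://github.com/nginx/unit/issues/357 — backport against upstream ed17ce89119f; drop once a release includes it` so the next version bump knows whether to keep it.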
@@ -0,0 +1,79 @@
+diff -r ed17ce89119f src/nxt_capability.c
+--- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000
+@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
+ return NXT_OK;
+ }
+
++
++nxt_int_t
++nxt_capability_drop_all(nxt_task_t *task)
++{
++ struct __user_cap_header_struct hdr;
++ struct __user_cap_data_struct data[2];
++
++ hdr.version = nxt_capability_linux_get_version();
++ hdr.pid = nxt_pid;
++
++ nxt_memset(data, 0, sizeof(data));
++
++ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
++ nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
++ return NXT_ERROR;
++ }
++
++ return NXT_OK;
++}
++
+ #else
+
+ static nxt_int_t
+diff -r ed17ce89119f src/nxt_capability.h
+--- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000
+@@ -14,4 +14,6 @@ typedef struct {
+ NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
+ nxt_capabilities_t *cap);
+
++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
++
+ #endif /* _NXT_CAPABILITY_INCLUDED_ */
+diff -r ed17ce89119f src/nxt_process.c
+--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
+@@ -264,7 +264,7 @@ cleanup:
+ static void
+ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
+ {
+- nxt_int_t ret, cap_setid;
++ nxt_int_t ret, cap_setid, drop_caps;
+ nxt_port_t *port, *main_port;
+ nxt_thread_t *thread;
+ nxt_runtime_t *rt;
+@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+
+ cap_setid = rt->capabilities.setid;
+
++ drop_caps = cap_setid;
++
+ #if (NXT_HAVE_CLONE_NEWUSER)
+- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
++ if (NXT_CLONE_USER(init->isolation.clone.flags)) {
+ cap_setid = 1;
++ drop_caps = 0;
+ }
+ #endif
+
+@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+ if (nxt_slow_path(ret != NXT_OK)) {
+ goto fail;
+ }
++
++#if (NXT_HAVE_LINUX_CAPABILITY)
++ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
++ goto fail;
++ }
++#endif
+ }
+
+ rt->type = init->type;
\ No newline at end of file
-- 
cgit 1.4.1
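Review bot: `nxt_capability_drop_all` zeroes both `__user_cap_data_struct` words and hands them to `nxt_capset`, which clears the caller's effective, permitted and inheritable sets but does not touch the capability bounding set, so a later exec of a binary carrying file capabilities could still regain them; the function has no header comment, and it should say so, e.g. `/* Clear effective/permitted/inheritable caps via capset(); the bounding set is left as is. */`. In `nxt_process_start` the new `drop_caps` flag copies `rt->capabilities.setid` and is reset to 0 when `NXT_CLONE_USER` applies, so the drop only happens on the setid-without-user-namespace path; a one-line comment at `drop_caps = cap_setid;` stating that intent would spare the next reader from re-deriving it from two `#if` blocks. Note that `nxt_process_start` and the call whose `ret` is checked just before the new `#if (NXT_HAVE_LINUX_CAPABILITY)` block lie outside the hunk, so whether the drop is ordered after the credential switch cannot be confirmed from this view.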