pkgs/servers/http/unit/drop_cap.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

diff -r ed17ce89119f src/nxt_capability.c
--- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000
+++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000
@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
     return NXT_OK;
 }
 
+
+nxt_int_t
+nxt_capability_drop_all(nxt_task_t *task)
+{
+    struct __user_cap_header_struct hdr;
+    struct __user_cap_data_struct data[2];
+
+    hdr.version = nxt_capability_linux_get_version();
+    hdr.pid = nxt_pid;
+
+    nxt_memset(data, 0, sizeof(data));
+
+    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
+        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
+        return NXT_ERROR;
+    }
+
+    return NXT_OK;
+}
+
 #else
 
 static nxt_int_t
diff -r ed17ce89119f src/nxt_capability.h
--- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000
+++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000
@@ -14,4 +14,6 @@ typedef struct {
 NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
     nxt_capabilities_t *cap);
 
+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
+
 #endif /* _NXT_CAPABILITY_INCLUDED_ */
diff -r ed17ce89119f src/nxt_process.c
--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
@@ -264,7 +264,7 @@ cleanup:
 static void
 nxt_process_start(nxt_task_t *task, nxt_process_t *process)
 {
-    nxt_int_t                    ret, cap_setid;
+    nxt_int_t                    ret, cap_setid, drop_caps;
     nxt_port_t                   *port, *main_port;
     nxt_thread_t                 *thread;
     nxt_runtime_t                *rt;
@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
 
     cap_setid = rt->capabilities.setid;
 
+    drop_caps = cap_setid;
+
 #if (NXT_HAVE_CLONE_NEWUSER)
-    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
+    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
         cap_setid = 1;
+        drop_caps = 0;
     }
 #endif
 
@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
         if (nxt_slow_path(ret != NXT_OK)) {
             goto fail;
         }
+
+#if (NXT_HAVE_LINUX_CAPABILITY)
+        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
+            goto fail;
+        }
+#endif
     }
 
     rt->type = init->type;