diff options
| author | Izorkin <izorkin@elven.pw> | 2020-04-15 08:48:09 +0300 |
|---|---|---|
| committer | Izorkin <izorkin@elven.pw> | 2020-05-06 12:27:12 +0300 |
| commit | f87bc139309991449031678217ab472810dcaa93 (patch) | |
| tree | a6032c4a631efb75a0a76310e025ec91624ae3c9 /pkgs/servers/http | |
| parent | cfad151ac56248dd6b74c298a4f864546ac78a3e (diff) | |
| download | nixlib-f87bc139309991449031678217ab472810dcaa93.tar nixlib-f87bc139309991449031678217ab472810dcaa93.tar.gz nixlib-f87bc139309991449031678217ab472810dcaa93.tar.bz2 nixlib-f87bc139309991449031678217ab472810dcaa93.tar.lz nixlib-f87bc139309991449031678217ab472810dcaa93.tar.xz nixlib-f87bc139309991449031678217ab472810dcaa93.tar.zst nixlib-f87bc139309991449031678217ab472810dcaa93.zip | |
unit: remove drop capabilites patch
Diffstat (limited to 'pkgs/servers/http')
| -rw-r--r-- | pkgs/servers/http/unit/default.nix | 5 | ||||
| -rw-r--r-- | pkgs/servers/http/unit/drop_cap.patch | 79 |
2 files changed, 0 insertions, 84 deletions
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index 0779a31f1064..f90395b3cece 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -39,11 +39,6 @@ in stdenv.mkDerivation rec { sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l"; }; - patches = [ - # https://github.com/nginx/unit/issues/357 - ./drop_cap.patch - ]; - nativeBuildInputs = [ which ]; buildInputs = [ ] diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch deleted file mode 100644 index 87caf77904e2..000000000000 --- a/pkgs/servers/http/unit/drop_cap.patch +++ /dev/null @@ -1,79 +0,0 @@ -diff -r ed17ce89119f src/nxt_capability.c ---- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000 -@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t * - return NXT_OK; - } - -+ -+nxt_int_t -+nxt_capability_drop_all(nxt_task_t *task) -+{ -+ struct __user_cap_header_struct hdr; -+ struct __user_cap_data_struct data[2]; -+ -+ hdr.version = nxt_capability_linux_get_version(); -+ hdr.pid = nxt_pid; -+ -+ nxt_memset(data, 0, sizeof(data)); -+ -+ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) { -+ nxt_alert(task, "failed to drop capabilities %E", nxt_errno); -+ return NXT_ERROR; -+ } -+ -+ return NXT_OK; -+} -+ - #else - - static nxt_int_t -diff -r ed17ce89119f src/nxt_capability.h ---- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000 -@@ -14,4 +14,6 @@ typedef struct { - NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, - nxt_capabilities_t *cap); - -+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task); -+ - #endif /* _NXT_CAPABILITY_INCLUDED_ */ -diff -r ed17ce89119f src/nxt_process.c ---- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000 -@@ -264,7 +264,7 @@ cleanup: - static void - nxt_process_start(nxt_task_t *task, nxt_process_t *process) - { -- nxt_int_t ret, cap_setid; -+ nxt_int_t ret, cap_setid, drop_caps; - nxt_port_t *port, *main_port; - nxt_thread_t *thread; - nxt_runtime_t *rt; -@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_ - - cap_setid = rt->capabilities.setid; - -+ drop_caps = cap_setid; -+ - #if (NXT_HAVE_CLONE_NEWUSER) -- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) { -+ if (NXT_CLONE_USER(init->isolation.clone.flags)) { - cap_setid = 1; -+ drop_caps = 0; - } - #endif - -@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_ - if (nxt_slow_path(ret != NXT_OK)) { - goto fail; - } -+ -+#if (NXT_HAVE_LINUX_CAPABILITY) -+ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) { -+ goto fail; -+ } -+#endif - } - - rt->type = init->type; \ No newline at end of file |