From 0277d8f1034f6f3dcdb5fd88dc3a9a3f04c1de89 Mon Sep 17 00:00:00 2001 From: Andrew Clayton Date: Fri, 25 Nov 2022 10:32:20 +0000 Subject: Isolation: Fix the enablement of PR_SET_NO_NEW_PRIVS. This prctl(2) option is checked for in auto/isolation, unfortunately due to a typo this feature has never been enabled. In the auto/isolation script the feature name was down as NXT_HAVE_PR_SET_NO_NEW_PRIVS0, which means we end up with the following in build/nxt_auto_config.h #ifndef NXT_HAVE_PR_SET_NO_NEW_PRIVS0 #define NXT_HAVE_PR_SET_NO_NEW_PRIVS0 1 #endif Whereas everywhere else is checking for NXT_HAVE_PR_SET_NO_NEW_PRIVS. This also guards the inclusion of sys/prctl.h in src/nxt_process.c which is required by a subsequent commit. Fixes: e2b53e1 ("Added "rootfs" feature.") Reviewed-by: Alejandro Colomar Signed-off-by: Andrew Clayton --- auto/isolation | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'auto/isolation') diff --git a/auto/isolation b/auto/isolation index cbf42d9d..b706c94d 100644 --- a/auto/isolation +++ b/auto/isolation @@ -90,7 +90,7 @@ nxt_feature_test="#include nxt_feature="prctl(PR_SET_NO_NEW_PRIVS)" -nxt_feature_name=NXT_HAVE_PR_SET_NO_NEW_PRIVS0 +nxt_feature_name=NXT_HAVE_PR_SET_NO_NEW_PRIVS nxt_feature_run=no nxt_feature_incs= nxt_feature_libs= -- cgit From b7f1d7253a8f44f31c2e1a8d9c8962ef30be83e9 Mon Sep 17 00:00:00 2001 From: Andrew Clayton Date: Fri, 18 Nov 2022 23:42:44 +0000 Subject: Isolation: Rename NXT_HAVE_CLONE -> NXT_HAVE_LINUX_NS. Due to the need to replace our use of clone/__NR_clone on Linux with fork(2)/unshare(2) for enabling Linux namespaces(7) to keep the pthreads(7) API working. Let's rename NXT_HAVE_CLONE to NXT_HAVE_LINUX_NS, i.e name it after the feature, not how it's implemented, then in future if we change how we do namespaces again we don't have to rename this. Reviewed-by: Alejandro Colomar 
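Review bot: The block around the corrected `nxt_feature_name=NXT_HAVE_PR_SET_NO_NEW_PRIVS` line keeps `nxt_feature_run=no`, so the define only shows that the build host's headers expose the constant, not that the running kernel accepts it. The prctl(2) call it guards is in the C sources, outside this hunk, and should check its return value and refuse to start the process on failure; that is worth confirming. The description says the feature was never enabled, so this one-token fix turns no_new_privs on for the first time. Application processes that relied on setuid or file-capability binaries will presumably stop gaining privileges through them, which deserves a changelog entry. The typo went unnoticed because a misspelled name still configures cleanly, so I would add a comment above the block such as `# Name must match the #if checks in src/ (e.g. nxt_process.c).`; the block's test body lies after the hunk.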
Signed-off-by: Andrew Clayton --- auto/isolation | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'auto/isolation') diff --git a/auto/isolation b/auto/isolation index b706c94d..27f44624 100644 --- a/auto/isolation +++ b/auto/isolation @@ -4,7 +4,7 @@ # Linux clone syscall. NXT_ISOLATION=NO -NXT_HAVE_CLONE=NO +NXT_HAVE_LINUX_NS=NO NXT_HAVE_CLONE_NEWUSER=NO NXT_HAVE_MOUNT=NO NXT_HAVE_UNMOUNT=NO @@ -12,21 +12,21 @@ NXT_HAVE_ROOTFS=NO nsflags="USER NS PID NET UTS CGROUP" -nxt_feature="clone(2)" -nxt_feature_name=NXT_HAVE_CLONE +nxt_feature="Linux unshare()" +nxt_feature_name=NXT_HAVE_LINUX_NS nxt_feature_run=no nxt_feature_incs= nxt_feature_libs= -nxt_feature_test="#include - #include +nxt_feature_test="#define _GNU_SOURCE + #include int main(void) { - return SYS_clone | SIGCHLD; + return unshare(0); }" . auto/feature if [ $nxt_found = yes ]; then - NXT_HAVE_CLONE=YES + NXT_HAVE_LINUX_NS=YES # Test all isolation flags for flag in $nsflags; do -- cgit From a83354f47331db1214cba4dd8899f2a002295b2f Mon Sep 17 00:00:00 2001 From: Andrew Clayton Date: Wed, 30 Nov 2022 00:13:22 +0000 Subject: Enable the PR_SET_CHILD_SUBREAPER prctl(2) option on Linux. This prctl(2) option can be used to set the "child subreaper" attribute of the calling process. This allows a process to take on the role of 'init', which means the process will inherit descendant processes when their immediate parent terminates. This will be used in an upcoming commit that uses a double fork(2) + unshare(2) to create a new PID namespace. The parent from the second fork will terminate leaving the child process to be inherited by 'init'. Aside from it being better to maintain the parent/child relationships between the various unit processes, without setting this you need to ^C twice to fully quit unit when running in the foreground after the double fork. Reviewed-by: Alejandro Colomar 
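Review bot: The context line `# Linux clone syscall.` at the top of the first hunk is left stale by this rename, since the check below it no longer probes clone at all. I would change it to something like `# Linux namespaces(7) support.` in the same commit. In the second hunk the label `nxt_feature="Linux unshare()"` names the implementation, which is what the description argues against for the macro; `nxt_feature="Linux namespaces"` would be consistent with `NXT_HAVE_LINUX_NS`. The `for flag in $nsflags` loop that follows continues outside the hunk, so I cannot tell whether the per-flag tests need a matching update.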
Signed-off-by: Andrew Clayton --- auto/isolation | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'auto/isolation') diff --git a/auto/isolation b/auto/isolation index 27f44624..c535e80a 100644 --- a/auto/isolation +++ b/auto/isolation @@ -102,6 +102,19 @@ nxt_feature_test="#include . auto/feature +nxt_feature="prctl(PR_SET_CHILD_SUBREAPER)" +nxt_feature_name=NXT_HAVE_PR_SET_CHILD_SUBREAPER +nxt_feature_run=no +nxt_feature_incs= +nxt_feature_libs= +nxt_feature_test="#include + + int main(void) { + return PR_SET_CHILD_SUBREAPER; + }" +. auto/feature + + nxt_feature="Linux mount()" nxt_feature_name=NXT_HAVE_LINUX_MOUNT nxt_feature_run=no -- cgit
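Review bot: The new `NXT_HAVE_PR_SET_CHILD_SUBREAPER` block has no comment saying what it gates, and the reason exists only in the commit description. I would add above `nxt_feature="prctl(PR_SET_CHILD_SUBREAPER)"` something like `# Lets the main process re-inherit children orphaned by the double fork(2) used for PID namespaces.` As with the neighbouring prctl checks, `nxt_feature_run=no` makes this a header-only probe, so the prctl(2) call in the upcoming commit should check its return value rather than assume the kernel supports the option. Once the attribute is set, every orphaned descendant is reparented to the Unit process, including any that application code forks. Its SIGCHLD/wait handling therefore has to reap PIDs it did not spawn itself; that code is not visible here, so please confirm.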