diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index 2303dfa95404..b0b837cd1929 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -111,7 +111,7 @@ in { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; # Security NoNewPrivileges = true; - # Sanboxing + # Sandboxing ProtectSystem = "full"; ProtectHome = true; RuntimeDirectory = "unit"; diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index d210fcefc85c..c3af0d555438 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -18,16 +18,21 @@ with stdenv.lib; stdenv.mkDerivation rec { - version = "1.13.0"; + version = "1.14.0"; pname = "unit"; src = fetchFromGitHub { owner = "nginx"; repo = "unit"; rev = version; - sha256 = "1b5il05isq5yvnx2qpnihsrmj0jliacvhrm58i87d48anwpv1k8q"; + sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w"; }; + patches = [ + # https://github.com/nginx/unit/issues/357 + ./drop_cap.patch + ]; + nativeBuildInputs = [ which ]; buildInputs = [ ] diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch new file mode 100644 index 000000000000..87caf77904e2 --- /dev/null +++ b/pkgs/servers/http/unit/drop_cap.patch @@ -0,0 +1,79 @@ +diff -r ed17ce89119f src/nxt_capability.c +--- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000 +@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t * + return NXT_OK; + } + ++ ++nxt_int_t ++nxt_capability_drop_all(nxt_task_t *task) ++{ ++ struct __user_cap_header_struct hdr; ++ struct __user_cap_data_struct data[2]; ++ ++ hdr.version = nxt_capability_linux_get_version(); ++ hdr.pid = nxt_pid; ++ ++ nxt_memset(data, 0, sizeof(data)); ++ ++ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) { ++ nxt_alert(task, "failed to drop capabilities %E", nxt_errno); ++ return NXT_ERROR; ++ } ++ ++ return NXT_OK; ++} ++ + #else + + static nxt_int_t +diff -r ed17ce89119f src/nxt_capability.h +--- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000 +@@ -14,4 +14,6 @@ typedef struct { + NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, + nxt_capabilities_t *cap); + ++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task); ++ + #endif /* _NXT_CAPABILITY_INCLUDED_ */ +diff -r ed17ce89119f src/nxt_process.c +--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000 +@@ -264,7 +264,7 @@ cleanup: + static void + nxt_process_start(nxt_task_t *task, nxt_process_t *process) + { +- nxt_int_t ret, cap_setid; ++ nxt_int_t ret, cap_setid, drop_caps; + nxt_port_t *port, *main_port; + nxt_thread_t *thread; + nxt_runtime_t *rt; +@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_ + + cap_setid = rt->capabilities.setid; + ++ drop_caps = cap_setid; ++ + #if (NXT_HAVE_CLONE_NEWUSER) +- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) { ++ if (NXT_CLONE_USER(init->isolation.clone.flags)) { + cap_setid = 1; ++ drop_caps = 0; + } + #endif + +@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_ + if (nxt_slow_path(ret != NXT_OK)) { + goto fail; + } ++ ++#if (NXT_HAVE_LINUX_CAPABILITY) ++ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) { ++ goto fail; ++ } ++#endif + } + + rt->type = init->type; \ No newline at end of file