From f87bc139309991449031678217ab472810dcaa93 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Wed, 15 Apr 2020 08:48:09 +0300
Subject: [PATCH] unit: remove drop capabilites patch

---
 pkgs/servers/http/unit/default.nix    |  5 --
 pkgs/servers/http/unit/drop_cap.patch | 79 ---------------------------
 2 files changed, 84 deletions(-)
 delete mode 100644 pkgs/servers/http/unit/drop_cap.patch

diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index 0779a31f1064..f90395b3cece 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -39,11 +39,6 @@ in stdenv.mkDerivation rec {
     sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l";
   };
 
-  patches = [
-    # https://github.com/nginx/unit/issues/357
-    ./drop_cap.patch
-  ];
-
   nativeBuildInputs = [ which ];
 
   buildInputs = [ ]
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
deleted file mode 100644
index 87caf77904e2..000000000000
--- a/pkgs/servers/http/unit/drop_cap.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-diff -r ed17ce89119f src/nxt_capability.c
---- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000
-@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
-     return NXT_OK;
- }
- 
-+
-+nxt_int_t
-+nxt_capability_drop_all(nxt_task_t *task)
-+{
-+    struct __user_cap_header_struct hdr;
-+    struct __user_cap_data_struct data[2];
-+
-+    hdr.version = nxt_capability_linux_get_version();
-+    hdr.pid = nxt_pid;
-+
-+    nxt_memset(data, 0, sizeof(data));
-+
-+    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
-+        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
-+        return NXT_ERROR;
-+    }
-+
-+    return NXT_OK;
-+}
-+
- #else
- 
- static nxt_int_t
-diff -r ed17ce89119f src/nxt_capability.h
---- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000
-@@ -14,4 +14,6 @@ typedef struct {
- NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
-     nxt_capabilities_t *cap);
- 
-+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
-+
- #endif /* _NXT_CAPABILITY_INCLUDED_ */
-diff -r ed17ce89119f src/nxt_process.c
---- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
-@@ -264,7 +264,7 @@ cleanup:
- static void
- nxt_process_start(nxt_task_t *task, nxt_process_t *process)
- {
--    nxt_int_t ret, cap_setid;
-+    nxt_int_t ret, cap_setid, drop_caps;
-     nxt_port_t *port, *main_port;
-     nxt_thread_t *thread;
-     nxt_runtime_t *rt;
-@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
- 
-     cap_setid = rt->capabilities.setid;
- 
-+    drop_caps = cap_setid;
-+
- #if (NXT_HAVE_CLONE_NEWUSER)
--    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
-+    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
-         cap_setid = 1;
-+        drop_caps = 0;
-     }
- #endif
- 
-@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
-     if (nxt_slow_path(ret != NXT_OK)) {
-         goto fail;
-     }
-+
-+#if (NXT_HAVE_LINUX_CAPABILITY)
-+    if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
-+        goto fail;
-+    }
-+#endif
- }
- 
-     rt->type = init->type;
\ No newline at end of file