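# Copyright (C) Igor Sysoev
# Copyright (C) NGINX, Inc.

# Process-isolation probes: Linux namespaces (unshare() / CLONE_NEW*),
# pivot_root(), mount/unmount primitives and the prctl() constants the
# isolation code relies on.
#
# This file is sourced by the configure machinery; each probe fills the
# nxt_feature* variables and hands them to auto/feature, which reports
# the outcome in $nxt_found.  Every probe here sets nxt_feature_run=no,
# so (as far as this file shows) only the build host's headers/toolchain
# are consulted.  A resulting NXT_HAVE_* macro therefore says the symbol
# exists at build time, not that the kernel the binary later runs on
# permits the operation (e.g. unprivileged user namespaces may be
# disabled by policy) — that remains a runtime check for the callers.

NXT_ISOLATION=NO
NXT_HAVE_LINUX_NS=NO
NXT_HAVE_CLONE_NEWUSER=NO
NXT_HAVE_MOUNT=NO
NXT_HAVE_UNMOUNT=NO
NXT_HAVE_ROOTFS=NO

# Namespace kinds probed below as CLONE_NEW<flag>.  Each one found is
# appended to NXT_ISOLATION and exported as NXT_HAVE_CLONE_NEW<flag>.
nsflags="USER NS PID NET UTS CGROUP"

# Baseline: unshare() must exist before any individual namespace flag
# is worth testing.
nxt_feature="Linux unshare()"
nxt_feature_name=NXT_HAVE_LINUX_NS
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#define _GNU_SOURCE
                  #include <sched.h>

                  int main(void) {
                      return unshare(0);
                  }"
. auto/feature

if [ "$nxt_found" = yes ]; then
    NXT_HAVE_LINUX_NS=YES

    # Test all isolation flags
    for flag in $nsflags; do
        nxt_feature="CLONE_NEW${flag}"
        nxt_feature_name=NXT_HAVE_CLONE_NEW${flag}
        nxt_feature_run=no
        nxt_feature_incs=
        nxt_feature_libs=
        nxt_feature_test="#define _GNU_SOURCE
                          #include <sys/wait.h>
                          #include <sys/syscall.h>
                          #include <sched.h>

                          int main(void) {
                              return CLONE_NEW$flag;
                         }"
        . auto/feature

        if [ "$nxt_found" = yes ]; then
            # USER gets its own variable because it is the flag that
            # decides whether isolation can work without privileges;
            # the other flags are only reflected in NXT_ISOLATION.
            if [ "$flag" = USER ]; then
                NXT_HAVE_CLONE_NEWUSER=YES
            fi

            # Build a space-separated list, replacing the initial "NO".
            if [ "$NXT_ISOLATION" = "NO" ]; then
                NXT_ISOLATION=$flag
            else
                NXT_ISOLATION="$NXT_ISOLATION $flag"
            fi
        fi
    done
fi


# pivot_root() has no libc wrapper on every platform, so the raw syscall
# number is probed; the __linux__ guard keeps non-Linux hosts from
# matching by accident.
nxt_feature="Linux pivot_root()"
nxt_feature_name=NXT_HAVE_LINUX_PIVOT_ROOT
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/syscall.h>
                  #if !defined(__linux__)
                  # error
                  #endif

                  int main(void) {
                      return SYS_pivot_root;
                  }"
. auto/feature


nxt_feature="<mntent.h>"
nxt_feature_name=NXT_HAVE_MNTENT_H
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <mntent.h>

                  int main(void) {
                      return 0;
                  }"
. auto/feature


# Only the constant is probed; whether prctl() accepts it is decided by
# the running kernel.
nxt_feature="prctl(PR_SET_NO_NEW_PRIVS)"
nxt_feature_name=NXT_HAVE_PR_SET_NO_NEW_PRIVS
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/prctl.h>

                  int main(void) {
                      return PR_SET_NO_NEW_PRIVS;
                  }"
. auto/feature


nxt_feature="prctl(PR_SET_CHILD_SUBREAPER)"
nxt_feature_name=NXT_HAVE_PR_SET_CHILD_SUBREAPER
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/prctl.h>

                  int main(void) {
                      return PR_SET_CHILD_SUBREAPER;
                  }"
. auto/feature


# Mount primitive: Linux mount() first, FreeBSD nmount() only as the
# fallback when the Linux probe failed.  Either one sets NXT_HAVE_MOUNT.
nxt_feature="Linux mount()"
nxt_feature_name=NXT_HAVE_LINUX_MOUNT
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/mount.h>

                  int main(void) {
                      return mount(\"/\", \"/\", \"bind\",
                                   MS_BIND | MS_REC, \"\");
                  }"
. auto/feature

if [ "$nxt_found" = yes ]; then
    NXT_HAVE_MOUNT=YES
fi


if [ "$nxt_found" = no ]; then
    nxt_feature="FreeBSD nmount()"
    nxt_feature_name=NXT_HAVE_FREEBSD_NMOUNT
    nxt_feature_run=no
    nxt_feature_incs=
    nxt_feature_libs=
    nxt_feature_test="#include <sys/mount.h>

                    int main(void) {
                        return nmount((void *)0, 0, 0);
                    }"
    . auto/feature

    if [ "$nxt_found" = yes ]; then
        NXT_HAVE_MOUNT=YES
    fi
fi


# Unmount primitive, same pattern: umount2() first, unmount() fallback.
nxt_feature="Linux umount2()"
nxt_feature_name=NXT_HAVE_LINUX_UMOUNT2
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/mount.h>

                  int main(void) {
                      return umount2((void *)0, 0);
                  }"
. auto/feature

if [ "$nxt_found" = yes ]; then
    NXT_HAVE_UNMOUNT=YES
fi

if [ "$nxt_found" = no ]; then
    nxt_feature="unmount()"
    nxt_feature_name=NXT_HAVE_UNMOUNT
    nxt_feature_run=no
    nxt_feature_incs=
    nxt_feature_libs=
    nxt_feature_test="#include <sys/mount.h>

                    int main(void) {
                        return unmount((void *)0, 0);
                    }"
    . auto/feature

    if [ "$nxt_found" = yes ]; then
        NXT_HAVE_UNMOUNT=YES
    fi
fi

# A private root filesystem needs both a mount and an unmount primitive.
# Two separate [ ] tests instead of the obsolescent "-a" operator; the
# config-header path is quoted so a path with spaces cannot split.
if [ "$NXT_HAVE_MOUNT" = YES ] && [ "$NXT_HAVE_UNMOUNT" = YES ]; then
    NXT_HAVE_ROOTFS=YES

    cat << END >> "$NXT_AUTO_CONFIG_H"

#ifndef NXT_HAVE_ISOLATION_ROOTFS
#define NXT_HAVE_ISOLATION_ROOTFS  1
#endif

END

fi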