# Copyright (C) Igor Sysoev
# Copyright (C) NGINX, Inc.

# Linux clone syscall.
#
# Configure-time probes for the process-isolation primitives: clone(2) and
# its CLONE_NEW* namespace flags, pivot_root, mount/umount and
# prctl(PR_SET_NO_NEW_PRIVS).  Every probe is driven by auto/feature (not
# part of this file) with nxt_feature_run=no, so presumably each test program
# is only compiled, never executed: a "YES" below means the toolchain declares
# the symbol or macro, not that the running kernel or container policy allows
# the call.

# Defaults: every primitive is assumed absent until its probe succeeds.
NXT_ISOLATION=NO            # space-separated CLONE_NEW* suffixes found, or NO
NXT_HAVE_CLONE=NO
NXT_HAVE_CLONE_NEWUSER=NO   # user namespaces are also tracked on their own
NXT_HAVE_MOUNT=NO           # Linux mount() or FreeBSD nmount()
NXT_HAVE_UNMOUNT=NO         # Linux umount2() or unmount()
NXT_HAVE_ROOTFS=NO          # only when both a mount and an unmount primitive exist

# Namespace suffixes probed as CLONE_NEW${flag}; this order is the order in
# which supported flags are appended to NXT_ISOLATION.
nsflags="USER NS PID NET UTS CGROUP"

# Probe clone(2): the test program only needs SYS_clone and SIGCHLD to be
# declared by the headers.
nxt_feature="clone(2)"
nxt_feature_name=NXT_HAVE_CLONE
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/wait.h>
                  #include <sys/syscall.h>

                  int main(void) {
                      return SYS_clone | SIGCHLD;
                  }"
. auto/feature

if [ "$nxt_found" = yes ]; then
    NXT_HAVE_CLONE=YES

    # Probe each CLONE_NEW* namespace flag in turn.  Every flag the headers
    # declare is appended to NXT_ISOLATION, in nsflags order; auto/feature
    # presumably records NXT_HAVE_CLONE_NEW${flag} itself.
    for flag in $nsflags; do
        nxt_feature="CLONE_NEW${flag}"
        nxt_feature_name=NXT_HAVE_CLONE_NEW${flag}
        nxt_feature_run=no
        nxt_feature_incs=
        nxt_feature_libs=
        nxt_feature_test="#define _GNU_SOURCE
                          #include <sys/wait.h>
                          #include <sys/syscall.h>
                          #include <sched.h>

                          int main(void) {
                              return CLONE_NEW$flag;
                         }"
        . auto/feature

        [ "$nxt_found" = yes ] || continue

        # User namespaces get a dedicated shell variable on top of the
        # generic per-flag result.
        case "$flag" in
            USER) NXT_HAVE_CLONE_NEWUSER=YES ;;
        esac

        # The first supported flag replaces the "NO" placeholder; later
        # ones are appended with a space separator.
        case "$NXT_ISOLATION" in
            NO) NXT_ISOLATION=$flag ;;
            *)  NXT_ISOLATION="$NXT_ISOLATION $flag" ;;
        esac
    done
fi


# Probe for the pivot_root syscall number.  The preprocessor guard makes the
# probe fail on anything but Linux even if some SYS_pivot_root macro exists,
# so NXT_HAVE_LINUX_PIVOT_ROOT genuinely means "Linux".  nxt_feature_run=no:
# presumably compile-only, so nothing here checks that the kernel permits
# pivot_root for the configuring user.
nxt_feature="Linux pivot_root()"
nxt_feature_name=NXT_HAVE_LINUX_PIVOT_ROOT
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/syscall.h>
                  #if !defined(__linux__)
                  # error
                  #endif

                  int main(void) {
                      return SYS_pivot_root;
                  }"
. auto/feature


# Probe for <mntent.h>.  The test body is empty, so this establishes only that
# the header exists and compiles; no mntent function is referenced.
nxt_feature="<mntent.h>"
nxt_feature_name=NXT_HAVE_MNTENT_H
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <mntent.h>

                  int main(void) {
                      return 0;
                  }"
. auto/feature


# Probe for the PR_SET_NO_NEW_PRIVS prctl(2) option.  Only the macro is
# checked (the program returns its value and never calls prctl()), so whether
# the running kernel honours the option can only be learned from the return
# value of the real prctl() call, presumably made elsewhere at runtime.
nxt_feature="prctl(PR_SET_NO_NEW_PRIVS)"
nxt_feature_name=NXT_HAVE_PR_SET_NO_NEW_PRIVS
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/prctl.h>

                  int main(void) {
                      return PR_SET_NO_NEW_PRIVS;
                  }"
. auto/feature


# Mount primitive for building the application rootfs.  Linux mount(2) is
# probed first; FreeBSD nmount(2) is tried only when that probe answers "no".
# Either success sets NXT_HAVE_MOUNT.
#
# The Linux test program requests a recursive bind mount of "/".  It is
# probed with nxt_feature_run=no, which presumably means auto/feature compiles
# it without executing it — that must stay so, or configure would try to
# remount the host's root.
nxt_feature="Linux mount()"
nxt_feature_name=NXT_HAVE_LINUX_MOUNT
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/mount.h>

                  int main(void) {
                      return mount(\"/\", \"/\", \"bind\",
                                   MS_BIND | MS_REC, \"\");
                  }"
. auto/feature

case "$nxt_found" in
    yes)
        NXT_HAVE_MOUNT=YES
        ;;

    no)
        # BSD fallback: the probe only needs nmount() to be declared.
        nxt_feature="FreeBSD nmount()"
        nxt_feature_name=NXT_HAVE_FREEBSD_NMOUNT
        nxt_feature_run=no
        nxt_feature_incs=
        nxt_feature_libs=
        nxt_feature_test="#include <sys/mount.h>

                    int main(void) {
                        return nmount((void *)0, 0, 0);
                    }"
        . auto/feature

        if [ "$nxt_found" = yes ]; then
            NXT_HAVE_MOUNT=YES
        fi
        ;;
esac


# Unmount primitive, the counterpart of the mount probe above.  Linux
# umount2(2) is probed first; the generic unmount() is tried only when that
# probe answers "no".  Either success sets NXT_HAVE_UNMOUNT.
nxt_feature="Linux umount2()"
nxt_feature_name=NXT_HAVE_LINUX_UMOUNT2
nxt_feature_run=no
nxt_feature_incs=
nxt_feature_libs=
nxt_feature_test="#include <sys/mount.h>

                  int main(void) {
                      return umount2((void *)0, 0);
                  }"
. auto/feature

case "$nxt_found" in
    yes)
        NXT_HAVE_UNMOUNT=YES
        ;;

    no)
        # Fallback: the probe only needs unmount() to be declared.
        nxt_feature="unmount()"
        nxt_feature_name=NXT_HAVE_UNMOUNT
        nxt_feature_run=no
        nxt_feature_incs=
        nxt_feature_libs=
        nxt_feature_test="#include <sys/mount.h>

                    int main(void) {
                        return unmount((void *)0, 0);
                    }"
        . auto/feature

        if [ "$nxt_found" = yes ]; then
            NXT_HAVE_UNMOUNT=YES
        fi
        ;;
esac

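# The rootfs isolation feature needs both a mount and an unmount primitive.
# Two separate tests joined by && replace the obsolescent test(1) "-a"
# operator, and the expansions are quoted so an empty or unset value yields a
# clean "false" instead of a malformed test.
if [ "$NXT_HAVE_MOUNT" = YES ] && [ "$NXT_HAVE_UNMOUNT" = YES ]; then
    NXT_HAVE_ROOTFS=YES

    # Append the guard to the generated config header.  The path is supplied
    # by the caller; refuse to continue rather than append to "" if it is
    # missing, since a silently absent define would disable the feature.
    cat << END >> "${NXT_AUTO_CONFIG_H:?NXT_AUTO_CONFIG_H is not set}"

#ifndef NXT_HAVE_ISOLATION_ROOTFS
#define NXT_HAVE_ISOLATION_ROOTFS  1
#endif

END

fi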