authorJörg Thalheim <Mic92@users.noreply.github.com>2020-01-21 11:39:41 +0000
committerGitHub <noreply@github.com>2020-01-21 11:39:41 +0000
commit71c19d3efaa28a226134594d170c6dec79f1d908 (patch)
treef52c1202c2f1d8d77fd5f782e9f0d42e657546f8
parentMerge pull request #78142 from marsam/update-flexget (diff)
parentnixos/unit: fix typo (diff)
downloadnixpkgs-71c19d3efaa28a226134594d170c6dec79f1d908.tar.gz
Merge pull request #76537 from Izorkin/unit
unit: 1.13.0 -> 1.14.0
-rw-r--r--nixos/modules/services/web-servers/unit/default.nix2
-rw-r--r--pkgs/servers/http/unit/default.nix9
-rw-r--r--pkgs/servers/http/unit/drop_cap.patch79
3 files changed, 87 insertions, 3 deletions
diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix
index 2303dfa95404..b0b837cd1929 100644
--- a/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixos/modules/services/web-servers/unit/default.nix
@@ -111,7 +111,7 @@ in {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
# Security
NoNewPrivileges = true;
- # Sanboxing
+ # Sandboxing
ProtectSystem = "full";
ProtectHome = true;
RuntimeDirectory = "unit";
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index d210fcefc85c..c3af0d555438 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -18,16 +18,21 @@
with stdenv.lib;
stdenv.mkDerivation rec {
- version = "1.13.0";
+ version = "1.14.0";
pname = "unit";
src = fetchFromGitHub {
owner = "nginx";
repo = "unit";
rev = version;
- sha256 = "1b5il05isq5yvnx2qpnihsrmj0jliacvhrm58i87d48anwpv1k8q";
+ sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w";
};
+ patches = [
+ # https://github.com/nginx/unit/issues/357
+ ./drop_cap.patch
+ ];
+
nativeBuildInputs = [ which ];
buildInputs = [ ]
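Review bot: The new `patches` entry for `./drop_cap.patch` is documented only by an issue URL, so a reader of this file cannot tell what the patch changes or when it can be dropped. I would extend the comment to `# drop Linux capabilities after the setuid/setgid step (nginx/unit#357); remove once an upstream release carries the fix`. The version bump and hash change themselves look routine.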
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
new file mode 100644
index 000000000000..87caf77904e2
--- /dev/null
+++ b/pkgs/servers/http/unit/drop_cap.patch
@@ -0,0 +1,79 @@
+diff -r ed17ce89119f src/nxt_capability.c
+--- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000
+@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
+ return NXT_OK;
+ }
+
++
++nxt_int_t
++nxt_capability_drop_all(nxt_task_t *task)
++{
++ struct __user_cap_header_struct hdr;
++ struct __user_cap_data_struct data[2];
++
++ hdr.version = nxt_capability_linux_get_version();
++ hdr.pid = nxt_pid;
++
++ nxt_memset(data, 0, sizeof(data));
++
++ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
++ nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
++ return NXT_ERROR;
++ }
++
++ return NXT_OK;
++}
++
+ #else
+
+ static nxt_int_t
+diff -r ed17ce89119f src/nxt_capability.h
+--- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000
+@@ -14,4 +14,6 @@ typedef struct {
+ NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
+ nxt_capabilities_t *cap);
+
++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
++
+ #endif /* _NXT_CAPABILITY_INCLUDED_ */
+diff -r ed17ce89119f src/nxt_process.c
+--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
+@@ -264,7 +264,7 @@ cleanup:
+ static void
+ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
+ {
+- nxt_int_t ret, cap_setid;
++ nxt_int_t ret, cap_setid, drop_caps;
+ nxt_port_t *port, *main_port;
+ nxt_thread_t *thread;
+ nxt_runtime_t *rt;
+@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+
+ cap_setid = rt->capabilities.setid;
+
++ drop_caps = cap_setid;
++
+ #if (NXT_HAVE_CLONE_NEWUSER)
+- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
++ if (NXT_CLONE_USER(init->isolation.clone.flags)) {
+ cap_setid = 1;
++ drop_caps = 0;
+ }
+ #endif
+
+@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+ if (nxt_slow_path(ret != NXT_OK)) {
+ goto fail;
+ }
++
++#if (NXT_HAVE_LINUX_CAPABILITY)
++ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
++ goto fail;
++ }
++#endif
+ }
+
+ rt->type = init->type; \ No newline at end of file
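Review bot: `nxt_capability_drop_all` is declared unconditionally in nxt_capability.h, but its definition sits in the preprocessor branch that the `#else` immediately after it closes, so on builds without Linux capabilities the symbol is declared and never defined; the only call in nxt_process.c is wrapped in `#if (NXT_HAVE_LINUX_CAPABILITY)`, so this links today, but guarding the declaration the same way (or adding a stub in the `#else` branch) would keep the header honest. The function also has no comment; I would put `/* Clear the effective, permitted and inheritable sets of the calling process via capset(2); the bounding set is left as is. */` above it, since capset with zeroed data does not touch the bounding set and the name `drop_all` suggests more than that. In nxt_process.c the new `drop_caps` check sits inside a block whose opening `if` lies outside the hunk, so which condition gates it (presumably the setuid/setgid path, given `drop_caps = cap_setid`) cannot be confirmed from here.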