Closed ac000 closed 5 months ago
Changes:
Add Zhidao's Reviewed-by
$ git range-diff aa091295...25db3123
1: 4927f5bf ! 1: c1e747a4 Isolation: Add a new nxt_cred_t type
@@ Commit message
This will be used in subsequent commits.
+ Reviewed-by: Zhidao Hong <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
## src/nxt_clone.h ##
2: 09b9eed0 ! 2: 0a0de26b Isolation: Use an appropriate type for storing uid/gids
@@ Commit message
variables.
Reported-by: Andrei Zeliankou <zelenkov@nginx.com>
+ Reviewed-by: Zhidao Hong <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
## src/nxt_clone.c ##
3: a1517e77 ! 3: 726c6885 Configuration: Use the NXT_CONF_VLDT_REQUIRED flag for procmap
@@ Commit message
These are for the uidmap & gidmap settings in the config.
Suggested-by: Zhidao HONG <z.hong@f5.com>
+ Reviewed-by: Zhidao Hong <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
## src/nxt_conf_validation.c ##
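Review bot: In the commit message of patch 3 the same person now appears under two spellings, "Suggested-by: Zhidao HONG" and the added "Reviewed-by: Zhidao Hong". Use one form in both trailers so tools that group trailers by name count them as one identity.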
4: aa091295 ! 4: 25db3123 Configuration: Remove procmap validation code
@@ Commit message
validation, it's only purpose was to check if the three uidmap/gidmap
settings had been provided.
+ Reviewed-by: Zhidao Hong <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
## src/nxt_conf_validation.c ##
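Review bot: The context line of the patch 4 commit message reads "it's only purpose was to check"; this should be the possessive "its". Since the message is already being amended to add the Reviewed-by trailer, the typo can be fixed in the same rewrite.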
Rebased with master.
This pull-request fixes an issue on arm64 when using user namespaces on Linux whereby the "container", "host" and "size" members of the uid/gidmaps could be corrupted.
This would happen due to using nxt_int_t's to store these things, but on arm64 (and potentially others) these are 64 bits. However, there was an assumption that these would only be 32 bits and due to setting these variables through a 32-bit union alias, we would only set the four lower half bytes, leaving whatever was around in the upper half, giving some whacked out values.
It consists of the following five commits.
This adds a new type for holding uid/gids on Linux when using user namespaces.
This adds a new configuration map type that corresponds to the above.
This is the meat and potatoes of the series. It switches over to using the above two new items.
The following two commits are some cleanup allowed by the previous.
Each of the "container", "host" and "size" parameters is required.
This removes the custom validation of the above three items; its sole purpose was to check that they were set, and now we know they will be.
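The width mismatch described in this pull request, reproduced as an added example (not code from the pull request or from Unit): a 32-bit store into a 64-bit map member leaves half of the member holding stale bytes, while a store that matches the member's width does not. The names `map_type_t`, `procmap_t`, `map_store` and `host_after_store` are hypothetical, and the `0xAA` fill is a constructed stand-in for whatever was previously in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not NGINX Unit's definitions. */
typedef enum { MAP_INT32, MAP_INT64 } map_type_t;

typedef struct {            /* one uidmap/gidmap entry, 64-bit members */
    int64_t  container;
    int64_t  host;
    int64_t  size;
} procmap_t;

/*
 * Store 'value' into the member at 'field' using the width named by 'type'.
 * memcpy() stands in for the store through a 32-bit or 64-bit union member.
 */
static void
map_store(void *field, map_type_t type, int64_t value)
{
    int32_t  v32 = (int32_t) value;

    if (type == MAP_INT32) {
        memcpy(field, &v32, sizeof(v32));       /* 4 bytes set, 4 left stale */
    } else {
        memcpy(field, &value, sizeof(value));   /* all 8 bytes set */
    }
}

/* Return the 'host' member after one store into memory holding stale bytes. */
static int64_t
host_after_store(map_type_t type, int64_t value)
{
    procmap_t  m;

    memset(&m, 0xAA, sizeof(m));    /* constructed stand-in for stale memory */
    map_store(&m.host, type, value);

    return m.host;
}

int main(void)
{
    printf("32-bit store of 1000: %lld\n",
           (long long) host_after_store(MAP_INT32, 1000));
    printf("64-bit store of 1000: %lld\n",
           (long long) host_after_store(MAP_INT64, 1000));
    return 0;
}
```

When the previous contents of the member happen to be zero, the 32-bit store on a little-endian machine produces the expected value, so the mismatch can go unnoticed in testing.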