diff options
author | Roman Arutyunyan <arut@nginx.com> | 2017-12-13 20:40:53 +0300 |
---|---|---|
committer | Roman Arutyunyan <arut@nginx.com> | 2017-12-13 20:40:53 +0300 |
commit | 752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5 (patch) | |
tree | 78fc3bcc2f52d8fc71fa4ec12080fdf891e0a113 /auto | |
parent | d2d737e70b46429ef9ed71b99402a9151f3c2e1f (diff) |
Retain CAP_NET_RAW capability for transparent proxying.
The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.
The feature is only available in Linux.
Diffstat (limited to 'auto')
-rw-r--r-- | auto/os/linux | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/auto/os/linux b/auto/os/linux index a0c8795bb..e4aa0e549 100644 --- a/auto/os/linux +++ b/auto/os/linux @@ -157,6 +157,37 @@ ngx_feature_test="if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) == -1) return 1" . auto/feature +# prctl(PR_SET_KEEPCAPS) + +ngx_feature="prctl(PR_SET_KEEPCAPS)" +ngx_feature_name="NGX_HAVE_PR_SET_KEEPCAPS" +ngx_feature_run=yes +ngx_feature_incs="#include <sys/prctl.h>" +ngx_feature_path= +ngx_feature_libs= +ngx_feature_test="if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return 1" +. auto/feature + + +# capabilities + +ngx_feature="capabilities" +ngx_feature_name="NGX_HAVE_CAPABILITIES" +ngx_feature_run=no +ngx_feature_incs="#include <sys/capability.h>" +ngx_feature_path= +ngx_feature_libs= +ngx_feature_test="struct __user_cap_data_struct data; + struct __user_cap_header_struct header; + + header.version = _LINUX_CAPABILITY_VERSION_3; + data.effective = CAP_TO_MASK(CAP_NET_RAW); + data.permitted = 0; + + (void) capset(&header, &data)" +. auto/feature + + # crypt_r() ngx_feature="crypt_r()" |