Mercurial > hg > nginx
comparison auto/os/linux @ 7176:7f28b61c92f0
Fixed capabilities version.
Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3. With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted. As a
result, random stack memory was accessed and random capabilities were requested
by the worker. This sometimes caused capset() errors. Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead. This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Tue, 19 Dec 2017 19:00:27 +0300 |
| parents | 56923e8e01a5 |
| children | f7e79596baf2 |
comparison
equal
deleted
inserted
replaced
| 7175:56923e8e01a5 | 7176:7f28b61c92f0 |
|---|---|
| 179 ngx_feature_path= | 179 ngx_feature_path= |
| 180 ngx_feature_libs= | 180 ngx_feature_libs= |
| 181 ngx_feature_test="struct __user_cap_data_struct data; | 181 ngx_feature_test="struct __user_cap_data_struct data; |
| 182 struct __user_cap_header_struct header; | 182 struct __user_cap_header_struct header; |
| 183 | 183 |
| 184 header.version = _LINUX_CAPABILITY_VERSION_3; | 184 header.version = _LINUX_CAPABILITY_VERSION_1; |
| 185 data.effective = CAP_TO_MASK(CAP_NET_RAW); | 185 data.effective = CAP_TO_MASK(CAP_NET_RAW); |
| 186 data.permitted = 0; | 186 data.permitted = 0; |
| 187 | 187 |
| 188 (void) SYS_capset" | 188 (void) SYS_capset" |
| 189 . auto/feature | 189 . auto/feature |