Enable openssl

resolves: rhbz#1972058 Close dir when fsync=on resolves: rhbz#1972069 Do not exit when user/group can not be found resolves: rhbz#1990868 Remove abortOnIDResolution fail Always use message severity when comparing with ratelimit severity resolves: rhbz#1990869
2021-08-16 12:36:52 +02:00 · 2021-08-16 12:36:52 +02:00 · 2669cb8cc6
parent 70f03d2010
commit 2669cb8cc6
6 changed files with 303 additions and 3 deletions
--- a/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
+++ b/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
@ -0,0 +1,93 @@
+diff -up ./plugins/imjournal/imjournal.c.default-tag ./plugins/imjournal/imjournal.c
+--- ./plugins/imjournal/imjournal.c.default-tag	2018-05-17 08:50:11.416418022 -0400
+++ ./plugins/imjournal/imjournal.c	2018-05-17 08:53:02.884418022 -0400
+@@ -78,6 +78,7 @@ static struct configSettings_s {
+ 	int bWorkAroundJournalBug; /* deprecated, left for backwards compatibility only */
+ 	int bFsync;
+ 	int bRemote;
+	char *dfltTag;
+ } cs;
+ 
+ static rsRetVal facilityHdlr(uchar **pp, void *pVal);
+@@ -93,7 +94,8 @@ static struct cnfparamdescr modpdescr[]
+ 	{ "usepid", eCmdHdlrString, 0 },
+ 	{ "workaroundjournalbug", eCmdHdlrBinary, 0 },
+ 	{ "fsync", eCmdHdlrBinary, 0 },
+-	{ "remote", eCmdHdlrBinary, 0 }
+	{ "remote", eCmdHdlrBinary, 0 },
+	{ "defaulttag", eCmdHdlrGetWord, 0 }
+ };
+ static struct cnfparamblk modpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -104,6 +106,7 @@ static struct cnfparamblk modpblk =
+ #define DFLT_persiststateinterval 10
+ #define DFLT_SEVERITY pri2sev(LOG_NOTICE)
+ #define DFLT_FACILITY pri2fac(LOG_USER)
+#define DFLT_TAG "journal"
+ 
+ static int bLegacyCnfModGlobalsPermitted = 1;/* are legacy module-global config parameters permitted? */
+ 
+@@ -268,7 +271,7 @@ readjournal(void)
+ 
+ 	/* Information from messages */
+ 	char *message = NULL;
+-	char *sys_iden;
+	char *sys_iden = NULL;
+ 	char *sys_iden_help = NULL;
+ 
+ 	const void *get;
+@@ -331,7 +334,7 @@ readjournal(void)
+ 	if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
+ 		CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
+ 	} else {
+-		CHKmalloc(sys_iden = strdup("journal"));
+		CHKmalloc(sys_iden = strdup(cs.dfltTag));
+ 	}
+ 
+ 	/* trying to get PID, default is "SYSLOG_PID" property */
+@@ -654,6 +657,11 @@ CODESTARTrunInput
+ 			"\"usepidfromsystem\" is depricated, use \"usepid\" instead");
+ 	}
+ 
+	if (cs.dfltTag == NULL) {
+		cs.dfltTag = strdup(DFLT_TAG);
+	}
+
+
+ 	if (cs.usePid && (strcmp(cs.usePid, "system") == 0)) {
+ 		pidFieldName = "_PID";
+ 		bPidFallBack = 0;
+@@ -732,6 +740,7 @@ CODESTARTbeginCnfLoad
+ 	cs.bWorkAroundJournalBug = 1;
+ 	cs.bFsync = 0;
+ 	cs.bRemote = 0;
+	cs.dfltTag = NULL;
+ ENDbeginCnfLoad
+ 
+ 
+@@ -754,6 +763,7 @@ BEGINfreeCnf
+ CODESTARTfreeCnf
+ 	free(cs.stateFile);
+ 	free(cs.usePid);
+	free(cs.dfltTag);
+ 	free(journalContext.cursor);
+ 	statsobj.Destruct(&(statsCounter.stats));
+ ENDfreeCnf
+@@ -832,6 +842,8 @@ CODESTARTsetModCnf
+ 			cs.bFsync = (int) pvals[i].val.d.n;
+ 		} else if (!strcmp(modpblk.descr[i].name, "remote")) {
+ 			cs.bRemote = (int) pvals[i].val.d.n;
+		} else if (!strcmp(modpblk.descr[i].name, "defaulttag")) {
+			cs.dfltTag = (char *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else {
+ 			dbgprintf("imjournal: program error, non-handled "
+ 				"param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
+@@ -799,6 +820,8 @@ CODEmodInit_QueryRegCFSLineHdlr
+ 		facilityHdlr, &cs.iDfltFacility, STD_LOADABLE_MODULE_ID));
+ 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournalusepidfromsystem", 0, eCmdHdlrBinary,
+ 		NULL, &cs.bUseJnlPID, STD_LOADABLE_MODULE_ID));
+	CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournaldefaulttag", 0, eCmdHdlrGetWord,
+		NULL, &cs.dfltTag, STD_LOADABLE_MODULE_ID));
+ ENDmodInit
+ /* vim:set ai:
+  */
--- a/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
+++ b/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
@ -0,0 +1,21 @@
+diff -up rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig rsyslog-8.2102.0/plugins/omrelp/omrelp.c
+--- rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig	2021-06-15 12:46:14.758589030 +0200
+++ rsyslog-8.2102.0/plugins/omrelp/omrelp.c	2021-06-15 12:47:08.130516632 +0200
+@@ -303,7 +303,7 @@ ENDfreeCnf
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->sizeWindow = 0;
+-	pData->timeout = 90;
+	pData->timeout = 5;
+ 	pData->connTimeout = 10;
+ 	pData->rebindInterval = 0;
+ 	pData->bEnableTLS = DFLT_ENABLE_TLS;
+@@ -365,7 +365,7 @@ setInstParamDefaults(instanceData *pData
+ 	pData->target = NULL;
+ 	pData->port = NULL;
+ 	pData->tplName = NULL;
+-	pData->timeout = 90;
+	pData->timeout = 5;
+ 	pData->connTimeout = 10;
+ 	pData->sizeWindow = 0;
+ 	pData->rebindInterval = 0;
--- a/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
+++ b/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
@ -0,0 +1,20 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-15 12:30:35.238832058 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-15 12:32:04.699721356 +0200
+@@ -565,6 +565,8 @@ persistJournalState(void)
+ 		ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 	}
+ 
+	fflush(sf);
+
+ 	/* change the name of the file to the configured one */
+ 	if (rename(tmp_sf, cs.stateFile) < 0) {
+ 		LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
+@@ -586,6 +588,7 @@ persistJournalState(void)
+ 			LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
+ 			ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 		}
+		closedir(wd);
+ 	}
+ 
+ 	DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);
--- a/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
+++ b/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
@ -0,0 +1,102 @@
+diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c
+--- rsyslog-8.2102.0/runtime/cfsysline.c.orig	2021-08-04 07:16:02.663163106 +0200
+++ rsyslog-8.2102.0/runtime/cfsysline.c	2021-08-04 07:18:05.952490008 +0200
+@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract group name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
+		LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	do {
+@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 			LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName);
+ 		}
+ 		iRet = RS_RET_NOT_FOUND;
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for group '%s' could not be found or error\n", szName);
+-			exit(1); /* good exit */
+-		}
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract user name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
+		LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf);
+ 
+ 	if(ppwBuf == NULL) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+-			iRet = RS_RET_NOT_FOUND;
+-		}
+		LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+		iRet = RS_RET_NOT_FOUND;
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2021-08-04 07:18:19.301633677 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c	2021-08-04 07:19:02.409019106 +0200
+@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "environment", eCmdHdlrArray, 0 },
+ 	{ "processinternalmessages", eCmdHdlrBinary, 0 },
+ 	{ "umask", eCmdHdlrFileCreateMode, 0 },
+-	{ "security.abortonidresolutionfail", eCmdHdlrBinary, 0 },
+ 	{ "internal.developeronly.options", eCmdHdlrInt, 0 },
+ 	{ "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 },
+ 	{ "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 },
+@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void)
+ 			glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) {
+ 			loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n;
+-		} else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
+-			loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) {
+ 			*(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) {
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2021-08-04 07:19:13.103104854 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c	2021-08-04 07:19:44.635357684 +0200
+@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh
+ 	pThis->globals.maxErrMsgToStderr = -1;
+ 	pThis->globals.umask = -1;
+ 	pThis->globals.gidDropPrivKeepSupplemental = 0;
+-	pThis->globals.abortOnIDResolutionFail = 1;
+ 	pThis->templates.root = NULL;
+ 	pThis->templates.last = NULL;
+ 	pThis->templates.lastStatic = NULL;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2021-08-04 07:20:15.848607958 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h	2021-08-04 07:20:42.782823920 +0200
+@@ -73,7 +73,6 @@ struct globals_s {
+ 	int uidDropPriv;	/* user-id to which priveleges should be dropped to */
+ 	int gidDropPriv;	/* group-id to which priveleges should be dropped to */
+ 	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
+-	int abortOnIDResolutionFail;
+ 	int umask;		/* umask to use */
+ 	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */
+ 
--- a/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
+++ b/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
@ -0,0 +1,26 @@
+diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c
+--- rsyslog-8.2102.0/runtime/ratelimit.c.orig	2021-07-27 10:37:50.972903104 +0200
+++ rsyslog-8.2102.0/runtime/ratelimit.c	2021-07-27 10:38:26.141002988 +0200
+@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ {
+ 	DEFiRet;
+ 	rsRetVal localRet;
+-	int severity = 0;
+ 
+ 	*ppRepMsg = NULL;
+ 
+@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ 				DBGPRINTF("Message discarded, parsing error %d\n", localRet);
+ 				ABORT_FINALIZE(RS_RET_DISCARDMSG);
+ 			}
+-			severity = pMsg->iSeverity;
+ 		}
+ 	}
+ 
+ 	/* Only the messages having severity level at or below the
+ 	 * treshold (the value is >=) are subject to ratelimiting. */
+-	if(ratelimit->interval && (severity >= ratelimit->severity)) {
+	if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) {
+ 		char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */
+ 		snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg),
+ 			getAPPNAME(pMsg, 0));
--- a/rsyslog.spec
+++ b/rsyslog.spec
@ -5,7 +5,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2102.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -19,6 +19,11 @@ Source5: rsyslog.service
 Source6: qpid-proton-0.34.0.tar.gz

 Patch0: openssl3-compatibility.patch
+Patch1: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
+Patch2: rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
+Patch3: rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
+Patch4: rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
+Patch5: rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch

 BuildRequires: make
 BuildRequires: gcc
@ -96,10 +101,16 @@ Requires: %name = %version-%release
 BuildRequires: librelp-devel >= 1.2.16

 %package gnutls
-Summary: TLS protocol support for rsyslog
+Summary: TLS protocol support for rsyslog via GnuTLS library
 Requires: %name = %version-%release
 BuildRequires: gnutls-devel

+%package openssl
+Summary: TLS protocol support for rsyslog via OpenSSL library
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: openssl-devel
+
 %package snmp
 Summary: SNMP protocol support for rsyslog
 Requires: %name = %version-%release
@ -187,9 +198,15 @@ protocol.

 %description gnutls
 The rsyslog-gnutls package contains the rsyslog plugins that provide the
-ability to receive syslog messages via upcoming syslog-transport-tls
+ability to send and receive syslog messages via upcoming syslog-transport-tls
 IETF standard protocol.

+%description openssl
+The rsyslog-openssl package contains the rsyslog plugins that provide the
+ability to send and receive syslog messages via TCP or RELP using TLS
+encryption via OpenSSL library. For details refer to rsyslog doc on imtcp
+and omfwd modules.
+
 %description snmp
 The rsyslog-snmp package contains the rsyslog plugin that provides the
 ability to send syslog messages as SNMPv1 and SNMPv2c traps.
@ -220,6 +237,12 @@ mv build doc
 # Unpack qpid-proton for rhel
 %setup -q -D -T -b 6

+%patch1 -p1 -b .default-tag
+%patch2 -p1 -b .fd-leak-on-fsync
+%patch3 -p1 -b .timeout
+%patch4 -p1 -b .imuxsock-rate-limit
+%patch5 -p1 -b .abort-on-id-resolution-fail
+
 pushd ..
 %patch0 -p1 -b .openssl-compatibility
 popd
@ -269,6 +292,7 @@ autoreconf -if
 	--enable-elasticsearch \
 	--enable-generate-man-pages \
 	--enable-gnutls \
+	--enable-openssl \
 	--enable-gssapi-krb5 \
 	--enable-imfile \
 	--enable-imjournal \
@ -446,6 +470,9 @@ done
 %files gnutls
 %{_libdir}/rsyslog/lmnsd_gtls.so

+%files openssl
+%{_libdir}/rsyslog/lmnsd_ossl.so
+
 %files snmp
 %{_libdir}/rsyslog/omsnmp.so

@ -466,6 +493,17 @@ done


 %changelog
+* Wed Aug 18 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-7
+- Enable openssl
+  resolves: rhbz#1972058
+- Close dir when fsync=on
+  resolves: rhbz#1972069
+- Do not exit when user/group can not be found
+  resolves: rhbz#1990868
+- Remove abortOnIDResolution fail
+- Always use message severity when comparing with ratelimit severity
+  resolves: rhbz#1990869
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 8.2102.0-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688