libcapng: do not try to drop capabilities that are not present

add global libcapng.default to not abort when libcapng fails resolves: rhbz#2216919
2023-06-27 08:14:39 +02:00 · 2023-06-27 08:14:39 +02:00 · 2f5a1a9930
commit 2f5a1a9930
parent 203cd69dcb
3 changed files with 264 additions and 1 deletions
--- a/rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
+++ b/rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
@ -0,0 +1,109 @@
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c	2023-06-27 08:20:45.262387154 +0200
+@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
+ 	{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
+ 	{ "debug.files", eCmdHdlrArray, 0 },
+-	{ "debug.whitelist", eCmdHdlrBinary, 0 }
+	{ "debug.whitelist", eCmdHdlrBinary, 0 },
+	{ "libcapng.default", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk paramblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
+ 		if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
+ 			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 			setWorkDir(NULL, cstr);
+		} else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
+#ifdef ENABLE_LIBCAPNG
+			loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
+#else
+			LogError(0, RS_RET_ERR, "rsyslog wasn't "
+				"compiled with libcap-ng support.");
+#endif
+ 		} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
+ 			const int val = (int) cnfparamvals[i].val.d.n;
+ 			fjson_global_do_case_sensitive_comparison(val);
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c	2023-06-27 08:20:45.264387159 +0200
+@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
+ 
+ static void cnfSetDefaults(rsconf_t *pThis)
+ {
+#ifdef ENABLE_LIBCAPNG
+	pThis->globals.bAbortOnFailedLibcapngSetup = 1;
+#endif
+ 	pThis->globals.bAbortOnUncleanConfig = 0;
+ 	pThis->globals.bReduceRepeatMsgs = 0;
+ 	pThis->globals.bDebugPrintTemplateList = 1;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h	2023-06-27 08:20:45.260387149 +0200
+@@ -61,6 +61,9 @@ struct queuecnf_s {
+  * be re-set as often as the user likes).
+  */
+ struct globals_s {
+#ifdef ENABLE_LIBCAPNG
+	int bAbortOnFailedLibcapngSetup;
+#endif
+ 	int bDebugPrintTemplateList;
+ 	int bDebugPrintModuleList;
+ 	int bDebugPrintCfSysLineHandlerList;
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-06-27 08:20:45.245387109 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-06-27 08:31:35.250120215 +0200
+@@ -2151,7 +2151,7 @@ main(int argc, char **argv)
+ 	/*
+ 	 * Drop capabilities to the necessary set
+ 	 */
+-	int capng_rc;
+	int capng_rc, capng_failed = 0;
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 
+ 	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+@@ -2161,10 +2161,9 @@ main(int argc, char **argv)
+ 		CAP_LEASE,
+ 		CAP_NET_ADMIN,
+ 		CAP_NET_BIND_SERVICE,
+		CAP_DAC_OVERRIDE,
+ 		CAP_SETGID,
+ 		CAP_SETUID,
+-		CAP_DAC_OVERRIDE,
+-		CAP_NET_RAW,
+ 		CAP_SYS_ADMIN,
+ 		CAP_SYS_CHROOT,
+ 		CAP_SYS_RESOURCE,
+@@ -2173,17 +2172,25 @@ main(int argc, char **argv)
+ 	)) != 0) {
+ 		LogError(0, RS_RET_LIBCAPNG_ERR,
+ 				"could not update the internal posix capabilities settings "
+-				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
+-		exit(-1);
+				"based on the options passed to it, capng_updatev=%d", capng_rc);
+		capng_failed = 1;
+ 	}
+ 
+ 	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ 		LogError(0, RS_RET_LIBCAPNG_ERR,
+-			"could not transfer  the  specified  internal posix  capabilities "
+-			"settings to the kernel, capng_apply=%d\n", capng_rc);
+-		exit(-1);
+			"could not transfer the specified internal posix capabilities "
+			"settings to the kernel, capng_apply=%d", capng_rc);
+		capng_failed = 1;
+	}
+
+	if (capng_failed) {
+		DBGPRINTF("Capabilities were not dropped successfully.\n");
+		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+			exit(RS_RET_LIBCAPNG_ERR);
+		}
+	} else {
+		DBGPRINTF("Capabilities were dropped successfully\n");
+ 	}
+-	DBGPRINTF("Capabilities were dropped successfully\n");
+ #endif
+ 
+ 	initAll(argc, argv);
--- a/rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch
+++ b/rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch
@ -0,0 +1,145 @@
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-06-27 08:56:27.321174891 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-06-27 08:58:17.977481782 +0200
+@@ -1557,6 +1557,88 @@ initAll(int argc, char **argv)
+ 	resetErrMsgsFlag();
+ 	localRet = rsconf.Load(&ourConf, ConfFile);
+ 
+	#ifdef ENABLE_LIBCAPNG
+	/*
+	 * Drop capabilities to the necessary set
+	 */
+	int capng_rc, capng_failed = 0;
+	typedef struct capabilities_s {
+		int capability; /* capability code */
+		const char *name; /* name of the capability to be displayed */
+		sbool present; /* is the capability present that is needed by rsyslog? if so we do not drop it */
+	} capabilities_t;
+
+	capabilities_t capabilities[] = {
+		#define CAP_FIELD(code) { code, #code,  0 }
+		CAP_FIELD(CAP_BLOCK_SUSPEND),
+		CAP_FIELD(CAP_CHOWN),
+		CAP_FIELD(CAP_IPC_LOCK),
+		CAP_FIELD(CAP_LEASE),
+		CAP_FIELD(CAP_NET_ADMIN),
+		CAP_FIELD(CAP_NET_BIND_SERVICE),
+		CAP_FIELD(CAP_DAC_OVERRIDE),
+		CAP_FIELD(CAP_SETGID),
+		CAP_FIELD(CAP_SETUID),
+		CAP_FIELD(CAP_SYS_ADMIN),
+		CAP_FIELD(CAP_SYS_CHROOT),
+		CAP_FIELD(CAP_SYS_RESOURCE),
+		CAP_FIELD(CAP_SYSLOG)
+		#undef CAP_FIELD
+	};
+
+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
+		/* Examine which capabilities are available to us, so we do not try to
+		   drop something that is not present. We need to do this in two steps,
+		   because capng_clear clears the capability set. In the second step,
+		   we add back those caps, which were present before clearing the selected
+		   posix capabilities set.
+		*/
+		unsigned long caps_len = sizeof(capabilities) / sizeof(capabilities_t);
+		for (unsigned long i = 0; i < caps_len; i++) {
+			if (capng_have_capability(CAPNG_EFFECTIVE, capabilities[i].capability)) {
+				capabilities[i].present = 1;
+			}
+		}
+
+		capng_clear(CAPNG_SELECT_BOTH);
+
+		for (unsigned long i = 0; i < caps_len; i++) {
+			if (capabilities[i].present) {
+				DBGPRINTF("The %s capability is present, "
+					"will try to preserve it.\n", capabilities[i].name);
+				if ((capng_rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+				capabilities[i].capability)) != 0) {
+					LogError(0, RS_RET_LIBCAPNG_ERR,
+							"could not update the internal posix capabilities settings "
+							"based on the options passed to it, capng_update=%d", capng_rc);
+					capng_failed = 1;
+				}
+			} else {
+				DBGPRINTF("The %s capability is not present, "
+					"will not try to preserve it.\n", capabilities[i].name);
+			}
+		}
+
+		if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+			LogError(0, RS_RET_LIBCAPNG_ERR,
+				"could not transfer the specified internal posix capabilities "
+				"settings to the kernel, capng_apply=%d", capng_rc);
+			capng_failed = 1;
+		}
+
+		if (capng_failed) {
+			DBGPRINTF("Capabilities were not dropped successfully.\n");
+			if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+				ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+			}
+		} else {
+			DBGPRINTF("Capabilities were dropped successfully\n");
+		}
+	} else {
+		DBGPRINTF("No capabilities to drop\n");
+	}
+#endif
+
+ 	if(fp_rs_full_conf_output != NULL) {
+ 		if(fp_rs_full_conf_output != stdout) {
+ 			fclose(fp_rs_full_conf_output);
+@@ -2147,52 +2229,6 @@ main(int argc, char **argv)
+ 		bProcessInternalMessages = 1;
+ 	dbgClassInit();
+ 
+-#ifdef ENABLE_LIBCAPNG
+-	/*
+-	 * Drop capabilities to the necessary set
+-	 */
+-	int capng_rc, capng_failed = 0;
+-	capng_clear(CAPNG_SELECT_BOTH);
+-
+-	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-		CAP_BLOCK_SUSPEND,
+-		CAP_CHOWN,
+-		CAP_IPC_LOCK,
+-		CAP_LEASE,
+-		CAP_NET_ADMIN,
+-		CAP_NET_BIND_SERVICE,
+-		CAP_DAC_OVERRIDE,
+-		CAP_SETGID,
+-		CAP_SETUID,
+-		CAP_SYS_ADMIN,
+-		CAP_SYS_CHROOT,
+-		CAP_SYS_RESOURCE,
+-		CAP_SYSLOG,
+-		-1
+-	)) != 0) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-				"could not update the internal posix capabilities settings "
+-				"based on the options passed to it, capng_updatev=%d", capng_rc);
+-		capng_failed = 1;
+-	}
+-
+-	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-			"could not transfer the specified internal posix capabilities "
+-			"settings to the kernel, capng_apply=%d", capng_rc);
+-		capng_failed = 1;
+-	}
+-
+-	if (capng_failed) {
+-		DBGPRINTF("Capabilities were not dropped successfully.\n");
+-		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+-			exit(RS_RET_LIBCAPNG_ERR);
+-		}
+-	} else {
+-		DBGPRINTF("Capabilities were dropped successfully\n");
+-	}
+-#endif
+-
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");
--- a/rsyslog.spec
+++ b/rsyslog.spec
@ -5,7 +5,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2102.0
-Release: 115%{?dist}
+Release: 116%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -48,6 +48,8 @@ Patch26: rsyslog-8.2102.0-rhbz2192955-es-4.patch
 Patch27: rsyslog-8.2102.0-rhbz2192955-es-5.patch
 Patch28: rsyslog-8.2102.0-rhbz2192955-es-6.patch
 Patch29: rsyslog-8.2102.0-rhbz2192955-es-doc.patch
+Patch30: rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
+Patch31: rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch

 BuildRequires: make
 BuildRequires: gcc
@ -313,6 +315,8 @@ mv build doc
 %patch27 -p1 -b .es5
 %patch28 -p1 -b .es6
 %patch29 -p1 -b .es-doc
+%patch30 -p1
+%patch31 -p1

 pushd ..
 %patch9 -p1 -b .openssl-compatibility
@ -578,6 +582,11 @@ done


 %changelog
+* Tue Jun 27 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-116
+- libcapng: do not try to drop capabilities that are not present
+- add global libcapng.default to not abort when libcapng fails
+  resolves: rhbz#2216919
+
 * Mon May 22 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-115
 - omelasticsearch: make compatible with elasticsearch>=8
 - add new action specific parameter esversion.major