libcapng: do not try to drop capabilities that are not present
add global libcapng.default to not abort when libcapng fails resolves: rhbz#2216919
This commit is contained in:
alakatos
parent
203cd69dcb
commit
2f5a1a9930
|
|
@ -0,0 +1,109 @@
|
|||
diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
|
||||
--- rsyslog-8.2102.0/runtime/glbl.c.orig 2023-06-27 08:20:45.265387162 +0200
|
||||
+++ rsyslog-8.2102.0/runtime/glbl.c 2023-06-27 08:20:45.262387154 +0200
|
||||
@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
|
||||
{ "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
|
||||
{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
|
||||
{ "debug.files", eCmdHdlrArray, 0 },
|
||||
- { "debug.whitelist", eCmdHdlrBinary, 0 }
|
||||
+ { "debug.whitelist", eCmdHdlrBinary, 0 },
|
||||
+ { "libcapng.default", eCmdHdlrBinary, 0 }
|
||||
};
|
||||
static struct cnfparamblk paramblk =
|
||||
{ CNFPARAMBLK_VERSION,
|
||||
@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
|
||||
if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
|
||||
cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
|
||||
setWorkDir(NULL, cstr);
|
||||
+ } else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
|
||||
+#ifdef ENABLE_LIBCAPNG
|
||||
+ loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
|
||||
+#else
|
||||
+ LogError(0, RS_RET_ERR, "rsyslog wasn't "
|
||||
+ "compiled with libcap-ng support.");
|
||||
+#endif
|
||||
} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
|
||||
const int val = (int) cnfparamvals[i].val.d.n;
|
||||
fjson_global_do_case_sensitive_comparison(val);
|
||||
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
|
||||
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-06-27 08:20:45.265387162 +0200
|
||||
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-06-27 08:20:45.264387159 +0200
|
||||
@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
|
||||
|
||||
static void cnfSetDefaults(rsconf_t *pThis)
|
||||
{
|
||||
+#ifdef ENABLE_LIBCAPNG
|
||||
+ pThis->globals.bAbortOnFailedLibcapngSetup = 1;
|
||||
+#endif
|
||||
pThis->globals.bAbortOnUncleanConfig = 0;
|
||||
pThis->globals.bReduceRepeatMsgs = 0;
|
||||
pThis->globals.bDebugPrintTemplateList = 1;
|
||||
diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
|
||||
--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2023-06-27 08:20:45.265387162 +0200
|
||||
+++ rsyslog-8.2102.0/runtime/rsconf.h 2023-06-27 08:20:45.260387149 +0200
|
||||
@@ -61,6 +61,9 @@ struct queuecnf_s {
|
||||
* be re-set as often as the user likes).
|
||||
*/
|
||||
struct globals_s {
|
||||
+#ifdef ENABLE_LIBCAPNG
|
||||
+ int bAbortOnFailedLibcapngSetup;
|
||||
+#endif
|
||||
int bDebugPrintTemplateList;
|
||||
int bDebugPrintModuleList;
|
||||
int bDebugPrintCfSysLineHandlerList;
|
||||
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
|
||||
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-06-27 08:20:45.245387109 +0200
|
||||
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-06-27 08:31:35.250120215 +0200
|
||||
@@ -2151,7 +2151,7 @@ main(int argc, char **argv)
|
||||
/*
|
||||
* Drop capabilities to the necessary set
|
||||
*/
|
||||
- int capng_rc;
|
||||
+ int capng_rc, capng_failed = 0;
|
||||
capng_clear(CAPNG_SELECT_BOTH);
|
||||
|
||||
if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||
@@ -2161,10 +2161,9 @@ main(int argc, char **argv)
|
||||
CAP_LEASE,
|
||||
CAP_NET_ADMIN,
|
||||
CAP_NET_BIND_SERVICE,
|
||||
+ CAP_DAC_OVERRIDE,
|
||||
CAP_SETGID,
|
||||
CAP_SETUID,
|
||||
- CAP_DAC_OVERRIDE,
|
||||
- CAP_NET_RAW,
|
||||
CAP_SYS_ADMIN,
|
||||
CAP_SYS_CHROOT,
|
||||
CAP_SYS_RESOURCE,
|
||||
@@ -2173,17 +2172,25 @@ main(int argc, char **argv)
|
||||
)) != 0) {
|
||||
LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||
"could not update the internal posix capabilities settings "
|
||||
- "based on the options passed to it, capng_updatev=%d\n", capng_rc);
|
||||
- exit(-1);
|
||||
+ "based on the options passed to it, capng_updatev=%d", capng_rc);
|
||||
+ capng_failed = 1;
|
||||
}
|
||||
|
||||
if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
|
||||
LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||
- "could not transfer the specified internal posix capabilities "
|
||||
- "settings to the kernel, capng_apply=%d\n", capng_rc);
|
||||
- exit(-1);
|
||||
+ "could not transfer the specified internal posix capabilities "
|
||||
+ "settings to the kernel, capng_apply=%d", capng_rc);
|
||||
+ capng_failed = 1;
|
||||
+ }
|
||||
+
|
||||
+ if (capng_failed) {
|
||||
+ DBGPRINTF("Capabilities were not dropped successfully.\n");
|
||||
+ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
|
||||
+ exit(RS_RET_LIBCAPNG_ERR);
|
||||
+ }
|
||||
+ } else {
|
||||
+ DBGPRINTF("Capabilities were dropped successfully\n");
|
||||
}
|
||||
- DBGPRINTF("Capabilities were dropped successfully\n");
|
||||
#endif
|
||||
|
||||
initAll(argc, argv);
|
||||
|
|
@ -0,0 +1,145 @@
|
|||
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
|
||||
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-06-27 08:56:27.321174891 +0200
|
||||
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-06-27 08:58:17.977481782 +0200
|
||||
@@ -1557,6 +1557,88 @@ initAll(int argc, char **argv)
|
||||
resetErrMsgsFlag();
|
||||
localRet = rsconf.Load(&ourConf, ConfFile);
|
||||
|
||||
+ #ifdef ENABLE_LIBCAPNG
|
||||
+ /*
|
||||
+ * Drop capabilities to the necessary set
|
||||
+ */
|
||||
+ int capng_rc, capng_failed = 0;
|
||||
+ typedef struct capabilities_s {
|
||||
+ int capability; /* capability code */
|
||||
+ const char *name; /* name of the capability to be displayed */
|
||||
+ sbool present; /* is the capability present that is needed by rsyslog? if so we do not drop it */
|
||||
+ } capabilities_t;
|
||||
+
|
||||
+ capabilities_t capabilities[] = {
|
||||
+ #define CAP_FIELD(code) { code, #code, 0 }
|
||||
+ CAP_FIELD(CAP_BLOCK_SUSPEND),
|
||||
+ CAP_FIELD(CAP_CHOWN),
|
||||
+ CAP_FIELD(CAP_IPC_LOCK),
|
||||
+ CAP_FIELD(CAP_LEASE),
|
||||
+ CAP_FIELD(CAP_NET_ADMIN),
|
||||
+ CAP_FIELD(CAP_NET_BIND_SERVICE),
|
||||
+ CAP_FIELD(CAP_DAC_OVERRIDE),
|
||||
+ CAP_FIELD(CAP_SETGID),
|
||||
+ CAP_FIELD(CAP_SETUID),
|
||||
+ CAP_FIELD(CAP_SYS_ADMIN),
|
||||
+ CAP_FIELD(CAP_SYS_CHROOT),
|
||||
+ CAP_FIELD(CAP_SYS_RESOURCE),
|
||||
+ CAP_FIELD(CAP_SYSLOG)
|
||||
+ #undef CAP_FIELD
|
||||
+ };
|
||||
+
|
||||
+ if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
|
||||
+ /* Examine which capabilities are available to us, so we do not try to
|
||||
+ drop something that is not present. We need to do this in two steps,
|
||||
+ because capng_clear clears the capability set. In the second step,
|
||||
+ we add back those caps, which were present before clearing the selected
|
||||
+ posix capabilities set.
|
||||
+ */
|
||||
+ unsigned long caps_len = sizeof(capabilities) / sizeof(capabilities_t);
|
||||
+ for (unsigned long i = 0; i < caps_len; i++) {
|
||||
+ if (capng_have_capability(CAPNG_EFFECTIVE, capabilities[i].capability)) {
|
||||
+ capabilities[i].present = 1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ capng_clear(CAPNG_SELECT_BOTH);
|
||||
+
|
||||
+ for (unsigned long i = 0; i < caps_len; i++) {
|
||||
+ if (capabilities[i].present) {
|
||||
+ DBGPRINTF("The %s capability is present, "
|
||||
+ "will try to preserve it.\n", capabilities[i].name);
|
||||
+ if ((capng_rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||
+ capabilities[i].capability)) != 0) {
|
||||
+ LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||
+ "could not update the internal posix capabilities settings "
|
||||
+ "based on the options passed to it, capng_update=%d", capng_rc);
|
||||
+ capng_failed = 1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ DBGPRINTF("The %s capability is not present, "
|
||||
+ "will not try to preserve it.\n", capabilities[i].name);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
|
||||
+ LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||
+ "could not transfer the specified internal posix capabilities "
|
||||
+ "settings to the kernel, capng_apply=%d", capng_rc);
|
||||
+ capng_failed = 1;
|
||||
+ }
|
||||
+
|
||||
+ if (capng_failed) {
|
||||
+ DBGPRINTF("Capabilities were not dropped successfully.\n");
|
||||
+ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
|
||||
+ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
|
||||
+ }
|
||||
+ } else {
|
||||
+ DBGPRINTF("Capabilities were dropped successfully\n");
|
||||
+ }
|
||||
+ } else {
|
||||
+ DBGPRINTF("No capabilities to drop\n");
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if(fp_rs_full_conf_output != NULL) {
|
||||
if(fp_rs_full_conf_output != stdout) {
|
||||
fclose(fp_rs_full_conf_output);
|
||||
@@ -2147,52 +2229,6 @@ main(int argc, char **argv)
|
||||
bProcessInternalMessages = 1;
|
||||
dbgClassInit();
|
||||
|
||||
-#ifdef ENABLE_LIBCAPNG
|
||||
- /*
|
||||
- * Drop capabilities to the necessary set
|
||||
- */
|
||||
- int capng_rc, capng_failed = 0;
|
||||
- capng_clear(CAPNG_SELECT_BOTH);
|
||||
-
|
||||
- if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||
- CAP_BLOCK_SUSPEND,
|
||||
- CAP_CHOWN,
|
||||
- CAP_IPC_LOCK,
|
||||
- CAP_LEASE,
|
||||
- CAP_NET_ADMIN,
|
||||
- CAP_NET_BIND_SERVICE,
|
||||
- CAP_DAC_OVERRIDE,
|
||||
- CAP_SETGID,
|
||||
- CAP_SETUID,
|
||||
- CAP_SYS_ADMIN,
|
||||
- CAP_SYS_CHROOT,
|
||||
- CAP_SYS_RESOURCE,
|
||||
- CAP_SYSLOG,
|
||||
- -1
|
||||
- )) != 0) {
|
||||
- LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||
- "could not update the internal posix capabilities settings "
|
||||
- "based on the options passed to it, capng_updatev=%d", capng_rc);
|
||||
- capng_failed = 1;
|
||||
- }
|
||||
-
|
||||
- if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
|
||||
- LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||
- "could not transfer the specified internal posix capabilities "
|
||||
- "settings to the kernel, capng_apply=%d", capng_rc);
|
||||
- capng_failed = 1;
|
||||
- }
|
||||
-
|
||||
- if (capng_failed) {
|
||||
- DBGPRINTF("Capabilities were not dropped successfully.\n");
|
||||
- if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
|
||||
- exit(RS_RET_LIBCAPNG_ERR);
|
||||
- }
|
||||
- } else {
|
||||
- DBGPRINTF("Capabilities were dropped successfully\n");
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
initAll(argc, argv);
|
||||
#ifdef HAVE_LIBSYSTEMD
|
||||
sd_notify(0, "READY=1");
|
||||
11
rsyslog.spec
11
rsyslog.spec
|
|
@ -5,7 +5,7 @@
|
|||
Summary: Enhanced system logging and kernel message trapping daemon
|
||||
Name: rsyslog
|
||||
Version: 8.2102.0
|
||||
Release: 115%{?dist}
|
||||
Release: 116%{?dist}
|
||||
License: (GPLv3+ and ASL 2.0)
|
||||
URL: http://www.rsyslog.com/
|
||||
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
|
||||
|
|
@ -48,6 +48,8 @@ Patch26: rsyslog-8.2102.0-rhbz2192955-es-4.patch
|
|||
Patch27: rsyslog-8.2102.0-rhbz2192955-es-5.patch
|
||||
Patch28: rsyslog-8.2102.0-rhbz2192955-es-6.patch
|
||||
Patch29: rsyslog-8.2102.0-rhbz2192955-es-doc.patch
|
||||
Patch30: rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
|
||||
Patch31: rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
|
|
@ -313,6 +315,8 @@ mv build doc
|
|||
%patch27 -p1 -b .es5
|
||||
%patch28 -p1 -b .es6
|
||||
%patch29 -p1 -b .es-doc
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
|
||||
pushd ..
|
||||
%patch9 -p1 -b .openssl-compatibility
|
||||
|
|
@ -578,6 +582,11 @@ done
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 27 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-116
|
||||
- libcapng: do not try to drop capabilities that are not present
|
||||
- add global libcapng.default to not abort when libcapng fails
|
||||
resolves: rhbz#2216919
|
||||
|
||||
* Mon May 22 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-115
|
||||
- omelasticsearch: make compatible with elasticsearch>=8
|
||||
- add new action specific parameter esversion.major
|
||||
|
|
|
|||
Loading…
Reference in New Issue