From 45f06f7194154003c1c384a9d73c048144194716 Mon Sep 17 00:00:00 2001 From: Cropi Date: Fri, 6 Dec 2024 07:46:00 +0100 Subject: [PATCH] Rebase to 8.2412.0 Resolves: RHEL-70110 Fix $ActionQueueDiscardMark default value to 80% queue size Resolves: RHEL-41153 Fix segfault when $ControlCharacterEscapePrefix is set Resolves: RHEL-35823 Fix segfault due to processing malform queue message Resolves: RHEL-33451 Fix crash on startup when an invalid function is specified Resolves: RHEL-59893 Startup rsyslog service after network-online.target Resolves: RHEL-39284 Harden service file Resolves: RHEL-39237 imjournal: PID nummber is retrieved from the journal by default Resolves: RHEL-39413 --- .gitignore | 2 ++ disable-openssl-engine.patch | 70 +++++++++++++++--------------------- rsyslog.conf | 2 ++ rsyslog.service | 14 ++++++++ rsyslog.spec | 22 ++++++++++-- sources | 4 +-- 6 files changed, 69 insertions(+), 45 deletions(-) diff --git a/.gitignore b/.gitignore index 2674446..ff0224a 100644 --- a/.gitignore +++ b/.gitignore @@ -96,3 +96,5 @@ rsyslog-4.6.3.tar.gz /rsyslog-doc-8.2312.0.tar.gz /rsyslog-8.2408.0.tar.gz /rsyslog-doc-8.2408.0.tar.gz +/rsyslog-8.2412.0.tar.gz +/rsyslog-doc-8.2412.0.tar.gz diff --git a/disable-openssl-engine.patch b/disable-openssl-engine.patch index b270eee..20ba01e 100644 --- a/disable-openssl-engine.patch +++ b/disable-openssl-engine.patch 
@@ -1,72 +1,60 @@ -diff -up rsyslog-8.2408.0/runtime/net_ossl.c.orig rsyslog-8.2408.0/runtime/net_ossl.c ---- rsyslog-8.2408.0/runtime/net_ossl.c.orig 2024-08-21 12:20:02.634846602 +0200 -+++ rsyslog-8.2408.0/runtime/net_ossl.c 2024-08-21 12:23:59.487229756 +0200 -@@ -223,6 +223,7 @@ osslGlblInit(void) +diff -up rsyslog-8.2412.0/runtime/net_ossl.c.orig rsyslog-8.2412.0/runtime/net_ossl.c +--- rsyslog-8.2412.0/runtime/net_ossl.c.orig 2024-11-27 13:05:51.327988286 +0100 ++++ rsyslog-8.2412.0/runtime/net_ossl.c 2024-11-27 13:06:26.806335104 +0100 +@@ -220,6 +220,7 @@ osslGlblInit(void) + ERR_load_crypto_strings(); + #endif + ++#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM PRAGMA_DIAGNOSTIC_PUSH PRAGMA_IGNORE_Wdeprecated_declarations -+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM - // Initialize OpenSSL engine library - ENGINE_load_builtin_engines(); - /* Register all of them for every algorithm they collectively implement */ -@@ -243,6 +244,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations - } +@@ -244,6 +245,8 @@ PRAGMA_IGNORE_Wdeprecated_declarations // Free the engine reference when done ENGINE_free(osslEngine); -+#endif PRAGMA_DIAGNOSTIC_POP ++#endif ++ } -@@ -251,7 +253,10 @@ void + /* globally de-initialize OpenSSL */ +@@ -251,7 +254,9 @@ void osslGlblExit(void) { DBGPRINTF("openssl: entering osslGlblExit\n"); -+ -+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM ++ #ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM ENGINE_cleanup(); -+#endif ++ #endif ERR_free_strings(); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); -@@ -638,7 +643,7 @@ net_ossl_chkonepeername(net_ossl_t *pThi - #endif - char *x509name = NULL; - DEFiRet; -- -+ - if (certpeer == NULL) { - ABORT_FINALIZE(RS_RET_TLS_NO_CERT); - } -@@ -1151,6 +1156,8 @@ net_ossl_init_engine(__attribute__((unus +@@ -1149,6 +1154,7 @@ net_ossl_init_engine(__attribute__((unus + const char *engine_id = NULL; + const char *engine_name = NULL; ++#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM PRAGMA_DIAGNOSTIC_PUSH PRAGMA_IGNORE_Wdeprecated_declarations 
-+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM -+ // Get the default RSA engine - ENGINE *default_engine = ENGINE_get_default_RSA(); - if (default_engine) { -@@ -1188,6 +1195,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations - } else { +@@ -1189,7 +1195,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations DBGPRINTF("net_ossl_init_engine: use openssl default Engine"); } -+#endif PRAGMA_DIAGNOSTIC_POP - +- ++#endif // ENABLE_OPENSSL_ENGINES_DOWNSTREAM RETiRet; -diff -up rsyslog-8.2408.0/runtime/net_ossl.h.orig rsyslog-8.2408.0/runtime/net_ossl.h ---- rsyslog-8.2408.0/runtime/net_ossl.h.orig 2024-08-21 12:19:42.902648065 +0200 -+++ rsyslog-8.2408.0/runtime/net_ossl.h 2024-08-21 12:23:14.053772607 +0200 -@@ -31,7 +31,11 @@ + } + +diff -up rsyslog-8.2412.0/runtime/net_ossl.h.orig rsyslog-8.2412.0/runtime/net_ossl.h +--- rsyslog-8.2412.0/runtime/net_ossl.h.orig 2024-11-27 13:06:01.138084180 +0100 ++++ rsyslog-8.2412.0/runtime/net_ossl.h 2024-11-27 13:06:30.536372456 +0100 +@@ -31,7 +31,9 @@ #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) # include #endif --#include -+ +#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM -+# include + #include +#endif -+ #include #include diff --git a/rsyslog.conf b/rsyslog.conf index f6d3f6a..44e2a49 100644 --- a/rsyslog.conf +++ b/rsyslog.conf @@ -18,6 +18,8 @@ module(load="imuxsock" # provides support for local system logging (e.g. via SysSock.Use="off") # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. module(load="imjournal" # provides access to the systemd journal + UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from + FileCreateMode="0644" # Set the access permissions for the state file StateFile="imjournal.state") # File to store the position in the journal # Include all config files in /etc/rsyslog.d/ diff --git a/rsyslog.service b/rsyslog.service index 9c13b1d..fa59599 100644 --- a/rsyslog.service +++ b/rsyslog.service 
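Review bot: In the rebased `net_ossl_init_engine` section, `#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM` now opens after the `engine_id` and `engine_name` declarations and closes right before `RETiRet;`, so a build without the macro leaves both locals unused and reduces the function to a silent no-op. A configuration that names an engine, for example one backing keys in hardware, would then presumably run without it and without any diagnostic. Consider an `#else` branch with `(void)engine_id; (void)engine_name;` and `DBGPRINTF("net_ossl_init_engine: engine support disabled at build time\n");`, or a warning-level log in its place. The function body extends beyond the inner hunks, so check whether the locals are referenced elsewhere.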
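Review bot: `FileCreateMode="0644"` requests a world-readable imjournal state file, while the unit shipped in this same commit keeps `UMask=0066`, so the mode that results on disk may not be the one written here. If only the daemon needs the file, `FileCreateMode="0600"` says so directly and follows least privilege. If wider read access is intended, the comment should name the consumer, e.g. `# 0644 so that <tool> can read the journal cursor`. The comment on the `UsePid` line also has a typo, `nummber`.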
@@ -1,6 +1,8 @@ [Unit] Description=System Logging Service ;Requires=syslog.socket +Wants=network.target network-online.target +After=network.target network-online.target Documentation=man:rsyslogd(8) Documentation=https://www.rsyslog.com/doc/ @@ -12,6 +14,18 @@ ExecReload=/usr/bin/kill -HUP $MAINPID UMask=0066 StandardOutput=null Restart=on-failure +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=net +NoNewPrivileges=yes +ProtectControlGroups=yes +ProtectHome=read-only +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @raw-io @reboot @swap @cpu-emulation @obsolete +LockPersonality=yes +MemoryDenyWriteExecute=yes # Increase the default a bit in order to allow many simultaneous # files to be monitored, we might need a lot of fds. diff --git a/rsyslog.spec b/rsyslog.spec index 389f6d0..3e11c10 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -36,8 +36,8 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog -Version: 8.2408.0 -Release: 2%{?dist} +Version: 8.2412.0 +Release: 1%{?dist} License: GPL-3.0-or-later AND Apache-2.0 URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz 
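Review bot: `After=network-online.target` makes the logging daemon wait for the network wait-online step, so on a host whose network is slow or never comes up, writing to local log files starts late as well. Messages stay in the journal meanwhile, since the shipped config reads through imjournal. `Wants=network.target` is also unusual, because network.target is a passive ordering point and only `network-online.target` needs to be pulled in. A comment naming what needs the ordering would help, e.g. `# remote forwarding and network listeners need configured addresses at start`, so that hosts logging only locally know they can override it with a drop-in.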
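Review bot: The `SystemCallFilter=~@clock @debug ...` deny-list has no `SystemCallErrorNumber=`, so a filtered call from any loaded module is answered with SIGSYS, and `Restart=on-failure` then restarts the daemon, which can leave gaps in logging. Consider adding `SystemCallErrorNumber=EPERM` if availability of the log pipeline matters more than fail-stop behaviour. `RestrictNamespaces=net` is an allow-list: it permits network-namespace operations and denies the other types, which is worth stating in a comment such as `# only network namespaces may be entered or created`. Helper programs that rsyslog spawns inherit `NoNewPrivileges`, `MemoryDenyWriteExecute` and the syscall filter, so setuid or JIT-based helpers would need testing under this unit.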
@@ -767,6 +767,24 @@ done %changelog +* Thu Dec 05 2024 Attila Lakatos - 8.2412.0-1 +- Rebase to 8.2412.0 + Resolves: RHEL-70110 +- Fix $ActionQueueDiscardMark default value to 80% queue size + Resolves: RHEL-41153 +- Fix segfault when $ControlCharacterEscapePrefix is set + Resolves: RHEL-35823 +- Fix segfault due to processing malform queue message + Resolves: RHEL-33451 +- Fix crash on startup when an invalid function is specified + Resolves: RHEL-59893 +- Startup rsyslog service after network-online.target + Resolves: RHEL-39284 +- Harden service file + Resolves: RHEL-39237 +- imjournal: PID nummber is retrieved from the journal by default + Resolves: RHEL-39413 + * Tue Oct 29 2024 Troy Dawson - 8.2408.0-2 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 diff --git a/sources b/sources index f364de8..380a910 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (qpid-proton-0.39.0.tar.gz) = df5c5469ee82ba02de62dce15b73b81aab2aae07c7db668182df690cea4ff7584111bd12143fe5e3569469a9ddf4950ac68d60b53d1a7815da4748052948cd1b -SHA512 (rsyslog-8.2408.0.tar.gz) = 86901f76290aa451dfc8dc3d2c7eb2ea82bdbf39875fe2872169a3aa44933aff064dd5ea9b80964881fd07c34c17da25ec6a0efc1c5b7f4d6884435639fa0338 -SHA512 (rsyslog-doc-8.2408.0.tar.gz) = 9982688880b8362ca2ecd5f076f12aaf31b966144bd9b291761e660307e4c31e8c3ccc17b6b2b0cb2ccf2e30ba81927126991f9539562c2f02966a59fd1624aa +SHA512 (rsyslog-8.2412.0.tar.gz) = fdd8bb096c9578fe2c4ed8cdb13179d7b3333d0f9be1b2c921b5b040f1e1414c3f9f8106e44444aaefba22f235a44d17c0c5b80cd114fe540a2aebb30e3eba72 +SHA512 (rsyslog-doc-8.2412.0.tar.gz) = 9b5d453b5774b027a6a4ba232133953d8a8058df4bfff31f835504656d7b01008cec5c0d28667bed0052799cf7389c0bafea7c76c3190bdcdf3d8a2eedf19b4e