import rsyslog-8.1911.0-6.el8

CentOS Sources 2020-07-28 02:16:28 -04:00 committed by Stepan Oksanichenko
parent 3f7674c145
commit 517681983b
9 changed files with 365 additions and 2 deletions

1
.gitignore vendored

@ -1,2 +1,3 @@
SOURCES/qpid-proton-0.31.0.tar.gz
SOURCES/rsyslog-8.1911.0.tar.gz
SOURCES/rsyslog-doc-8.1911.0.tar.gz


@ -1,2 +1,3 @@
8714235747ec8947648448eecda57e97d3a733ce SOURCES/qpid-proton-0.31.0.tar.gz
30dfc2b99d73598788e2bd0d0ac45e16e7c3a3d5 SOURCES/rsyslog-8.1911.0.tar.gz
8bcb23571ab8011b712ccf52acee20f8940b7f03 SOURCES/rsyslog-doc-8.1911.0.tar.gz


@ -0,0 +1,123 @@
From ba5b68be84888b24918dd019b87ed9f62d7fa988 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Tue, 11 Feb 2020 13:46:23 +0100
Subject: [PATCH] Fixed processing of 'cofig.enabled' directive
Previously the directive was processed way too late which caused
false errors whenever it was set to 'off' and possibly other
problems.
---
grammar/rainerscript.c | 43+++++++++++++++++++++++----------------
grammar/rainerscript.h | 1 +
runtime/rsconf.c | 10 +++++++++
3 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index 8f14bbe319..4398e6011a 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -699,6 +699,22 @@ nvlstFindNameCStr(struct nvlst *lst, const char *const __restrict__ name)
return lst;
}
+/* check if the nvlst is disabled, and mark config.enabled directive
+ * as used if it is not. Returns 1 if block is disabled, 0 otherwise.
+ */
+int nvlstChkDisabled(struct nvlst *lst)
+{
+ struct nvlst *valnode;
+
+ if((valnode = nvlstFindNameCStr(lst, "config.enabled")) != NULL) {
+ lst->bUsed = 1;
+ if(es_strbufcmp(valnode->val.d.estr, (unsigned char*) "on", 2)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
/* check if there are duplicate names inside a nvlst and emit
* an error message, if so.
@@ -1207,21 +1224,6 @@ nvlstGetParams(struct nvlst *lst, struct cnfparamblk *params,
}
}
- /* now config-system parameters (currently a bit hackish, as we
- * only have one...). -- rgerhards, 2018-01-24
- */
- if((valnode = nvlstFindNameCStr(lst, "config.enabled")) != NULL) {
- if(es_strbufcmp(valnode->val.d.estr, (unsigned char*) "on", 2)) {
- dbgprintf("config object disabled by configuration\n");
- /* flag all params as used to not emit error mssages */
- bInError = 1;
- struct nvlst *val;
- for(val = lst; val != NULL ; val = val->next) {
- val->bUsed = 1;
- }
- }
- }
-
/* done parameter processing */
if(bInError) {
if(bValsWasNULL)
@@ -4418,8 +4418,13 @@ cnfstmtNewAct(struct nvlst *lst)
struct cnfstmt* cnfstmt;
char namebuf[256];
rsRetVal localRet;
- if((cnfstmt = cnfstmtNew(S_ACT)) == NULL)
+ if((cnfstmt = cnfstmtNew(S_ACT)) == NULL) {
goto done;
+ }
+ if (nvlstChkDisabled(lst)) {
+ dbgprintf("action disabled by configuration\n");
+ cnfstmt->nodetype = S_NOP;
+ }
localRet = actionNewInst(lst, &cnfstmt->d.act);
if(localRet == RS_RET_OK_WARN) {
parser_errmsg("warnings occured in file '%s' around line %d",
@@ -5284,6 +5289,11 @@ includeProcessCnf(struct nvlst *const lst)
goto done;
}
+ if (nvlstChkDisabled(lst)) {
+ DBGPRINTF("include statement disabled\n");
+ goto done;
+ }
+
pvals = nvlstGetParams(lst, &incpblk, NULL);
if(pvals == NULL) {
goto done;
diff --git a/grammar/rainerscript.h b/grammar/rainerscript.h
index bfa8ee6cb9..0f8128861b 100644
--- a/grammar/rainerscript.h
+++ b/grammar/rainerscript.h
@@ -340,6 +340,7 @@ void nvlstDestruct(struct nvlst *lst);
void nvlstPrint(struct nvlst *lst);
void nvlstChkUnused(struct nvlst *lst);
struct nvlst* nvlstFindName(struct nvlst *lst, es_str_t *name);
+int nvlstChkDisabled(struct nvlst *lst);
struct cnfobj* cnfobjNew(enum cnfobjType objType, struct nvlst *lst);
void cnfobjDestruct(struct cnfobj *o);
void cnfobjPrint(struct cnfobj *o);
diff --git a/runtime/rsconf.c b/runtime/rsconf.c
index fc0863a738..303e06365b 100644
--- a/runtime/rsconf.c
+++ b/runtime/rsconf.c
@@ -438,6 +438,16 @@ cnfDoObj(struct cnfobj *const o)
dbgprintf("cnf:global:obj: ");
cnfobjPrint(o);
+
+ /* We need to check for object disabling as early as here to cover most
+ * of them at once and avoid needless initializations
+ * - jvymazal 2020-02-12
+ */
+ if (nvlstChkDisabled(o->nvlst)) {
+ dbgprintf("object disabled by configuration\n");
+ return;
+ }
+
switch(o->objType) {
case CNFOBJ_GLOBAL:
glblProcessCnf(o);
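Review bot: In `nvlstChkDisabled` the added line `lst->bUsed = 1;` marks the head of the list rather than the node that was just found, although the function's own comment says it marks the `config.enabled` directive as used. Unless `config.enabled` happens to be the first entry, the directive itself stays unmarked and whichever parameter is first gets flagged as used, which could hide an unknown-parameter error for it if the unused-parameter check keys on `bUsed` (that check is outside this section). The line should read `valnode->bUsed = 1;`. Separately, `cnfstmtNewAct` still calls `actionNewInst` after setting `nodetype = S_NOP`, so it is worth confirming that a disabled action is really meant to be instantiated.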


@ -0,0 +1,58 @@
From 0de93c9e1597b20f71bb61d5375ded546cfd2fa8 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Wed, 11 Dec 2019 15:35:26 +0100
Subject: [PATCH] Changed default for permitExpiredCerts to "off"
This is to be conssitent with rsyslog's prior behavior where
expired certs were automatically rejected
---
runtime/nsd_gtls.c | 10 +++++-----
runtime/nsd_ossl.c | 8 ++++----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 5df12994d1..2be0ca9c92 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -1461,16 +1461,16 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
ISOBJ_TYPE_assert((pThis), nsd_gtls);
- /* default is set to warn! */
- if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
- pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
- } else if(!strcasecmp((char*) mode, "off")) {
+ /* default is set to off! */
+ if(mode == NULL || !strcasecmp((char*)mode, "off")) {
pThis->permitExpiredCerts = GTLS_EXPIRED_DENY;
+ } else if(!strcasecmp((char*) mode, "warn")) {
+ pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
} else if(!strcasecmp((char*) mode, "on")) {
pThis->permitExpiredCerts = GTLS_EXPIRED_PERMIT;
} else {
LogError(0, RS_RET_VALUE_NOT_SUPPORTED, "error: permitexpiredcerts mode '%s' not supported by "
- "ossl netstream driver", mode);
+ "gtls netstream driver", mode);
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
}
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 4f8dd845ab..ebb2537d72 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -1130,11 +1130,11 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
nsd_ossl_t *pThis = (nsd_ossl_t*) pNsd;
ISOBJ_TYPE_assert((pThis), nsd_ossl);
- /* default is set to warn! */
- if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
- pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
- } else if(!strcasecmp((char*) mode, "off")) {
+ /* default is set to off! */
+ if(mode == NULL || !strcasecmp((char*)mode, "off")) {
pThis->permitExpiredCerts = OSSL_EXPIRED_DENY;
+ } else if(!strcasecmp((char*) mode, "warn")) {
+ pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
} else if(!strcasecmp((char*) mode, "on")) {
pThis->permitExpiredCerts = OSSL_EXPIRED_PERMIT;
} else {
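Review bot: The rewritten comment `/* default is set to off! */` in both `SetPermitExpiredCerts` variants does not say what "off" means for a peer, so the fail-closed default is easy to misread. Something like `/* default (mode unset) is "off": expired peer certificates are rejected */` would state it outright. Because an unset mode previously selected the WARN value, hosts that upgrade while peers still present expired certificates will presumably see TLS sessions refused instead of a warning, so the change deserves a release-note line and a log message operators can search for. The nsd_ossl.c hunk ends inside the if/else chain, so its error branch cannot be checked from here.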


@ -0,0 +1,33 @@
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Wed, 18 Dec 2019 09:48:15 +0100
Subject: [PATCH] Fix race condition related to libfastjson when using DA queue
Rsyslogd aborts when writing to disk queue from multiple workers simultaneously.
It is assumed that libfastjson is not thread-safe.
Resolve libfastjson race condition when writing to disk queue.
see also https://github.com/rsyslog/rsyslog/issues/4099
---
runtime/msg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/runtime/msg.c b/runtime/msg.c
index b5c17cfdd4..f9da40005f 100644
--- a/runtime/msg.c
+++ b/runtime/msg.c
@@ -1242,11 +1242,15 @@ static rsRetVal MsgSerialize(smsg_t *pThis, strm_t *pStrm)
psz = pThis->pszStrucData;
CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("pszStrucData"), PROPTYPE_PSZ, (void*) psz));
if(pThis->json != NULL) {
+ MsgLock(pThis);
psz = (uchar*) json_object_get_string(pThis->json);
+ MsgUnlock(pThis);
CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("json"), PROPTYPE_PSZ, (void*) psz));
}
if(pThis->localvars != NULL) {
+ MsgLock(pThis);
psz = (uchar*) json_object_get_string(pThis->localvars);
+ MsgUnlock(pThis);
CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("localvars"), PROPTYPE_PSZ, (void*) psz));
}
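Review bot: The lock added around `json_object_get_string` is released before `psz` is used, so `obj.SerializeProp` still reads the string after `MsgUnlock(pThis)`. The returned pointer refers to storage owned by the json object, so as far as I can tell another worker that modifies or re-serializes the same object between the unlock and the copy can invalidate it; the same applies to the `localvars` block. Holding the lock across the serialization closes that window, e.g. `localRet = obj.SerializeProp(pStrm, UCHAR_CONSTANT("json"), PROPTYPE_PSZ, (void*) psz); MsgUnlock(pThis); CHKiRet(localRet);` with `localRet` a local `rsRetVal`. `MsgSerialize` starts and ends outside this hunk, so whether callers already hold the message lock cannot be confirmed here.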


@ -0,0 +1,37 @@
From 0c69ec76d8cac47bcfa78abae86229ad63c92b0b Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Tue, 21 Jan 2020 13:58:14 +0100
Subject: [PATCH] Fixed saving of old file_id for statefiles
Previously we saved old file_id unconditionally, which led to not
deleting old statefiles if files changes without rsyslog running.
Now it should work correctly.
---
plugins/imfile/imfile.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index 908bb5901c..5ad44f6c59 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -1258,8 +1258,8 @@ get_file_id_hash(const char *data, size_t lendata,
static void ATTR_NONNULL(1)
getFileID(act_obj_t *const act)
{
- /* save the old id for cleaning purposes */
- strncpy(act->file_id_prev, (const char*)act->file_id, FILE_ID_HASH_SIZE);
+ char tmp_id[FILE_ID_HASH_SIZE];
+ strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
act->file_id[0] = '\0';
assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
char filedata[FILE_ID_SIZE];
@@ -1270,6 +1270,9 @@ getFileID(act_obj_t *const act)
} else {
DBGPRINTF("getFileID partial or error read, ret %d\n", r);
}
+ if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
+ strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
+ }
DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
}
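Review bot: `strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE)` does not NUL-terminate `tmp_id` when the source fills all `FILE_ID_HASH_SIZE` bytes, and the later `strncpy` into `act->file_id_prev` carries that over. The bounded `strncmp` is safe either way, but `file_id_prev` is presumably consumed as a C string later (its declaration and users are outside the hunks), so an explicit terminator is cheap insurance: `tmp_id[FILE_ID_HASH_SIZE - 1] = '\0';` after the first copy and `act->file_id_prev[FILE_ID_HASH_SIZE - 1] = '\0';` after the second, assuming `file_id_prev` is at least that large. On a partial or failed read `act->file_id` stays empty, so the comparison differs and the previous id is still saved; a comment saying whether that is intended would help.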


@ -0,0 +1,24 @@
From 89ff6436b55cd81c54dcb076490b0c4de98d508d Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Tue, 9 Jun 2020 12:09:59 +0200
Subject: [PATCH] Fixing imfile segfaulting on selinux denial
If imfile is denied access to file watched trough symlink there is
unchecked condition resulting in access to not initialized memory.
---
plugins/imfile/imfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index f360bd290b..21d6546552 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -732,7 +732,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
} else { /* reporting only in debug for dirs as higher lvl paths are likely blocked by selinux */
DBGPRINTF("imfile: error accessing directory '%s'", name);
}
- FINALIZE;
+ ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);
}
DBGPRINTF("add new active object '%s' in '%s'\n", name, edge->path);
CHKmalloc(act = calloc(sizeof(act_obj_t), 1));
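Review bot: The replacement line `ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);` carries the whole fix but has no comment saying why leaving this branch with a success code was unsafe. A short comment such as `/* report failure: no object was added on this path */` (wording to be matched to what the exit path actually does) would keep a later cleanup from turning it back into `FINALIZE`. The function's exit path and its callers are outside this hunk, so it is worth confirming that every caller checks the return value. It is also worth confirming that the directory branch, which logs only at debug level, is meant to return the same error as the file branch.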


@ -12,7 +12,7 @@ module(load="imuxsock" # provides support for local system logging (e.g. via
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load"immark") # provides --MARK-- message capability
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html


@ -6,7 +6,7 @@
Summary: Enhanced system logging and kernel message trapping daemon
Name: rsyslog
Version: 8.1911.0
Release: 2%{?dist}
Release: 6%{?dist}
License: (GPLv3+ and ASL 2.0)
Group: System Environment/Daemons
ExcludeArch: i686
@ -16,6 +16,7 @@ Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.ta
Source2: rsyslog.conf
Source3: rsyslog.sysconfig
Source4: rsyslog.log
Source5: qpid-proton-0.31.0.tar.gz
BuildRequires: autoconf
BuildRequires: automake
@ -48,6 +49,11 @@ Patch0: rsyslog-8.1911.0-service.patch
# imjournal: adds "journal" when tag/process name is missing
Patch1: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
Patch2: rsyslog-8.1911.0-rhbz1763757-imfile-statefiles.patch
Patch3: rsyslog-8.1911.0-rhbz1782353-deny-expired-by-default.patch
Patch4: rsyslog-8.1911.0-rhbz1659383-config-enabled-error.patch
Patch5: rsyslog-8.1911.0-rhbz1789675-serialize-crash-race.patch
Patch6: rsyslog-8.1911.0-rhbz1793569-imfile-file_id.patch
Patch7: rsyslog-8.1911.0-rhbz1843994-imfile-selinux-symlink-crash.patch
%package crypto
Summary: Encryption support
@ -115,6 +121,20 @@ Group: System Environment/Daemons
Requires: %name = %version-%release
BuildRequires: mariadb-connector-c-devel
%package omamqp1
Summary: AMQP1 support for rsyslog
Group: System Environment/Daemons
Requires: %name = %version-%release
Requires: cyrus-sasl-lib
Requires: openssl-libs
BuildRequires: cmake
BuildRequires: make
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: cyrus-sasl-devel
BuildRequires: openssl-devel
BuildRequires: python3
%package pgsql
Summary: PostgresSQL support for rsyslog
Group: System Environment/Daemons
@ -189,6 +209,10 @@ modifies them so that they look like they originated from the read originator.
The rsyslog-mysql package contains a dynamic shared object that will add
MySQL database support to rsyslog.
%description omamqp1
The rsyslog-omamqp1 package contains a dynamic shared object that will add
AMQP1 support to rsyslog.
%description pgsql
The rsyslog-pgsql package contains a dynamic shared object that will add
PostgreSQL database support to rsyslog.
@ -218,14 +242,44 @@ mv build doc
# set up rsyslog sources
%setup -q -D
%setup -q -D -T -b 5
%patch0 -p1 -b .service
%patch1 -p1 -b .default-tag
%patch2 -p1 -b .imfile-statefiles
%patch3 -p1 -b .deny-expired-certs
%patch4 -p1 -b .config-enabled-on
%patch5 -p1 -b .serialize-json
%patch6 -p1 -b .imfile-id
%patch7 -p1 -b .imfile-selinux-symlink
%build
%ifarch sparc64
#sparc64 need big PIE
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
%else
export CFLAGS="$RPM_OPT_FLAGS -fpic"
%endif
# build the proton first
(
cd %{_builddir}/qpid-proton-0.31.0
mkdir bld
cd bld
# Need ENABLE_FUZZ_TESTING=NO to avoid a link failure
# Find python include dir and python library from
# https://stackoverflow.com/questions/24174394/cmake-is-not-able-to-find-python-libraries
cmake .. \
-DBUILD_BINDINGS="" \
-DBUILD_STATIC_LIBS=YES \
-DENABLE_FUZZ_TESTING=NO \
-DPYTHON_INCLUDE_DIR=$(python3 -c "from distutils.sysconfig import get_python_inc; print(get_python_inc())") \
-DPYTHON_LIBRARY=$(python3 -c "import distutils.sysconfig as sysconfig; print(sysconfig.get_config_var('LIBDIR'))") \
-DCMAKE_AR="/usr/bin/gcc-ar" -DCMAKE_NM="/usr/bin/gcc-nm" -DCMAKE_RANLIB="/usr/bin/gcc-ranlib"
make -j8
)
%ifarch sparc64
#sparc64 need big PIE
export CFLAGS="$RPM_OPT_FLAGS -fPIE"
%else
export CFLAGS="$RPM_OPT_FLAGS -fpie"
@ -258,6 +312,7 @@ autoreconf -if
--enable-mmsnmptrapd \
--enable-mmutf8fix \
--enable-mysql \
--enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.31.0/bld/c/include" \
--enable-omhttp \
--enable-omjournal \
--enable-omkafka \
@ -413,6 +468,9 @@ done
%doc %{rsyslog_docdir}/mysql-createDB.sql
%{_libdir}/rsyslog/ommysql.so
%files omamqp1
%{_libdir}/rsyslog/omamqp1.so
%files pgsql
%doc %{rsyslog_docdir}/pgsql-createDB.sql
%{_libdir}/rsyslog/ompgsql.so
@ -426,6 +484,34 @@ done
%changelog
* Thu Jun 18 2020 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-6
RHEL 8.3.0 ERRATUM
- added patch preventing imfile crash when selinux blocks symlink
access
resolves: rhbz#1843994
- fixed config-enabled patch
resolves: rhbz#1659383
* Thu Jun 04 2020 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-5
RHEL 8.3.0 ERRATUM
- added qpid-proton as another source and enabled omamqp1 module
in a separate sub-package with it statically linked
resolves: rhbz#1713427
- extended config.enabled patch to cover rest of the cases
resolves: rhbz#1659383
- added patch making json serialization thread-safe
resolves: rhbz#1789675
- added another patch for imfile state-files id
resolves: rhbz#1793569
- fixed typo in commend-out part of default rsyslog.conf
* Wed Dec 11 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-3
RHEL 8.2.0 ERRATUM
- added patch reverting rejecting expired certs by default
resolves: rhbz#1782353
- added patch silencing false errors on config.enabled statement
resolves: rhbz#1659383
* Tue Dec 03 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-2
RHEL 8.2.0 ERRATUM
- cleaned old patches, fixed patch names
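Review bot: The new `%package omamqp1` block statically links a private build of qpid-proton 0.31.0 but declares nothing that records the bundled copy, so tooling that matches installed packages against advisories will not see proton inside `omamqp1.so`. Adding `Provides: bundled(qpid-proton) = 0.31.0` to that subpackage makes the embedded library visible to such scans. `Source5` is also given as a bare file name, unlike `Source1` with its download URL, so the tarball's origin rests on the checksum in the metadata file alone; a full URL would document provenance. In `%build`, `make -j8` hard-codes the job count where `%{?_smp_mflags}` would follow the builder's setting.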