Adjust capability set for libcap-ng

alakatos 2023-01-17 17:01:37 +01:00
parent c61f1049a4
commit 8b6dfc7653
2 changed files with 109 additions and 102 deletions


@ -1,20 +1,3 @@
From e9f85312630eb25d0985e911475803bd06f4173e Mon Sep 17 00:00:00 2001
From: alakatos <alakatos@redhat.com>
Date: Thu, 13 Oct 2022 10:41:38 +0200
Subject: [PATCH 1/2] Introduce --enable-libcap-ng configure option
The option allows to drop the capabilities to only
the necessary set, to minimize security exposure in
case there was ever a mistake in a networking
plugin or some other input resource. Resolves #4986
---
configure.ac | 24 ++++++++++++++++++++++++
runtime/debug.c | 4 ++--
runtime/modules.c | 6 +++---
runtime/rsyslog.h | 1 +
tools/rsyslogd.c | 42 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 72 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9f73a708d0..958c26245e 100644
--- a/configure.ac
@ -110,91 +93,8 @@ index 810b2e9b52..b39bd9f066 100644
finalize_it:
free(cnfModName);
cnfparamvalsDestruct(pvals, &pblk);
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 908e5e7b73..01616d8f7d 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -604,6 +604,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
+ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
/* RainerScript error messages (range 1000.. 1999) */
RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
index 31b91a1bd1..c209e1bcdd 100644
--- a/tools/rsyslogd.c
+++ b/tools/rsyslogd.c
@@ -37,6 +37,9 @@
#ifdef HAVE_LIBSYSTEMD
# include <systemd/sd-daemon.h>
#endif
+#ifdef ENABLE_LIBCAPNG
+ #include <cap-ng.h>
+#endif
#include "rsyslog.h"
#include "wti.h"
@@ -2167,6 +2170,45 @@ main(int argc, char **argv)
fjson_global_do_case_sensitive_comparison(0);
dbgClassInit();
+
+#ifdef ENABLE_LIBCAPNG
+ /*
+ * Drop capabilities to the necessary set
+ */
+ int capng_rc;
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_BLOCK_SUSPEND,
+ CAP_CHOWN,
+ CAP_IPC_LOCK,
+ CAP_LEASE,
+ CAP_NET_ADMIN,
+ CAP_NET_BIND_SERVICE,
+ CAP_PERFMON,
+ CAP_SETGID,
+ CAP_SETUID,
+ CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT,
+ CAP_SYS_RESOURCE,
+ CAP_SYSLOG,
+ -1
+ )) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not update the internal posix capabilities settings "
+ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
+ exit(-1);
+ }
+
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d\n", capng_rc);
+ exit(-1);
+ }
+ DBGPRINTF("Capabilities were dropped successfully\n");
+#endif
+
initAll(argc, argv);
#ifdef HAVE_LIBSYSTEMD
sd_notify(0, "READY=1");
From 305e07a2b757b98dc7e26c148c175901034451b9 Mon Sep 17 00:00:00 2001
From: alakatos <alakatos@redhat.com>
Date: Mon, 31 Oct 2022 12:30:48 +0100
Subject: [PATCH 2/2] Add ability to change uid and gid while retaining the
capabilities previously specified
---
runtime/rsconf.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/runtime/rsconf.c b/runtime/rsconf.c
index 4620ff8d13..24d1ec3570 100644
index 4620ff8d13..de2a21b406 100644
--- a/runtime/rsconf.c
+++ b/runtime/rsconf.c
@@ -34,6 +34,10 @@
@ -256,3 +156,106 @@ index 4620ff8d13..24d1ec3570 100644
DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res);
snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv);
logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0);
@@ -739,6 +760,29 @@ dropPrivileges(rsconf_t *cnf)
cnf->globals.uidDropPriv);
}
+#ifdef ENABLE_LIBCAPNG
+ /* In case privileges were dropped, do not allow bypassing
+ * file read, write, and execute permission checks
+ */
+ if (cnf->globals.gidDropPriv != 0 || cnf->globals.uidDropPriv != 0) {
+ int capng_rc;
+ if ((capng_rc = capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not update the internal posix capabilities settings "
+ "based on the options passed to it, capng_update=%d\n", capng_rc);
+ exit(-1);
+ }
+
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d\n", capng_rc);
+ exit(-1);
+ }
+ }
+
+#endif
+
finalize_it:
RETiRet;
}
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 908e5e7b73..01616d8f7d 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -604,6 +604,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
+ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
/* RainerScript error messages (range 1000.. 1999) */
RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
index 31b91a1bd1..77d814b482 100644
--- a/tools/rsyslogd.c
+++ b/tools/rsyslogd.c
@@ -37,6 +37,9 @@
#ifdef HAVE_LIBSYSTEMD
# include <systemd/sd-daemon.h>
#endif
+#ifdef ENABLE_LIBCAPNG
+ #include <cap-ng.h>
+#endif
#include "rsyslog.h"
#include "wti.h"
@@ -2167,6 +2170,46 @@ main(int argc, char **argv)
fjson_global_do_case_sensitive_comparison(0);
dbgClassInit();
+
+#ifdef ENABLE_LIBCAPNG
+ /*
+ * Drop capabilities to the necessary set
+ */
+ int capng_rc;
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_BLOCK_SUSPEND,
+ CAP_CHOWN,
+ CAP_IPC_LOCK,
+ CAP_LEASE,
+ CAP_NET_ADMIN,
+ CAP_NET_BIND_SERVICE,
+ CAP_DAC_OVERRIDE,
+ CAP_SETGID,
+ CAP_SETUID,
+ CAP_SETPCAP,
+ CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT,
+ CAP_SYS_RESOURCE,
+ CAP_SYSLOG,
+ -1
+ )) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not update the internal posix capabilities settings "
+ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
+ exit(-1);
+ }
+
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d\n", capng_rc);
+ exit(-1);
+ }
+ DBGPRINTF("Capabilities were dropped successfully\n");
+#endif
+
initAll(argc, argv);
#ifdef HAVE_LIBSYSTEMD
sd_notify(0, "READY=1");
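Review bot: In the rsconf.c hunk (dropPrivileges), `capng_update(CAPNG_DROP, ...)` edits only libcap-ng's in-memory copy of the capability state, which this patch last populated via capng_clear/capng_updatev in main(); after the setgid/setuid calls in dropPrivileges the kernel's live sets may have diverged from that copy, so re-syncing with `capng_get_caps_process();` immediately before the update would make the subsequent capng_apply subtract CAP_DAC_OVERRIDE from what the process actually holds rather than re-applying the set computed in main(). The retained set still carries CAP_SETUID, CAP_SETGID and CAP_SETPCAP after the id change; if they are needed only for the switch itself (the earlier hunk that performs it is outside this view), dropping them together with CAP_DAC_OVERRIDE would narrow what a faulty plugin could regain, and the comment at `/* In case privileges were dropped, do not allow bypassing ... */` should state which capabilities deliberately survive the uid/gid change and why. Both failure branches call `exit(-1)` from inside a function that otherwise returns through `finalize_it:`/`RETiRet`, even though the patch defines RS_RET_LIBCAPNG_ERR for exactly this case; failing closed is right, but propagating the error code would let the caller log and terminate consistently with the rest of the config loader. dropPrivileges begins outside the hunk.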


@ -35,7 +35,7 @@
Summary: Enhanced system logging and kernel message trapping daemon
Name: rsyslog
Version: 8.2210.0
Release: 2%{?dist}
Release: 3%{?dist}
License: (GPLv3+ and ASL 2.0)
URL: http://www.rsyslog.com/
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -757,6 +757,10 @@ done
%changelog
* Tue Jan 17 2023 Attila Lakatos <alakatos@redhat.com> - 8.2210.0-3
- Remove CAP_PERFMON from the capability set
- Add CAP_DAC_OVERRIDE to the capability set
* Fri Dec 16 2022 Attila Lakatos <alakatos@redhat.com> - 8.2210.0-2
- Move all if rhel feature conditions to bcond
- Move to bcond: rdkafka, relp, mysql, pgsql, gssapi, gnutls, udpspoof, omamqp1