diff --git a/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch b/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
index 6b3f43f..cb583fb 100644
--- a/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
+++ b/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
@@ -1,20 +1,3 @@
-From e9f85312630eb25d0985e911475803bd06f4173e Mon Sep 17 00:00:00 2001
-From: alakatos
-Date: Thu, 13 Oct 2022 10:41:38 +0200
-Subject: [PATCH 1/2] Introduce --enable-libcap-ng configure option
-
-The option allows to drop the capabilities to only
-the necessary set, to minimize security exposure in
-case there was ever a mistake in a networking
-plugin or some other input resource. Resolves #4986
----
- configure.ac | 24 ++++++++++++++++++++++++
- runtime/debug.c | 4 ++--
- runtime/modules.c | 6 +++---
- runtime/rsyslog.h | 1 +
- tools/rsyslogd.c | 42 ++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 72 insertions(+), 5 deletions(-)
-
 diff --git a/configure.ac b/configure.ac
 index 9f73a708d0..958c26245e 100644
 --- a/configure.ac
@@ -110,91 +93,8 @@ index 810b2e9b52..b39bd9f066 100644
 finalize_it:
 free(cnfModName);
 cnfparamvalsDestruct(pvals, &pblk);
-diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
-index 908e5e7b73..01616d8f7d 100644
---- a/runtime/rsyslog.h
-+++ b/runtime/rsyslog.h
-@@ -604,6 +604,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
- RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
- RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
- RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
-+ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
-
- /* RainerScript error messages (range 1000.. 1999) */
- RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
-diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
-index 31b91a1bd1..c209e1bcdd 100644
---- a/tools/rsyslogd.c
-+++ b/tools/rsyslogd.c
-@@ -37,6 +37,9 @@
- #ifdef HAVE_LIBSYSTEMD
- # include
- #endif
-+#ifdef ENABLE_LIBCAPNG
-+ #include
-+#endif
-
- #include "rsyslog.h"
- #include "wti.h"
-@@ -2167,6 +2170,45 @@ main(int argc, char **argv)
- fjson_global_do_case_sensitive_comparison(0);
-
- dbgClassInit();
-+
-+#ifdef ENABLE_LIBCAPNG
-+ /*
-+ * Drop capabilities to the necessary set
-+ */
-+ int capng_rc;
-+ capng_clear(CAPNG_SELECT_BOTH);
-+
-+ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+ CAP_BLOCK_SUSPEND,
-+ CAP_CHOWN,
-+ CAP_IPC_LOCK,
-+ CAP_LEASE,
-+ CAP_NET_ADMIN,
-+ CAP_NET_BIND_SERVICE,
-+ CAP_PERFMON,
-+ CAP_SETGID,
-+ CAP_SETUID,
-+ CAP_SYS_ADMIN,
-+ CAP_SYS_CHROOT,
-+ CAP_SYS_RESOURCE,
-+ CAP_SYSLOG,
-+ -1
-+ )) != 0) {
-+ LogError(0, RS_RET_LIBCAPNG_ERR,
-+ "could not update the internal posix capabilities settings "
-+ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
-+ exit(-1);
-+ }
-+
-+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
-+ LogError(0, RS_RET_LIBCAPNG_ERR,
-+ "could not transfer the specified internal posix capabilities "
-+ "settings to the kernel, capng_apply=%d\n", capng_rc);
-+ exit(-1);
-+ }
-+ DBGPRINTF("Capabilities were dropped successfully\n");
-+#endif
-+
- initAll(argc, argv);
- #ifdef HAVE_LIBSYSTEMD
- sd_notify(0, "READY=1");
-
-From 305e07a2b757b98dc7e26c148c175901034451b9 Mon Sep 17 00:00:00 2001
-From: alakatos
-Date: Mon, 31 Oct 2022 12:30:48 +0100
-Subject: [PATCH 2/2] Add ability to change uid and gid while retaining the
- capabilities previously specified
-
----
- runtime/rsconf.c | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
 diff --git a/runtime/rsconf.c b/runtime/rsconf.c
-index 4620ff8d13..24d1ec3570 100644
+index 4620ff8d13..de2a21b406 100644
 --- a/runtime/rsconf.c
 +++ b/runtime/rsconf.c
 @@ -34,6 +34,10 @@
@@ -256,3 +156,106 @@ index 4620ff8d13..24d1ec3570 100644
 DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res);
 snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv);
 logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0);
+@@ -739,6 +760,29 @@ dropPrivileges(rsconf_t *cnf)
+ cnf->globals.uidDropPriv);
+ }
+
++#ifdef ENABLE_LIBCAPNG
++ /* In case privileges were dropped, do not allow bypassing
++ * file read, write, and execute permission checks
++ */
++ if (cnf->globals.gidDropPriv != 0 || cnf->globals.uidDropPriv != 0) {
++ int capng_rc;
++ if ((capng_rc = capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not update the internal posix capabilities settings "
++ "based on the options passed to it, capng_update=%d\n", capng_rc);
++ exit(-1);
++ }
++
++ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not transfer the specified internal posix capabilities "
++ "settings to the kernel, capng_apply=%d\n", capng_rc);
++ exit(-1);
++ }
++ }
++
++#endif
++
+ finalize_it:
+ RETiRet;
+ }
+diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
+index 908e5e7b73..01616d8f7d 100644
+--- a/runtime/rsyslog.h
++++ b/runtime/rsyslog.h
+@@ -604,6 +604,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
+ RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
+ RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
+ RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
++ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
+
+ /* RainerScript error messages (range 1000.. 1999) */
+ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index 31b91a1bd1..77d814b482 100644
+--- a/tools/rsyslogd.c
++++ b/tools/rsyslogd.c
+@@ -37,6 +37,9 @@
+ #ifdef HAVE_LIBSYSTEMD
+ # include
+ #endif
++#ifdef ENABLE_LIBCAPNG
++ #include
++#endif
+
+ #include "rsyslog.h"
+ #include "wti.h"
+@@ -2167,6 +2170,46 @@ main(int argc, char **argv)
+ fjson_global_do_case_sensitive_comparison(0);
+
+ dbgClassInit();
++
++#ifdef ENABLE_LIBCAPNG
++ /*
++ * Drop capabilities to the necessary set
++ */
++ int capng_rc;
++ capng_clear(CAPNG_SELECT_BOTH);
++
++ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_BLOCK_SUSPEND,
++ CAP_CHOWN,
++ CAP_IPC_LOCK,
++ CAP_LEASE,
++ CAP_NET_ADMIN,
++ CAP_NET_BIND_SERVICE,
++ CAP_DAC_OVERRIDE,
++ CAP_SETGID,
++ CAP_SETUID,
++ CAP_SETPCAP,
++ CAP_SYS_ADMIN,
++ CAP_SYS_CHROOT,
++ CAP_SYS_RESOURCE,
++ CAP_SYSLOG,
++ -1
++ )) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not update the internal posix capabilities settings "
++ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
++ exit(-1);
++ }
++
++ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not transfer the specified internal posix capabilities "
++ "settings to the kernel, capng_apply=%d\n", capng_rc);
++ exit(-1);
++ }
++ DBGPRINTF("Capabilities were dropped successfully\n");
++#endif
++
+ initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ sd_notify(0, "READY=1");
diff --git a/rsyslog.spec b/rsyslog.spec
index fe58095..867e492 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -35,7 +35,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2210.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
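Review bot: In the dropPrivileges() section added for runtime/rsconf.c, only CAP_DAC_OVERRIDE is removed when a non-root uid or gid is configured, while the set built in main() (tools/rsyslogd.c) still lists CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_CHOWN and CAP_SYS_ADMIN as effective and permitted. Unless code outside these hunks drops them, the process keeps the ability to change identity or file ownership after the switch, so the comment's goal of enforcing file permission checks is only partly met. Consider dropping the identity-changing capabilities in the same step, for example `capng_updatev(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID, -1)`, and adding a comment next to the list in main() that says which feature needs each of the broad entries (CAP_SYS_ADMIN, CAP_CHOWN, CAP_SETPCAP) after start-up. dropPrivileges() begins outside the hunk, so it should be confirmed that the uid/gid change has already completed at this point before removing CAP_SETUID and CAP_SETGID here.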
@@ -757,6 +757,10 @@ done %changelog +* Tue Jan 17 2023 Attila Lakatos - 8.2210.0-3 +- Remove CAP_PERFMON from the capability set +- Add CAP_DAC_OVERRIDE to the capability set + * Fri Dec 16 2022 Attila Lakatos - 8.2210.0-2 - Move all if rhel feature conditions to bcond - Move to bcond: rdkafka, relp, mysql, pgsql, gssapi, gnutls, udpspoof, omamqp1