Adjust capability set for libcap-ng

rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch

@@ -1,20 +1,3 @@
-From e9f85312630eb25d0985e911475803bd06f4173e Mon Sep 17 00:00:00 2001
-From: alakatos <alakatos@redhat.com>
-Date: Thu, 13 Oct 2022 10:41:38 +0200
-Subject: [PATCH 1/2] Introduce --enable-libcap-ng configure option
-
-The option allows to drop the capabilities to only
-the necessary set, to minimize security exposure in
-case there was ever a mistake in a networking
-plugin or some other input resource. Resolves #4986
----
- configure.ac      | 24 ++++++++++++++++++++++++
- runtime/debug.c   |  4 ++--
- runtime/modules.c |  6 +++---
- runtime/rsyslog.h |  1 +
- tools/rsyslogd.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 72 insertions(+), 5 deletions(-)
-
 diff --git a/configure.ac b/configure.ac
 index 9f73a708d0..958c26245e 100644
 --- a/configure.ac
@@ -110,91 +93,8 @@ index 810b2e9b52..b39bd9f066 100644
  finalize_it:
  	free(cnfModName);
  	cnfparamvalsDestruct(pvals, &pblk);
-diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
-index 908e5e7b73..01616d8f7d 100644
---- a/runtime/rsyslog.h
-+++ b/runtime/rsyslog.h
-@@ -604,6 +604,7 @@ enum rsRetVal_				/** return value. All methods return this if not specified oth
- 	RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
- 	RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
- 	RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
-+	RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
- 
- 	/* RainerScript error messages (range 1000.. 1999) */
- 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
-diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
-index 31b91a1bd1..c209e1bcdd 100644
---- a/tools/rsyslogd.c
-+++ b/tools/rsyslogd.c
-@@ -37,6 +37,9 @@
- #ifdef HAVE_LIBSYSTEMD
- #	include <systemd/sd-daemon.h>
- #endif
-+#ifdef ENABLE_LIBCAPNG
-+	#include <cap-ng.h>
-+#endif
- 
- #include "rsyslog.h"
- #include "wti.h"
-@@ -2167,6 +2170,45 @@ main(int argc, char **argv)
- 	fjson_global_do_case_sensitive_comparison(0);
- 
- 	dbgClassInit();
-+
-+#ifdef ENABLE_LIBCAPNG
-+	/*
-+	 * Drop capabilities to the necessary set
-+	 */
-+	int capng_rc;
-+	capng_clear(CAPNG_SELECT_BOTH);
-+
-+	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+		CAP_BLOCK_SUSPEND,
-+		CAP_CHOWN,
-+		CAP_IPC_LOCK,
-+		CAP_LEASE,
-+		CAP_NET_ADMIN,
-+		CAP_NET_BIND_SERVICE,
-+		CAP_PERFMON,
-+		CAP_SETGID,
-+		CAP_SETUID,
-+		CAP_SYS_ADMIN,
-+		CAP_SYS_CHROOT,
-+		CAP_SYS_RESOURCE,
-+		CAP_SYSLOG,
-+		-1
-+	)) != 0) {
-+		LogError(0, RS_RET_LIBCAPNG_ERR,
-+				"could not update the internal posix capabilities settings "
-+				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
-+		exit(-1);
-+	}
-+
-+	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
-+		LogError(0, RS_RET_LIBCAPNG_ERR,
-+			"could not transfer  the  specified  internal posix  capabilities "
-+			"settings to the kernel, capng_apply=%d\n", capng_rc);
-+		exit(-1);
-+	}
-+	DBGPRINTF("Capabilities were dropped successfully\n");
-+#endif
-+
- 	initAll(argc, argv);
- #ifdef HAVE_LIBSYSTEMD
- 	sd_notify(0, "READY=1");
-
-From 305e07a2b757b98dc7e26c148c175901034451b9 Mon Sep 17 00:00:00 2001
-From: alakatos <alakatos@redhat.com>
-Date: Mon, 31 Oct 2022 12:30:48 +0100
-Subject: [PATCH 2/2] Add ability to change uid and gid while retaining the
- capabilities previously specified
-
----
- runtime/rsconf.c | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
 diff --git a/runtime/rsconf.c b/runtime/rsconf.c
-index 4620ff8d13..24d1ec3570 100644
+index 4620ff8d13..de2a21b406 100644
 --- a/runtime/rsconf.c
 +++ b/runtime/rsconf.c
 @@ -34,6 +34,10 @@
@@ -256,3 +156,106 @@ index 4620ff8d13..24d1ec3570 100644
  	DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res);
  	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv);
  	logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0);
+@@ -739,6 +760,29 @@ dropPrivileges(rsconf_t *cnf)
+ 			  cnf->globals.uidDropPriv);
+ 	}
+ 
++#ifdef ENABLE_LIBCAPNG
++	/* In case privileges were dropped, do not allow bypassing
++	 * file read, write, and execute permission checks
++	 */
++	if (cnf->globals.gidDropPriv != 0 || cnf->globals.uidDropPriv != 0) {
++		int capng_rc;
++		if ((capng_rc = capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) != 0) {
++			LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not update the internal posix capabilities settings "
++				"based on the options passed to it, capng_update=%d\n", capng_rc);
++			exit(-1);
++		}
++
++		if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++			LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not transfer  the  specified  internal posix  capabilities "
++				"settings to the kernel, capng_apply=%d\n", capng_rc);
++			exit(-1);
++		}
++	}
++
++#endif
++
+ finalize_it:
+ 	RETiRet;
+ }
+diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
+index 908e5e7b73..01616d8f7d 100644
+--- a/runtime/rsyslog.h
++++ b/runtime/rsyslog.h
+@@ -604,6 +604,7 @@ enum rsRetVal_				/** return value. All methods return this if not specified oth
+ 	RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
+ 	RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
+ 	RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
++	RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
+ 
+ 	/* RainerScript error messages (range 1000.. 1999) */
+ 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index 31b91a1bd1..77d814b482 100644
+--- a/tools/rsyslogd.c
++++ b/tools/rsyslogd.c
+@@ -37,6 +37,9 @@
+ #ifdef HAVE_LIBSYSTEMD
+ #	include <systemd/sd-daemon.h>
+ #endif
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
+ 
+ #include "rsyslog.h"
+ #include "wti.h"
+@@ -2167,6 +2170,46 @@ main(int argc, char **argv)
+ 	fjson_global_do_case_sensitive_comparison(0);
+ 
+ 	dbgClassInit();
++
++#ifdef ENABLE_LIBCAPNG
++	/*
++	 * Drop capabilities to the necessary set
++	 */
++	int capng_rc;
++	capng_clear(CAPNG_SELECT_BOTH);
++
++	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++		CAP_BLOCK_SUSPEND,
++		CAP_CHOWN,
++		CAP_IPC_LOCK,
++		CAP_LEASE,
++		CAP_NET_ADMIN,
++		CAP_NET_BIND_SERVICE,
++		CAP_DAC_OVERRIDE,
++		CAP_SETGID,
++		CAP_SETUID,
++		CAP_SETPCAP,
++		CAP_SYS_ADMIN,
++		CAP_SYS_CHROOT,
++		CAP_SYS_RESOURCE,
++		CAP_SYSLOG,
++		-1
++	)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not update the internal posix capabilities settings "
++				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
++		exit(-1);
++	}
++
++	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++			"could not transfer  the  specified  internal posix  capabilities "
++			"settings to the kernel, capng_apply=%d\n", capng_rc);
++		exit(-1);
++	}
++	DBGPRINTF("Capabilities were dropped successfully\n");
++#endif
++
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");

rsyslog.spec

@@ -35,7 +35,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2210.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -757,6 +757,10 @@ done
 
 
 %changelog
+* Tue Jan 17 2023 Attila Lakatos <alakatos@redhat.com> - 8.2210.0-3
+- Remove CAP_PERFMON from the capability set
+- Add CAP_DAC_OVERRIDE to the capability set
+
 * Fri Dec 16 2022 Attila Lakatos <alakatos@redhat.com> - 8.2210.0-2
 - Move all if rhel feature conditions to bcond
 - Move to bcond: rdkafka, relp, mysql, pgsql, gssapi, gnutls, udpspoof, omamqp1