import UBI rsyslog-8.2102.0-113.el9_2.1

2023-09-12 09:52:15 +00:00 · 2023-09-12 09:52:15 +00:00 · 9fd4d3e53e
commit 9fd4d3e53e
parent dc036749d6
3 changed files with 211 additions and 1 deletions
--- a/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support.patch
+++ b/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support.patch
@ -0,0 +1,191 @@
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2023-07-14 09:32:51.781256794 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c	2023-07-14 09:34:34.061315870 +0200
+@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
+ 	{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
+ 	{ "debug.files", eCmdHdlrArray, 0 },
+-	{ "debug.whitelist", eCmdHdlrBinary, 0 }
+	{ "debug.whitelist", eCmdHdlrBinary, 0 },
+	{ "libcapng.default", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk paramblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
+ 		if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
+ 			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 			setWorkDir(NULL, cstr);
+		} else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
+#ifdef ENABLE_LIBCAPNG
+			loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
+#else
+			LogError(0, RS_RET_ERR, "rsyslog wasn't "
+				"compiled with libcap-ng support.");
+#endif
+ 		} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
+ 			const int val = (int) cnfparamvals[i].val.d.n;
+ 			fjson_global_do_case_sensitive_comparison(val);
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-07-14 09:32:56.923259764 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c	2023-07-14 09:34:47.722323759 +0200
+@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
+ 
+ static void cnfSetDefaults(rsconf_t *pThis)
+ {
+#ifdef ENABLE_LIBCAPNG
+	pThis->globals.bAbortOnFailedLibcapngSetup = 1;
+#endif
+ 	pThis->globals.bAbortOnUncleanConfig = 0;
+ 	pThis->globals.bReduceRepeatMsgs = 0;
+ 	pThis->globals.bDebugPrintTemplateList = 1;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2023-07-14 09:33:02.575263028 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h	2023-07-14 09:35:29.265347750 +0200
+@@ -61,6 +61,9 @@ struct queuecnf_s {
+  * be re-set as often as the user likes).
+  */
+ struct globals_s {
+#ifdef ENABLE_LIBCAPNG
+	int bAbortOnFailedLibcapngSetup;
+#endif
+ 	int bDebugPrintTemplateList;
+ 	int bDebugPrintModuleList;
+ 	int bDebugPrintCfSysLineHandlerList;
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-07-14 09:29:13.038130459 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-07-14 09:31:58.575226065 +0200
+@@ -1557,6 +1557,88 @@ initAll(int argc, char **argv)
+ 	resetErrMsgsFlag();
+ 	localRet = rsconf.Load(&ourConf, ConfFile);
+ 
+#ifdef ENABLE_LIBCAPNG
+	/*
+	 * Drop capabilities to the necessary set
+	 */
+	int capng_rc, capng_failed = 0;
+	typedef struct capabilities_s {
+		int capability; /* capability code */
+		const char *name; /* name of the capability to be displayed */
+		sbool present; /* is the capability present that is needed by rsyslog? if so we do not drop it */
+	} capabilities_t;
+
+	capabilities_t capabilities[] = {
+		#define CAP_FIELD(code) { code, #code,  0 }
+		CAP_FIELD(CAP_BLOCK_SUSPEND),
+		CAP_FIELD(CAP_CHOWN),
+		CAP_FIELD(CAP_IPC_LOCK),
+		CAP_FIELD(CAP_LEASE),
+		CAP_FIELD(CAP_NET_ADMIN),
+		CAP_FIELD(CAP_NET_BIND_SERVICE),
+		CAP_FIELD(CAP_DAC_OVERRIDE),
+		CAP_FIELD(CAP_SETGID),
+		CAP_FIELD(CAP_SETUID),
+		CAP_FIELD(CAP_SYS_ADMIN),
+		CAP_FIELD(CAP_SYS_CHROOT),
+		CAP_FIELD(CAP_SYS_RESOURCE),
+		CAP_FIELD(CAP_SYSLOG)
+		#undef CAP_FIELD
+	};
+
+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
+		/* Examine which capabilities are available to us, so we do not try to
+		   drop something that is not present. We need to do this in two steps,
+		   because capng_clear clears the capability set. In the second step,
+		   we add back those caps, which were present before clearing the selected
+		   posix capabilities set.
+		*/
+		unsigned long caps_len = sizeof(capabilities) / sizeof(capabilities_t);
+		for (unsigned long i = 0; i < caps_len; i++) {
+			if (capng_have_capability(CAPNG_EFFECTIVE, capabilities[i].capability)) {
+				capabilities[i].present = 1;
+			}
+		}
+
+		capng_clear(CAPNG_SELECT_BOTH);
+
+		for (unsigned long i = 0; i < caps_len; i++) {
+			if (capabilities[i].present) {
+				DBGPRINTF("The %s capability is present, "
+					"will try to preserve it.\n", capabilities[i].name);
+				if ((capng_rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+				capabilities[i].capability)) != 0) {
+					LogError(0, RS_RET_LIBCAPNG_ERR,
+							"could not update the internal posix capabilities settings "
+							"based on the options passed to it, capng_update=%d", capng_rc);
+					capng_failed = 1;
+				}
+			} else {
+				DBGPRINTF("The %s capability is not present, "
+					"will not try to preserve it.\n", capabilities[i].name);
+			}
+		}
+
+		if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+			LogError(0, RS_RET_LIBCAPNG_ERR,
+				"could not transfer the specified internal posix capabilities "
+				"settings to the kernel, capng_apply=%d", capng_rc);
+			capng_failed = 1;
+		}
+
+		if (capng_failed) {
+			DBGPRINTF("Capabilities were not dropped successfully.\n");
+			if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+				ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+			}
+		} else {
+			DBGPRINTF("Capabilities were dropped successfully\n");
+		}
+	} else {
+		DBGPRINTF("No capabilities to drop\n");
+	}
+#endif
+
+ 	if(fp_rs_full_conf_output != NULL) {
+ 		if(fp_rs_full_conf_output != stdout) {
+ 			fclose(fp_rs_full_conf_output);
+@@ -2147,45 +2229,6 @@ main(int argc, char **argv)
+ 		bProcessInternalMessages = 1;
+ 	dbgClassInit();
+ 
+-#ifdef ENABLE_LIBCAPNG
+-	/*
+-	 * Drop capabilities to the necessary set
+-	 */
+-	int capng_rc;
+-	capng_clear(CAPNG_SELECT_BOTH);
+-
+-	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-		CAP_BLOCK_SUSPEND,
+-		CAP_CHOWN,
+-		CAP_IPC_LOCK,
+-		CAP_LEASE,
+-		CAP_NET_ADMIN,
+-		CAP_NET_BIND_SERVICE,
+-		CAP_SETGID,
+-		CAP_SETUID,
+-		CAP_DAC_OVERRIDE,
+-		CAP_NET_RAW,
+-		CAP_SYS_ADMIN,
+-		CAP_SYS_CHROOT,
+-		CAP_SYS_RESOURCE,
+-		CAP_SYSLOG,
+-		-1
+-	)) != 0) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-				"could not update the internal posix capabilities settings "
+-				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
+-		exit(-1);
+-	}
+-
+-	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-			"could not transfer  the  specified  internal posix  capabilities "
+-			"settings to the kernel, capng_apply=%d\n", capng_rc);
+-		exit(-1);
+-	}
+-	DBGPRINTF("Capabilities were dropped successfully\n");
+-#endif
+-
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");
--- a/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch
+++ b/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch
@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-07-28 10:58:34.763191141 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-07-28 10:59:14.867276818 +0200
+@@ -1571,6 +1571,7 @@ initAll(int argc, char **argv)
+ 	capabilities_t capabilities[] = {
+ 		#define CAP_FIELD(code) { code, #code,  0 }
+ 		CAP_FIELD(CAP_BLOCK_SUSPEND),
+		CAP_FIELD(CAP_NET_RAW),
+ 		CAP_FIELD(CAP_CHOWN),
+ 		CAP_FIELD(CAP_IPC_LOCK),
+ 		CAP_FIELD(CAP_LEASE),
--- a/SPECS/rsyslog.spec
+++ b/SPECS/rsyslog.spec
@ -5,7 +5,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2102.0
-Release: 113%{?dist}
+Release: 113%{?dist}.1
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -38,6 +38,8 @@ Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
 Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch
 Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch
 Patch19: rsyslog-8.2102.0-capabilities-capnetraw.patch
+Patch20: rsyslog-8.2102.0-libcapng-no-cap-support.patch
+Patch21: rsyslog-8.2102.0-libcapng-no-cap-support2.patch

 BuildRequires: make
 BuildRequires: gcc
@ -293,6 +295,8 @@ mv build doc
 %patch17 -p1 -b .imklog-leak
 %patch18 -p1 -b .capabilities-drop-credential
 %patch19 -p1 -b .capabilities-capnetraw
+%patch20 -p1
+%patch21 -p1

 pushd ..
 %patch9 -p1 -b .openssl-compatibility
@ -558,6 +562,10 @@ done


 %changelog
+* Fri Jul 14 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-113.1
+- Do not drop capabilities if we don't have any
+- resolves: rhbz#2225088
+
 * Tue Mar 07 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-113
 - Do not allow having selinux-policy < 38.1.3-1
  resolves: rhbz#2176386