diff --git a/rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch b/rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch
new file mode 100644
index 0000000..0c18c56
--- /dev/null
+++ b/rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch
@@ -0,0 +1,12 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2023-05-19 10:32:32.467826852 +0200
++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2023-05-19 10:33:34.426902983 +0200
+@@ -452,6 +452,8 @@ readjournal(void)
+ /* Get message identifier, client pid and add ':' */
+ if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
+ CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
++ } else if (journalGetData("_COMM", &get, &length) >= 0) {
++ CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden));
+ } else {
+ CHKmalloc(sys_iden = strdup(cs.dfltTag));
+ }
diff --git a/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch b/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
new file mode 100644
index 0000000..aaf5beb
--- /dev/null
+++ b/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
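Review bot: In the new `_COMM` branch of readjournal() (journal-COMM patch), `length - 6` is computed with no lower bound, and the literal 6 silently encodes the length of the `_COMM=` prefix, just as 18 does for `SYSLOG_IDENTIFIER=` in the branch above. If journalGetData ever returned fewer bytes than the prefix, the subtraction would wrap (assuming `length` is a size_t, which the hunk does not show) and sanitizeValue would be handed a huge length. I would derive the offset from the key, e.g. `const size_t pfx = sizeof("_COMM=") - 1;`, and take the branch only when `length >= pfx`. A comment is also worth adding: `_COMM` is the task name, which a process can set for itself, so a tag that falls back to it identifies the sender no more strongly than SYSLOG_IDENTIFIER does and should not be relied on in programname-based filters. The function body continues outside the hunk.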
@@ -0,0 +1,72 @@
+diff -up rsyslog-8.2102.0/parse.h.orig rsyslog-8.2102.0/parse.h
+--- rsyslog-8.2102.0/parse.h.orig 2023-05-09 09:10:09.236597063 +0200
++++ rsyslog-8.2102.0/parse.h 2023-05-09 09:10:26.913608034 +0200
+@@ -56,7 +56,7 @@ struct rsParsObject
+ rsObjID OID; /**< object ID */
+ #endif
+ cstr_t *pCStr; /**< pointer to the string object we are parsing */
+- int iCurrPos; /**< current parsing position (char offset) */
++ size_t iCurrPos; /**< current parsing position (char offset) */
+ };
+ typedef struct rsParsObject rsParsObj;
+
+diff -up rsyslog-8.2102.0/runtime/stream.c.orig rsyslog-8.2102.0/runtime/stream.c
+--- rsyslog-8.2102.0/runtime/stream.c.orig 2023-05-09 09:10:34.122612508 +0200
++++ rsyslog-8.2102.0/runtime/stream.c 2023-05-09 09:12:47.934640583 +0200
+@@ -1071,7 +1071,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ cstr_t *thisLine = NULL;
+ rsRetVal readCharRet;
+ const time_t tCurr = pThis->readTimeout ? getTime(NULL) : 0;
+- int maxMsgSize = glblGetMaxLine();
++ size_t maxMsgSize = glblGetMaxLine();
+ DEFiRet;
+
+ do {
+@@ -1132,9 +1132,9 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ }
+
+
+- int currLineLen = cstrLen(thisLine);
++ size_t currLineLen = cstrLen(thisLine);
+ if(currLineLen > 0) {
+- int len;
++ size_t len;
+ if((len = cstrLen(pThis->prevMsgSegment) + currLineLen) <
+ maxMsgSize) {
+ CHKiRet(cstrAppendCStr(pThis->prevMsgSegment, thisLine));
+@@ -1144,7 +1144,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ len = 0;
+ } else {
+ len = currLineLen-(len-maxMsgSize);
+- for(int z=0; zprevMsgSegment,
+ thisLine->pBuf[z]);
+ }
+diff -up rsyslog-8.2102.0/runtime/stringbuf.c.orig rsyslog-8.2102.0/runtime/stringbuf.c
+--- rsyslog-8.2102.0/runtime/stringbuf.c.orig 2023-05-09 09:09:37.627577446 +0200
++++ rsyslog-8.2102.0/runtime/stringbuf.c 2023-05-09 09:09:59.061590749 +0200
+@@ -474,7 +474,7 @@ finalize_it:
+ * This is due to performance reasons.
+ */
+ #ifndef NDEBUG
+-int cstrLen(cstr_t *pThis)
++size_t cstrLen(cstr_t *pThis)
+ {
+ rsCHECKVALIDOBJECT(pThis, OIDrsCStr);
+ return(pThis->iStrLen);
+diff -up rsyslog-8.2102.0/runtime/stringbuf.h.orig rsyslog-8.2102.0/runtime/stringbuf.h
+--- rsyslog-8.2102.0/runtime/stringbuf.h.orig 2023-05-09 09:08:05.199520082 +0200
++++ rsyslog-8.2102.0/runtime/stringbuf.h 2023-05-09 09:09:26.924570803 +0200
+@@ -144,9 +144,9 @@ rsRetVal cstrAppendCStr(cstr_t *pThis, c
+
+ /* now come inline-like functions */
+ #ifdef NDEBUG
+-# define cstrLen(x) ((int)((x)->iStrLen))
++# define cstrLen(x) ((size_t)((x)->iStrLen))
+ #else
+- int cstrLen(cstr_t *pThis);
++ size_t cstrLen(cstr_t *pThis);
+ #endif
+ #define rsCStrLen(s) cstrLen((s))
+
diff --git a/rsyslog.conf b/rsyslog.conf
index b51e844..368399f 100644
--- a/rsyslog.conf
+++ b/rsyslog.conf
@@ -12,19 +12,20 @@ global(workDirectory="/var/lib/rsyslog") # Use default timestamp format module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") -# Include all config files in /etc/rsyslog.d/ -include(file="/etc/rsyslog.d/*.conf" mode="optional") - #### MODULES #### module(load="imuxsock" # provides support for local system logging (e.g. via logger command) SysSock.Use="off") # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. module(load="imjournal" # provides access to the systemd journal + UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from StateFile="imjournal.state") # File to store the position in the journal #module(load="imklog") # reads kernel messages (the same are read from journald) #module(load="immark") # provides --MARK-- message capability +# Include all config files in /etc/rsyslog.d/ +include(file="/etc/rsyslog.d/*.conf" mode="optional") + # Provides UDP syslog reception # for parameters see http://www.rsyslog.com/doc/imudp.html #module(load="imudp") # needs to be done just once
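Review bot: In the stream.c part of the cstrlen patch, `len = currLineLen-(len-maxMsgSize);` is now unsigned arithmetic, so it wraps to a very large value instead of going negative whenever the previous segment is already longer than maxMsgSize, and the loop that follows (only partly shown here) indexes `thisLine->pBuf[z]` up to `len`. The `len = 0;` branch just above looks like the guard for that case, but its condition is outside the hunk; a comment there such as `/* must stay: with size_t the subtraction below wraps when prevMsgSegment exceeds maxMsgSize */` would keep it from being simplified away later. More broadly, every caller that subtracts from cstrLen() or compares it (or `iCurrPos`, changed in parse.h) with a signed int changes meaning with the new type, and only strmReadMultiLine is adjusted here, so a build with `-Wsign-compare` over the tree is worth doing. `size_t maxMsgSize = glblGetMaxLine();` also converts implicitly if that getter returns a signed type, which this patch does not show.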
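Review bot: In rsyslog.conf, moving `include()` below the module block means imuxsock and imjournal are already loaded with the packaged parameters by the time /etc/rsyslog.d/*.conf is read, so an existing drop-in that loads either module with its own parameters (for example a different StateFile) will likely stop taking effect and may produce a duplicate-load error. That deserves a release note and a comment above the include, e.g. `# Included after the module block: drop-ins cannot re-load imuxsock/imjournal with other parameters`. The added comment on `UsePid="system"` has a typo (`nummber`) and could say why the value matters: with "system" the PID is taken from the journal's `_PID` field rather than from the PID the client wrote into its own message, which is the more trustworthy source for attribution.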
diff --git a/rsyslog.service b/rsyslog.service
index 9c13b1d..fa59599 100644
--- a/rsyslog.service
+++ b/rsyslog.service
@@ -1,6 +1,8 @@ [Unit] Description=System Logging Service ;Requires=syslog.socket +Wants=network.target network-online.target +After=network.target network-online.target Documentation=man:rsyslogd(8) Documentation=https://www.rsyslog.com/doc/
@@ -12,6 +14,18 @@ ExecReload=/usr/bin/kill -HUP $MAINPID UMask=0066 StandardOutput=null Restart=on-failure +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=net +NoNewPrivileges=yes +ProtectControlGroups=yes +ProtectHome=read-only +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @raw-io @reboot @swap @cpu-emulation @obsolete +LockPersonality=yes +MemoryDenyWriteExecute=yes # Increase the default a bit in order to allow many simultaneous # files to be monitored, we might need a lot of fds.
diff --git a/rsyslog.spec b/rsyslog.spec
index f0da4e9..bda971d 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -5,7 +5,7 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog Version: 8.2102.0 -Release: 113%{?dist} +Release: 114%{?dist} License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -38,6 +38,8 @@ Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch Patch19: rsyslog-8.2102.0-capabilities-capnetraw.patch +Patch20: rsyslog-8.2102.0-rhbz2157804-cstrlen.patch +Patch21: rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch BuildRequires: make BuildRequires: gcc
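Review bot: In the [Unit] hunk of rsyslog.service, `Wants=`/`After=network-online.target` orders the whole daemon, local file logging included, behind the network coming up, so on a host whose network is slow or never reaches online the start of rsyslog is held back until that target is reached or times out. Messages stay in the journal in the meantime and imjournal should pick them up afterwards, but that depends on journal retention. A comment beside the two lines, e.g. `# remote forwarding needs the network; local logging waits for it too`, would make the trade-off visible to whoever tunes the unit later.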
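Review bot: The `SystemCallFilter=~@clock @debug …` line in the [Service] hunk of rsyslog.service has no `SystemCallErrorNumber=`, so a filtered call terminates rsyslogd with SIGSYS, and with `Restart=on-failure` just above, one unexpected syscall in a rarely used module can become a restart loop with gaps in logging; `SystemCallErrorNumber=EPERM` makes the call fail instead. Three of the new settings also change what configured actions can do and deserve a comment in the unit: `ProtectHome=read-only` stops file outputs from writing under /home, /root and /run/user, `NoNewPrivileges=yes` and the syscall filter are inherited by any helper program rsyslog spawns, and `MemoryDenyWriteExecute=yes` breaks any loaded library that generates code at run time. `RestrictAddressFamilies=` lists only AF_INET, AF_INET6 and AF_UNIX, so it is worth confirming that no enabled module opens a netlink or packet socket.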
@@ -293,6 +295,8 @@ mv build doc %patch17 -p1 -b .imklog-leak %patch18 -p1 -b .capabilities-drop-credential %patch19 -p1 -b .capabilities-capnetraw +%patch20 -p1 -b .cstrlen +%patch21 -p1 -b .journalCOMM pushd .. %patch9 -p1 -b .openssl-compatibility
@@ -558,6 +562,20 @@ done %changelog +* Fri May 19 2023 Attila Lakatos - 8.2102.0-114 +- Fix wrong type conversion in cstrLen() + resolves: rhbz#2157805 +- imjournal: by default retrieves _PID from journal as PID number + resolves: rhbz#2176397 +- Systemd service file hardening + resolves: rhbz#2176403 +- rsyslog.conf: load imuxsock and imjournal before loading rsyslog.d + resolves: rhbz#2165899 +- rsyslog is now started after the network service during boot + resolves: rhbz#2074318 +- imjournal: add second fallback to the message identifier + resolves: rhbv#2129015 + * Tue Mar 07 2023 Attila Lakatos - 8.2102.0-113 - Do not allow having selinux-policy < 38.1.3-1 resolves: rhbz#2176386