diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
--- rsyslog-8.2102.0/runtime/glbl.c.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c 2023-06-27 08:20:45.262387154 +0200
@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
 { "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
 { "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
 { "debug.files", eCmdHdlrArray, 0 },
- { "debug.whitelist", eCmdHdlrBinary, 0 }
+ { "debug.whitelist", eCmdHdlrBinary, 0 },
+ { "libcapng.default", eCmdHdlrBinary, 0 }
 };
 static struct cnfparamblk paramblk = {
 CNFPARAMBLK_VERSION,
@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
 if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
 cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
 setWorkDir(NULL, cstr);
+ } else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
+#ifdef ENABLE_LIBCAPNG
+ loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
+#else
+ LogError(0, RS_RET_ERR, "rsyslog wasn't "
+ "compiled with libcap-ng support.");
+#endif
 } else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
 const int val = (int) cnfparamvals[i].val.d.n;
 fjson_global_do_case_sensitive_comparison(val);
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-06-27 08:20:45.264387159 +0200
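Review bot: The `#else` branch of the new `libcapng.default` handler logs a generic message that neither names the parameter nor says that the value is discarded, so an operator who set `libcapng.default="on"` expecting rsyslog to refuse to start with undropped capabilities gets no hint that the setting has no effect on this build; suggest `LogError(0, RS_RET_ERR, "libcapng.default is ignored: rsyslog wasn't compiled with libcap-ng support.");`. Whether `RS_RET_ERR` here aborts config loading or only logs depends on the surrounding loop in `glblDoneLoadCnf`, which starts and ends outside the hunk. The `(int) cnfparamvals[i].val.d.n` assignment matches the `variables.casesensitive` handling directly below it, which is fine.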
@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
 static void
 cnfSetDefaults(rsconf_t *pThis)
 {
+#ifdef ENABLE_LIBCAPNG
+ pThis->globals.bAbortOnFailedLibcapngSetup = 1;
+#endif
 pThis->globals.bAbortOnUncleanConfig = 0;
 pThis->globals.bReduceRepeatMsgs = 0;
 pThis->globals.bDebugPrintTemplateList = 1;
diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h 2023-06-27 08:20:45.260387149 +0200
@@ -61,6 +61,9 @@ struct queuecnf_s {
 * be re-set as often as the user likes). */
 struct globals_s {
+#ifdef ENABLE_LIBCAPNG
+ int bAbortOnFailedLibcapngSetup;
+#endif
 int bDebugPrintTemplateList;
 int bDebugPrintModuleList;
 int bDebugPrintCfSysLineHandlerList;
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-06-27 08:20:45.245387109 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-06-27 08:31:35.250120215 +0200
@@ -2151,7 +2151,7 @@ main(int argc, char **argv)
 /*
 * Drop capabilities to the necessary set
 */
- int capng_rc;
+ int capng_rc, capng_failed = 0;
 capng_clear(CAPNG_SELECT_BOTH);
 if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
@@ -2161,10 +2161,9 @@ main(int argc, char **argv)
 CAP_LEASE,
 CAP_NET_ADMIN,
 CAP_NET_BIND_SERVICE,
+ CAP_DAC_OVERRIDE,
 CAP_SETGID,
 CAP_SETUID,
- CAP_DAC_OVERRIDE,
- CAP_NET_RAW,
 CAP_SYS_ADMIN,
 CAP_SYS_CHROOT,
 CAP_SYS_RESOURCE,
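Review bot: The new default `pThis->globals.bAbortOnFailedLibcapngSetup = 1;` in `cnfSetDefaults` is the security-relevant decision of this patch (fail closed when capabilities cannot be dropped) but carries no comment, and neither does the matching field added to `struct globals_s` in the rsconf.h hunk. Suggest `/* libcapng.default: abort startup when capability dropping fails; on by default so a misconfigured build fails closed */` on the assignment, and `/* set from global(libcapng.default=...), consumed in tools/rsyslogd.c */` on the struct field. `cnfSetDefaults` continues past the end of the hunk.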
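Review bot: `int capng_rc, capng_failed = 0;` puts an uninitialised and an initialised variable in one declarator list, which is easy to misread as both being zeroed; one declaration per line, `int capng_rc = 0;` followed by `int capng_failed = 0;`, makes the new flag visible on its own line. The enclosing `main` begins and ends outside the hunk.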
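Review bot: This hunk drops `CAP_NET_RAW` from the retained capability set while the rest of the patch is about what to do when dropping fails, and nothing in the diff records why; the simultaneous reorder of `CAP_DAC_OVERRIDE` makes the removal easy to miss in review. Shrinking the retained set is the right direction for least privilege, but any module that opens raw sockets would presumably stop working after this, so the intent should be stated next to the list, e.g. `/* CAP_NET_RAW deliberately not retained: no core component needs raw sockets */`, provided that is actually the case, which the hunk does not show. If the removal is unintended, keeping it in a separate commit would leave the failure-handling change reviewable on its own.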
@@ -2173,17 +2172,25 @@ main(int argc, char **argv)
 )) != 0) {
 LogError(0, RS_RET_LIBCAPNG_ERR,
 "could not update the internal posix capabilities settings "
- "based on the options passed to it, capng_updatev=%d\n", capng_rc);
- exit(-1);
+ "based on the options passed to it, capng_updatev=%d", capng_rc);
+ capng_failed = 1;
 }
 if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
 LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not transfer the specified internal posix capabilities "
- "settings to the kernel, capng_apply=%d\n", capng_rc);
- exit(-1);
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d", capng_rc);
+ capng_failed = 1;
+ }
+
+ if (capng_failed) {
+ DBGPRINTF("Capabilities were not dropped successfully.\n");
+ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+ exit(RS_RET_LIBCAPNG_ERR);
+ }
+ } else {
+ DBGPRINTF("Capabilities were dropped successfully\n");
 }
- DBGPRINTF("Capabilities were dropped successfully\n");
 #endif
 initAll(argc, argv);
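Review bot: When capability dropping fails and `bAbortOnFailedLibcapngSetup` is off, the daemon keeps running with whatever capabilities it started with, yet the only record of that beyond the startup LogError is a `DBGPRINTF`, which is invisible unless debug output is enabled; the continue path should log at normal severity so the privileged run shows up in ordinary logs, e.g. `LogMsg(0, RS_RET_LIBCAPNG_ERR, LOG_WARNING, "capabilities were not dropped, continuing without dropping them as configured by libcapng.default")`. Two smaller points in the same block: `exit(RS_RET_LIBCAPNG_ERR)` passes an rsRetVal constant as the process exit status, which is truncated to eight bits, so the value a service manager or wrapper sees is presumably not the intended one, whereas the previous `exit(-1)` at least gave a stable 255; and after a failed `capng_updatev` the code now still calls `capng_apply` on libcap-ng's partially populated internal state, a path the old code never reached, so gating the apply on `!capng_failed` keeps the failure path predictable. The enclosing `main` starts and ends outside the hunk; `initAll` follows the `#endif`.
```c
	/* … unchanged: capng_updatev error report and capng_failed = 1 … */
	if (!capng_failed && (capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
		/* … unchanged: capng_apply error report and capng_failed = 1 … */
	}

	if (capng_failed) {
		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
			/* rsRetVal values do not fit an 8-bit exit status; keep the previous stable code */
			exit(-1);
		}
		/* operator opted out of fail-closed: make the continued run visible in normal logs */
		LogMsg(0, RS_RET_LIBCAPNG_ERR, LOG_WARNING,
			"capabilities were not dropped, continuing without dropping them "
			"as configured by libcapng.default");
	} else {
		DBGPRINTF("Capabilities were dropped successfully\n");
	}
```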