rpms/rsyslog
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2f5a1a9930
rsyslog/rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
alakatos 2f5a1a9930 libcapng: do not try to drop capabilities that are not present 
add global libcapng.default to not abort when libcapng fails
  resolves: rhbz#2216919
2023-06-27 09:23:21 +02:00

110 lines
4.1 KiB
Diff
Raw Blame History

diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
--- rsyslog-8.2102.0/runtime/glbl.c.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c 2023-06-27 08:20:45.262387154 +0200
@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
{ "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
{ "debug.files", eCmdHdlrArray, 0 },
- { "debug.whitelist", eCmdHdlrBinary, 0 }
+ { "debug.whitelist", eCmdHdlrBinary, 0 },
+ { "libcapng.default", eCmdHdlrBinary, 0 }
};
static struct cnfparamblk paramblk =
{ CNFPARAMBLK_VERSION,
@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
setWorkDir(NULL, cstr);
+ } else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
+#ifdef ENABLE_LIBCAPNG
+ loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
+#else
+ LogError(0, RS_RET_ERR, "rsyslog wasn't "
+ "compiled with libcap-ng support.");
+#endif
} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
const int val = (int) cnfparamvals[i].val.d.n;
fjson_global_do_case_sensitive_comparison(val);
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-06-27 08:20:45.264387159 +0200
@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
static void cnfSetDefaults(rsconf_t *pThis)
{
+#ifdef ENABLE_LIBCAPNG
+ pThis->globals.bAbortOnFailedLibcapngSetup = 1;
+#endif
pThis->globals.bAbortOnUncleanConfig = 0;
pThis->globals.bReduceRepeatMsgs = 0;
pThis->globals.bDebugPrintTemplateList = 1;
diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h 2023-06-27 08:20:45.260387149 +0200
@@ -61,6 +61,9 @@ struct queuecnf_s {
* be re-set as often as the user likes).
*/
struct globals_s {
+#ifdef ENABLE_LIBCAPNG
+ int bAbortOnFailedLibcapngSetup;
+#endif
int bDebugPrintTemplateList;
int bDebugPrintModuleList;
int bDebugPrintCfSysLineHandlerList;
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-06-27 08:20:45.245387109 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-06-27 08:31:35.250120215 +0200
@@ -2151,7 +2151,7 @@ main(int argc, char **argv)
/*
* Drop capabilities to the necessary set
*/
- int capng_rc;
+ int capng_rc, capng_failed = 0;
capng_clear(CAPNG_SELECT_BOTH);
if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
@@ -2161,10 +2161,9 @@ main(int argc, char **argv)
CAP_LEASE,
CAP_NET_ADMIN,
CAP_NET_BIND_SERVICE,
+ CAP_DAC_OVERRIDE,
CAP_SETGID,
CAP_SETUID,
- CAP_DAC_OVERRIDE,
- CAP_NET_RAW,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
CAP_SYS_RESOURCE,
@@ -2173,17 +2172,25 @@ main(int argc, char **argv)
)) != 0) {
LogError(0, RS_RET_LIBCAPNG_ERR,
"could not update the internal posix capabilities settings "
- "based on the options passed to it, capng_updatev=%d\n", capng_rc);
- exit(-1);
+ "based on the options passed to it, capng_updatev=%d", capng_rc);
+ capng_failed = 1;
}
if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not transfer the specified internal posix capabilities "
- "settings to the kernel, capng_apply=%d\n", capng_rc);
- exit(-1);
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d", capng_rc);
+ capng_failed = 1;
+ }
+
+ if (capng_failed) {
+ DBGPRINTF("Capabilities were not dropped successfully.\n");
+ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+ exit(RS_RET_LIBCAPNG_ERR);
+ }
+ } else {
+ DBGPRINTF("Capabilities were dropped successfully\n");
}
- DBGPRINTF("Capabilities were dropped successfully\n");
#endif
initAll(argc, argv);
Reference in New Issue View Git Blame Copy Permalink