|
 |
6d5a3a |
diff -up rsyslog-8.2102.0/configure.ac.orig rsyslog-8.2102.0/configure.ac
|
|
|
6d5a3a |
--- rsyslog-8.2102.0/configure.ac.orig 2022-11-21 11:39:40.717183684 +0100
|
|
|
6d5a3a |
+++ rsyslog-8.2102.0/configure.ac 2022-11-21 11:40:18.697206706 +0100
|
|
|
6d5a3a |
@@ -387,6 +387,28 @@ if test "$enable_fmhash_xxhash" = "yes";
|
|
|
6d5a3a |
])
|
|
|
6d5a3a |
fi
|
|
|
6d5a3a |
|
|
|
6d5a3a |
+AC_ARG_ENABLE(libcap-ng,
|
|
|
6d5a3a |
+ [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
|
|
|
6d5a3a |
+ [case "${enableval}" in
|
|
|
6d5a3a |
+ yes) enable_libcapng="yes" ;;
|
|
|
6d5a3a |
+ no) enable_libcapng="no" ;;
|
|
|
6d5a3a |
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
|
|
|
6d5a3a |
+ esac],
|
|
|
6d5a3a |
+ [enable_libcapng=no]
|
|
|
6d5a3a |
+)
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
+if test "$enable_libcapng" = "yes"; then
|
|
|
6d5a3a |
+ PKG_CHECK_MODULES(
|
|
|
6d5a3a |
+ [LIBCAPNG],
|
|
|
6d5a3a |
+ [libcap-ng >= 0.8.2],
|
|
|
6d5a3a |
+ [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
|
|
|
6d5a3a |
+ [AC_MSG_ERROR(libcap-ng is not present.)]
|
|
|
6d5a3a |
+ )
|
|
|
6d5a3a |
+ CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
|
|
|
6d5a3a |
+ LIBS="$LIBS $LIBCAPNG_LIBS"
|
|
|
6d5a3a |
+fi
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
|
|
|
6d5a3a |
#gssapi
|
|
|
6d5a3a |
AC_ARG_ENABLE(gssapi_krb5,
|
|
|
6d5a3a |
@@ -2688,6 +2710,7 @@ echo " liblogging-stdlog support enab
|
|
|
6d5a3a |
echo " libsystemd enabled: $enable_libsystemd"
|
|
|
6d5a3a |
echo " kafka static linking enabled: $enable_kafka_static"
|
|
|
6d5a3a |
echo " atomic operations enabled: $enable_atomic_operations"
|
|
|
6d5a3a |
+echo " libcap-ng support enabled: $enable_libcapng"
|
|
|
6d5a3a |
echo
|
|
|
6d5a3a |
echo "---{ input plugins }---"
|
|
|
6d5a3a |
if test "$unamestr" != "AIX"; then
|
|
|
6d5a3a |
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
|
|
|
6d5a3a |
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2022-11-21 11:40:31.926214720 +0100
|
|
|
6d5a3a |
+++ rsyslog-8.2102.0/runtime/rsconf.c 2022-11-21 11:44:26.742356979 +0100
|
|
|
6d5a3a |
@@ -33,6 +33,9 @@
|
|
|
6d5a3a |
#include <sys/resource.h>
|
|
|
6d5a3a |
#include <sys/types.h>
|
|
|
6d5a3a |
#include <sys/stat.h>
|
|
|
6d5a3a |
+#ifdef ENABLE_LIBCAPNG
|
|
|
6d5a3a |
+ #include <cap-ng.h>
|
|
|
6d5a3a |
+#endif
|
|
|
6d5a3a |
|
|
|
6d5a3a |
#include "rsyslog.h"
|
|
|
6d5a3a |
#include "obj.h"
|
|
|
6d5a3a |
@@ -546,6 +549,7 @@ rsRetVal doDropPrivGid(void)
|
|
|
6d5a3a |
uchar szBuf[1024];
|
|
|
6d5a3a |
DEFiRet;
|
|
|
6d5a3a |
|
|
|
6d5a3a |
+#ifndef ENABLE_LIBCAPNG
|
|
|
6d5a3a |
if(!ourConf->globals.gidDropPrivKeepSupplemental) {
|
|
|
6d5a3a |
res = setgroups(0, NULL); /* remove all supplemental group IDs */
|
|
|
6d5a3a |
if(res) {
|
|
|
6d5a3a |
@@ -560,9 +564,19 @@ rsRetVal doDropPrivGid(void)
|
|
|
6d5a3a |
if(res) {
|
|
|
6d5a3a |
rs_strerror_r(errno, (char*)szBuf, sizeof(szBuf));
|
|
|
6d5a3a |
LogError(0, RS_RET_ERR_DROP_PRIV,
|
|
|
6d5a3a |
- "could not set requested group id: %s", szBuf);
|
|
|
6d5a3a |
+ "could not set requested group id: %s via setgid()", szBuf);
|
|
|
6d5a3a |
ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
|
|
|
6d5a3a |
}
|
|
|
6d5a3a |
+#else
|
|
|
6d5a3a |
+ int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
|
|
|
6d5a3a |
+ res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
|
|
|
6d5a3a |
+ if (res) {
|
|
|
6d5a3a |
+ LogError(0, RS_RET_LIBCAPNG_ERR,
|
|
|
6d5a3a |
+ "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
|
|
|
6d5a3a |
+ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
|
|
|
6d5a3a |
+ }
|
|
|
6d5a3a |
+#endif
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
|
|
|
6d5a3a |
snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
|
|
|
6d5a3a |
ourConf->globals.gidDropPriv);
|
|
|
6d5a3a |
@@ -599,7 +613,14 @@ static void doDropPrivUid(int iUid)
|
|
|
6d5a3a |
iUid, szBuf);
|
|
|
6d5a3a |
}
|
|
|
6d5a3a |
|
|
|
6d5a3a |
+#ifndef ENABLE_LIBCAPNG
|
|
|
6d5a3a |
res = setuid(iUid);
|
|
|
6d5a3a |
+ // res = setuid(cnf->globals.uidDropPriv);
|
|
|
6d5a3a |
+#else
|
|
|
6d5a3a |
+ int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
|
|
|
6d5a3a |
+ res = capng_change_id(iUid, -1, capng_flags);
|
|
|
6d5a3a |
+#endif
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
if(res) {
|
|
|
6d5a3a |
/* if we can not set the userid, this is fatal, so let's unconditionally abort */
|
|
|
6d5a3a |
perror("could not set requested userid");
|
|
|
6d5a3a |
diff -up rsyslog-8.2102.0/runtime/rsyslog.h.orig rsyslog-8.2102.0/runtime/rsyslog.h
|
|
|
6d5a3a |
--- rsyslog-8.2102.0/runtime/rsyslog.h.orig 2022-11-21 11:45:09.007382588 +0100
|
|
|
6d5a3a |
+++ rsyslog-8.2102.0/runtime/rsyslog.h 2022-11-21 11:45:31.333396112 +0100
|
|
|
6d5a3a |
@@ -582,6 +582,7 @@ enum rsRetVal_ /** return value. All
|
|
|
6d5a3a |
RS_RET_RABBITMQ_CHANNEL_ERR = -2449, /**< RabbitMQ Connection error */
|
|
|
6d5a3a |
RS_RET_NO_WRKDIR_SET = -2450, /**< working directory not set, but desired by functionality */
|
|
|
6d5a3a |
RS_RET_ERR_QUEUE_FN_DUP = -2451, /**< duplicate queue file name */
|
|
|
6d5a3a |
+ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
|
|
|
6d5a3a |
|
|
|
6d5a3a |
/* RainerScript error messages (range 1000.. 1999) */
|
|
|
6d5a3a |
RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
|
|
|
6d5a3a |
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
|
|
|
6d5a3a |
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2022-11-21 11:45:17.587387786 +0100
|
|
|
6d5a3a |
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2022-11-21 11:46:19.509425295 +0100
|
|
|
6d5a3a |
@@ -38,6 +38,10 @@
|
|
|
6d5a3a |
# include <systemd/sd-daemon.h>
|
|
|
6d5a3a |
#endif
|
|
|
6d5a3a |
|
|
|
6d5a3a |
+#ifdef ENABLE_LIBCAPNG
|
|
|
6d5a3a |
+ #include <cap-ng.h>
|
|
|
6d5a3a |
+#endif
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
#include "rsyslog.h"
|
|
|
6d5a3a |
#include "wti.h"
|
|
|
6d5a3a |
#include "ratelimit.h"
|
|
|
6d5a3a |
@@ -321,7 +325,7 @@ checkStartupOK(void)
|
|
|
6d5a3a |
fprintf(stderr, "rsyslogd: error reading pid file, cannot start up\n");
|
|
|
6d5a3a |
ABORT_FINALIZE(RS_RET_ERR);
|
|
|
6d5a3a |
}
|
|
|
6d5a3a |
-
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
/* ok, we got a pid, let's check if the process is running */
|
|
|
6d5a3a |
const pid_t pid = (pid_t) pf_pid;
|
|
|
6d5a3a |
if(kill(pid, 0) == 0 || errno != ESRCH) {
|
|
|
6d5a3a |
@@ -1594,7 +1598,7 @@ initAll(int argc, char **argv)
|
|
|
6d5a3a |
localRet = RS_RET_OK;
|
|
|
6d5a3a |
}
|
|
|
6d5a3a |
CHKiRet(localRet);
|
|
|
6d5a3a |
-
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
CHKiRet(rsyslogd_InitStdRatelimiters());
|
|
|
6d5a3a |
|
|
|
6d5a3a |
if(bChDirRoot) {
|
|
|
6d5a3a |
@@ -2019,7 +2023,7 @@ deinitAll(void)
|
|
|
6d5a3a |
/* close the inputs */
|
|
|
6d5a3a |
DBGPRINTF("Terminating input threads...\n");
|
|
|
6d5a3a |
glbl.SetGlobalInputTermination();
|
|
|
6d5a3a |
-
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
thrdTerminateAll();
|
|
|
6d5a3a |
|
|
|
6d5a3a |
/* and THEN send the termination log message (see long comment above) */
|
|
|
6d5a3a |
@@ -2142,6 +2146,45 @@ main(int argc, char **argv)
|
|
|
6d5a3a |
if(log_dflt != NULL && !strcmp(log_dflt, "1"))
|
|
|
6d5a3a |
bProcessInternalMessages = 1;
|
|
|
6d5a3a |
dbgClassInit();
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
+#ifdef ENABLE_LIBCAPNG
|
|
|
6d5a3a |
+ /*
|
|
|
6d5a3a |
+ * Drop capabilities to the necessary set
|
|
|
6d5a3a |
+ */
|
|
|
6d5a3a |
+ int capng_rc;
|
|
|
6d5a3a |
+ capng_clear(CAPNG_SELECT_BOTH);
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
+ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
|
|
6d5a3a |
+ CAP_BLOCK_SUSPEND,
|
|
|
6d5a3a |
+ CAP_CHOWN,
|
|
|
6d5a3a |
+ CAP_IPC_LOCK,
|
|
|
6d5a3a |
+ CAP_LEASE,
|
|
|
6d5a3a |
+ CAP_NET_ADMIN,
|
|
|
6d5a3a |
+ CAP_NET_BIND_SERVICE,
|
|
|
6d5a3a |
+ CAP_PERFMON,
|
|
|
6d5a3a |
+ CAP_SETGID,
|
|
|
6d5a3a |
+ CAP_SETUID,
|
|
|
6d5a3a |
+ CAP_SYS_ADMIN,
|
|
|
6d5a3a |
+ CAP_SYS_CHROOT,
|
|
|
6d5a3a |
+ CAP_SYS_RESOURCE,
|
|
|
6d5a3a |
+ CAP_SYSLOG,
|
|
|
6d5a3a |
+ -1
|
|
|
6d5a3a |
+ )) != 0) {
|
|
|
6d5a3a |
+ LogError(0, RS_RET_LIBCAPNG_ERR,
|
|
|
6d5a3a |
+ "could not update the internal posix capabilities settings "
|
|
|
6d5a3a |
+ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
|
|
|
6d5a3a |
+ exit(-1);
|
|
|
6d5a3a |
+ }
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
|
|
|
6d5a3a |
+ LogError(0, RS_RET_LIBCAPNG_ERR,
|
|
|
6d5a3a |
+ "could not transfer the specified internal posix capabilities "
|
|
|
6d5a3a |
+ "settings to the kernel, capng_apply=%d\n", capng_rc);
|
|
|
6d5a3a |
+ exit(-1);
|
|
|
6d5a3a |
+ }
|
|
|
6d5a3a |
+ DBGPRINTF("Capabilities were dropped successfully\n");
|
|
|
6d5a3a |
+#endif
|
|
|
6d5a3a |
+
|
|
|
6d5a3a |
initAll(argc, argv);
|
|
|
6d5a3a |
#ifdef HAVE_LIBSYSTEMD
|
|
|
6d5a3a |
sd_notify(0, "READY=1");
|