Diffstat (limited to 'app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch')
-rw-r--r-- | app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch | 172 |
1 files changed, 0 insertions, 172 deletions
diff --git a/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch b/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch
deleted file mode 100644
index 9b97f97..0000000
--- a/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From: Balazs Scheidler <bazsi@balabit.hu>
-Date: Thu, 12 May 2011 11:11:58 +0000 (+0200)
-Subject: Use CAP_SYSLOG instead of CAP_SYS_ADMIN, if available.
-X-Git-Url: http://git.balabit.hu/?p=algernon%2Fsyslog-ng-3.2.git;a=commitdiff_plain;h=54a316a1692a3baac3f65e9eaecd962e46a9dfc8
-
-Use CAP_SYSLOG instead of CAP_SYS_ADMIN, if available.
-
-If cap_syslog exists, the kernel will complain (once) that we only
-have cap_sys_admin. Additionally, using cap_syslog instead of
-cap_sys_admin significantly lowers the unneeded privs we are
-using.
-
-Upon startup, syslog-ng will detect whether CAP_SYSLOG is available,
-and use capabilities based on that finding. This detection will also
-have a side-effect, which will make it so that
-g_process_cap_modify(CAP_SYSLOG) will fall back to CAP_SYS_ADMIN, if
-CAP_SYSLOG support was not detected.
-
-Thanks to Andrew Morgan for pointing out a nice way to detect whether
-the kernel has CAP_SYSLOG. Original code by Serge Hallyn, with minor
-changes based on Balazs Scheidler's review by Gergely Nagy.
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-Signed-off-by: Gergely Nagy <algernon@balabit.hu>
-Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
----
-
-diff --git a/lib/gprocess.c b/lib/gprocess.c
-index 38bcb12..e2159fc 100644
---- a/lib/gprocess.c
-+++ b/lib/gprocess.c
-@@ -98,6 +98,7 @@ static gint startup_result_pipe[2] = { -1, -1 };
- static gint init_result_pipe[2] = { -1, -1 };
- static GProcessKind process_kind = G_PK_STARTUP;
- static gboolean stderr_present = TRUE;
-+static int have_capsyslog = FALSE;
-
- /* global variables */
- static struct
-@@ -216,6 +217,13 @@ g_process_cap_modify(int capability, int onoff)
- if (!process_opts.caps)
- return TRUE;
-
-+ /*
-+ * if libcap or kernel doesn't support cap_syslog, then resort to
-+ * cap_sys_admin
-+ */
-+ if (capability == CAP_SYSLOG && (!have_capsyslog || CAP_SYSLOG == -1))
-+ capability = CAP_SYS_ADMIN;
-+
- caps = cap_get_proc();
- if (!caps)
- return FALSE;
-@@ -297,6 +305,25 @@ g_process_cap_restore(cap_t r)
- return;
- }
-
-+gboolean
-+g_process_check_cap_syslog(void)
-+{
-+ int ret;
-+
-+ if (have_capsyslog)
-+ return TRUE;
-+
-+ if (CAP_SYSLOG == -1)
-+ return FALSE;
-+
-+ ret = prctl(PR_CAPBSET_READ, CAP_SYSLOG);
-+ if (ret == -1)
-+ return FALSE;
-+
-+ have_capsyslog = TRUE;
-+ return TRUE;
-+}
-+
- #endif
-
- /**
-diff --git a/lib/gprocess.h b/lib/gprocess.h
-index a6dd7c4..1bdd719 100644
---- a/lib/gprocess.h
-+++ b/lib/gprocess.h
-@@ -46,6 +46,10 @@ gboolean g_process_cap_modify(int capability, int onoff);
- cap_t g_process_cap_save(void);
- void g_process_cap_restore(cap_t r);
-
-+#ifndef CAP_SYSLOG
-+#define CAP_SYSLOG -1
-+#endif
-+
- #else
-
- typedef gpointer cap_t;
-@@ -71,6 +75,8 @@ void g_process_set_argv_space(gint argc, gchar **argv);
- void g_process_set_use_fdlimit(gboolean use);
- void g_process_set_check(gint check_period, gboolean (*check_fn)(void));
-
-+gboolean g_process_check_cap_syslog(void);
-+
- void g_process_start(void);
- void g_process_startup_failed(guint ret_num, gboolean may_exit);
- void g_process_startup_ok(void);
-diff --git a/modules/affile/affile.c b/modules/affile/affile.c
-index ce343cd..bb8aa75 100644
---- a/modules/affile/affile.c
-+++ b/modules/affile/affile.c
-@@ -59,7 +59,7 @@ affile_open_file(gchar *name, gint flags,
- if (privileged)
- {
- g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
-- g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
-+ g_process_cap_modify(CAP_SYSLOG, TRUE);
- }
- else
- {
-diff --git a/syslog-ng/main.c b/syslog-ng/main.c
-index 9880c1f..02f17b6 100644
---- a/syslog-ng/main.c
-+++ b/syslog-ng/main.c
-@@ -363,6 +363,33 @@ version(void)
- ON_OFF_STR(ENABLE_PACCT_MODULE));
- }
-
-+#if ENABLE_LINUX_CAPS
-+#define BASE_CAPS "cap_net_bind_service,cap_net_broadcast,cap_net_raw," \
-+ "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
-+
-+static void
-+setup_caps (void)
-+{
-+ static gchar *capsstr_syslog = BASE_CAPS "cap_syslog=ep";
-+ static gchar *capsstr_sys_admin = BASE_CAPS "cap_sys_admin=ep";
-+
-+ /* Set up the minimal privilege we'll need
-+ *
-+ * NOTE: polling /proc/kmsg requires cap_sys_admin, otherwise it'll always
-+ * indicate readability. Enabling/disabling cap_sys_admin on every poll
-+ * invocation seems to be too expensive. So I enable it for now.
-+ */
-+ if (g_process_check_cap_syslog())
-+ g_process_set_caps(capsstr_syslog);
-+ else
-+ g_process_set_caps(capsstr_sys_admin);
-+}
-+#else
-+
-+#define setup_caps()
-+
-+#endif
-+
- int
- main(int argc, char *argv[])
- {
-@@ -374,14 +401,9 @@ main(int argc, char *argv[])
- z_mem_trace_init("syslog-ng.trace");
-
- g_process_set_argv_space(argc, (gchar **) argv);
--
-- /* NOTE: polling /proc/kmsg requires cap_sys_admin, otherwise it'll always
-- * indicate readability. Enabling/disabling cap_sys_admin on every poll
-- * invocation seems to be too expensive. So I enable it for now. */
--
-- g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
-- "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
-- "cap_sys_admin=ep");
-+
-+ setup_caps();
-+
- ctx = g_option_context_new("syslog-ng");
- g_process_add_option_group(ctx);
- msg_add_option_group(ctx); |