Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch')
-rw-r--r--app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch172
1 files changed, 0 insertions, 172 deletions
diff --git a/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch b/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch
deleted file mode 100644
index 9b97f97..0000000
--- a/app-admin/syslog-ng/files/syslog-ng-3.2.4-use-cap_syslog.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From: Balazs Scheidler <bazsi@balabit.hu>
-Date: Thu, 12 May 2011 11:11:58 +0000 (+0200)
-Subject: Use CAP_SYSLOG instead of CAP_SYS_ADMIN, if available.
-X-Git-Url: http://git.balabit.hu/?p=algernon%2Fsyslog-ng-3.2.git;a=commitdiff_plain;h=54a316a1692a3baac3f65e9eaecd962e46a9dfc8
-
-Use CAP_SYSLOG instead of CAP_SYS_ADMIN, if available.
-
-If cap_syslog exists, the kernel will complain (once) that we only
-have cap_sys_admin. Additionally, using cap_syslog instead of
-cap_sys_admin significantly lowers the unneeded privs we are
-using.
-
-Upon startup, syslog-ng will detect whether CAP_SYSLOG is available,
-and use capabilities based on that finding. This detection will also
-have a side-effect, which will make it so that
-g_process_cap_modify(CAP_SYSLOG) will fall back to CAP_SYS_ADMIN, if
-CAP_SYSLOG support was not detected.
-
-Thanks to Andrew Morgan for pointing out a nice way to detect whether
-the kernel has CAP_SYSLOG. Original code by Serge Hallyn, with minor
-changes based on Balazs Scheidler's review by Gergely Nagy.
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-Signed-off-by: Gergely Nagy <algernon@balabit.hu>
-Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
----
-
-diff --git a/lib/gprocess.c b/lib/gprocess.c
-index 38bcb12..e2159fc 100644
---- a/lib/gprocess.c
-+++ b/lib/gprocess.c
-@@ -98,6 +98,7 @@ static gint startup_result_pipe[2] = { -1, -1 };
- static gint init_result_pipe[2] = { -1, -1 };
- static GProcessKind process_kind = G_PK_STARTUP;
- static gboolean stderr_present = TRUE;
-+static int have_capsyslog = FALSE;
-
- /* global variables */
- static struct
-@@ -216,6 +217,13 @@ g_process_cap_modify(int capability, int onoff)
- if (!process_opts.caps)
- return TRUE;
-
-+ /*
-+ * if libcap or kernel doesn't support cap_syslog, then resort to
-+ * cap_sys_admin
-+ */
-+ if (capability == CAP_SYSLOG && (!have_capsyslog || CAP_SYSLOG == -1))
-+ capability = CAP_SYS_ADMIN;
-+
- caps = cap_get_proc();
- if (!caps)
- return FALSE;
-@@ -297,6 +305,25 @@ g_process_cap_restore(cap_t r)
- return;
- }
-
-+gboolean
-+g_process_check_cap_syslog(void)
-+{
-+ int ret;
-+
-+ if (have_capsyslog)
-+ return TRUE;
-+
-+ if (CAP_SYSLOG == -1)
-+ return FALSE;
-+
-+ ret = prctl(PR_CAPBSET_READ, CAP_SYSLOG);
-+ if (ret == -1)
-+ return FALSE;
-+
-+ have_capsyslog = TRUE;
-+ return TRUE;
-+}
-+
- #endif
-
- /**
-diff --git a/lib/gprocess.h b/lib/gprocess.h
-index a6dd7c4..1bdd719 100644
---- a/lib/gprocess.h
-+++ b/lib/gprocess.h
-@@ -46,6 +46,10 @@ gboolean g_process_cap_modify(int capability, int onoff);
- cap_t g_process_cap_save(void);
- void g_process_cap_restore(cap_t r);
-
-+#ifndef CAP_SYSLOG
-+#define CAP_SYSLOG -1
-+#endif
-+
- #else
-
- typedef gpointer cap_t;
-@@ -71,6 +75,8 @@ void g_process_set_argv_space(gint argc, gchar **argv);
- void g_process_set_use_fdlimit(gboolean use);
- void g_process_set_check(gint check_period, gboolean (*check_fn)(void));
-
-+gboolean g_process_check_cap_syslog(void);
-+
- void g_process_start(void);
- void g_process_startup_failed(guint ret_num, gboolean may_exit);
- void g_process_startup_ok(void);
-diff --git a/modules/affile/affile.c b/modules/affile/affile.c
-index ce343cd..bb8aa75 100644
---- a/modules/affile/affile.c
-+++ b/modules/affile/affile.c
-@@ -59,7 +59,7 @@ affile_open_file(gchar *name, gint flags,
- if (privileged)
- {
- g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
-- g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
-+ g_process_cap_modify(CAP_SYSLOG, TRUE);
- }
- else
- {
-diff --git a/syslog-ng/main.c b/syslog-ng/main.c
-index 9880c1f..02f17b6 100644
---- a/syslog-ng/main.c
-+++ b/syslog-ng/main.c
-@@ -363,6 +363,33 @@ version(void)
- ON_OFF_STR(ENABLE_PACCT_MODULE));
- }
-
-+#if ENABLE_LINUX_CAPS
-+#define BASE_CAPS "cap_net_bind_service,cap_net_broadcast,cap_net_raw," \
-+ "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
-+
-+static void
-+setup_caps (void)
-+{
-+ static gchar *capsstr_syslog = BASE_CAPS "cap_syslog=ep";
-+ static gchar *capsstr_sys_admin = BASE_CAPS "cap_sys_admin=ep";
-+
-+ /* Set up the minimal privilege we'll need
-+ *
-+ * NOTE: polling /proc/kmsg requires cap_sys_admin, otherwise it'll always
-+ * indicate readability. Enabling/disabling cap_sys_admin on every poll
-+ * invocation seems to be too expensive. So I enable it for now.
-+ */
-+ if (g_process_check_cap_syslog())
-+ g_process_set_caps(capsstr_syslog);
-+ else
-+ g_process_set_caps(capsstr_sys_admin);
-+}
-+#else
-+
-+#define setup_caps()
-+
-+#endif
-+
- int
- main(int argc, char *argv[])
- {
-@@ -374,14 +401,9 @@ main(int argc, char *argv[])
- z_mem_trace_init("syslog-ng.trace");
-
- g_process_set_argv_space(argc, (gchar **) argv);
--
-- /* NOTE: polling /proc/kmsg requires cap_sys_admin, otherwise it'll always
-- * indicate readability. Enabling/disabling cap_sys_admin on every poll
-- * invocation seems to be too expensive. So I enable it for now. */
--
-- g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
-- "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
-- "cap_sys_admin=ep");
-+
-+ setup_caps();
-+
- ctx = g_option_context_new("syslog-ng");
- g_process_add_option_group(ctx);
- msg_add_option_group(ctx);