Commit
omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set
The omprog module uses the execve() function to execute a third party program. Some required capabilities were not preserved in the bounding set [1]. This caused problems, e.g. the program could not write to files even if rsyslog was executed as root and privileges were not dropped.

As of now, only the CAP_DAC_OVERRIDE capability is added to the bounding set. Others could be added later, if there is justification behind that.

[1] The capability bounding set is a security mechanism that can be used to limit the capabilities that can be gained during an execve(2). During an execve, the capability bounding set is ANDed with the file permitted capability set, and the result of this operation is assigned to the thread's permitted capability set. The capability bounding set thus places a limit on the permitted capabilities that may be granted by an executable file.
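The rule quoted in [1], worked through as an added example (not code from this commit or from rsyslog): a small model of the execve(2) capability transformation documented in capabilities(7), showing why a root child loses CAP_DAC_OVERRIDE when it is missing from the bounding set. The function names and the contents of `BSET_BEFORE` are constructed for illustration, and the ambient set is assumed empty.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE      1
#define CAP_SETGID            6
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE 10
#define CAP_BIT(c) (1ULL << (c))

/* Constructed bounding set for illustration, not rsyslog's actual list. */
#define BSET_BEFORE (CAP_BIT(CAP_SETUID) | CAP_BIT(CAP_SETGID) | \
                     CAP_BIT(CAP_NET_BIND_SERVICE))
#define BSET_AFTER  (BSET_BEFORE | CAP_BIT(CAP_DAC_OVERRIDE))

struct proc_caps { uint64_t permitted, effective, inheritable, bounding; };
struct file_caps { uint64_t permitted, inheritable; int effective; };

/* execve(2) transformation from capabilities(7); ambient set assumed empty.
 * is_root means both real and effective UID are 0. */
struct proc_caps caps_after_execve(struct proc_caps p, struct file_caps f,
                                   int is_root)
{
    struct proc_caps n;
    if (is_root) {  /* for root the file sets are treated as all ones */
        f.permitted = f.inheritable = ~0ULL;
        f.effective = 1;
    }
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;  /* unchanged by execve */
    return n;
}

/* Does a root child exec'd under `bounding` hold `cap` in its effective set? */
int root_child_has(uint64_t bounding, int cap)
{
    struct proc_caps parent = { bounding, bounding, 0, bounding };
    struct file_caps plain = { 0, 0, 0 };  /* binary without file capabilities */
    return (caps_after_execve(parent, plain, 1).effective & CAP_BIT(cap)) != 0;
}

int main(void)
{
    printf("CAP_DAC_OVERRIDE in child, bounding set without it: %d\n",
           root_child_has(BSET_BEFORE, CAP_DAC_OVERRIDE));
    printf("CAP_DAC_OVERRIDE in child, bounding set with it:    %d\n",
           root_child_has(BSET_AFTER, CAP_DAC_OVERRIDE));
    return 0;
}
```

Without CAP_DAC_OVERRIDE, a UID 0 child is subject to ordinary file permission checks, which matches the write failures described in the commit message.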