Merge pull request #5144 from Cropi/libcap

Add new global config option "libcapng.default"
rsyslog · Jun 16, 2023 · f1d5474 · f1d5474
2 parents 605a83b + ea821b7
commit f1d5474
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 39 deletions.
diff --git a/runtime/glbl.c b/runtime/glbl.c
@@ -178,7 +178,8 @@ static struct cnfparamdescr cnfparamdescr[] = {
 	{ "parser.supportcompressionextension", eCmdHdlrBinary, 0 },
 	{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
 	{ "debug.files", eCmdHdlrArray, 0 },
-	{ "debug.whitelist", eCmdHdlrBinary, 0 }
+	{ "debug.whitelist", eCmdHdlrBinary, 0 },
+	{ "libcapng.default", eCmdHdlrBinary, 0 }
 };
 static struct cnfparamblk paramblk =
 	{ CNFPARAMBLK_VERSION,
@@ -1183,6 +1184,13 @@ glblDoneLoadCnf(void)
 		if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
 			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
 			setWorkDir(NULL, cstr);
+		} else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
+#ifdef ENABLE_LIBCAPNG
+			loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
+#else
+			LogError(0, RS_RET_ERR, "rsyslog wasn't "
+				"compiled with libcap-ng support.");
+#endif
 		} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
 			const int val = (int) cnfparamvals[i].val.d.n;
 			fjson_global_do_case_sensitive_comparison(val);

diff --git a/runtime/rsconf.c b/runtime/rsconf.c
@@ -159,6 +159,9 @@ int rsconfNeedDropPriv(rsconf_t *const cnf)
 
 static void cnfSetDefaults(rsconf_t *pThis)
 {
+#ifdef ENABLE_LIBCAPNG
+	pThis->globals.bAbortOnFailedLibcapngSetup = 1;
+#endif
 	pThis->globals.bAbortOnUncleanConfig = 0;
 	pThis->globals.bAbortOnFailedQueueStartup = 0;
 	pThis->globals.bReduceRepeatMsgs = 0;

diff --git a/runtime/rsconf.h b/runtime/rsconf.h
@@ -84,6 +84,9 @@ struct parsercnf_s {
  * be re-set as often as the user likes).
  */
 struct globals_s {
+#ifdef ENABLE_LIBCAPNG
+	int bAbortOnFailedLibcapngSetup;
+#endif
 	int bDebugPrintTemplateList;
 	int bDebugPrintModuleList;
 	int bDebugPrintCfSysLineHandlerList;

diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
@@ -1565,6 +1565,52 @@ initAll(int argc, char **argv)
 	resetErrMsgsFlag();
 	localRet = rsconf.Load(&ourConf, ConfFile);
 
+#ifdef ENABLE_LIBCAPNG
+	/*
+	 * Drop capabilities to the necessary set
+	 */
+	int capng_rc, capng_failed = 0;
+	capng_clear(CAPNG_SELECT_BOTH);
+
+	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+		CAP_BLOCK_SUSPEND,
+		CAP_CHOWN,
+		CAP_IPC_LOCK,
+		CAP_LEASE,
+		CAP_NET_ADMIN,
+		CAP_NET_BIND_SERVICE,
+		CAP_DAC_OVERRIDE,
+		CAP_SETGID,
+		CAP_SETUID,
+		CAP_SYS_ADMIN,
+		CAP_SYS_CHROOT,
+		CAP_SYS_RESOURCE,
+		CAP_SYSLOG,
+		-1
+	)) != 0) {
+		LogError(0, RS_RET_LIBCAPNG_ERR,
+				"could not update the internal posix capabilities settings "
+				"based on the options passed to it, capng_updatev=%d", capng_rc);
+		capng_failed = 1;
+	}
+
+	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+		LogError(0, RS_RET_LIBCAPNG_ERR,
+			"could not transfer the specified internal posix capabilities "
+			"settings to the kernel, capng_apply=%d", capng_rc);
+		capng_failed = 1;
+	}
+
+	if (capng_failed) {
+		DBGPRINTF("Capabilities were not dropped successfully.\n");
+		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+			ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+		}
+	} else {
+		DBGPRINTF("Capabilities were dropped successfully\n");
+	}
+#endif
+
 	if(fp_rs_full_conf_output != NULL) {
 		if(fp_rs_full_conf_output != stdout) {
 			fclose(fp_rs_full_conf_output);
@@ -2171,44 +2217,6 @@ main(int argc, char **argv)
 
 	dbgClassInit();
 
-#ifdef ENABLE_LIBCAPNG
-	/*
-	 * Drop capabilities to the necessary set
-	 */
-	int capng_rc;
-	capng_clear(CAPNG_SELECT_BOTH);
-
-	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-		CAP_BLOCK_SUSPEND,
-		CAP_CHOWN,
-		CAP_IPC_LOCK,
-		CAP_LEASE,
-		CAP_NET_ADMIN,
-		CAP_NET_BIND_SERVICE,
-		CAP_DAC_OVERRIDE,
-		CAP_SETGID,
-		CAP_SETUID,
-		CAP_SYS_ADMIN,
-		CAP_SYS_CHROOT,
-		CAP_SYS_RESOURCE,
-		CAP_SYSLOG,
-		-1
-	)) != 0) {
-		LogError(0, RS_RET_LIBCAPNG_ERR,
-				"could not update the internal posix capabilities settings "
-				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
-		exit(-1);
-	}
-
-	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
-		LogError(0, RS_RET_LIBCAPNG_ERR,
-			"could not transfer  the  specified  internal posix  capabilities "
-			"settings to the kernel, capng_apply=%d\n", capng_rc);
-		exit(-1);
-	}
-	DBGPRINTF("Capabilities were dropped successfully\n");
-#endif
-
 	initAll(argc, argv);
 #ifdef HAVE_LIBSYSTEMD
 	sd_notify(0, "READY=1");