From 8b6dfc76536de1794469f66d5f830692a040fdaf Mon Sep 17 00:00:00 2001 From: alakatos Date: Jan 17 2023 16:01:37 +0000 Subject: Adjust capability set for libcap-ng --- diff --git a/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch b/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch index 6b3f43f..cb583fb 100644 --- a/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch +++ b/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch @@ -1,20 +1,3 @@ -From e9f85312630eb25d0985e911475803bd06f4173e Mon Sep 17 00:00:00 2001 -From: alakatos -Date: Thu, 13 Oct 2022 10:41:38 +0200 -Subject: [PATCH 1/2] Introduce --enable-libcap-ng configure option - -The option allows to drop the capabilities to only -the necessary set, to minimize security exposure in -case there was ever a mistake in a networking -plugin or some other input resource. Resolves #4986 ---- - configure.ac | 24 ++++++++++++++++++++++++ - runtime/debug.c | 4 ++-- - runtime/modules.c | 6 +++--- - runtime/rsyslog.h | 1 + - tools/rsyslogd.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 72 insertions(+), 5 deletions(-) - diff --git a/configure.ac b/configure.ac index 9f73a708d0..958c26245e 100644 --- a/configure.ac 
@@ -110,6 +93,99 @@ index 810b2e9b52..b39bd9f066 100644 finalize_it: free(cnfModName); cnfparamvalsDestruct(pvals, &pblk); +diff --git a/runtime/rsconf.c b/runtime/rsconf.c +index 4620ff8d13..de2a21b406 100644 +--- a/runtime/rsconf.c ++++ b/runtime/rsconf.c +@@ -34,6 +34,10 @@ + #include + #include + #include ++#ifdef ENABLE_LIBCAPNG ++ #include ++#endif ++ + + #include "rsyslog.h" + #include "obj.h" +@@ -656,6 +660,7 @@ rsRetVal doDropPrivGid(rsconf_t *cnf) + uchar szBuf[1024]; + DEFiRet; + ++#ifndef ENABLE_LIBCAPNG + if(!cnf->globals.gidDropPrivKeepSupplemental) { + res = setgroups(0, NULL); /* remove all supplemental group IDs */ + if(res) { +@@ -668,9 +673,19 @@ rsRetVal doDropPrivGid(rsconf_t *cnf) + res = setgid(cnf->globals.gidDropPriv); + if(res) { + LogError(errno, RS_RET_ERR_DROP_PRIV, +- "could not set requested group id %d", cnf->globals.gidDropPriv); ++ "could not set requested group id %d via setgid()", cnf->globals.gidDropPriv); + ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV); + } ++#else ++ int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; ++ res = capng_change_id(-1, cnf->globals.gidDropPriv, capng_flags); ++ if (res) { ++ LogError(0, RS_RET_LIBCAPNG_ERR, ++ "could not set requested group id %d via capng_change_id()", cnf->globals.gidDropPriv); ++ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR); ++ } ++#endif ++ + DBGPRINTF("setgid(%d): %d\n", cnf->globals.gidDropPriv, res); + snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d", + cnf->globals.gidDropPriv); +@@ -705,12 +720,18 @@ static void doDropPrivUid(rsconf_t *cnf) + cnf->globals.uidDropPriv); + } + ++#ifndef ENABLE_LIBCAPNG + res = setuid(cnf->globals.uidDropPriv); ++#else ++ int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? 
CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; ++ res = capng_change_id(cnf->globals.uidDropPriv, -1, capng_flags); ++#endif + if(res) { + /* if we can not set the userid, this is fatal, so let's unconditionally abort */ + perror("could not set requested userid"); + exit(1); + } ++ + DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res); + snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv); + logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0); +@@ -739,6 +760,29 @@ dropPrivileges(rsconf_t *cnf) + cnf->globals.uidDropPriv); + } + ++#ifdef ENABLE_LIBCAPNG ++ /* In case privileges were dropped, do not allow bypassing ++ * file read, write, and execute permission checks ++ */ ++ if (cnf->globals.gidDropPriv != 0 || cnf->globals.uidDropPriv != 0) { ++ int capng_rc; ++ if ((capng_rc = capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) != 0) { ++ LogError(0, RS_RET_LIBCAPNG_ERR, ++ "could not update the internal posix capabilities settings " ++ "based on the options passed to it, capng_update=%d\n", capng_rc); ++ exit(-1); ++ } ++ ++ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) { ++ LogError(0, RS_RET_LIBCAPNG_ERR, ++ "could not transfer the specified internal posix capabilities " ++ "settings to the kernel, capng_apply=%d\n", capng_rc); ++ exit(-1); ++ } ++ } ++ ++#endif ++ + finalize_it: + RETiRet; + } diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index 908e5e7b73..01616d8f7d 100644 --- a/runtime/rsyslog.h @@ -123,7 +199,7 @@ index 908e5e7b73..01616d8f7d 100644 /* RainerScript error messages (range 1000.. 1999) */ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c -index 31b91a1bd1..c209e1bcdd 100644 +index 31b91a1bd1..77d814b482 100644 --- a/tools/rsyslogd.c +++ b/tools/rsyslogd.c @@ -37,6 +37,9 @@ 
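Review bot: In doDropPrivUid the ENABLE_LIBCAPNG branch falls through to the shared `if(res)` block, which reports the failure with `perror()` and discards `res`; when `capng_change_id()` fails, errno need not belong to the step that failed, and the negative return code (which libcap-ng uses to distinguish the failing step) is the value worth recording. Replacing the `perror` line with `LogError(errno, RS_RET_ERR_DROP_PRIV, "could not set requested userid %d (rc=%d)", cnf->globals.uidDropPriv, res);` records the code for both backends and matches how doDropPrivGid already reports through LogError. In dropPrivileges, `capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_DAC_OVERRIDE)` leaves the capability in the bounding set even though the following `capng_apply(CAPNG_SELECT_BOTH)` writes that set anyway; adding `CAPNG_BOUNDING_SET` to the type mask would stop a later exec of a file-capability binary from regaining it. The two `exit(-1)` calls in that block also differ from the `exit(1)` convention used a few lines above in doDropPrivUid. All three functions touched here (doDropPrivGid, doDropPrivUid, dropPrivileges) start outside their respective inner hunks.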
@@ -136,7 +212,7 @@ index 31b91a1bd1..c209e1bcdd 100644 #include "rsyslog.h" #include "wti.h" -@@ -2167,6 +2170,45 @@ main(int argc, char **argv) +@@ -2167,6 +2170,46 @@ main(int argc, char **argv) fjson_global_do_case_sensitive_comparison(0); dbgClassInit(); @@ -155,9 +231,10 @@ index 31b91a1bd1..c209e1bcdd 100644 + CAP_LEASE, + CAP_NET_ADMIN, + CAP_NET_BIND_SERVICE, -+ CAP_PERFMON, ++ CAP_DAC_OVERRIDE, + CAP_SETGID, + CAP_SETUID, ++ CAP_SETPCAP, + CAP_SYS_ADMIN, + CAP_SYS_CHROOT, + CAP_SYS_RESOURCE, 
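Review bot: CAP_SETPCAP is added to the retained set in this list without a comment saying what it is kept for, and the rsyslog.spec changelog in this commit mentions only the CAP_PERFMON removal and the CAP_DAC_OVERRIDE addition, so the rationale is recorded nowhere. Presumably it is needed so the later `capng_apply(CAPNG_SELECT_BOTH)` in dropPrivileges can write the bounding set; if so, a comment such as `CAP_SETPCAP, /* needed to apply the capability bounding set */` on that entry plus a changelog line would make the intent reviewable. Keeping CAP_SETPCAP in the permitted set after the uid/gid change also lets the now-unprivileged daemon widen its inheritable set from the bounding set, so it is worth verifying whether it can be dropped in the same block that drops CAP_DAC_OVERRIDE once the id change is done. The array this hunk edits begins and ends outside the hunk.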
@@ -182,77 +259,3 @@ index 31b91a1bd1..c209e1bcdd 100644 initAll(argc, argv); #ifdef HAVE_LIBSYSTEMD sd_notify(0, "READY=1"); - -From 305e07a2b757b98dc7e26c148c175901034451b9 Mon Sep 17 00:00:00 2001 -From: alakatos -Date: Mon, 31 Oct 2022 12:30:48 +0100 -Subject: [PATCH 2/2] Add ability to change uid and gid while retaining the - capabilities previously specified - ---- - runtime/rsconf.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/runtime/rsconf.c b/runtime/rsconf.c -index 4620ff8d13..24d1ec3570 100644 ---- a/runtime/rsconf.c -+++ b/runtime/rsconf.c -@@ -34,6 +34,10 @@ - #include - #include - #include -+#ifdef ENABLE_LIBCAPNG -+ #include -+#endif -+ - - #include "rsyslog.h" - #include "obj.h" -@@ -656,6 +660,7 @@ rsRetVal doDropPrivGid(rsconf_t *cnf) - uchar szBuf[1024]; - DEFiRet; - -+#ifndef ENABLE_LIBCAPNG - if(!cnf->globals.gidDropPrivKeepSupplemental) { - res = setgroups(0, NULL); /* remove all supplemental group IDs */ - if(res) { -@@ -668,9 +673,19 @@ rsRetVal doDropPrivGid(rsconf_t *cnf) - res = setgid(cnf->globals.gidDropPriv); - if(res) { - LogError(errno, RS_RET_ERR_DROP_PRIV, -- "could not set requested group id %d", cnf->globals.gidDropPriv); -+ "could not set requested group id %d via setgid()", cnf->globals.gidDropPriv); - ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV); - } -+#else -+ int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? 
CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; -+ res = capng_change_id(-1, cnf->globals.gidDropPriv, capng_flags); -+ if (res) { -+ LogError(0, RS_RET_LIBCAPNG_ERR, -+ "could not set requested group id %d via capng_change_id()", cnf->globals.gidDropPriv); -+ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR); -+ } -+#endif -+ - DBGPRINTF("setgid(%d): %d\n", cnf->globals.gidDropPriv, res); - snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d", - cnf->globals.gidDropPriv); -@@ -705,12 +720,18 @@ static void doDropPrivUid(rsconf_t *cnf) - cnf->globals.uidDropPriv); - } - -+#ifndef ENABLE_LIBCAPNG - res = setuid(cnf->globals.uidDropPriv); -+#else -+ int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; -+ res = capng_change_id(cnf->globals.uidDropPriv, -1, capng_flags); -+#endif - if(res) { - /* if we can not set the userid, this is fatal, so let's unconditionally abort */ - perror("could not set requested userid"); - exit(1); - } -+ - DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res); - snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv); - logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0); diff --git a/rsyslog.spec b/rsyslog.spec index fe58095..867e492 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -35,7 +35,7 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog Version: 8.2210.0 -Release: 2%{?dist} +Release: 3%{?dist} License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz @@ -757,6 +757,10 @@ done %changelog +* Tue Jan 17 2023 Attila Lakatos - 8.2210.0-3 +- Remove CAP_PERFMON from the capability set +- Add CAP_DAC_OVERRIDE to the capability set + * Fri Dec 16 2022 Attila Lakatos - 8.2210.0-2 - Move all if rhel feature conditions to bcond - Move to bcond: rdkafka, relp, mysql, pgsql, gssapi, gnutls, udpspoof, omamqp1