Commit | Line | Data |
---|---|---|
d24ef564 | 1 | diff -upr syslog-ng-3.0.9./src/affile.c syslog-ng-3.0.9/src/affile.c |
2 | --- syslog-ng-3.0.9./src/affile.c 2011-01-19 15:14:11.813181829 +0100 | |
3 | +++ syslog-ng-3.0.9/src/affile.c 2011-01-19 16:10:12.399928759 +0100 | |
4 | @@ -59,7 +59,12 @@ affile_open_file(gchar *name, gint flags | |
5 | if (privileged) | |
6 | { | |
7 | g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE); | |
8 | - g_process_cap_modify(CAP_SYS_ADMIN, TRUE); | |
9 | + if (!kernel_version) | |
10 | + get_kernel_version(); | |
132db421 | 11 | + if (kernel_version < LINUX_VERSION(2, 6, 38)) |
d24ef564 | 12 | + g_process_cap_modify(CAP_SYS_ADMIN, TRUE); |
13 | + else | |
14 | + g_process_cap_modify(CAP_SYSLOG, TRUE); | |
15 | } | |
16 | else | |
17 | g_process_cap_modify(CAP_DAC_OVERRIDE, TRUE); | |
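Review bot: `CAP_SYSLOG` is referenced unconditionally in the new `else` branch, so affile.c only builds against headers that already define it, and nothing visible in this patch supplies a fallback. A guard near the capability includes would keep older build hosts working, e.g. `#ifndef CAP_SYSLOG` / `#define CAP_SYSLOG 34` / `#endif`. The lazy-init pair `if (!kernel_version) get_kernel_version();` is repeated in main.c; folding the check into the getter would leave one place to get it right. affile_open_file starts and ends outside this hunk, so the matching capability restore is not visible here.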
18 | diff -upr syslog-ng-3.0.9./src/gprocess.h syslog-ng-3.0.9/src/gprocess.h | |
19 | --- syslog-ng-3.0.9./src/gprocess.h 2009-04-22 13:06:55.000000000 +0200 | |
20 | +++ syslog-ng-3.0.9/src/gprocess.h 2011-01-19 16:10:12.399928759 +0100 | |
21 | @@ -27,6 +27,7 @@ | |
22 | #include "syslog-ng.h" | |
23 | ||
24 | #include <sys/types.h> | |
25 | +#include <sys/utsname.h> | |
26 | ||
27 | #if ENABLE_LINUX_CAPS | |
28 | # include <sys/capability.h> | |
29 | @@ -77,5 +78,8 @@ void g_process_finish(void); | |
30 | ||
31 | void g_process_add_option_group(GOptionContext *ctx); | |
32 | ||
33 | +extern int kernel_version; | |
34 | +extern void get_kernel_version(void); | |
35 | +#define LINUX_VERSION(x,y,z) (0x10000*(x) + 0x100*(y) + z) | |
36 | ||
37 | #endif | |
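Review bot: `z` is the only argument of `LINUX_VERSION` left unparenthesised, so an expression argument can bind incorrectly; it should read `#define LINUX_VERSION(x,y,z) (0x10000*(x) + 0x100*(y) + (z))`. The macro also packs each component into 8 bits without a range check, so a patch level above 255 parsed from `uts.release` would carry into the minor field and shift the result of the capability comparisons. A one-line comment stating the assumed range, or clamping `z` to 255 in get_kernel_version, would make that explicit. `kernel_version` is a very generic name for an exported global; a project prefix would avoid symbol clashes.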
38 | diff -upr syslog-ng-3.0.9./src/main.c syslog-ng-3.0.9/src/main.c | |
39 | --- syslog-ng-3.0.9./src/main.c 2010-05-10 17:46:05.000000000 +0200 | |
40 | +++ syslog-ng-3.0.9/src/main.c 2011-01-19 16:10:25.346593248 +0100 | |
41 | @@ -64,6 +64,7 @@ static const gchar *persist_file = PATH_ | |
42 | static gboolean syntax_only = FALSE; | |
43 | static gboolean seed_rng = FALSE; | |
44 | static gboolean display_version = FALSE; | |
45 | +int kernel_version; | |
46 | ||
47 | static volatile sig_atomic_t sig_hup_received = FALSE; | |
48 | static volatile sig_atomic_t sig_term_received = FALSE; | |
49 | @@ -395,6 +396,20 @@ version(void) | |
50 | ON_OFF_STR(ENABLE_PCRE)); | |
51 | } | |
52 | ||
53 | +void | |
54 | +get_kernel_version(void) { | |
55 | + static struct utsname uts; | |
56 | + int x = 0, y = 0, z = 0; | |
57 | + | |
58 | + if (uname(&uts) == -1) { | |
59 | + fprintf(stderr, "Unable to retrieve kernel version.\n"); | |
60 | + exit(1); | |
61 | + } | |
62 | + | |
63 | + sscanf(uts.release, "%d.%d.%d", &x, &y, &z); | |
64 | + kernel_version = LINUX_VERSION(x, y, z); | |
65 | +} | |
66 | + | |
67 | int | |
68 | main(int argc, char *argv[]) | |
69 | { | |
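Review bot: The return value of `sscanf` in `get_kernel_version` is ignored, so an unparseable `uts.release` leaves `kernel_version` at 0. Zero compares below every `LINUX_VERSION(...)` threshold, which selects the oldest branch in main() (the one that grants `cap_sys_admin=ep`), so a parse failure silently falls back to the broadest privilege set. Because 0 is also the "not yet read" sentinel, every caller would re-run `uname()` as well. Failing closed matches the existing `uname()` error path: `if (sscanf(uts.release, "%d.%d.%d", &x, &y, &z) < 2) { fprintf(stderr, "Unable to parse kernel version.\n"); exit(1); }`. `uts` does not need to be `static`, since nothing keeps a pointer to it after the function returns.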
70 | @@ -411,9 +426,20 @@ main(int argc, char *argv[]) | |
71 | * indicate readability. Enabling/disabling cap_sys_admin on every poll | |
72 | * invocation seems to be too expensive. So I enable it for now. */ | |
73 | ||
74 | - g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw," | |
75 | + if (!kernel_version) | |
76 | + get_kernel_version(); | |
77 | + if (kernel_version < LINUX_VERSION(2, 6, 34)) | |
78 | + g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw," | |
79 | "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p " | |
80 | "cap_sys_admin=ep"); | |
132db421 | 81 | + else if (kernel_version < LINUX_VERSION(2, 6, 38)) |
d24ef564 | 82 | + g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw," |
83 | + "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner," | |
84 | + "cap_sys_admin=p"); | |
85 | + else | |
86 | + g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw," | |
87 | + "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner," | |
88 | + "cap_syslog=p"); | |
89 | ctx = g_option_context_new("syslog-ng"); | |
90 | g_process_add_option_group(ctx); | |
91 | msg_add_option_group(ctx); |
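Review bot: The comment kept above this block still says cap_sys_admin is enabled permanently because toggling it is too expensive, but only the `< LINUX_VERSION(2, 6, 34)` branch keeps `=ep`. The two new branches place the capability in the permitted set only and rely on affile_open_file raising it around the open. The comment should be updated to describe that split, e.g. `/* from 2.6.34 on the capability is permitted-only and raised in affile_open_file() */`. Separately, the `cap_syslog` text form is resolved by libcap at run time, so an older libcap on a newer kernel would presumably reject the whole string. Whether g_process_set_caps reports that failure is not visible in this hunk and is worth confirming.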