[packages/syslog-ng.git] / cap_syslog.patch

diff -upr syslog-ng-3.0.9./src/affile.c syslog-ng-3.0.9/src/affile.c
--- syslog-ng-3.0.9./src/affile.c	2011-01-19 15:14:11.813181829 +0100
+++ syslog-ng-3.0.9/src/affile.c	2011-01-19 16:10:12.399928759 +0100
@@ -59,7 +59,12 @@ affile_open_file(gchar *name, gint flags
   if (privileged)
     {
       g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
-      g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
+      if (!kernel_version)
+        get_kernel_version();
+      if (kernel_version < LINUX_VERSION(2, 6, 38))
+        g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
+      else
+        g_process_cap_modify(CAP_SYSLOG, TRUE);
     }
   else
       g_process_cap_modify(CAP_DAC_OVERRIDE, TRUE);
diff -upr syslog-ng-3.0.9./src/gprocess.h syslog-ng-3.0.9/src/gprocess.h
--- syslog-ng-3.0.9./src/gprocess.h	2009-04-22 13:06:55.000000000 +0200
+++ syslog-ng-3.0.9/src/gprocess.h	2011-01-19 16:10:12.399928759 +0100
@@ -27,6 +27,7 @@
 #include "syslog-ng.h"
 
 #include <sys/types.h>
+#include <sys/utsname.h>
 
 #if ENABLE_LINUX_CAPS
 #  include <sys/capability.h>
@@ -77,5 +78,8 @@ void g_process_finish(void);
 
 void g_process_add_option_group(GOptionContext *ctx);
 
+extern int kernel_version;
+extern void get_kernel_version(void);
+#define LINUX_VERSION(x,y,z)    (0x10000*(x) + 0x100*(y) + z)
 
 #endif
diff -upr syslog-ng-3.0.9./src/main.c syslog-ng-3.0.9/src/main.c
--- syslog-ng-3.0.9./src/main.c	2010-05-10 17:46:05.000000000 +0200
+++ syslog-ng-3.0.9/src/main.c	2011-01-19 16:10:25.346593248 +0100
@@ -64,6 +64,7 @@ static const gchar *persist_file = PATH_
 static gboolean syntax_only = FALSE;
 static gboolean seed_rng = FALSE;
 static gboolean display_version = FALSE;
+int kernel_version;
 
 static volatile sig_atomic_t sig_hup_received = FALSE;
 static volatile sig_atomic_t sig_term_received = FALSE;
@@ -395,6 +396,20 @@ version(void)
          ON_OFF_STR(ENABLE_PCRE));
 }
 
+void
+get_kernel_version(void) {
+	static struct utsname uts;
+	int x = 0, y = 0, z = 0;
+
+	if (uname(&uts) == -1) {
+		fprintf(stderr, "Unable to retrieve kernel version.\n");
+		exit(1);
+	}
+
+	sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
+	kernel_version = LINUX_VERSION(x, y, z);
+}
+
 int 
 main(int argc, char *argv[])
 {
@@ -411,9 +426,20 @@ main(int argc, char *argv[])
    * indicate readability. Enabling/disabling cap_sys_admin on every poll
    * invocation seems to be too expensive. So I enable it for now. */
   
-  g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
+  if (!kernel_version)
+    get_kernel_version();
+  if (kernel_version < LINUX_VERSION(2, 6, 34))
+    g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
                      "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
                      "cap_sys_admin=ep");
+  else if (kernel_version < LINUX_VERSION(2, 6, 38))
+    g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
+                     "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner,"
+                     "cap_sys_admin=p");
+  else 
+    g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
+                     "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner,"
+                     "cap_syslog=p");
   ctx = g_option_context_new("syslog-ng");
   g_process_add_option_group(ctx);
   msg_add_option_group(ctx);
Commit	Line	Data
d24ef564	1	diff -upr syslog-ng-3.0.9./src/affile.c syslog-ng-3.0.9/src/affile.c
	2	--- syslog-ng-3.0.9./src/affile.c 2011-01-19 15:14:11.813181829 +0100
	3	+++ syslog-ng-3.0.9/src/affile.c 2011-01-19 16:10:12.399928759 +0100
	4	@@ -59,7 +59,12 @@ affile_open_file(gchar *name, gint flags
	5	if (privileged)
	6	{
	7	g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
	8	- g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
	9	+ if (!kernel_version)
	10	+ get_kernel_version();
132db421	11	+ if (kernel_version < LINUX_VERSION(2, 6, 38))
d24ef564	12	+ g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
	13	+ else
	14	+ g_process_cap_modify(CAP_SYSLOG, TRUE);
	15	}
	16	else
	17	g_process_cap_modify(CAP_DAC_OVERRIDE, TRUE);
	18	diff -upr syslog-ng-3.0.9./src/gprocess.h syslog-ng-3.0.9/src/gprocess.h
	19	--- syslog-ng-3.0.9./src/gprocess.h 2009-04-22 13:06:55.000000000 +0200
	20	+++ syslog-ng-3.0.9/src/gprocess.h 2011-01-19 16:10:12.399928759 +0100
	21	@@ -27,6 +27,7 @@
	22	#include "syslog-ng.h"
	23
	24	#include <sys/types.h>
	25	+#include <sys/utsname.h>
	26
	27	#if ENABLE_LINUX_CAPS
	28	# include <sys/capability.h>
	29	@@ -77,5 +78,8 @@ void g_process_finish(void);
	30
	31	void g_process_add_option_group(GOptionContext *ctx);
	32
	33	+extern int kernel_version;
	34	+extern void get_kernel_version(void);
	35	+#define LINUX_VERSION(x,y,z) (0x10000(x) + 0x100(y) + z)
	36
	37	#endif
	38	diff -upr syslog-ng-3.0.9./src/main.c syslog-ng-3.0.9/src/main.c
	39	--- syslog-ng-3.0.9./src/main.c 2010-05-10 17:46:05.000000000 +0200
	40	+++ syslog-ng-3.0.9/src/main.c 2011-01-19 16:10:25.346593248 +0100
	41	@@ -64,6 +64,7 @@ static const gchar *persist_file = PATH_
	42	static gboolean syntax_only = FALSE;
	43	static gboolean seed_rng = FALSE;
	44	static gboolean display_version = FALSE;
	45	+int kernel_version;
	46
	47	static volatile sig_atomic_t sig_hup_received = FALSE;
	48	static volatile sig_atomic_t sig_term_received = FALSE;
	49	@@ -395,6 +396,20 @@ version(void)
	50	ON_OFF_STR(ENABLE_PCRE));
	51	}
	52
	53	+void
	54	+get_kernel_version(void) {
	55	+ static struct utsname uts;
	56	+ int x = 0, y = 0, z = 0;
	57	+
	58	+ if (uname(&uts) == -1) {
	59	+ fprintf(stderr, "Unable to retrieve kernel version.\n");
	60	+ exit(1);
	61	+ }
	62	+
	63	+ sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
	64	+ kernel_version = LINUX_VERSION(x, y, z);
	65	+}
	66	+
	67	int
	68	main(int argc, char *argv[])
	69	{
	70	@@ -411,9 +426,20 @@ main(int argc, char *argv[])
	71	* indicate readability. Enabling/disabling cap_sys_admin on every poll
	72	* invocation seems to be too expensive. So I enable it for now. */
	73
	74	- g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
	75	+ if (!kernel_version)
76	+ get_kernel_version();
77	+ if (kernel_version < LINUX_VERSION(2, 6, 34))
78	+ g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
79	"cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
80	"cap_sys_admin=ep");
132db421	81	+ else if (kernel_version < LINUX_VERSION(2, 6, 38))
d24ef564	82	+ g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
	83	+ "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner,"
	84	+ "cap_sys_admin=p");
	85	+ else
	86	+ g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
	87	+ "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner,"
	88	+ "cap_syslog=p");
	89	ctx = g_option_context_new("syslog-ng");
	90	g_process_add_option_group(ctx);
	91	msg_add_option_group(ctx);